[SECURITY] [DSA 3501-1] perl security update

2016-03-01 Thread Salvatore Bonaccorso

-------------------------------------------------------------------------
Debian Security Advisory DSA-3501-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 01, 2016                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: perl
CVE ID : CVE-2016-2381

Stephane Chazelas discovered a bug in the environment handling in Perl.
Perl provides a Perl-space hash variable, %ENV, in which environment
variables can be looked up.  If a variable appears twice in envp, only
the last value would appear in %ENV, but getenv would return the first.
Perl's taint security mechanism would be applied to the value in %ENV,
but not to the rest of the environment.  This could result in an
ambiguous environment causing environment variables to be propagated to
subprocesses, despite the protections supposedly offered by taint
checking.

With this update Perl changes the behavior to match the following:

 a) %ENV is populated with the first environment variable, as getenv
    would return.
 b) Duplicate environment entries are removed.

For the oldstable distribution (wheezy), this problem has been fixed
in version 5.14.2-21+deb7u3.

For the stable distribution (jessie), this problem has been fixed in
version 5.20.2-3+deb8u4.

For the unstable distribution (sid), this problem will be fixed in
version 5.22.1-8.

We recommend that you upgrade your perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
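The two readings of a duplicated environment that the advisory contrasts, as an added example in C (not code from the advisory or from the Perl sources): `envp_first` returns what libc `getenv()` returns, `envp_last` returns what unfixed Perl placed in `%ENV`, and `envp_dedup` produces the environment a program should hand to a subprocess under the fixed behaviour (a) + (b). The functions operate on any NULL-terminated envp (for instance the third argument of `main`); `sample_envp` and the function names are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed sample: FOO appears twice, as a parent process can arrange via execve(). */
static char *const sample_envp[] = { "PATH=/usr/bin", "FOO=first", "FOO=second", "BAR=", NULL };
/* Length of the NAME part of a "NAME=value" entry (whole entry if no '='). */
static size_t name_len(const char *e) {
    const char *eq = strchr(e, '=');
    return eq ? (size_t)(eq - e) : strlen(e);
}
/* Value part of an entry; empty string if the entry has no '='. */
static const char *value_of(const char *e) { size_t n = name_len(e); return e + n + (e[n] == '='); }
static int name_is(const char *e, const char *name) {
    size_t n = name_len(e);
    return strlen(name) == n && strncmp(e, name, n) == 0;
}

/* First match wins: this is the value libc getenv() returns. */
const char *envp_first(char *const *envp, const char *name) {
    for (; *envp; envp++)
        if (name_is(*envp, name)) return value_of(*envp);
    return NULL;
}

/* Last match wins: this is what unfixed Perl placed in %ENV. */
const char *envp_last(char *const *envp, const char *name) {
    const char *hit = NULL;
    for (; *envp; envp++)
        if (name_is(*envp, name)) hit = value_of(*envp);
    return hit;
}

/* Copy of envp keeping only the first occurrence of each name (fixed behaviour
 * (a) + (b)); this is the array to pass to execve() for a subprocess. */
char **envp_dedup(char *const *envp) {
    size_t n = 0, out = 0;
    while (envp[n]) n++;
    char **res = calloc(n + 1, sizeof *res);   /* calloc => NULL-terminated */
    if (!res) return NULL;
    for (size_t i = 0; i < n; i++) {
        size_t nl = name_len(envp[i]);
        int seen = 0;
        for (size_t j = 0; j < out && !seen; j++)
            seen = name_len(res[j]) == nl && strncmp(res[j], envp[i], nl) == 0;
        if (seen) continue;
        size_t len = strlen(envp[i]) + 1;
        res[out] = malloc(len);
        if (res[out]) memcpy(res[out++], envp[i], len);
    }
    return res;
}
```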



[SECURITY] [DSA 3500-1] openssl security update

2016-03-01 Thread Alessandro Ghedini

-------------------------------------------------------------------------
Debian Security Advisory DSA-3500-1                   secur...@debian.org
https://www.debian.org/security/                      Alessandro Ghedini
March 01, 2016                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: openssl
CVE ID : CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799

Several vulnerabilities were discovered in OpenSSL, a Secure Socket Layer
toolkit.

CVE-2016-0702

Yuval Yarom from the University of Adelaide and NICTA, Daniel Genkin
from Technion and Tel Aviv University, and Nadia Heninger from the
University of Pennsylvania discovered a side-channel attack which
makes use of cache-bank conflicts on the Intel Sandy-Bridge
microarchitecture. This could allow local attackers to recover RSA
private keys.

CVE-2016-0705

Adam Langley from Google discovered a double free bug when parsing
malformed DSA private keys. This could allow remote attackers to
cause a denial of service or memory corruption in applications
parsing DSA private keys received from untrusted sources.

CVE-2016-0797

Guido Vranken discovered an integer overflow in the BN_hex2bn and
BN_dec2bn functions that can lead to a NULL pointer dereference and
heap corruption. This could allow remote attackers to cause a denial
of service or memory corruption in applications processing hex or
dec data received from untrusted sources.

CVE-2016-0798

Emilia Käsper of the OpenSSL development team discovered a memory
leak in the SRP database lookup code. To mitigate the memory leak,
the seed handling in SRP_VBASE_get_by_user is now disabled even if
the user has configured a seed. Applications are advised to migrate
to the SRP_VBASE_get1_by_user function.

CVE-2016-0799

Guido Vranken discovered an integer overflow in the BIO_*printf
functions that could lead to an OOB read when printing very long
strings. Additionally the internal doapr_outch function can attempt
to write to an arbitrary memory location in the event of a memory
allocation failure. These issues will only occur on platforms where
sizeof(size_t) > sizeof(int) like many 64 bit systems. This could
allow remote attackers to cause a denial of service or memory
corruption in applications that pass large amounts of untrusted data
to the BIO_*printf functions.

Additionally the EXPORT and LOW ciphers were disabled since they could
be used as part of the DROWN (CVE-2016-0800) and SLOTH (CVE-2015-7575)
attacks, but note that the oldstable (wheezy) and stable (jessie)
distributions are not affected by those attacks since the SSLv2 protocol
has already been dropped in the openssl package version 1.0.0c-2.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.0.1e-2+deb7u20.

For the stable distribution (jessie), these problems have been fixed in
version 1.0.1k-3+deb8u4.

For the unstable distribution (sid), these problems will be fixed shortly.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



Executable installers are vulnerable^WEVIL (case 29): putty-0.66-installer.exe allows arbitrary (remote) code execution WITH escalation of privilege

2016-03-01 Thread Stefan Kanthak
Hi,

putty-0.66-installer.exe loads and executes DWMAPI.dll or
UXTheme.dll from its "application directory".


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
,

and  for
"prior art" about this well-known and well-documented vulnerability.


If an attacker places one of the above named DLLs in the user's
"Downloads" directory (for example per "drive-by download"
or "social engineering") this vulnerability becomes a remote
code execution.


Proof of concept/demonstration:
~~~

1. visit , download
   , save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   DWMAPI.dll;

2. download putty-0.66-installer.exe and save it in your
   "Downloads" directory;

3. execute putty-0.66-installer.exe from your "Downloads"
   directory;

4. notice the message boxes displayed from the DLLs placed in
   step 1.

PWNED!


See ,
 and
 plus
 and
 for details about
this well-known and well-documented BEGINNER'S error!  


stay tuned
Stefan Kanthak


Timeline:
~

2015-12-24    sent vulnerability report to author

              NO REPLY, not even an acknowledgement of receipt

2016-01-02    resent vulnerability report to author

              NO REPLY, not even an acknowledgement of receipt

2016-03-01    report published


[SYSS-2016-009] Sophos UTM 525 Web Application Firewall - Cross-Site Scripting in

2016-03-01 Thread adrian . vollmer

Advisory ID: SYSS-2016-009
Product: Sophos UTM 525 Full Guard 
Vendor: Sophos
Affected Version(s): 9.352-6, 94988 
Tested Version(s): 9.352-6, 94988 
Vulnerability Type: Cross-Site Scripting (CWE-79) 
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2016-02-03
Solution Date: 2016-02-17
Public Disclosure: 2016-03-01
CVE Reference: Not assigned
Author of Advisory: Dr. Adrian Vollmer (SySS GmbH)



Overview:

The Sophos UTM 525 is a hardware appliance which aims to provide several
protection mechanisms for users and servers in an enterprise environment.
One of its functions is a Web Application Firewall (WAF).

The software manufacturer describes the application as follows (see [1]):

Sophos UTM 525 is designed to provide protection for larger enterprises.
Based on high quality Intel-compatible server systems, including Intel
Multi-Core processor technology and redundant hard disks and power 
supplies, it provides optimal performance and reliability even for 
larger environments.



Vulnerability Details:

SySS GmbH identified a textbook Cross-Site Scripting vulnerability.

Inserting an HTML 'script' tag into the URL of a web site protected by
Sophos UTM 525 yields an error page which contains the 'script' tag
unfiltered. Executing malicious JavaScript code in the victim's browser 
is therefore straightforward.



Proof of Concept (PoC):

The following Unix command demonstrates the vulnerability.

$ curl 'https://[HOST]/%3Cscript%3Ealert("SySS%20XSS")%3C/script%3E'

Request blockedRequest blockedThe web
application firewall has blocked access to /alert("SySS
XSS") for the following reason:No signature
found

The unfiltered 'script' tag is visible in the HTML source of the response
and the contained JavaScript code will be executed in the victim's 
browser.



Solution:

Update the firmware to version 9.354 or later [4].



Disclosure Timeline:

2015-11-24: Vulnerability discovered
2016-02-03: Vulnerability reported to vendor
2016-02-17: Release of version 9.354
2016-03-01: Public release of security advisory



References:

[1] www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophosutm525dsna.pdf?la=en-us
[2] SySS GmbH, SYSS-2016-009
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/2016/SYSS-2016-009.txt
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] https://blogs.sophos.com/2016/02/17/utm-up2date-9-354-released/



Credits:

Security vulnerability found by Dr. Adrian Vollmer of SySS GmbH.

E-Mail: adrian.voll...@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Adrian_Vollmer.asc
Key ID: 0x037C9FE7
Key Fingerprint: 70CF E88C AEE7 DB0F 5DC8 3403 0E02 7C7E 037C 9FE7



Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of  this security advisory is available on the SySS Web
site.



Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


WordPress plugin GravityForms Cross-site Scripting vulnerability

2016-03-01 Thread Henri Salo

Product: WordPress plugin GravityForms
Product URL: http://www.gravityforms.com/
Vendor: Rocketgenius

Vulnerability Type: Reflected Cross-site Scripting (CWE-79)
Vulnerable Versions: 1.9.15.11 (other versions not tested)
Fixed Version: 1.9.16
Solution Status: Fixed by Vendor
Vendor Notification: 2016-01-21
Solution date: 2016-02-03
Public Disclosure: 2016-03-01

Vulnerability details:
--

The software does not neutralize or incorrectly neutralizes user-controllable
input before it is placed in output that is used as a web page that is served to
users.

Steps to reproduce:
---

1. Log in to WordPress administrator panel with "Administrator" role
2. Open URL below:

http://example.org/wp-admin/admin.php?page=gf_settings=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%0A

Solution:
-

Upgrade to 1.9.16 version.

References:
---

https://www.gravityhelp.com/gravity-forms-v1-9-16-released/

Notes:
--

Please note that the WordPress HTTP authentication cookie uses the HttpOnly
flag by default.

Timeline:
-

2016-01-21: Issue reported to vendor
2016-01-21: Vendor confirms the issue
2016-02-03: Vendor publishes new release
2016-02-29: CVE request
2016-03-01: MITRE responds that CVE request is out-of-scope of CVE's published 
priorities
2016-03-01: Public advisory

-- 
Henri Salo
Security Specialist, Nixu Oy
Mobile: +358 40 770 5733
PL 39 FIN (Keilaranta 15)
FIN-02151 Espoo, Finland
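Both reflected XSS reports on this page (the Sophos UTM WAF block page in SYSS-2016-009 and the GravityForms settings page) have the same root cause: a percent-decoded request component is written into HTML without entity encoding. The following is an added example in C, not code from either vendor or either advisory, showing the two steps a page that quotes a request path must take in order: decode, then escape the decoded result. `sample_path` is the PoC URL path from SYSS-2016-009; `url_decode` and `html_escape` are illustrative names.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the request path from the SYSS-2016-009 PoC, URL-encoded. */
static const char *sample_path = "/%3Cscript%3Ealert(\"SySS%20XSS\")%3C/script%3E";
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode a request path the way the WAF does before quoting it in
 * its error page. A malformed %xx sequence is kept literally. Returns a
 * malloc'd string, or NULL on allocation failure. */
char *url_decode(const char *s) {
    char *out = malloc(strlen(s) + 1), *o = out;
    if (!out) return NULL;
    for (; *s; s++) {
        int h, l;
        if (*s == '%' && (h = hexval(s[1])) >= 0 && (l = hexval(s[2])) >= 0) {
            *o++ = (char)(h * 16 + l);
            s += 2;                     /* consume the two hex digits */
        } else *o++ = *s;
    }
    *o = '\0';
    return out;
}

/* Entity-encode the characters that can break out of an HTML text node or
 * attribute, so the decoded path renders as text rather than as markup. */
char *html_escape(const char *s) {
    char *out = malloc(strlen(s) * 6 + 1), *o = out;   /* "&quot;" is 6 bytes */
    if (!out) return NULL;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(o, rep, n); o += n; }
        else *o++ = *s;
    }
    *o = '\0';
    return out;
}
```

Escaping before decoding would not help: the `%3C` would survive escaping untouched and then decode back to `<`, which is why the order matters.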