[SECURITY] [DSA 2843-1] graphviz security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-2843-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
January 13, 2014                       http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : graphviz
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2014-0978 CVE-2014-1236
Debian Bug     : 734745

Two buffer overflow vulnerabilities were reported in Graphviz, a rich
collection of graph drawing tools. The Common Vulnerabilities and Exposures
project identifies the following issues:

CVE-2014-0978

    It was discovered that user-supplied input used in the yyerror() function
    in lib/cgraph/scan.l is not bounds-checked before being copied into an
    insufficiently sized memory buffer. A context-dependent attacker could
    supply a specially crafted input file containing a long line to cause a
    stack-based buffer overflow, resulting in a denial of service
    (application crash) or potentially allowing the execution of arbitrary
    code.

CVE-2014-1236

    Sebastian Krahmer reported an overflow condition in the chkNum() function
    in lib/cgraph/scan.l that is triggered because the regular expression
    used accepts an arbitrarily long list of digits. With a specially crafted
    input file, a context-dependent attacker can cause a stack-based buffer
    overflow, resulting in a denial of service (application crash) or
    potentially allowing the execution of arbitrary code.

For the oldstable distribution (squeeze), these problems have been fixed in
version 2.26.3-5+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in
version 2.26.3-14+deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your graphviz packages.

Further information about Debian Security Advisories, how to apply these
updates to your system and frequently asked questions can be found at:
http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
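Both issues in this advisory share one pattern: a flex-generated lexer copies text whose length the input file controls into a fixed-size stack buffer. The following added example is not Graphviz code (the function names, buffer sizes and sample inputs are hypothetical); it shows the bounded form of the two operations, an error-message formatter in the role of yyerror() and a digit-run copy in the role of chkNum(), each of which truncates or rejects over-long input instead of writing past its buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer sizes, kept small so the limits are easy to see. */
#define ERRMSG_MAX 64   /* stack buffer for the formatted error message */
#define NUMBUF_MAX 16   /* stack buffer for a copied numeric token */

/* Bounded error reporter in the role of a lexer's yyerror(): the offending
 * token comes straight from the input line, so it is formatted with
 * snprintf() against the destination size instead of strcpy()/sprintf().
 * Over-long tokens are truncated, never written past the buffer.
 * Returns the number of bytes stored (excluding the NUL), or -1 on error. */
int format_lexer_error(char *out, size_t outsz, int line, const char *token)
{
    if (out == NULL || token == NULL || outsz == 0)
        return -1;
    int n = snprintf(out, outsz, "syntax error in line %d near '%s'", line, token);
    if (n < 0)
        return -1;
    /* snprintf() reports the length it wanted; clamp to what actually fit. */
    return (size_t)n >= outsz ? (int)(outsz - 1) : n;
}

/* Bounded numeric-token copy in the role of a lexer's chkNum(): a scanner
 * rule matching [0-9]+ can match an arbitrarily long run, so the run is
 * measured first and rejected if it would not fit in the destination.
 * Returns 1 if the token was copied, 0 if it was rejected. */
int copy_digit_token(const char *tok, char *out, size_t outsz)
{
    if (tok == NULL || out == NULL || outsz == 0)
        return 0;
    size_t n = strspn(tok, "0123456789");
    if (n == 0 || tok[n] != '\0')       /* empty, or not purely digits */
        return 0;
    if (n >= outsz)                     /* no room for the digits plus NUL */
        return 0;
    memcpy(out, tok, n);
    out[n] = '\0';
    return 1;
}

int main(void)
{
    char msg[ERRMSG_MAX], num[NUMBUF_MAX];
    /* Constructed inputs: a 300-byte token and a 40-digit number, both far
     * longer than the buffers above. */
    char longtok[301];
    memset(longtok, 'A', 300);
    longtok[300] = '\0';
    const char *longnum = "1234567890123456789012345678901234567890";

    int n = format_lexer_error(msg, sizeof msg, 7, longtok);
    printf("stored %d bytes, message truncated: %s\n", n, msg);
    printf("short number accepted: %d\n", copy_digit_token("42", num, sizeof num));
    printf("long number rejected:  %d\n", copy_digit_token(longnum, num, sizeof num) == 0);
    return 0;
}
```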
[security bulletin] HPSBUX02960 SSRT101419 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS)
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04084148

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04084148
Version: 1

HPSBUX02960 SSRT101419 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.

Release Date: 2014-01-13
Last Updated: 2014-01-13

Potential Security Impact: Remote Denial of Service (DoS), execution of
arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running NTP.
The vulnerability could be exploited remotely to create a Denial of Service
(DoS).

References: CVE-2013-5211 (SSRT101419)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 running NTP version 4.2.6.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-5211    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following workaround to temporarily resolve this
vulnerability. This bulletin will be revised when a General Release patch is
available.

MANUAL ACTIONS: Yes

To prevent the monlist DoS vulnerability, configure the following:

Verify the NTPv4 version. For example:

    /usr/sbin/ntpd --version
    ntpd 4.2.6p5
    ntpd 4.2.6 Revision 0.0 Tue Nov 5 14:21:22 UTC 2012

Modify the ntp.conf on your time server and add the following:

    # Block all control queries from external systems, allows time services
    restrict default noquery
    # Allow local queries
    restrict 127.0.0.1

Cycle the ntpd daemon:

    /sbin/init.d/ntpd stop
    /sbin/init.d/ntpd start

Verification of the workaround:

Test on the local time server using the ntpq -p command. Verify proper
operation with output similar to:

     remote           refid      st t when poll reach   delay   offset    disp
==============================================================================
*LOCAL(1)        .LOCL.           6 l   13   16  377    0.000    0.000   0.233

On a remote time client, execute ntpdc or xntpdc as follows:

    # ntpdc -c monlist server.name.with.restrict

A timeout error should occur:

    # xntpdc -c monlist xyz.hp.com
    xyz.hp.com: timed out, nothing received
    ***Request timed out
    #

HISTORY
Version:1 (rev.1) - 13 January 2014 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for incidental,
special or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or services; or
damages for loss of data, or software restoration. The information in this
document is subject to change without notice. Hewlett-Packard Company and the
names of Hewlett-Packard products referenced herein are trademarks of
Hewlett-Packard Company in the United States and other countries. Other
product and company names mentioned herein may be trademarks of their
respective owners.
[CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
Title: [CVE-2014-0647] Insecure Data Storage of User Data Elements in Starbucks v2.6.1 iOS mobile application
Published: January 13, 2014
Reported to Vendor: December 2013 (no direct response)
CVE Reference: CVE-2014-0647
Credit: This issue was discovered by Daniel E. Wood
        http://www.linkedin.com/in/danielewood

Product: Starbucks iOS mobile application
Version: 2.6.1 (May 02, 2013)
Vendor: Starbucks Coffee Company
URL: https://itunes.apple.com/us/app/starbucks/id331177714

Issue:
Username, email address, and password elements are being stored in clear-text
in the session.clslog Crashlytics log file.

Location:
/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog

Within session.clslog there are multiple instances of the storage of
clear-text credentials that can be recovered and leveraged for unauthorized
usage of a user's account on the malicious user's own device or online at
https://www.starbucks.com/account/signin. It contains the HTML of the mobile
application page that performs the account login or account reset.
session.clslog also contains the OAuth token (signed with HMAC-SHA1) and OAuth
signature for the user's account/device to the Starbucks service.

From session.clslog (markup reconstructed from the stripped excerpt):

    <div class="block_login">
    <form action="/OAuth/sign-in" class="siren" id="accountForm" method="post">
    <fieldset class="login_position">
    <legend><span class="group-header">I have a Starbucks account.</span></legend>
    [...snip...]
    <li>
      <label for="Account_UserName" class="Username"><span class='req'>*</span></label>
      <span class="x">
        <input class="field text medium" id="Account_UserName" maxlength="200"
               name="Account.UserName" tabindex="0" type="text" value="CLEARTEXT" />
      </span>
    </li>
    <li>
      <label for="Account_PassWord" class="Password"><span class='req'>*</span></label>
      <span class="x">
        <input class="field text medium" id="Account_PassWord" maxlength="200"
               name="Account.PassWord" tabindex="0" type="password" value="CLEARTEXT" />
      </span>
    </li>

    43440 $ -[AccountManager forgotPasswordEmail:withUserName:] line 1609 $ BODY STRING:[ {emailAddress:CLEARTEXT,userName:CLEARTEXT} ]

Note: All references of 'CLEARTEXT' above are the cleartext values of each
referenced string.

Mitigation:
To prevent sensitive user data (credentials) from being recovered by a
malicious user, output sanitization should be conducted to prevent these data
elements from being stored in the Crashlytics log files in clear-text, if at
all.

iOS Specific Best Practices (from OWASP Mobile Top 10 - M1 Insecure Data
Storage):

- Never store credentials on the phone file system. Force the user to
  authenticate using a standard web or API login scheme (over HTTPS) to the
  application upon each opening and ensure session timeouts are set at the
  bare minimum to meet the user experience requirements.
- Where storage or caching of information is necessary, consider using a
  standard iOS encryption library such as CommonCrypto.
- If the data is small, using the provided Apple keychain API is recommended,
  but once a phone is jailbroken or exploited the keychain can be easily read.
  This is in addition to the threat of a brute-force on the device's PIN,
  which as stated above is trivial in some cases.
- For databases consider using SQLCipher for SQLite data encryption.
- For items stored in the keychain leverage the most secure API designation,
  kSecAttrAccessibleWhenUnlocked (now the default in iOS 5), and for
  enterprise managed mobile devices ensure a strong PIN is forced:
  alphanumeric, longer than 4 characters.
- For larger or more general types of consumer-grade data, Apple's File
  Protection mechanism can safely be used (see NSData Class Reference for
  protection options).
- Avoid using NSUserDefaults to store sensitive pieces of information, as it
  stores data in plist files.
- Be aware that all data/entities using NSManagedObjects will be stored in an
  unencrypted database file.

References:
http://try.crashlytics.com/security/
https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/SecurityDevelopmentChecklists/SecurityDevelopmentChecklists.html#//apple_ref/doc/uid/TP40002415-CH1-SW1
https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet#Insecure_Data_Storage_.28M1.29
[slackware-security] php (SSA:2014-013-03)
[slackware-security]  php (SSA:2014-013-03)

New php packages are available for Slackware 14.0, 14.1, and -current to
fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/php-5.4.24-i486-1_slack14.1.txz:  Upgraded.
  The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before
  5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly
  parse (1) notBefore and (2) notAfter timestamps in X.509 certificates,
  which allows remote attackers to execute arbitrary code or cause a denial
  of service (memory corruption) via a crafted certificate that is not
  properly handled by the openssl_x509_parse function.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.4.24-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.4.24-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.4.24-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.4.24-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.4.24-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-5.4.24-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.0 package:
1c864df50286602ccb2d3efbabb9d7ec  php-5.4.24-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
cc0f365855b83708c82a84ea44a4ad21  php-5.4.24-x86_64-1_slack14.0.txz

Slackware 14.1 package:
1091912280ef2fbe271da2aa304dba36  php-5.4.24-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
22b91ef0428a15b3124c5b4fb911b1bc  php-5.4.24-x86_64-1_slack14.1.txz

Slackware -current package:
f306c21609d14c7380295d63054d8f46  n/php-5.4.24-i486-1.txz

Slackware x86_64 -current package:
3cb4ff4fdaba44aa5ed3a946adbe9c9f  n/php-5.4.24-x86_64-1.txz

Installation instructions:
+-------------------------+

Upgrade the package as root:
# upgradepkg php-5.4.24-i486-1_slack14.1.txz

Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
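The ChangeLog entry above concerns a certificate-time parser that trusts the layout of a string taken from an attacker-supplied certificate. The following added example is not PHP's code (the function and type names are hypothetical): it accepts only the two fixed-length ASN.1 time encodings X.509 uses, UTCTime (YYMMDDHHMMSSZ, 13 bytes) and GeneralizedTime (YYYYMMDDHHMMSSZ, 15 bytes), takes the length from the caller rather than from the bytes themselves, and rejects a short or otherwise malformed notBefore/notAfter value before reading any field.

```c
#include <ctype.h>
#include <stdio.h>

/* Broken-down time extracted from a notBefore/notAfter field. */
typedef struct {
    int year, mon, day, hour, min, sec;
} cert_time;

/* Read two ASCII digits at p into *out (caller guarantees both are in range).
 * Returns 0 on success, -1 if either byte is not a digit. */
static int two_digits(const char *p, int *out)
{
    if (!isdigit((unsigned char)p[0]) || !isdigit((unsigned char)p[1]))
        return -1;
    *out = (p[0] - '0') * 10 + (p[1] - '0');
    return 0;
}

/* Parse an ASN.1 UTCTime (13 bytes) or GeneralizedTime (15 bytes) value.
 * `len` is the ASN.1 string length supplied by the caller, never taken from
 * a NUL terminator, because a crafted certificate controls the bytes. Every
 * field is range-checked. Returns 0 on success, -1 if the value is rejected. */
int parse_cert_time(const char *s, size_t len, cert_time *t)
{
    size_t ydigits;
    int year = 0;
    if (s == NULL || t == NULL)
        return -1;
    if (len == 13)
        ydigits = 2;            /* UTCTime: YYMMDDHHMMSSZ */
    else if (len == 15)
        ydigits = 4;            /* GeneralizedTime: YYYYMMDDHHMMSSZ */
    else
        return -1;              /* truncated, padded or otherwise malformed */
    if (s[len - 1] != 'Z')      /* X.509 requires the UTC designator */
        return -1;
    for (size_t i = 0; i < ydigits; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;
        year = year * 10 + (s[i] - '0');
    }
    if (ydigits == 2)           /* RFC 5280: YY >= 50 means 19YY, else 20YY */
        year += (year >= 50) ? 1900 : 2000;
    const char *p = s + ydigits;    /* exactly ten digits and the 'Z' remain */
    if (two_digits(p, &t->mon) || two_digits(p + 2, &t->day) ||
        two_digits(p + 4, &t->hour) || two_digits(p + 6, &t->min) ||
        two_digits(p + 8, &t->sec))
        return -1;
    t->year = year;
    if (t->mon < 1 || t->mon > 12 || t->day < 1 || t->day > 31 ||
        t->hour > 23 || t->min > 59 || t->sec > 59)
        return -1;
    return 0;
}

int main(void)
{
    cert_time t;   /* constructed samples: a valid UTCTime, then a truncated one */
    int ok = parse_cert_time("140113000000Z", 13, &t);
    printf("valid value parsed: %d -> year %d\n", ok, t.year);
    printf("truncated value rejected: %d\n", parse_cert_time("1401", 4, &t));
    return 0;
}
```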
[slackware-security] samba (SSA:2014-013-04)
[slackware-security]  samba (SSA:2014-013-04)

New samba packages are available for Slackware 14.1, and -current to
fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/samba-4.1.4-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a heap-based buffer overflow that may allow AD domain
  controllers to execute arbitrary code via an invalid fragment length in
  a DCE-RPC packet.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4408
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/samba-4.1.4-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/samba-4.1.4-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/samba-4.1.4-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/samba-4.1.4-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 14.1 package:
4a8e846abd013a98fa4a4917796601fb  samba-4.1.4-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
85bf2b6a49192e1cbfa6100d3302924d  samba-4.1.4-x86_64-1_slack14.1.txz

Slackware -current package:
65352cf3d9e54d6a91952c0cd86e5b7b  n/samba-4.1.4-i486-1.txz

Slackware x86_64 -current package:
2e7f139938fba5a5ca8ae5a697311d81  n/samba-4.1.4-x86_64-1.txz

Installation instructions:
+-------------------------+

Upgrade the package as root:
# upgradepkg samba-4.1.4-i486-1_slack14.1.txz

Then, if Samba is running restart it:
# /etc/rc.d/rc.samba restart

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com
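The ChangeLog entry above attributes the overflow to an invalid fragment length in a DCE-RPC packet. The following added example is not Samba's code (names and the sample packets are hypothetical): it parses the 16-byte connection-oriented DCE-RPC common header from a received buffer and accepts the advertised frag_length only if it covers the header, fits within the bytes actually received, and leaves room for the advertised auth_length plus its 8-byte sec_trailer, which is the check a receiver needs before any later code indexes the fragment by those values.

```c
#include <stdint.h>
#include <stdio.h>

#define DCERPC_HDR_LEN      16  /* connection-oriented common header */
#define DCERPC_AUTH_TRAILER  8  /* sec_trailer that precedes auth_value */

typedef struct {
    uint8_t  ptype, pfc_flags;
    uint16_t frag_length, auth_length;
} dcerpc_hdr;

/* Integer fields follow the byte order announced in packed_drep[0]. */
static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse the common header from `buf` (`got` bytes actually received) and
 * validate the peer's length claims against what arrived, before anything
 * downstream indexes the fragment. Returns 0 if consistent, -1 to drop it. */
int dcerpc_check_fragment(const uint8_t *buf, size_t got, dcerpc_hdr *h)
{
    if (buf == NULL || h == NULL || got < DCERPC_HDR_LEN)
        return -1;                      /* cannot even read the header */
    if (buf[0] != 5 || buf[1] != 0)
        return -1;                      /* only CO RPC version 5.0 */
    int le = (buf[4] & 0x10) != 0;      /* drep[0] bit 4 set: little-endian */
    h->ptype       = buf[2];
    h->pfc_flags   = buf[3];
    h->frag_length = rd16(buf + 8, le);
    h->auth_length = rd16(buf + 10, le);

    if (h->frag_length < DCERPC_HDR_LEN)  /* shorter than its own header */
        return -1;
    if (h->frag_length > got)             /* claims bytes never received */
        return -1;
    if (h->auth_length != 0 &&
        (size_t)h->auth_length + DCERPC_AUTH_TRAILER > (size_t)(h->frag_length - DCERPC_HDR_LEN))
        return -1;                        /* auth trailer would overrun the fragment */
    return 0;
}

/* Constructed 24-byte little-endian request fragments (not captured traffic):
 * a consistent one, one claiming frag_length 0xFFFF, and one whose
 * auth_length cannot fit inside the fragment it announces. */
static const uint8_t sample_ok[24] =
    { 5, 0, 0, 3, 0x10, 0, 0, 0, 24, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_bad_len[24] =
    { 5, 0, 0, 3, 0x10, 0, 0, 0, 0xFF, 0xFF, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_bad_auth[24] =
    { 5, 0, 0, 3, 0x10, 0, 0, 0, 24, 0, 4, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    dcerpc_hdr h;
    printf("consistent fragment: %d\n", dcerpc_check_fragment(sample_ok, sizeof sample_ok, &h));
    printf("bad frag_length:     %d\n", dcerpc_check_fragment(sample_bad_len, sizeof sample_bad_len, &h));
    printf("bad auth_length:     %d\n", dcerpc_check_fragment(sample_bad_auth, sizeof sample_bad_auth, &h));
    return 0;
}
```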
[slackware-security] libXfont (SSA:2014-013-01)
[slackware-security]  libXfont (SSA:2014-013-01)

New libXfont packages are available for Slackware 13.0, 13.1, 13.37, 14.0,
14.1, and -current to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/libXfont-1.4.7-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a stack overflow when reading a BDF font file containing
  a longer than expected string, which could lead to crashes or privilege
  escalation.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6462
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/libXfont-1.4.7-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/libXfont-1.4.7-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/libXfont-1.4.7-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/libXfont-1.4.7-x86_64-1_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/libXfont-1.4.7-i486-1_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/libXfont-1.4.7-x86_64-1_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libXfont-1.4.7-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libXfont-1.4.7-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/libXfont-1.4.7-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/libXfont-1.4.7-x86_64-1_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/x/libXfont-1.4.7-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/x/libXfont-1.4.7-x86_64-1.txz

MD5 signatures:
+-------------+

Slackware 13.0 package:
7ee623794aef580b4bf7558d866fae65  libXfont-1.4.7-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
305b7cbe9b6d350c05161eacab99a80f  libXfont-1.4.7-x86_64-1_slack13.0.txz

Slackware 13.1 package:
e082bca2fd00409d91631bb7156863f9  libXfont-1.4.7-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
7c163c76b3fb28c4fa64331f9bf4027d  libXfont-1.4.7-x86_64-1_slack13.1.txz

Slackware 13.37 package:
fda77265598ffa01cb0cc89b6310d0d1  libXfont-1.4.7-i486-1_slack13.37.txz

Slackware x86_64 13.37 package:
815a61cd07e88234f39badf8572d25bc  libXfont-1.4.7-x86_64-1_slack13.37.txz

Slackware 14.0 package:
c7152f16dc5c93123d0850138e4ff9b8  libXfont-1.4.7-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
26e127a7546ac150b310f40738adfbec  libXfont-1.4.7-x86_64-1_slack14.0.txz

Slackware 14.1 package:
8c3209463d0715b1f0bec65de5f1866f  libXfont-1.4.7-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
449c00f274acdb484f9bef89c555930f  libXfont-1.4.7-x86_64-1_slack14.1.txz

Slackware -current package:
23559a0985e00a5852e59918d2d51379  x/libXfont-1.4.7-i486-1.txz

Slackware x86_64 -current package:
6399e8d10d536750c815000c3a0b3679  x/libXfont-1.4.7-x86_64-1.txz

Installation instructions:
+-------------------------+

Upgrade the package as root:
# upgradepkg libXfont-1.4.7-i486-1_slack14.1.txz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com