[security bulletin] HPSBMU03024 rev.2 - HP Insight Control Server Deployment on Linux and Windows running OpenSSL with System Management Homepage and Systems Insight Manager, Remote Disclosure of Info
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04267749 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04267749 Version: 2 HPSBMU03024 rev.2 - HP Insight Control Server Deployment on Linux and Windows running OpenSSL with System Management Homepage and Systems Insight Manager, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-04-30 Last Updated: 2014-05-02 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP System Management Homepage (SMH) running on Linux and Windows and HP Systems Insight Manager (SIM), components of HP Insight Control server deployment. This is the OpenSSL vulnerability known as Heartbleed which could be exploited remotely resulting in disclosure of information. Insight Control server deployment packages HP System Management Homepage (SMH) and HP Systems Insight Manager (SIM) and can deploy them through the below list of items. This bulletin will give you the information needed to update your HP Insight Control server deployment solution. Install HP Management Agents for Windows x86/x64 Install HP Management Agents for RHEL 5 x64 Install HP Management Agents for RHEL 6 x64 Install HP Management Agents for SLES 10 x64 Install HP Management Agents for SLES 11 x64 References: CVE-2014-0160 (SSRT101538) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Insight Control server deployment v7.1.2, v7.2.0, v7.2.1, v7.2.2 BACKGROUND CVSS 2.0 Base Metrics === Reference Base Vector Base Score CVE-2014-0160(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 === Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP is actively working to address this vulnerability for the impacted versions of HP Insight Control server deployment. This bulletin may be revised. It is recommended that customers take the following approaches depending on the version of HP Insight Control server deployment: To address the vulnerability in an initial installation of HP Insight Control server deployment v7.1.2, v7.2.0, v7.2.1, and v7.2.2 only follow steps 1 through Step 3 of the following procedure, before initiating an operating system deployment. To address the vulnerability in a previous installation of HP Insight Control server deployment v7.1.2, v7.2.0, v7.2.1, and v7.2.2 follow all steps in the following procedure. Delete the smhamd64-*.exe/smhx86-*.exe from Component Copy Location listed in the following table, row 1,2,3,4. Delete the affected hpsmh-7.*.rpm from Component Copy Location listed in the following table, row 5. In sequence, perform the steps from left to right in the following table. First, download components from Download Link; Second, rename the component as suggested in Rename to. Third, copy the component to the location suggested in Component Copy Location. Table Row Number Download Link Rename to Component Copy Location 1 http://www.hp.com/swpublishing/MTX-d1488fd987894bc4ab3fe0ef52 smhx86-cp023242.exe \\express\hpfeatures\hpagents-ws\components\Win2003 2 http://www.hp.com/swpublishing/MTX-4575754bbb614b58bf0ae1ac37 smhamd64-cp023243.exe \\express\hpfeatures\hpagents-ws\components\Win2003 3 http://www.hp.com/swpublishing/MTX-37075daeead2433cb41b59ae76 smhamd64-cp023341.exe \\express\hpfeatures\hpagents-ws\components\Win2008 4 http://www.hp.com/swpublishing/MTX-27e03b2f9cd24e77adc9dba94a smhx86-cp023340.exe \\express\hpfeatures\hpagents-ws\components\Win2008 5 http://www.hp.com/swpublishing/MTX-bfd3c0fb11184796b9428ced37 Do not rename the downloaded component for this step. \\express\hpfeatures\hpagents-sles11-x64\components \\express\hpfeatures\hpagents-sles10-x64\components \\express\hpfeatures\hpagents-rhel5-x64\components \\express\hpfeatures\hpagents-rhel6-x64\components Table 1 Initiate Install HP Management Agents for SLES 11 x64 on targets running SLES11 x64. Initiate Install HP Management Agents for SLES 10 x64 on targets running SLES10 x64. Initiate Install HP Management Agents for RHEL 6 x64 on targets running RHEL 6 x64. Initiate Install HP Management Agents for RHEL 5 x64 on targets running RHEL 5 x64. Initiate Install HP Management Agents for Windows x86/x64 on targets running Windows. Refer to the System Management Homepage security bulletin HPSBMU02998 for steps to take after SMH is updated to a version that is not impacted by Heartbleed, such as changing SMH passwords, and revoking SMH certificates if imported into HP Systems
[security bulletin] HPSBMU03033 rev.2 - HP Insight Control Software Components running OpenSSL, Remote Disclosure of Information
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04272892 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04272892 Version: 2 HPSBMU03033 rev.2 - HP Insight Control Software Components running OpenSSL, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-04-30 Last Updated: 2014-05-02 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Insight Control software components running OpenSSL. This is the OpenSSL vulnerability known as Heartbleed which could be exploited remotely resulting in disclosure of information. Note: additional information regarding the OpenSSL Heartbleed vulnerability concerning HP Servers products is available at the following HP Customer Notice: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_n a-c04239413 References: CVE-2014-0160, SSRT101550 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Insight Control impacted software component products and versions HP Systems Insight Manager v7.2, v7.2.1, v7.2.2, v7.3, and v7.3.1 bundled with the following software: HP Smart Update Manager (SUM) v6.0.0 through v6.3.0 HP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3, v7.3.1 for Linux and Windows WMI Mapper for HP Systems Insight Manager v7.2.1, v7.2.2, v7.3, and v7.3.1 HP Version Control Agent (VCA) v7.2.0, v7.2.1, v7.2.2, v7.3.0, and v7.3.1 for Windows HP Version Control Agent (VCA) v7.2.2, v7.3.0, and v7.3.1 for Linux HP Version Control Repository Manager (VCRM) v7.2.0, v7.2.1, v7.2.2, v7.3.0, and v7.3.1 for Windows HP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3, v7.3.1 for Linux and Windows HP Insight Control server deployment v7.1.2, v7.2.0, v7.2.1, and v7.2.2 HP Insight Control server migration v7.3 and v7.3.1 BACKGROUND CVSS 2.0 Base Metrics === Reference Base Vector Base Score CVE-2014-0160(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 === Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has addressed this vulnerability for the impacted HP Insight Control software components in the following HP Security Bulletins. HP Insight Control software components HP Security Bulletin Security Bulletin Location HP Systems Insight Manager (SIM) HPSBMU03022 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04263236 HP Smart Update Manager (SUM) HPSBMU02997 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04239375 HP System Management Homepage (SMH) HPSBMU02998 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04239372 WMI Mapper for HP Systems Insight Manager HPSBMU03013 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04260385 HP Version Control Agent (VCA) and Version Control Repository Manager (VCRM) on Linux and Windows HPSBMU03020 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04262472 HP Insight Control server deployment HPSBMU03024 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04267749 HP Insight Control server migration HPSBMU03029 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_ na-c04268240 HISTORY Version:1 (rev.1) - 30 April 2014 Initial release Version:2 (rev.2) - 2 May 2014 Added information for HP Insight Control server migration Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P =
[SECURITY] [DSA 2919-1] mysql-5.5 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2919-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso May 03, 2014 http://www.debian.org/security/faq - - Package: mysql-5.5 CVE ID : CVE-2014-0001 CVE-2014-0384 CVE-2014-2419 CVE-2014-2430 CVE-2014-2431 CVE-2014-2432 CVE-2014-2436 CVE-2014-2438 CVE-2014-2440 Debian Bug : 737596 744910 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.37. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-36.html http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-37.html http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html For the stable distribution (wheezy), these problems have been fixed in version 5.5.37-0+wheezy1. For the testing distribution (jessie), these problems have been fixed in version 5.5.37-1. For the unstable distribution (sid), these problems have been fixed in version 5.5.37-1. We recommend that you upgrade your mysql-5.5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJTZKMTAAoJEAVMuPMTQ89EEjwP/RnbHaJeN9D/0HcqRjDFsN/a 3I6WlLAebdW9jJDX5y+ynJ/dMPx9uzQcmACmzYGl8LNbUaqGiCyiBhpVI0jGXzql FaPR79uaKtqEOFZIpw0a+fwc7J85/Q7kid6201csAWvij02gEkw07ddQP4MbZlC/ Z87eosw070HwJqVYEkZTaK+9sae+U2LhfjaLaXsRdphn5SN0f0m8vAKUggEmuERI GxXLSEojDr0GeCwlUgKiu7jbizmNOOBfHWm/0tXhsGev9vkWVv2va9Zr0J5gcTM/ B2NcGSPkbGmDo0qaltL9R0YA0nbM85z1h4ABkT8ckEhT7i9MHXfc4n2OWcB1uV3G K/1iFWD61nHPfFqXfoYMDNEAuykJnxB2aNnAWZfo59Er0kUCO/8cPLfwaoL6IUzO h/8xEtcHKvH7Uqx9Hme23z4oDwYoUVfcQQd08alEsA6FVU4JEuGXxLFiJufcs2bj G2kcLXWQDYe+w+qyLYtTKu7iHDxXbyksIcQ7mdAf9kPzSvB1SROojbuWQBjp4UQ+ Qrw/n72EmJj3fgHkJU1VdAS4OtNfdZLSM9vooTmJrp7tjIuXhAzFimDy7nuNbcb4 TtRSnSwrJ0FWoxk94uwggPK5XIoPQ7d0u6ohBXGkhQp298gIDnx+fsHvsslRyQss o4v6AdSgotKNV/oYEuyb =g7vR -END PGP SIGNATURE-
[SECURITY] [DSA 2920-1] chromium-browser security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2920-1 secur...@debian.org http://www.debian.org/security/ Michael Gilbert May 03, 2014 http://www.debian.org/security/faq - - Package: chromium-browser CVE ID : CVE-2014-1730 CVE-2014-1731 CVE-2014-1732 CVE-2014-1733 CVE-2014-1734 CVE-2014-1735 CVE-2014-1736 Several vulnerabilities have been discovered in the chromium web browser. CVE-2014-1730 A type confusion issue was discovered in the v8 javascript library. CVE-2014-1731 John Butler discovered a type confusion issue in the WebKit/Blink document object model implementation. CVE-2014-1732 Khalil Zhani discovered a use-after-free issue in the speech recognition feature. CVE-2014-1733 Jed Davis discovered a way to bypass the seccomp-bpf sandbox. CVE-2014-1734 The Google Chrome development team discovered and fixed multiple issues with potential security impact. CVE-2014-1735 The Google Chrome development team discovered and fixed multiple issues in version 3.24.35.33 of the v8 javascript library. CVE-2014-1736 SkyLined discovered an integer overlflow issue in the v8 javascript library. For the stable distribution (wheezy), these problems have been fixed in version 34.0.1847.132-1~deb7u1. For the testing distribution (jessie), these problems will be fixed soon. For the unstable distribution (sid), these problems have been fixed in version 34.0.1847.132-1. We recommend that you upgrade your chromium-browser packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQQcBAEBCgAGBQJTZWJ6AAoJELjWss0C1vRzK+sgALIEDCn9Ud3owKNxdM6sglkB /yx9toTplWx2reGXn4qyfNPtxQMbS9AyIhcLEKMbIIrXaEY9CjB+JhfP6IC0RPCJ NLPd21uDo63LhiCkgtbNgftPcDK6NwaPy67Uui64zI/MkB6me4C3ECZB2nxmjNAO 0OJQMDQv217ei1w8QCIofouUbJU4Vq56mxpX7tEVUPJkgA6FE4aUNcrxKcKhdnxU WtUW49d1Q+6RcJjthugyWppzb9N+0ClxNpRADzMa5jgaiQxEBuRJewipiJhTQg5l XTB2o6V8G/+NWEqTJPe7t+QKwERE9yUp4pyiwMolttJffKm7ipgbDdIHTan/LYfu A5CQFT7cre7l4r90YtgAo/da/kwDs6whTAoiFb6hxhLLgarpsO5WjMFrCeGHZek1 weOMO6VbhLDaHJHKQOnIy2shhG850OX4twLznOnqZ2x3XcurhqjZEg8XaiFRQiPU p8d2Qy25XraAQ8fG71LKN7M5h6q8yWkofZFrVysNOSu7zeadZUfmO7OXE9vO4Gqu bA8P/1ihaH0+KcUJsd7yP0Lv+avtww++/4Ak1msUn95OiOynjuJ1e5VtEQFFyRDj fRWcJcG1ssKCIKB8lSuqVXcEyYDS5LpfRTcWJq/6Jutz+N5axWYlDBMZwq75CULR EkW6oUrZtq9dACLTBNtRqPF7ClBV6x42lgZ3nfKTly84/nS3tpsfQv8oKDRsckzm GsJPl/DKm/D73kJyZEqYChxiKE3i4WYmsjltcCXQi0PJzEqGnvFaWsAPISD3EEYz nIwpjBMXAYFyVwp16UcNj7uVjlf9ZQetY5dVEF//I3jjTUMWFadHQ0IYZaHpYRle ZC0fKv6xqGN5krE6ommWvAgkLlQdlupU+FT8abaXWyrnWTHTGi2bOFe0wlXzdUPh gp7zgaOehCI7CsMUxK8VeRXF19K4x1KfGUA+VVUsvXF5G5D6Ucowybi6ObTPqFDA LHDrIIL44cnPU4BqZ/KRfN/f0hfu1hHHD7TmonHbt7JeWIFqEWDvtDI4hx4kjaYc nHt1ZyK2YyGRZwJ8drhJi1+iYSRApx36nvIOZn6fa8rZDCqE1VObPOr6lyexuhge tnTDQta21hkXnyTEs/lYRbWK4K0KK4AXyWCtbiAJOe65/9eSd5Yq48dbfPBLUJSe XKFKhkTo0FNDLB2MsgVikTptvpiFG8dwoOrWqCBz9z23eAhFmVGM/vciNBLNyy2B QtSLd4+VSd/za51sldpN6ZFG4CTm6Z5NWGEnNxptHw5iE6cQHior+snS65HzbsQ5 ykJ5HqSGIsGLSkdeKC44XOfBUU9jU14llMOdf5OKx9vfmX/Hl3T0Z+jWwHpKpWk= =/B/T -END PGP SIGNATURE-
[SECURITY] [DSA 2921-1] xbuffy security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2921-1 secur...@debian.org http://www.debian.org/security/ Yves-Alexis Perez May 04, 2014 http://www.debian.org/security/faq - - Package: xbuffy CVE ID : CVE-2014-0469 Michael Niedermayer discovered a vulnerability in xbuffy, an utility for displaying message count in mailbox and newsgroup accounts. By sending carefully crafted messages to a mail or news account monitored by xbuffy, an attacker can trigger a stack-based buffer overflow, leading to xbuffy crash or even remote code execution. For the oldstable distribution (squeeze), this problem has been fixed in version 3.3.bl.3.dfsg-8+deb6u1. For the stable distribution (wheezy), this problem has been fixed in version 3.3.bl.3.dfsg-8+deb7u1. For the testing distribution (jessie), this problem has been fixed in version 3.3.bl.3.dfsg-9. For the unstable distribution (sid), this problem has been fixed in version 3.3.bl.3.dfsg-9. We recommend that you upgrade your xbuffy packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBCgAGBQJTZqtGAAoJEG3bU/KmdcClSCQH/jaytTnWyJpaBCj9RgsL2ulO 7elVLmvLwN2Tfo5hwmWzW1ibPTDaF+T19CPptimNmHx2wor0rDdNswfZFGqep4H0 TBBln9VdTrdlwkjMZwhlgceMIza+1/WlAWh/h1UFa+2Z5obyBIfDJ1mbgASsjISs qWz3mSxJfUXV6nmQys+5b8gmbjdcMYCHk63TWkLOZrtqbMm4jIFPw7zwkehmrddr PTyuKm8Dd+J2VSr3rnzfzVIDBxCBkU/np2Fh9ay6kpDXP2r1rGoYHoeHN50eKTPV lMVmqPnsXJWsZOr82p2s+xwbvDxsOCHsfxMSMDCGx7QmBPrVNbPukpFFWuv5w34= =Xx9R -END PGP SIGNATURE-
ESA-2014-028: EMC Cloud Tiering Appliance XML External Entity (XXE) and Information Disclosure Vulnerabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ESA-2014-028: EMC Cloud Tiering Appliance XML External Entity (XXE) and Information Disclosure Vulnerabilities EMC Identifier: ESA-2014-028 CVE Identifier: CVE-2014-0644, CVE-2014-0645 Severity Rating: CVSS v2 Base Score: See below for individual scores Affected products: EMC Cloud Tiering Appliance (CTA) 10 EMC Cloud Tiering Appliance (CTA) 10 SP1 EMC Cloud Tiering Appliance (CTA) 9.x EMC File Management Appliance (FMA) 7.x Summary: EMC CTA is vulnerable to XML External Entity (XXE) and information disclosure vulnerabilities that may allow a remote malicious user to compromise the affected system. Details: EMC CTA versions 10 and 10 SP1 are vulnerable to XXE attack (CVE-2014-0644) which may allow a remote unauthenticated user to access arbitrary files on the affected system with root privileges. The exploit code that exposes the password file has been made available to the public. This vulnerability does not affect CTA 9.x and FMA 7.x versions. CVSS 8.5 (AV:N/AC:L/Au:N/C:C/I:N/A:P) In addition, the default passwords for built-in accounts (root, super, admin) are stored using a weak DES-based hash (CVE-2014-0645). This issue does not affect passwords changed during installation/usage of the product and/or for newly added accounts. This issue affects all versions of CTA and FMA. CVSS 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C) Resolution: The below product version contain resolution to both these issues: CTA 10.0 SP1.1 EMC strongly recommends all CTA 10.0 and 10.0 SP1 customers upgrade to 10.0 SP1.1 at the earliest opportunity. EMC strongly recommends all CTA and FMA customers change the default password for all users namely SSH users root and super as well as GUI admin accounts. See CTA Getting Started Guide for information on how to change passwords. Link to remedies: Customers with CTA 10.0 and CTA 10.0 SP1 can download the 10.0 SP1.1 service pack from the following Support Zone links. Cloud Tiering Appliance: https://support.emc.com/downloads/6298_Cloud-Tiering-Appliance CTA/VE: https://support.emc.com/downloads/16781_Cloud-Tiering-Appliance-VE Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867. For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided as is without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. EMC Product Security Response Center security_al...@emc.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.13 (Cygwin) iEYEARECAAYFAlNnmJIACgkQtjd2rKp+ALzmkQCdEZ7gm4r35p8lecqlFre5NxF5 1rgAn2bifnVXCJd+Dk/1sQxW4hEWRTUr =uj3x -END PGP SIGNATURE-
[ANN] Struts 2.3.16.3 GA release available - security fix
The Apache Struts group is pleased to announce that Struts 2.3.16.3 is available as a General Availability release.The GA designation is our highest quality grade. Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time. This release includes important security fixes: - S2-022 - Extends excluded params to avoid manipulation of Struts' internals via CookieInterceptor * http://struts.apache.org/release/2.3.x/docs/s2-022.html All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.16.3 Struts 2.3.16.3 is available in a full distribution, or as separate library, source, example and documentation distributions, from the releases page. * http://struts.apache.org/download.cgi#struts23163 The release is also available from the central Maven repository under Group ID org.apache.struts. The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: * Java Servlet 2.4 and JavaServer Pages (JSP) 2.0 * Java 2 Standard Platform Edition (J2SE) 5 The release notes are available online at: * http://struts.apache.org/release/2.3.x/docs/version-notes-23163.html Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.appropriate, file a tracking ticket: * https://issues.apache.org/jira/browse/WW - The Apache Struts group. Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/
[SECURITY] [DSA 2923-1] openjdk-7 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2923-1 secur...@debian.org http://www.debian.org/security/Moritz Muehlenhoff May 05, 2014 http://www.debian.org/security/faq - - Package: openjdk-7 CVE ID : CVE-2013-6629 CVE-2013-6954 CVE-2014-0429 CVE-2014-0446 CVE-2014-0451 CVE-2014-0452 CVE-2014-0453 CVE-2014-0454 CVE-2014-0455 CVE-2014-0456 CVE-2014-0457 CVE-2014-0458 CVE-2014-0459 CVE-2014-0460 CVE-2014-0461 CVE-2014-1876 CVE-2014-2397 CVE-2014-2398 CVE-2014-2402 CVE-2014-2403 CVE-2014-2412 CVE-2014-2413 CVE-2014-2414 CVE-2014-2421 CVE-2014-2423 CVE-2014-2427 Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the execution of arbitrary code, breakouts of the Java sandbox, information disclosure or denial of service. For the stable distribution (wheezy), these problems have been fixed in version 7u55-2.4.7-1~deb7u1. For the unstable distribution (sid), these problems have been fixed in version 7u55-2.4.7-1. We recommend that you upgrade your openjdk-7 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBAgAGBQJTZ6HoAAoJEBDCk7bDfE42AMQP/1QnMmcQoIS6ZsHtqnXgrPPx fbHlqCZZ2silTQbq8QGtkW3mUFJxOjQ4CykpBeY9Yxk+7O4H8A2vWDJpptGsCu2v oQ/8G4By2OxfoDt5Oc7WWpO9gb2sjMmohjwwv56fUk+jvnPAYL7nA4Z80HqPRJk2 8zTJCM6SD5QzalVpcYFiQOvs0H/Tgy3Qx3lXalAdsUPL8cpdq8adT58cYZPn/qRi 9PgyF3LrteUNobYNhyruUGuQjNjVpuyGcDNlBhzeAEx2/psBBtSOkAbS2M7s5JPC iyLZe6Rnlg1MD2/Txt7nNbRKurJA50/mIjPzApSHcbmMzDgMm8pORuJ3NLxU1yi/ QxYgjvnHOTssspdFOgX5RSnTcXurNLzYli/UsmjcpXNNt4cVufoUl431QhndOMrJ ywvF/9kjgQ4t75gTDPM3HVlc/h9DLl009Tx9YHLXUoUu0wQL+GG9n39sHkxcRvOa Y47oIbYsapuH1Z6QG9tUuCXNaAhowT0Wl/1vvtEbxbzI2SBEijDAMDD7WQlJcim4 MdDi7eS+x8RGx30Pbf9QnediK+jAjFxUw1jhBSzva/RNTdode0GOsMiEvZHQ8tOk rXDMYX2dtJs0miLXVJ5DD1JYwZNPSUSFmiheMOw5YOQDU6+PMPf7ISNOYbhkNjNK sSXL8ac4JI3rYYHpkht5 =AfXK -END PGP SIGNATURE-
[SECURITY] [DSA 2922-1] strongswan security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-2922-1 secur...@debian.org http://www.debian.org/security/ Yves-Alexis Perez May 05, 2014 http://www.debian.org/security/faq - - Package: strongswan CVE ID : CVE-2014-2891 A vulnerability has been found in the ASN.1 parser of strongSwan, an IKE/IPsec suite used to establish IPsec protected links. By sending a crafted ID_DER_ASN1_DN ID payload to a vulnerable pluto or charon daemon, a malicious remote user can provoke a null pointer dereference in the daemon parsing the identity, leading to a crash and a denial of service. For the oldstable distribution (squeeze), this problem has been fixed in version 4.4.1-5.6. For the stable distribution (wheezy), this problem has been fixed in version 4.5.2-1.5+deb7u4. For the testing distribution (jessie), this problem has been fixed in version 5.1.2-1. For the unstable distribution (sid), this problem has been fixed in version 5.1.2-1. We recommend that you upgrade your strongswan packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBCgAGBQJTZ4o6AAoJEG3bU/KmdcClhi4H/3aeU8f6G2KfkCCKJuHsxHOQ ENJqoQzL6VoUmnJX5mfVU/sIfMSjVPILwqEceQmaPemobsoAciRHHYX8xrnveqmf LvhfNQFN3M+zxDpyBKp8qJtUW39t3HgrcqWkMJ/476C1tokdkUHO/kfBEYxHgTj3 IoZuTcLbIMVjDSgdMPszEA5FPoBGNPLsHfhEKDX7WRs3lPYGXS94INddugelau2V qj3iFuhvWDGIBA7+ByEhW9xo0z9kzuDNh94ra6CZjOgMqu1BrVc1HB8uxHRoXfaw noHjRcZE/iPiSMDXjcTjsQRqvyjopZFFesN5a0fyKKr/f13E5jzykuVC+iNOk20= =dy69 -END PGP SIGNATURE-
[SECURITY] [DSA 2924-1] icedove security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-2924-1 secur...@debian.org http://www.debian.org/security/Moritz Muehlenhoff May 05, 2014 http://www.debian.org/security/faq - - Package: icedove CVE ID : CVE-2014-1518 CVE-2014-1523 CVE-2014-1524 CVE-2014-1529 CVE-2014-1530 CVE-2014-1531 CVE-2014-1532 Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: Multiple memory safety errors, buffer overflows, missing permission checks, out of bound reads, use-after-frees and other implementation errors may lead to the execution of arbitrary code, privilege escalation, cross-site scripting or denial of service. For the stable distribution (wheezy), these problems have been fixed in version 24.5.0-1~deb7u1. For the testing distribution (jessie), these problems have been fixed in version 24.5.0-1. For the unstable distribution (sid), these problems have been fixed in version 24.5.0-1. We recommend that you upgrade your icedove packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBAgAGBQJTZ6LhAAoJEBDCk7bDfE42HggP/jnOA7wjnvul1m2kWEmhoRny ZU9NT8SCLytyiwjA6eMUZgjVm2IWcmRAdg8A4volIzrb1SS7Ublkv+F54vDKWDfh YUIrNjn4bRAmwoFND/gdjs4TJk8SAlI7kp61zRyID3q4DadOV7MFi+4SrBEKuXqc jY8ekynkdKQ4+ssBHB7/XVrqQJX2o7T+RaVctPeYFjHibwUSRsjDWgC2qb3wS6UP ib85DrbJ7Roq6PJbSdM9A0YuAYcSdLw24worF/jAgu7pu2b4/CNP/y/LIj7LU+Yg FL2PcuIJ1jVWQ1uOVzMR/YiL7DCNYJDHKpQNhpzWnEkeCMxJNrUm79zLTpiormdh xriZqVZhO0bNwjUb+/KdRrCqx9VRSPfSD1jQ67RtFIFlVBBIIvfiF8OrD0Ok/uC6 tNgVSxbbjBv1JE99P2+hJJBt+Pz+uQb4yLP5zAFfWBF/M7hBybGtpR0RXfEh7Bn2 u5kwH4UiCm6JKGNUBLo55V8KEsX7KGTydmUc/+ZxZQWvdp3D5M+U8mPC6G+HRamv NBkbZOceCWG42SMnptQog9dle1k7qWqoaxe/wlqX8RtMDCfbh8Y+2nyZtI6ga4Q8 gC+5Z6aiViO9HOhLDZzSsXd3GqbNtNjvOF9RExFI1B/Pvzwmjt9xvhoLT7tP0dUH EF77TJoblOXj6YOA5iWd =BY66 -END PGP SIGNATURE-
[security bulletin] HPSBGN03010 rev.4 - HP Software Server Automation running OpenSSL, Remote Disclosure of Information
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04250814 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04250814 Version: 4 HPSBGN03010 rev.4 - HP Software Server Automation running OpenSSL, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-04-17 Last Updated: 2014-05-05 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified in HP Sotware Server Automation running OpenSSL. OpenSSL is a 3rd party product that is embedded with some of HP Software products. This bulletin objective is to notify HP Software customers about products affected by the Heartbleed vulnerability. NOTE: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found in the OpenSSL cryptographic software library. This weakness potentially allows disclosure of information that is normally protected by the SSL/TLS protocol. The impacted products in the list below are vulnerable due to embedding OpenSSL standard release software. References: CVE-2014-0160 (SSRT101517) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Server Automation, 10.00, 10.01 BACKGROUND CVSS 2.0 Base Metrics === Reference Base Vector Base Score CVE-2014-0160(AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 === Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has released the following software update to resolve the vulnerability: http://support.openview.hp.com/selfsolve/document/LID/SRVA_00174 It is also recommended to read the following security guidelines for remediation before applying the patch. These can be downloaded from the following link: http://support.openview.hp.com/selfsolve/document/KM00843314/binary/SA_Alert_ Heartbleed_Vulnerability.pdf HP recommends completing the following action items after applying the patch: Revocation of the old key pairs that were just superseded Changing potentially affected passwords Invalidating all session keys and cookies Bulletin Applicability: This bulletin applies to each OpenSSL component that is embedded within the HP products listed in the security bulletin. The bulletin does not apply to any other 3rd party application (e.g. operating system, web server, or application server) that may be required to be installed by the customer according instructions in the product install guide. To learn more about HP Software Incident Response, please visit http://www8.hp.com/us/en/software-so lutions/enterprise-software-security-center/response-center.html . Software updates are available from HP Software Support Online at http://support.openview.hp.com/downloads.jsp HISTORY Version:1 (rev.1) - 17 April 2014 Initial release Version:2 (rev.2) - 25 April 2014 Added link to patch Version:3 (rev.3) - 30 April 2014 Removed direct link to patch. Please contact HP Technical Support for patch assistance. Version:4 (rev.4) - 5 May 2014 Patch available for customer self service download Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any kind. To the extent permitted by law, neither HP or its