[security bulletin] HPSBMU03065 rev.1 - HP Operations Analytics, OpenSSL Vulnerability, SSL/TLS, Remote Code Execution, Denial of Service (DoS), Disclosure of Information
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04363613

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04363613
Version: 1

HPSBMU03065 rev.1 - HP Operations Analytics, OpenSSL Vulnerability, SSL/TLS, Remote Code Execution, Denial of Service (DoS), Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2014-07-08
Last Updated: 2014-07-08

Potential Security Impact: Remote code execution, denial of service (DoS), disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with HP Operations Analytics. The vulnerability could be exploited to allow remote code execution, denial of service (DoS) and disclosure of information.

This OpenSSL vulnerability was detected in specific OpenSSL versions. OpenSSL is a 3rd party product that is embedded with some HP Software products. This bulletin notifies HP Software customers about products affected by the OpenSSL vulnerabilities.

Note: OpenSSL vulnerabilities are vulnerabilities found in the OpenSSL cryptographic software library. This weakness potentially allows a Man in the Middle (MITM) attack in which the attacker can decrypt and modify traffic between the attacked client and server. The impacted products listed below are vulnerable because they embed the standard OpenSSL release software.

References:

CVE-2014-0195 Remote Unauthorized Access
CVE-2014-0221 Remote Denial of Service (DoS)
CVE-2014-0224 Remote Unauthorized Access or Disclosure of Information
CVE-2014-3470 Remote Code Execution or Unauthorized Access
SSRT101630

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Operations Analytics v2.0, v2.1

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference      Base Vector                    Base Score
CVE-2014-0195  (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
CVE-2014-0221  (AV:N/AC:M/Au:N/C:N/I:N/A:P)       4.3
CVE-2014-0224  (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
CVE-2014-3470  (AV:N/AC:M/Au:N/C:N/I:N/A:P)       4.3
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided the following guideline for HP Operations Analytics to resolve these vulnerabilities.

Guideline: http://support.openview.hp.com/selfsolve/document/KM01020441

HISTORY
Version:1 (rev.1) - 8 July 2014 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
[SECURITY] [DSA 2974-1] php5 security update
Debian Security Advisory DSA-2974-1                   secur...@debian.org
http://www.debian.org/security/                        Salvatore Bonaccorso
July 08, 2014                                          http://www.debian.org/security/faq

Package        : php5
CVE ID         : CVE-2014-0207 CVE-2014-3478 CVE-2014-3479 CVE-2014-3480 CVE-2014-3487 CVE-2014-3515 CVE-2014-4721

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2014-0207
    Francisco Alonso of the Red Hat Security Response Team reported an incorrect boundary check in the cdf_read_short_sector() function.

CVE-2014-3478
    Francisco Alonso of the Red Hat Security Response Team discovered a flaw in the way the truncated pascal string size in the mconvert() function is computed.

CVE-2014-3479
    Francisco Alonso of the Red Hat Security Response Team reported an incorrect boundary check in the cdf_check_stream_offset() function.

CVE-2014-3480
    Francisco Alonso of the Red Hat Security Response Team reported an insufficient boundary check in the cdf_count_chain() function.

CVE-2014-3487
    Francisco Alonso of the Red Hat Security Response Team discovered an incorrect boundary check in the cdf_read_property_info() function.

CVE-2014-3515
    Stefan Esser discovered that the ArrayObject and the SPLObjectStorage unserialize() handler do not verify the type of unserialized data before using it. A remote attacker could use this flaw to execute arbitrary code.

CVE-2014-4721
    Stefan Esser discovered a type confusion issue affecting phpinfo(), which might allow an attacker to obtain sensitive information from process memory.

For the stable distribution (wheezy), these problems have been fixed in version 5.4.4-14+deb7u12. In addition, this update contains several bugfixes originally targeted for the upcoming Wheezy point release.

For the testing distribution (jessie), these problems have been fixed in version 5.6.0~rc2+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in version 5.6.0~rc2+dfsg-1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
FreeBSD Security Advisory FreeBSD-SA-14:17.kmem
FreeBSD-SA-14:17.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in control messages and SCTP notifications

Category:       core
Module:         kern, sctp
Announced:      2014-07-08
Credits:        Michael Tuexen
Affects:        All supported versions of FreeBSD.
Corrected:      2014-07-08 21:54:50 UTC (stable/10, 10.0-STABLE)
                2014-07-08 21:55:27 UTC (releng/10.0, 10.0-RELEASE-p7)
                2014-07-08 21:54:50 UTC (stable/9, 9.3-PRERELEASE)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC3-p1)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC2-p1)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC1-p2)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-BETA3-p2)
                2014-07-08 21:55:27 UTC (releng/9.2, 9.2-RELEASE-p10)
                2014-07-08 21:55:27 UTC (releng/9.1, 9.1-RELEASE-p17)
                2014-07-08 21:54:50 UTC (stable/8, 8.4-STABLE)
                2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)
CVE Name:       CVE-2014-3952, CVE-2014-3953

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The control message API is used to construct ancillary data objects for use in control messages sent and received across sockets and passed via the recvmsg(2) and sendmsg(2) system calls.

II.  Problem Description

The buffer between the control message header and its data may not be completely initialized before being copied to userland. [CVE-2014-3952]

Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit padding that may not be completely initialized before being copied to userland. In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the returned data structure that may not be completely initialized before being copied to userland. [CVE-2014-3953]

III. Impact

An unprivileged local process may be able to retrieve a portion of kernel memory.

For the generic control message, the process may be able to retrieve a maximum of 4 bytes of kernel memory. For SCTP, the process may be able to retrieve 2 bytes of kernel memory for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the local process is permitted to receive SCTP notifications, a maximum of 112 bytes of kernel memory may be returned to userland.

This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch.asc
# gpg --verify kmem.patch.asc

[FreeBSD 8.4, 9.2 and 9.3-RC]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch.asc
# gpg --verify kmem-89.patch.asc

[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch.asc
# gpg --verify kmem-9.1.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in URL:http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r268432
releng/8.4/                                                       r268435
stable/9/                                                         r268432
releng/9.1/
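The two leak patterns of section II, modelled in user space as an added example (this is not FreeBSD's kernel code or its patch): a cmsghdr-shaped header with the 4-byte alignment gap the advisory describes, and a notification structure with implicit padding, each built the vulnerable way and the fixed way. The struct layouts, field names and the 0xA5 stale-byte pattern are assumptions made for the example; the two count functions return how many never-written bytes would have reached userland.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Byte pattern standing in for whatever the kernel allocator left behind. */
#define STALE_BYTE 0xA5

/* Case 1: the header-to-data gap of a control message (CVE-2014-3952).
 * FreeBSD's struct cmsghdr is 12 bytes (a socklen_t and two ints) and the
 * cmsg data begins on an 8-byte boundary, so 4 bytes sit between the two.
 * This model struct is an assumption that reproduces that layout. */
struct model_cmsghdr {
    uint32_t cmsg_len;
    int32_t  cmsg_level;
    int32_t  cmsg_type;
};

#define ALIGN8(n)  ((((size_t)(n)) + 7) & ~(size_t)7)
#define HDR_SPACE  ALIGN8(sizeof(struct model_cmsghdr))   /* 16 bytes */

/* Writes header and payload into buf.  With zero_first == 0 this mirrors the
 * vulnerable path: the alignment gap between header and data is never written
 * and keeps whatever the buffer already held.  With zero_first == 1 the whole
 * aligned region is cleared before use, which is the fix.  Returns the size of
 * the message, or 0 when buf is too small. */
static size_t build_cmsg(unsigned char *buf, size_t bufsz, const void *payload,
                         uint32_t payload_len, int zero_first)
{
    size_t total = HDR_SPACE + ALIGN8(payload_len);
    if (bufsz < total)
        return 0;
    memset(buf, STALE_BYTE, total);        /* simulate a stale allocation */
    if (zero_first)
        memset(buf, 0, total);             /* the fix: no stale byte survives */
    struct model_cmsghdr hdr = { (uint32_t)(HDR_SPACE + payload_len), 0, 0 };
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + HDR_SPACE, payload, payload_len);
    return total;
}

/* Builds a 4-byte message and counts gap bytes that still carry the stale
 * pattern: each one would reach the recvmsg(2) caller as kernel memory. */
static size_t cmsg_gap_leak(int zero_first)
{
    unsigned char buf[64];
    const unsigned char payload[4] = { 1, 2, 3, 4 };   /* constructed sample */
    size_t stale = 0;
    if (build_cmsg(buf, sizeof buf, payload, sizeof payload, zero_first) == 0)
        return (size_t)-1;
    for (size_t i = sizeof(struct model_cmsghdr); i < HDR_SPACE; i++)
        if (buf[i] == STALE_BYTE)
            stale++;
    return stale;
}

/* Case 2: implicit padding inside a notification structure (CVE-2014-3953).
 * Assumed layout; with natural alignment the compiler inserts 2 bytes after
 * `type` and 3 bytes after `flags`, none of which a field assignment touches. */
struct model_notification {
    uint16_t type;
    uint32_t length;
    uint8_t  flags;
    uint32_t assoc_id;
};

/* True when byte offset i of struct model_notification belongs to no field. */
static int is_padding_byte(size_t i)
{
#define COVERS(f) (i >= offsetof(struct model_notification, f) && \
                   i <  offsetof(struct model_notification, f) + \
                        sizeof(((struct model_notification *)0)->f))
    return !(COVERS(type) || COVERS(length) || COVERS(flags) || COVERS(assoc_id));
#undef COVERS
}

/* Fills the structure field by field on top of stale memory (the vulnerable
 * pattern) or clears it first (the fix) and returns how many padding bytes
 * would still leak when the structure is copied out to userland. */
static size_t notification_padding_leak(int zero_first)
{
    struct model_notification n;
    const unsigned char *bytes = (const unsigned char *)&n;
    size_t stale = 0;

    memset(&n, STALE_BYTE, sizeof n);      /* simulate a stale allocation */
    if (zero_first)
        memset(&n, 0, sizeof n);           /* the fix */
    n.type = 1;                            /* field values are constructed */
    n.length = (uint32_t)sizeof n;
    n.flags = 0;
    n.assoc_id = 42;

    for (size_t i = 0; i < sizeof n; i++)
        if (is_padding_byte(i) && bytes[i] == STALE_BYTE)
            stale++;
    return stale;
}
```

The unfixed builders leak exactly the 4 gap bytes the advisory quotes for a generic control message and the 5 padding bytes of the model structure; clearing the whole region before filling it brings both counts to zero.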
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Unified Communications Domain Manager
Multiple Vulnerabilities in Cisco Unified Communications Domain Manager

Advisory ID: cisco-sa-20140702-cucdm
Revision 2.0
Last Updated 2014 July 8 21:14 UTC (GMT)
For Public Release 2014 July 2 16:00 UTC (GMT)

Summary
=======

Cisco Unified Communications Domain Manager (Cisco Unified CDM) is affected by the following vulnerabilities:

    Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability
    Cisco Unified Communications Domain Manager Default SSH Key Vulnerability
    Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability

Successful exploitation of the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability or of the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability may allow an attacker to execute arbitrary commands or obtain privileged access to the affected system.

Successful exploitation of the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may allow an attacker to access and modify BVSMWeb portal user information such as settings in the personal phone directory, speed dials, Single Number Reach, and call forward settings.

Cisco has released free software updates that address the Cisco Unified Communications Domain Manager Privilege Escalation Vulnerability and the Cisco Unified Communications Domain Manager Default SSH Key Vulnerability. Cisco will provide a free software update for the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability as soon as the fix is available.

Workarounds that mitigate these vulnerabilities are not available. Customers that are concerned about the Cisco Unified Communications Domain Manager BVSMWeb Unauthorized Data Manipulation Vulnerability may apply the mitigation detailed in the Workarounds section of this advisory.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140702-cucdm
CVE-2014-4331 OctavoCMS reflected XSS vulnerability
This proprietary content management software is vulnerable to reflected XSS in the file admin/viewer.php, src parameter. The current release on their demo site is vulnerable, as are a few other sites I could find.

PoC: http://demo.octavocms.com/admin/viewer.php?src=%22%3E%3C/img%3E%3Ch2%3EThis%20is%20a%20test%3C/h2%3E%3Cscript%3Ealert(123)%3C/script%3E%3C!--%22

On the 9th of June I contacted the guys at OctavoCMS and eMB Group but they have not replied yet. At the moment of this writing the on-line demo is still vulnerable.
Android NFC Service Denial of Service
Android NFC Service Denial of Service

-- I. Summary

NFC Service is a process of the Android OS that provides access to NFC functionality, allowing applications to read NDEF messages from NFC tags. A flaw has been found in the NFC Service implementation in Android OS before 4.4. When a Bluetooth pairing tag written with a crafted message is touched by a phone running Android OS before 4.4, it causes a denial of service of the NFC service.

-- II. Description

Following the NFC Bluetooth Simple Pairing Message Specification (NFC Forum), construct a message whose Length field for the Local Name is set to 0 or to a value with the high bit set (0b1XXXXXXX, where X is any bit). Then write the crafted message to an NFC tag. When the tag is touched with a smartphone running Android OS before 4.4, NFC Service crashes. The reason is that the NFC stack does not handle a zero or negative length correctly (com.android.nfc.handover.HandoverManager.parseBtOob / com.android.nfc.handover.HandoverManager.parse).

Here are two crafted messages; the bracketed byte is the Local Name length.

Eg.1 zero value

DA 20 1C 01 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 62 6C 75 65 74 6F 6F 74 68 2E 65 70 2E 6F 6F 62 30 1C 00 5C 5C 5C 5C 5C 5C [00] 09 41 6E 64 72 6F 69 64 04 0D 0C 02 40 05 03 1E 11 0B 11

Eg.2 negative value

DA 20 1C 01 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76 6E 64 2E 62 6C 75 65 74 6F 6F 74 68 2E 65 70 2E 6F 6F 62 30 1C 00 5C 5C 5C 5C 5C 5C [80] 09 41 6E 64 72 6F 69 64 04 0D 0C 02 40 05 03 1E 11 0B 11

-- III. Impact

This bug causes a DoS of the NFC service; NFC functionality returns to normal only after the NFC Service restarts automatically.

-- IV. Affected

Android OS before 4.4. Other customized OSes based on Android may also be affected by this bug, such as MIUI before 5.30.

-- V. Solution

Correct the Bluetooth pairing message parsing code so that zero and negative Local Name lengths are handled safely.
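A bounds-checked parser for the Bluetooth OOB payload, added here as an example (it is neither the Android code named above nor anything from the advisory): it reads the length byte as an unsigned value and checks it against the bytes that remain before reading through it, which is the check the crashing parser lacked. It is run over the OOB payloads of the two crafted records above and over a well-formed variant constructed here; the field names, the status codes and the Class of Device decoding are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EIR data types referenced below (Bluetooth assigned numbers). */
#define EIR_COMPLETE_LOCAL_NAME 0x09
#define EIR_CLASS_OF_DEVICE     0x0D
#define MAX_NAME_LEN            32

enum oob_status {
    OOB_OK = 0,
    OOB_TRUNCATED,      /* fewer bytes than the fixed header needs */
    OOB_BAD_LENGTH,     /* OOB length field inconsistent with the data */
    OOB_EIR_OVERRUN     /* an EIR structure claims bytes past the end */
};

struct bt_oob {
    uint8_t  bd_addr[6];
    char     local_name[MAX_NAME_LEN];
    uint32_t class_of_device;
    int      eir_count;     /* EIR structures accepted */
};

/* Parses the payload of an application/vnd.bluetooth.ep.oob record:
 *   u16 LE oob_len (counts itself) | 6-byte BD_ADDR | EIR structures
 * where each EIR structure is  u8 len | u8 type | (len - 1) data bytes.
 * The length byte is handled as an unsigned value and checked against the
 * bytes that remain before anything is read through it. */
static enum oob_status parse_bt_oob(const uint8_t *p, size_t n,
                                    struct bt_oob *out)
{
    memset(out, 0, sizeof *out);
    if (n < 8)
        return OOB_TRUNCATED;
    size_t oob_len = p[0] | ((size_t)p[1] << 8);
    if (oob_len < 8 || oob_len > n)
        return OOB_BAD_LENGTH;
    memcpy(out->bd_addr, p + 2, 6);

    size_t i = 8;
    while (i < oob_len) {
        size_t len = p[i];               /* 0x80 is 128 here, never -128 */
        if (len == 0)                    /* no type byte follows: end of list */
            break;
        if (i + 1 + len > oob_len)       /* claims more bytes than are present */
            return OOB_EIR_OVERRUN;
        uint8_t type = p[i + 1];
        const uint8_t *data = p + i + 2;
        size_t dlen = len - 1;

        switch (type) {
        case EIR_COMPLETE_LOCAL_NAME: {
            size_t cap = (size_t)(MAX_NAME_LEN - 1);
            size_t c = dlen < cap ? dlen : cap;
            memcpy(out->local_name, data, c);    /* truncate, never overrun */
            out->local_name[c] = '\0';
            break;
        }
        case EIR_CLASS_OF_DEVICE:
            if (dlen == 3)                       /* 24-bit little-endian value */
                out->class_of_device = (uint32_t)data[0] | ((uint32_t)data[1] << 8)
                                     | ((uint32_t)data[2] << 16);
            break;
        default:
            break;                               /* stepped over by length */
        }
        out->eir_count++;
        i += 1 + len;
    }
    return OOB_OK;
}

/* OOB payloads of the advisory's two crafted records (NDEF header, MIME type
 * and record ID stripped); byte 8 is the Local Name length. */
static const uint8_t OOB_ZERO_LEN[] = {
    0x1C, 0x00, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
    0x00, 0x09, 0x41, 0x6E, 0x64, 0x72, 0x6F, 0x69, 0x64,
    0x04, 0x0D, 0x0C, 0x02, 0x40, 0x05, 0x03, 0x1E, 0x11, 0x0B, 0x11 };
static const uint8_t OOB_HIGH_BIT_LEN[] = {
    0x1C, 0x00, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
    0x80, 0x09, 0x41, 0x6E, 0x64, 0x72, 0x6F, 0x69, 0x64,
    0x04, 0x0D, 0x0C, 0x02, 0x40, 0x05, 0x03, 0x1E, 0x11, 0x0B, 0x11 };
/* Well-formed variant constructed for this example: the correct length, 0x08. */
static const uint8_t OOB_GOOD[] = {
    0x1C, 0x00, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C, 0x5C,
    0x08, 0x09, 0x41, 0x6E, 0x64, 0x72, 0x6F, 0x69, 0x64,
    0x04, 0x0D, 0x0C, 0x02, 0x40, 0x05, 0x03, 0x1E, 0x11, 0x0B, 0x11 };

static struct bt_oob g_parsed;   /* result of the most recent parse_vector() */

static enum oob_status parse_vector(const uint8_t *v, size_t n)
{
    return parse_bt_oob(v, n, &g_parsed);
}
```

The zero-length record stops the EIR walk without indexing backwards, the 0x80 record is rejected because 128 bytes are claimed where 20 remain, and the well-formed record yields the name "Android", the Class of Device and three accepted structures.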
[ MDVSA-2014:127 ] gnupg
Mandriva Linux Security Advisory                         MDVSA-2014:127
http://www.mandriva.com/en/support/security/

Package : gnupg
Date    : July 9, 2014
Affected: Business Server 1.0

Problem Description:

Updated gnupg and gnupg2 packages fix a security vulnerability:

GnuPG versions before 1.4.17 and 2.0.24 are vulnerable to a denial of service which can be caused by garbled compressed data packets which may put gpg into an infinite loop (CVE-2014-4617).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617
http://advisories.mageia.org/MGASA-2014-0276.html

Updated Packages:

Mandriva Business Server 1/X86_64:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type   Bits/KeyID      Date        User ID
pub    1024D/22458A98  2000-07-10  Mandriva Security Team security*mandriva.com
[ MDVSA-2014:128 ] iodine
Mandriva Linux Security Advisory                         MDVSA-2014:128
http://www.mandriva.com/en/support/security/

Package : iodine
Date    : July 9, 2014
Affected: Business Server 1.0

Problem Description:

Updated iodine packages fix a security vulnerability:

Oscar Reparaz discovered an authentication bypass vulnerability in iodine, a tool for tunneling IPv4 data through a DNS server. By exploiting this flaw, a remote attacker could get a server to accept the rest of the tunnel setup, and then network traffic, without being authenticated (CVE-2014-4168).

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4168
http://advisories.mageia.org/MGASA-2014-0277.html

Updated Packages:

Mandriva Business Server 1/X86_64:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type   Bits/KeyID      Date        User ID
pub    1024D/22458A98  2000-07-10  Mandriva Security Team security*mandriva.com
[ MDVSA-2014:130 ] php
Mandriva Linux Security Advisory                         MDVSA-2014:130
http://www.mandriva.com/en/support/security/

Package : php
Date    : July 9, 2014
Affected: Business Server 1.0

Problem Description:

Updated php packages fix security vulnerabilities:

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types (CVE-2014-3515).

It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query (CVE-2014-4049).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to these issues. It has been updated to version 5.5.14, which fixes these issues and several other bugs.

The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory (CVE-2014-4721).

Additionally, php-apc has been rebuilt against the updated php packages and the php-timezonedb package has been upgraded to the 2014.5 version.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4721
http://www.php.net/ChangeLog-5.php#5.5.14
http://advisories.mageia.org/MGASA-2014-0284.html

Updated Packages:

Mandriva Business Server 1/X86_64:
[ MDVSA-2014:129 ] ffmpeg
Mandriva Linux Security Advisory                         MDVSA-2014:129
http://www.mandriva.com/en/support/security/

Package : ffmpeg
Date    : July 9, 2014
Affected: Business Server 1.0

Problem Description:

Multiple vulnerabilities have been discovered and corrected in ffmpeg:

Multiple unspecified vulnerabilities in libavcodec/wmalosslessdec.c in FFmpeg before 0.11 have unknown impact and attack vectors related to (1) size of mclms arrays, (2) a get_bits(0) in decode_ac_filter, and (3) too many bits in decode_channel_residues() (CVE-2012-2795).

libavcodec/wmalosslessdec.c in FFmpeg before 2.1.4 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data (CVE-2014-2098).

The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 2.1.4 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data (CVE-2014-2099).

The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg, possibly 2.1 and earlier, has unspecified impact and attack vectors that trigger an out-of-bounds write (CVE-2014-2263).

A use-after-free vulnerability in FFmpeg before 1.1.9 involving seek operations on video data could allow remote attackers to cause a denial of service (CVE-2012-5150).

An integer overflow can occur when processing any variant of a literal run in the av_lzo1x_decode function (CVE-2014-4609, CVE-2014-4610).

The updated packages have been upgraded to version 0.10.14, which is not vulnerable to these issues.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4609
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4610
https://www.ffmpeg.org/security.html
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
http://www.openwall.com/lists/oss-security/2014/06/26/22
http://seclists.org/oss-sec/2014/q2/668

Updated Packages:

Mandriva Business Server 1/X86_64:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type   Bits/KeyID      Date        User ID
pub    1024D/22458A98  2000-07-10  Mandriva Security Team security*mandriva.com
[ MDVSA-2014:131 ] file
Mandriva Linux Security Advisory                         MDVSA-2014:131
http://www.mandriva.com/en/support/security/

Package : file
Date    : July 9, 2014
Affected: Business Server 1.0

Problem Description:

Updated file packages fix security vulnerabilities:

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

Note: these issues were announced as part of the upstream PHP 5.4.30 release, as PHP bundles file's libmagic library. Their announcement also references an issue in CDF file parsing, CVE-2014-0207, which was previously fixed in the file package in MGASA-2014-0252, but was not announced at that time.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
http://advisories.mageia.org/MGASA-2014-0282.html

Updated Packages:

Mandriva Business Server 1/X86_64:

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact security_(at)_mandriva.com

Type   Bits/KeyID      Date        User ID
pub    1024D/22458A98  2000-07-10  Mandriva Security Team security*mandriva.com
[ MDVSA-2014:132 ] libxfont
Mandriva Linux Security Advisory                         MDVSA-2014:132
http://www.mandriva.com/en/support/security/
___

Package : libxfont
Date    : July 9, 2014
Affected: Business Server 1.0
___

Problem Description:

Updated libxfont packages fix security vulnerabilities:

Ilja van Sprundel discovered that libXfont incorrectly handled font metadata file parsing. A local attacker could use this issue to cause libXfont to crash, or possibly execute arbitrary code in order to gain privileges (CVE-2014-0209).

Ilja van Sprundel discovered that libXfont incorrectly handled X Font Server replies. A malicious font server could return specially-crafted data that could cause libXfont to crash, or possibly execute arbitrary code (CVE-2014-0210, CVE-2014-0211).
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0210
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0211
http://advisories.mageia.org/MGASA-2014-0278.html
___

Updated Packages:

Mandriva Business Server 1/X86_64:
4f39de10316b1527b1c32d5f756dcef9 mbs1/x86_64/lib64xfont1-1.4.5-2.2.mbs1.x86_64.rpm
d68016ac4f6fde1544dec8564fa88957 mbs1/x86_64/lib64xfont1-devel-1.4.5-2.2.mbs1.x86_64.rpm
6cce20596a6edab6490899c04a0cb6ea mbs1/x86_64/lib64xfont1-static-devel-1.4.5-2.2.mbs1.x86_64.rpm
f86ce76eddbbe9fac7ed98a2b39afc73 mbs1/SRPMS/libxfont-1.4.5-2.2.mbs1.src.rpm
___

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact security_(at)_mandriva.com
___

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com
OS Command Injection Infoblox Network Automation
Product: Network Automation, licensed as:
  NetMRI
  Switch Port Manager
  Automation Change Manager
  Security Device Controller
Vendor: Infoblox
Vulnerable Version(s): 6.4.X.X-6.8.4.X
Tested Version: 6.8.2.11
Vendor Notification: May 12th, 2014
Vendor Patch Availability to Customers: May 16th, 2014
Public Disclosure: July 9th, 2014
Vulnerability Type: OS Command Injection [CWE-78]
CVE Reference: CVE-2014-3418
Risk Level: High
CVSSv2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Solution Available
Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )

---

Advisory Details:

Depth Security discovered a vulnerability in the Infoblox Network Automation management web interface. This attack does not require authentication of any kind.

1) OS Command Injection in Infoblox Network Automation Products: CVE-2014-3418

The vulnerability exists due to insufficient sanitization of user-supplied data in the skipjackUsername POST parameter. A remote attacker can inject operating system commands as the root user and completely compromise the operating system.

The following is the relevant portion of the multipart/form-data POST request to netmri/config/userAdmin/login.tdf:

Content-Disposition: form-data; name="skipjackUsername"

admin`ping -n 20 127.0.0.1`

---

Solution:

Infoblox immediately released a hotfix to remediate this vulnerability on existing installations (v6.X-NETMRI-20710.gpg). The flaw was corrected in the 6.8.5 release (created expressly for dealing with this issue), and that release has been put into manufacturing for new appliances.

---

Proof of Concept:

In addition to manual exploitation via the above mentioned vector, proof of concept is provided in the form of a module for the metasploit framework.
https://github.com/depthsecurity/NetMRI-2014-3418

---

References:

[1] Depth Security Advisory - http://blog.depthsecurity.com/2014/07/os-command-injection-in-infoblox-netmri.html - OS Command Injection in NetMRI.
[2] NetMRI - http://www.infoblox.com/products/network-automation/netmri - NetMRI is an Enterprise Network Management Appliance.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] NetMRI Metasploit Module - https://github.com/depthsecurity/NetMRI-2014-3418
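As an added defender-side example (not code from the Depth Security advisory or from Infoblox), this shows the two checks a login handler should apply to a field like skipjackUsername before its value can reach a shell: an allowlist validator for the username, and a scan of the parsed multipart body that flags shell metacharacters such as the backtick in the request above. The multipart body, the boundary, the second form field and the allowlist pattern are all constructed assumptions for this example.

```python
import re
from typing import Dict, List

# Allowlist for a login name: letters, digits, dot, underscore, hyphen, 1-64 chars.
# The exact policy is an assumption for this example, not Infoblox's.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Characters that let a value break out of a shell command string. The backtick
# is the one used in the advisory's request; the rest are the usual candidates.
SHELL_META = set("`$;|&<>\n\r(){}")


def username_is_safe(value: str) -> bool:
    """Allowlist check: accept only values that cannot carry shell syntax."""
    return USERNAME_RE.fullmatch(value) is not None


def parse_multipart(body: str, boundary: str) -> Dict[str, str]:
    """Minimal multipart/form-data parser returning {field name: value}.
    Text fields only, which is all the login form discussed here carries."""
    fields: Dict[str, str] = {}
    for part in body.split("--" + boundary):
        part = part.strip()
        if not part or part == "--":          # leading empty chunk / final "--"
            continue
        headers, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="?([^";\r\n]+)"?', headers)
        if m:
            fields[m.group(1)] = value.strip("\r\n")
    return fields


def flag_injection_attempts(fields: Dict[str, str]) -> List[str]:
    """Names of fields whose value contains at least one shell metacharacter."""
    return [name for name, val in fields.items() if SHELL_META & set(val)]


# Constructed sample body modelled on the request shape quoted in the advisory;
# the boundary and the password field name are assumptions, not from the product.
BOUNDARY = "----ExampleBoundary"
SAMPLE_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="skipjackUsername"\r\n\r\n'
    "admin`ping -n 20 127.0.0.1`\r\n"
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="passwordField"\r\n\r\n'
    "example-pass\r\n"
    "--" + BOUNDARY + "--\r\n"
)

if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("flagged fields:", flag_injection_attempts(parsed))
    print("username allowed:", username_is_safe(parsed["skipjackUsername"]))
```

The allowlist is the fix; the metacharacter scan is only a detection aid for request logs or a WAF rule and must not be relied on as the sole control.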
Weak Local Database Credentials in Infoblox Network Automation
Product: Network Automation
  NetMRI
  Switch Port Manager
  Automation Change Manager
  Security Device Controller
Vendor: InfoBlox
Vulnerable Version(s): 6.4.X.X-6.8.4.X
Tested Version: 6.8.2.11
Vendor Notification: May 12th, 2014
Public Disclosure: July 9th, 2014
Vulnerability Type: OS Command Injection [CWE-521]
CVE Reference: CVE-2014-3419
Risk Level: High
CVSSv2 Base Score: 5.2 (AV:L/AC:L/Au:S/C:C/I:P/A:N)
Solution Status: Solution Available
Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )

---

Advisory Details:

Depth Security discovered a vulnerability in the InfoBlox Network Automation Products. This attack requires OS level access which must be obtained via another method.

1) Weak password on local MySQL database: CVE-2014-3419

The vulnerability exists due to a weak password used for local MySQL access. An authenticated user with shell access to the operating system can access the contents of any database in the local MySQL instance using the local MySQL client (mysql -u root -p) with the following credentials:

Username: root
Password: root

Sensitive information such as SNMP community names and network device credentials are encrypted inside of the database.

---

Solution:

The vendor has released a hotfix to remediate this vulnerability on existing installations. The flaw was corrected in the 6.8.5 release.

---

References:

[1] Depth Security Advisory - http://blog.depthsecurity.com/2014/07/os-command-injection-in-infoblox-netmri.html - OS Command Injection in NetMRI.
[2] NetMRI - http://www.infoblox.com/products/network-automation/netmri - NetMRI is an Enterprise Network Management Appliance.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

---
Cisco Security Advisory: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products

Advisory ID: cisco-sa-20140709-struts2
Revision 1.0
For Public Release 2014 July 9 16:00 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870.

The vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected software. The component uses the ParameterInterceptors directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted system.

Cisco has released free software updates that address this vulnerability for all the affected products except Cisco Business Edition 3000 Series. Customers using Cisco Business Edition 3000 Series should contact their Cisco representative for available options.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2
[SECURITY] [DSA 2975-1] phpmyadmin security update
Debian Security Advisory DSA-2975-1                   secur...@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
July 09, 2014                          http://www.debian.org/security/faq

Package        : phpmyadmin
CVE ID         : CVE-2013-4995 CVE-2013-4996 CVE-2013-5002 CVE-2013-5003 CVE-2014-1879

Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2013-4995

    Authenticated users could inject arbitrary web script or HTML via a crafted SQL query.

CVE-2013-4996

    Cross site scripting was possible via a crafted logo URL in the navigation panel or a crafted entry in the Trusted Proxy list.

CVE-2013-5002

    Authenticated users could inject arbitrary web script or HTML via a crafted pageNumber value in Schema Export.

CVE-2013-5003

    Authenticated users could execute arbitrary SQL commands as the phpMyAdmin 'control user' via the scale parameter in PMD PDF export and the pdf_page_number parameter in Schema Export.

CVE-2014-1879

    Authenticated users could inject arbitrary web script or HTML via a crafted file name in the Import function.

For the stable distribution (wheezy), these problems have been fixed in version 4:3.4.11.1-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 4:4.2.5-1.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org