USN-2250-1 thunderbird vulnerabilities

Gary Kwong, Christoph Diehl, Christian Holler, Hannes Verschore, Jan de Mooij, Ryan VanderMeulen, Jeff Walden and Kyle Huey discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potential...

CVE-2014-3476

OpenStack Identity Keystone before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a 1 trust or 2 OAuth token with impersonation enabled to create a new token with...

UBUNTU-CVE-2014-3476

OpenStack Identity Keystone before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a 1 trust or 2 OAuth token with impersonation enabled to create a new token with...

Scientific Linux Security Update : openssl097a and openssl098e on SL5.x, SL6.x i386/x86_64 (20140605)

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. CVE-2014-0224 Note: In order to...

Important: Red Hat Security Advisory: openssl security update

Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, and Red Hat...

Important: Red Hat Security Advisory: openssl097a and openssl098e security update

Updated openssl097a and openssl098e packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System CVSS base score, which...

tomcat: incomplete fix for CVE-2012-3544

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat and JBoss Web processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by...

CVE-2013-1407

Multiple cross-site scripting XSS vulnerabilities in the Events Manager plugin before 5.3.5 and Events Manager Pro plugin before 2.2.9 for WordPress allow remote attackers to inject arbitrary web script or HTML via the 1 scope parameter to index.php; 2 username, 3 dbemphone, 4 useremail, or 5...

PT-2014-4539 · Cisco · Cisco Asa

Name of the Vulnerable Software and Affected Versions: Cisco Adaptive Security Appliance ASA Software affected versions not specified Description: A denial of service issue exists, allowing remote attackers to cause a device reload via a crafted DHCPv6 packet when DHCPv6 replay is configured. Thi...

Important: Red Hat Security Advisory: openssl security update

Updated openssl packages that fix one security issue are now available for Red Hat Storage 2.1. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available...

RHEL 6 : openssl (RHSA-2014:0376)

Updated openssl packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

Scientific Linux Security Update : openssl on SL6.x i386/x86_64

An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server...

openstack-keystone: trustee token revocation does not work with memcache backend

The memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being...

CVE-2014-1893

Multiple integer overflows in the 1 FLASKGETBOOL and 2 FLASKSETBOOL suboperations in the flask hypercall in Xen 4.1.x, 3.3.x, 3.2.x, and earlier, when XSM is enabled, allow local users to cause a denial of service processor fault via unspecified vectors, a different vulnerability than...

Data Breaches Show Difficulty of Defenders' Task

When attackers broke into the network of the University of Maryland last month, the university’s wasn’t sure how to react. The organization had never had a major security incident before, and this one qualified as major: 310,000 Social Security numbers and other information was gone. And then thr...

ClipSharePro 4.1 Local File Inclusion

Exploit Title : ClipSharePro 0 $configfile = $GET'configfile'; else showAlertMessage"ERROR: Failed to find configfile parameter", 1; else $configfile = $DEFAULTCONFIG; // Load config file require $configfile; //including arbitrary file $GET'configfile' echo $configfile; The vulnerability can be...

ClipSharePro 4.1 - Local File Inclusion

Exploit Title : ClipSharePro 0 $configfile = $GET'configfile'; else showAlertMessage"ERROR: Failed to find configfile parameter", 1; else $configfile = $DEFAULTCONFIG; // Load config file require $configfile; //including arbitrary file $GET'configfile' echo $configfile; The vulnerability can be...

HTTPS can leak your Personal details to Attackers

Explosive revelations of massive surveillance programs conducted by government agencies by the former contractor Edward Snowden triggered new debate about the security and privacy of each individual who is connected somehow to the Internet and after the Snowden’s disclosures they think that by...

PT-2014-2155 · Debian · Apt

Name of the Vulnerable Software and Affected Versions: apt versions prior to 0.8.11 Description: The issue allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors when the certificate host name fails validation and Verify-Host is enabled. Recommendations: For...

MGASA-2014-0103 Updated kernel fixes security vulnerabilities

This kernel update provides an update to the upstream stable 3.12.13 maintenance release and fixes the following security issues: A flaw was found in the way cifs handled iovecs with bogus pointers userland passed down via writev during uncached writes. An unprivileged local user with access to...