3095 matches found

RedHat Linux
Added 2015/01/21 9:45 p.m. | 4 views

OpenJDK: incorrect tracking of ChangeCipherSpec during SSL/TLS handshake (JSSE, 8057555)

It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption...

CVSS: 4 | AI score: 6.7 | EPSS: 0.67234
Exploits: 5 | References: 5
ThreatPost
Added 2015/01/05 2:46 p.m. | 11 views

Microsoft Reports Massive Increase in Macros Enabled Threats

The Microsoft Malware Protection Center says there has been a dramatic increase in threats using macros to spread malware via spam and social engineering over the last month. Macros are used for automating frequently used tasks in Office. Macro-related infections were constant and near zero daily...

AI score: 0.5
Exploits: 0 | References: 4
Check Point Advisories
Added 2014/12/28 12:00 a.m. | 5 views

Microsoft Windows SSL Library Private Communications Transport Buffer Overflow - Ver2 (CVE-2003-0719)

A buffer overflow vulnerability has been reported in Microsoft Windows SSL Library. The vulnerability is due to the processing of certain messages. A remote attacker can exploit this issue by executing arbitrary code in the context of a local system user when SSL is enabled...

CVSS: 7.5 | AI score: 6.8 | EPSS: 0.81203
Exploits: 8
OSV
Added 2014/12/12 6:59 p.m. | 3 views

DEBIAN-CVE-2014-8134

The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux kernel through 3.18 uses an improper paravirt_enabled setting for KVM guest kernels, which makes it easier for guest OS users to bypass the ASLR protection mechanism via a crafted application that reads a 16-bit value...

CVSS: 3.3 | AI score: 5.5 | EPSS: 0.00703
Exploits: 1 | References: 1
RedHat Linux
Added 2014/12/09 6:07 p.m. | 3 views

httpd: NULL pointer dereference in mod_cache if Content-Type has empty value

A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled...

CVSS: 5 | AI score: 6.6 | EPSS: 0.13205
Exploits: 0 | References: 4
OSV
Added 2014/12/03 3:57 p.m. | 1 view

USN-2428-1 thunderbird vulnerabilities

Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, and Max Jonas Werner discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service...

CVSS: 6.8 | AI score: 7.5 | EPSS: 0.04052
Exploits: 0 | References: 6
Tenable Nessus
Added 2014/11/08 12:00 a.m. | 73 views

RHEL 6 : Storage Server (RHSA-2014:0377) (Heartbleed)

Updated openssl packages that fix one security issue are now available for Red Hat Storage 2.1. The Red Hat Security Response Team has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available...

CVSS: 7.5 | AI score: 7.7 | EPSS: 0.99999
Exploits: 86 | References: 3
securityvulns
Added 2014/11/03 12:00 a.m. | 33 views

Ubuntu systemd-shim DoS

Debugging is enabled by default...

CVSS: 2.1 | AI score: 1.7 | EPSS: 0.00436
Exploits: 1 | References: 1 | Affected Software: 1
OSV
Added 2014/10/29 10:55 a.m. | 1 view

DEBIAN-CVE-2014-4877

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the...

CVSS: 9.3 | AI score: 7.4 | EPSS: 0.39883
Exploits: 4 | References: 1
OSV
Added 2014/10/29 12:00 a.m. | 3 views

UBUNTU-CVE-2014-4877

Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the...

CVSS: 9.3 | AI score: 7.2 | EPSS: 0.39883
Exploits: 4 | References: 5
Atlassian
Added 2014/10/24 7:13 p.m. | 22 views

SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE

The default connector as written in /conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS. Reproduction steps: Follow the...

AI score: 0.1
Exploits: 0
RedHat Linux
Added 2014/10/22 5:21 p.m. | 2 views

openstack-keystone: denial of service via V3 API authentication chaining

A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this...

CVSS: 7.8 | AI score: 5.7 | EPSS: 0.03129
Exploits: 1 | References: 4
Tenable Nessus
Added 2014/10/17 12:00 a.m. | 248 views

CentOS 6 / 7 : openssl (CESA-2014:1652)

Updated OpenSSL packages that contain a backported patch to mitigate the CVE-2014-3566 issue, known as the SSLv3 Padding Oracle On Downgraded Legacy Encryption vulnerability (POODLE), and fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has...

CVSS: 7.1 | AI score: 6.4 | EPSS: 0.99999
Exploits: 5 | References: 8
Fedora
Added 2014/09/27 9:47 a.m. | 26 views

[SECURITY] Fedora 20 Update: kscd-4.14.1-1.fc20

KsCD is a small, fast, CDDB-enabled audio CD player...

CVSS: 6.9 | AI score: 1.7 | EPSS: 0.00359
Exploits: 1
OSV
Added 2014/09/11 10:31 p.m. | 1 view

USN-2330-1 thunderbird vulnerabilities

Jan de Mooij, Christian Holler, Karl Tomlinson, Randell Jesup, Gary Kwong, Jesse Ruderman and JW Wang discovered multiple memory safety issues in Thunderbird. If a user were tricked into opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to...

CVSS: 10 | AI score: 7 | EPSS: 0.05801
Exploits: 1 | References: 7
OSV
Added 2014/09/08 2:55 p.m. | 1 view

DEBIAN-CVE-2014-5369

Enigmail 1.7.x before 1.7.2 sends emails in plaintext when encryption is enabled and only BCC recipients are specified, which allows remote attackers to obtain sensitive information by sniffing the network...

CVSS: 4.3 | AI score: 6.6 | EPSS: 0.01938
Exploits: 1 | References: 1
exploitpack
Added 2014/09/08 12:00 a.m. | 38 views

Mpay24 PrestaShop Payment Module 1.5 - Multiple Vulnerabilities

Mpay24 PrestaShop Payment Module Multiple Vulnerabilities. Affected Vendor: Mpay24; Affected Software: Mpay24 Payment Module; Affected Version: 1.5 and earlier; Issue Type: SQL injection and information disclosure; ...

CVSS: 7.5 | AI score: 0.1 | EPSS: 0.0741
Exploits: 6
ThreatPost
Added 2014/08/29 2:25 p.m. | 7 views

Backoff Sinkhole Reveals Sorry Point-of-Sale Security

Kaspersky Lab researchers say that a recent analysis of two Backoff malware command and control servers paints "a very bleak picture of the state of point-of-sale security." Kaspersky Lab sinkholed two of the malware's command and control servers. In just two days, nearly 100 infected systems,...

AI score: 7.1
Exploits: 0 | References: 12
OSV
Added 2014/08/21 2:55 p.m. | 3 views

UBUNTU-CVE-2014-3562

Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory...

CVSS: 5 | AI score: 5.8 | EPSS: 0.02156
Exploits: 0 | References: 2
Debian CVE
Added 2014/08/18 10:00 a.m. | 33 views

CVE-2014-5240

Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL...

CVSS: 2.1 | AI score: 3.9 | EPSS: 0.02196
Exploits: 0