Fedora 22 : freeipa-4.1.4-1.fc22 / slapi-nis-0.54.2-1.fc22 (2015-4788)
CVE-2015-1827: It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash...
Mandriva Linux Security Advisory : apache-mod_wsgi (MDVSA-2015:180)
Updated apache-mod_wsgi package fixes security vulnerabilities: apache-mod_wsgi before 4.2.4 contained an off-by-one error in applying a limit to the number of supplementary groups allowed for a daemon process group. The result could be that if more groups than the operating system allowed were...
DEBIAN-CVE-2015-0283
The slapi-nis plug-in before 0.54.2 does not properly reallocate memory when processing user accounts, which allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request for (1) a group with a large number of members or (2) a user that belongs to a large number o...
UBUNTU-CVE-2015-0283
The slapi-nis plug-in before 0.54.2 does not properly reallocate memory when processing user accounts, which allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request for (1) a group with a large number of members or (2) a user that belongs to a large number o...
ipa: memory corruption when using get_user_grouplist()
It was discovered that the IPA extdom Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for a list of groups for a user that belongs to a large number of groups would cause a Directory Server to crash...
PT-2015-4561 · 389 Directory Server · Slapi-Nis Plug-In
Name of the Vulnerable Software and Affected Versions: slapi-nis plug-in versions prior to 0.54.2. Description: The issue allows remote attackers to cause a denial of service, resulting in an infinite loop and CPU consumption. This can be achieved by requesting a group with a large number of membe...
China Finally Admits It Has Army of Hackers
China finally admits it has special cyber warfare units — and a lot of them. For years China has been suspected by the U.S. and many other countries of carrying out several high-profile cyber attacks, but every time the country strongly denied the claims. However, for the first time the country has...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachmenttypes module to admin/index.php; (2)...
Vimeo: Post in private groups after getting removed
Steps to reproduce: 1. A user (victim) has a private video and has added it to his private groups. Now the group members can see it and comment on it. 2. The attacker is in the group, adds a new comment and captures the request using Burp proxy. 3. Then the attacker is removed from the gro...
Vimeo: A user can add videos to other user's private groups
It is possible for a user to add videos to other users' private groups. Steps to verify: 1. Log into vimeo.com as Alice. Create a new group, let's say AlicePrivateGroup with group id 301924, and choose the 'Only members can see this group' setting. 2. Log in as Bob and create a new group, let's say,...
sssd: incorrect expansion of group membership when encountering a non-POSIX group
The System Security Services Daemon (SSSD) 1.11.6 does not properly identify group membership when a non-POSIX group is in a group membership chain, which allows local users to bypass access restrictions via unspecified vectors...
Encryption and Silence Can be Targets' Best Assets
CANCUN–Things are getting real these days for executives, researchers, journalists and others involved in the security community. Targeted surveillance is a reality for many in the community, and researchers and activists are trying now to help them assess and address that threat to their privacy...
APT Groups Emerging in Middle East
CANCUN–Since security researchers and vendors began exposing the inner workings of APT groups a few years ago, virtually all of the operations that have been made public have been the work of attackers in Europe, Asia or North America. But recently, groups in the Middle East have joined the game ...
Authentication flaw
Cisco Adaptive Security Appliance (ASA) Software 9.2.3 and earlier, when challenge-response authentication is used, does not properly select tunnel groups, which allows remote authenticated users to bypass intended resource-access restrictions via a crafted tunnel-group parameter, aka Bug ID...
PYSEC-2015-33
RhodeCode before 2.2.7 allows remote authenticated users to obtain API keys and other sensitive information via the (1) updaterepo, (2) getlocks, or (3) getusergroups API method...
Cisco IOS Software Access Control List Bypass Vulnerability
A vulnerability in Cisco IOS Software access control lists (ACLs) that use object groups could occasionally allow an unauthenticated, remote attacker to bypass the ACL. The vulnerability is due to a race condition between process switching and Cisco Express Forwarding switching while evaluating ACL...
Researchers: PlugX More Prominent Than Ever
Existing in some form since 2008, the popular remote access tool PlugX has as notorious a history as any malware, but according to researchers the tool saw a spike of popularity in 2014 and is the go-to malware for many adversary groups. Many attacks, especially those occurring during the latter...
SUSE-SU-2015:0281-1 Security update for strongswan
This strongswan update fixes the following security and non-security issues. - Disallow brainpool elliptic curve groups in FIPS mode (bnc#856322). - Applied an upstream fix for a denial-of-service vulnerability, which can be triggered by an IKEv2 Key Exchange payload that contains the Diffie-Hellma...
Security auditing tool for AWS: AWS Scout2
Scout2 is an open source tool that helps assess the security posture of AWS environments. Using the AWS API, the Scout2 Python scripts fetch CloudTrail, EC2, IAM, RDS, and S3 configuration data. The gathered configuration is analysed and stored as JSON objects in several JavaScript files. The...
cgmanager information disclosure
Invalid nested groups processing...