Important: Red Hat Security Advisory: katello-installer-base security and enhancement update
An update for katello-installer-base, which configures qpid-dispatch-router, is now available for Red Hat Satellite 6.4 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed...
katello-installer-base: QMF methods exposed to goferd via qdrouterd
A lack of access control was found in the message queues maintained by Satellite's QPID broker and used by katello-agent. A malicious user authenticated to a host registered to Satellite or Capsule can use this flaw to access QMF methods on any other host also registered to Satellite or Capsule and...
Unhackable Cryptography?
A recent article overhyped the release of EverCrypt, a cryptography library created using formal methods to prove security against specific attacks. The Quanta magazine article sets off a series of "snake-oil" alarm bells. The author's Github README is more measured and accurate, and illustrates...
Edge no prior knowledge of the exploit-vulnerability warning-the black bar safety net
Background: since 2007, the browser has always been the main event of the Pwn2Own contest. Watching the contest, I believe many friends have been eager to try it themselves. But do you remember how many times you started full of confidence, only to be put on hold in the end? The article...
openSUSE: Security Advisory for openwsman (openSUSE-SU-2019:1111-1)
The remote host is missing an update for the Copyright (C) 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Security update for python-cryptography, python-pyOpenSSL (important)
openSUSE Security Update: Security update for python-cryptography, python-pyOpenSSL Announcement ID: openSUSE-SU-2019:1104-1 Rating: important References: 1021578 1052927 1111634 1111635 1119077 Cross-References: CVE-2018-1000807 CVE-2018-1000808 Affected Products: openSUSE Leap 42.3 An update th...
Security update for nodejs4 (moderate)
openSUSE Security Update: Security update for nodejs4 Announcement ID: openSUSE-SU-2019:1076-1 Rating: moderate References: 1127080 1127532 1127533 Cross-References: CVE-2019-1559 CVE-2019-5737 CVE-2019-5739 Affected Products: openSUSE Leap 42.3 An update that fixes three vulnerabilities is now...
Security update for MozillaFirefox (important)
openSUSE Security Update: Security update for MozillaFirefox Announcement ID: openSUSE-SU-2019:1056-1 Rating: important References: 1129821 1130262 Cross-References: CVE-2018-18506 CVE-2019-9788 CVE-2019-9790 CVE-2019-9791 CVE-2019-9792 CVE-2019-9793 CVE-2019-9794 CVE-2019-9795 CVE-2019-9796...
An Argument that Cybersecurity Is Basically Okay
Andrew Odlyzko's new essay is worth reading -- "Cybersecurity is not very important": Abstract: There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure...
Security update for chromium (important)
openSUSE Security Update: Security update for chromium Announcement ID: openSUSE-SU-2019:0343-1 Rating: important References: 1129059 Cross-References: CVE-2019-5787 CVE-2019-5788 CVE-2019-5789 CVE-2019-5790 CVE-2019-5791 CVE-2019-5792 CVE-2019-5793 CVE-2019-5794 CVE-2019-5795 CVE-2019-5796...
openSUSE: Security Advisory for libcomps (openSUSE-SU-2019:0323-1)
The remote host is missing an update for the Copyright (C) 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
JDK: buffer overflow in jio_snprintf() and jio_vsnprintf()
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf and jio_vsnprintf native methods ignored the length parameter. This allows existing APIs that called these functions to exceed the allocated buffer. These functions were not directly callable by non-native user code...
Cross-Site Request Forgery (CSRF)
yiisoft/yii2 is vulnerable to cross-site request forgery (CSRF). Request methods are not validated or restricted in \yii\web\Request::getMethod. This allows an attacker to bypass CSRF token checks by downgrading the HTTP request to read methods such as GET, HEAD or OPTIONS...
RSA Conference 2019: BEC Scammer Gang Takes Aim at Boy Scouts, Other Nonprofits
SAN FRANCISCO – A Nigeria-based scammer gang dubbed “Scarlet Widow” has been launching email fraud attacks against thousands of targets – including universities, the Salvation Army, and Boy Scouts of America. Researchers with Agari detailed the attack during an RSA Conference session on Tuesday...
jenkins-plugin-script-security: Sandbox Bypass in finalize methods
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permissio...
Security update for chromium (important)
openSUSE Security Update: Security update for chromium Announcement ID: openSUSE-SU-2019:0205-1 Rating: important References: 1123641 1124936 Cross-References: CVE-2019-5754 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757 CVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761 CVE-2019-5762 CVE-2019-57...
Security update for libu2f-host (low)
openSUSE Security Update: Security update for libu2f-host Announcement ID: openSUSE-SU-2019:0199-1 Rating: low References: 1124781 Cross-References: CVE-2018-20340 Affected Products: openSUSE Leap 42.3 An update that fixes one vulnerability is now available. Description: This update for libu2f-ho...
Security update for chromium (important)
openSUSE Security Update: Security update for chromium Announcement ID: openSUSE-SU-2019:0206-1 Rating: important References: 1123641 1124936 Cross-References: CVE-2019-5754 CVE-2019-5755 CVE-2019-5756 CVE-2019-5757 CVE-2019-5758 CVE-2019-5759 CVE-2019-5760 CVE-2019-5761 CVE-2019-5762 CVE-2019-57...
openSUSE: Security Advisory for curl (openSUSE-SU-2019:0174-1)
The remote host is missing an update for the Copyright (C) 2019 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
MGASA-2019-0077 Updated dom4j packages fix security vulnerability
dom4j versions prior to 2.1.1 contain an XML Injection vulnerability in the Element class (methods addElement and addAttribute) that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or...