Getsocial, S.A. Security Vulnerabilities

nessus

Mandriva Linux Security Advisory : python-setuptools (MDVSA-2013:227)

A vulnerability has been discovered and corrected in python-setuptools/python-virtualenv : easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute...

7.1 AI Score

0.002 EPSS

2013-09-10 12:00 AM
14
securityvulns

SilverStripe(R) Information Exposure Through Query Strings in GET Request (CWE-598)

SilverStripe(R) Information Exposure Through Query Strings in GET Request (CWE-598) CVE: CVE-2013-2653 CWE: CWE-598 Deloitte Argentina Advisory Code: DTTAR-20130002 Vendor Status: CONFIRMED Vendor Disclosure Date: May, 8th, 2013. Public Disclosure Date: August, 1st, 2013. Vendors Affected:...

0.2 AI Score

0.009 EPSS

2013-09-09 12:00 AM
49
nessus

Mandriva Linux Security Advisory : roundcubemail (MDVSA-2013:226)

Multiple vulnerabilities have been discovered and corrected in roundcubemail : Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft.....

-0.2 AI Score

0.004 EPSS

2013-09-06 12:00 AM
22
nessus

Mandriva Linux Security Advisory : libtiff (MDVSA-2013:224)

Updated libtiff packages fix security vulnerability : Pedro Ribeiro and Huzaifa S. Sidhpurwala discovered multiple vulnerabilities in various tools shipped by the tiff library. Processing a malformed file may lead to denial of service or the execution of arbitrary code...

-0.1 AI Score

0.002 EPSS

2013-09-03 12:00 AM
7
nessus

Mandriva Linux Security Advisory : libdigidoc (MDVSA-2013:225)

Updated libdigidoc packages fix security vulnerability : Fixed one critical bug in the DDOC parsing routines. By persuading a victim to open a specially crafted DDOC file, a remote attacker could exploit this vulnerability to overwrite arbitrary files on the system with the privileges of the...

0.9 AI Score

0.004 EPSS

2013-09-03 12:00 AM
7
nessus

Mandriva Linux Security Advisory : asterisk (MDVSA-2013:223)

Updated asterisk packages fix security vulnerabilities : A remotely exploitable crash vulnerability exists in the SIP channel driver if an ACK with SDP is received after the channel has been terminated. The handling code incorrectly assumes that the channel will always be present (CVE-2013-5641)......

-0.3 AI Score

0.843 EPSS

2013-09-02 12:00 AM
14
nessus

Mandriva Linux Security Advisory : php (MDVSA-2013:221)

A vulnerability has been discovered and corrected in php : The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which.....

5.9 CVSS

AI Score

0.029 EPSS

2013-08-28 12:00 AM
26
nessus

Mandriva Linux Security Advisory : puppet (MDVSA-2013:222)

Updated puppet and puppet3 packages fix security vulnerabilities : It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files (CVE-2013-4761). It was discovered that Puppet incorrectly handled...

0.2 AI Score

0.011 EPSS

2013-08-28 12:00 AM
9
nessus

Mandriva Linux Security Advisory : lcms (MDVSA-2013:220)

Updated lcms packages fix security vulnerability : Three buffer overflows in Little CMS version 1.19 that could possibly be exploited through user input...

-0.6 AI Score

0.029 EPSS

2013-08-28 12:00 AM
11
nessus

Mandriva Linux Security Advisory : libtiff (MDVSA-2013:219)

Updated libtiff packages fix security vulnerabilities : Pedro Ribeiro discovered a buffer overflow flaw in rgb2ycbcr, a tool to convert RGB color, greyscale, or bi-level TIFF images to YCbCr images, and multiple buffer overflow flaws in gif2tiff, a tool to convert GIF images to TIFF. A remote...

0.5 AI Score

0.049 EPSS

2013-08-25 12:00 AM
12
nessus

Mandriva Linux Security Advisory : perl-Proc-ProcessTable (MDVSA-2013:216)

Updated perl-Proc-ProcessTable package fixes security vulnerability : ProcessTable.pm in the Proc::ProcessTable module 0.45 for Perl, when TTY information caching is enabled, allows local users to overwrite arbitrary files via a symlink attack on /tmp/TTYDEVS...

-0.6 AI Score

0.0004 EPSS

2013-08-25 12:00 AM
9
nessus

Mandriva Linux Security Advisory : spice (MDVSA-2013:217)

Updated spice packages fix security vulnerability : A user able to initiate a spice connection to the guest could use a flaw in server/red_channel.c to crash the guest...

6.2 AI Score

0.021 EPSS

2013-08-25 12:00 AM
9
nessus

Mandriva Linux Security Advisory : python (MDVSA-2013:214)

Updated python packages fix security vulnerability : Ryan Sleevi of the Google Chrome Security Team has discovered that Python's SSL module doesn't handle NULL bytes inside subjectAltNames general names. This could lead to a breach when an application uses ssl.match_hostname() to match the...

8.6 AI Score

0.002 EPSS

2013-08-22 12:00 AM
11
nessus

Mandriva Linux Security Advisory : otrs (MDVSA-2013:212)

Updated otrs package fixes security vulnerability : It was discovered that otrs2, the Open Ticket Request System, does not properly sanitise user-supplied data that is used on SQL queries. An attacker with a valid agent login could exploit this issue to craft SQL queries by injecting arbitrary SQL....

8.8 CVSS

-0.1 AI Score

0.001 EPSS

2013-08-14 12:00 AM
23
nessus

Mandriva Linux Security Advisory : xymon (MDVSA-2013:213)

Updated xymon package fixes security vulnerability : A security vulnerability has been found in version 4.x of the Xymon Systems Network Monitor tool. The error permits a remote attacker to delete files on the server running the Xymon trend-data daemon xymond_rrd. File deletion is done with the...

-0.2 AI Score

0.004 EPSS

2013-08-14 12:00 AM
14
nessus

Mandriva Linux Security Advisory : lcms2 (MDVSA-2013:211)

Updated lcms2 packages fix security vulnerability : It was discovered that Little CMS did not properly verify certain memory allocations. If a user or automated system using Little CMS were tricked into opening a specially crafted file, an attacker could cause Little CMS to crash...

-0.2 AI Score

0.024 EPSS

2013-08-13 12:00 AM
8
nessus

Mandriva Linux Security Advisory : samba (MDVSA-2013:207)

A vulnerability has been found and corrected in samba : Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet.....

0.4 AI Score

0.968 EPSS

2013-08-07 12:00 AM
10
nessus

Mandriva Linux Security Advisory : subversion (MDVSA-2013:209)

A vulnerability has been found and corrected in subversion : The mod_dav_svn Apache HTTPD server module in Subversion 1.7.0 through 1.7.10 and 1.8.x before 1.8.1 allows remote authenticated users to cause a denial of service (assertion failure or out-of-bounds read) via a certain (1) COPY, (2)...

-0.3 AI Score

0.003 EPSS

2013-08-07 12:00 AM
9
nessus

Mandriva Linux Security Advisory : libtiff (MDVSA-2013:208)

Updated libtiff packages fix security vulnerabilities : A heap-based buffer overflow flaw was found in the way tiff2pdf of libtiff performed write of TIFF image content into particular PDF document file, in the tp_process_jpeg_strip() function. A remote attacker could provide a specially crafted...

0.6 AI Score

0.044 EPSS

2013-08-07 12:00 AM
18
nessus

Mandriva Linux Security Advisory : owncloud (MDVSA-2013:206)

Updated owncloud package fixes security vulnerabilities : XSS vulnerability in Share Interface (oC-SA-2013-029). Authentication bypass in user_webdavauth (oC-SA-2013-030). This update provides OwnCloud 5.0.9, which fixes these issues, as well as several other...

-0.7 AI Score

2013-08-06 12:00 AM
11
packetstorm

-0.8 AI Score

0.009 EPSS

2013-08-02 12:00 AM
41
nessus

Mandriva Linux Security Advisory : gnupg (MDVSA-2013:205)

A vulnerability has been discovered and corrected in gnupg and in libgcrypt : Yarom and Falkner discovered that RSA secret keys in applications using GnuPG 1.x, and using the libgcrypt library, could be leaked via a side channel attack, where a malicious local user could obtain private key...

-0.5 AI Score

0.0004 EPSS

2013-08-02 12:00 AM
5
nessus

Mandriva Linux Security Advisory : wireshark (MDVSA-2013:204)

Updated wireshark package fixes security vulnerabilities : The Bluetooth SDP dissector could go into a large loop (CVE-2013-4927). The DIS dissector could go into a large loop (CVE-2013-4929). The DVB-CI dissector could crash (CVE-2013-4930). The GSM RR dissector (and possibly others) could go...

0.2 AI Score

0.003 EPSS

2013-07-31 12:00 AM
13
nessus

Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2013:203)

Multiple vulnerabilities have been discovered and corrected in phpmyadmin : XSS due to unescaped HTML Output when executing a SQL query (CVE-2013-4995). 5 XSS vulnerabilities in setup, chart display, process list, and logo link. If a crafted version.json would be presented, an XSS...

0.1 AI Score

0.002 EPSS

2013-07-31 12:00 AM
16
nessus

Mandriva Linux Security Advisory : bind (MDVSA-2013:202)

A vulnerability has been discovered and corrected in bind : The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and 9.9.4b1, and DNSco BIND 9.9.3-S1 before 9.9.3-S1-P1 and 9.9.4-S1b1, allows remote attackers to cause a denial of...

0.2 AI Score

0.953 EPSS

2013-07-29 12:00 AM
12
nessus

Mandriva Linux Security Advisory : ruby (MDVSA-2013:201)

A vulnerability has been discovered and corrected in ruby : A flaw was found in Ruby's SSL client's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers......

-0.1 AI Score

0.001 EPSS

2013-07-28 12:00 AM
9
nessus

Mandriva Linux Security Advisory : squid (MDVSA-2013:199)

Multiple vulnerabilities have been discovered and corrected in squid : Due to incorrect data validation Squid is vulnerable to a buffer overflow attack when processing specially crafted HTTP requests. This problem allows any trusted client or client script who can generate HTTP requests to trigger.....

0.1 AI Score

0.027 EPSS

2013-07-26 12:00 AM
12
nessus

Mandriva Linux Security Advisory : libxml2 (MDVSA-2013:198)

Multiple vulnerabilities have been discovered and corrected in libxml2 : A denial of service flaw was found in the way libxml2, a library providing support to read, modify and write XML and HTML files, performed string substitutions when entity values for external entity references replacement...

-0.1 AI Score

0.046 EPSS

2013-07-25 12:00 AM
16
nessus

Mandriva Linux Security Advisory : php (MDVSA-2013:195)

A vulnerability has been discovered and corrected in php : Fixed PHP bug #65236 (heap corruption in xml parser) (CVE-2013-4113). The updated packages have been upgraded to the 5.3.27 version which is not vulnerable to this issue. The php-timezonedb package has been updated to the 2013.4...

7 AI Score

0.614 EPSS

2013-07-14 12:00 AM
13
nessus

Mandriva Linux Security Advisory : kernel (MDVSA-2013:194)

Multiple vulnerabilities have been found and corrected in the Linux kernel : net/ceph/auth_none.c in the Linux kernel through 3.10 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an auth_reply message...

0.5 AI Score

0.04 EPSS

2013-07-12 12:00 AM
22
nessus

Mandriva Linux Security Advisory : apache (MDVSA-2013:193)

A vulnerability has been found and corrected in apache (ASF HTTPD) : mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI.....

0.7 AI Score

0.956 EPSS

2013-07-12 12:00 AM
16
nessus

Mandriva Linux Security Advisory : fail2ban (MDVSA-2013:191)

Updated fail2ban packages fix CVE-2013-2178 Krzysztof Katowicz-Kowalewski discovered a vulnerability in Fail2ban, a log monitoring and system which can act on attack by preventing hosts to connect to specified services using the local firewall. When using Fail2ban to monitor Apache logs, improper.....

-0.2 AI Score

0.017 EPSS

2013-07-03 12:00 AM
10
nessus

Mandriva Linux Security Advisory : php-radius (MDVSA-2013:192)

A security vulnerability was discovered and fixed in php-radius. Fix a security issue in radius_get_vendor_attr() by enforcing checks of the VSA length field against the buffer size (CVE-2013-2220). The updated packages have been upgraded to the 1.2.7 version which is not affected by this...

0.6 AI Score

0.02 EPSS

2013-07-03 12:00 AM
8
nessus

Mandriva Linux Security Advisory : apache-mod_security (MDVSA-2013:187)

Updated apache-mod_security packages fix security vulnerability : When ModSecurity receives a request body with a size bigger than the value set by the SecRequestBodyInMemoryLimit and with a Content-Type that has no request body processor mapped to it, ModSecurity will systematically crash on...

-0.4 AI Score

0.018 EPSS

2013-07-03 12:00 AM
20
nessus

Mandriva Linux Security Advisory : otrs (MDVSA-2013:188)

Updated otrs package fixes security vulnerabilities : An attacker with a valid agent login could manipulate URLs in the ticket watch mechanism to see contents of tickets they are not permitted to see (CVE-2013-3551,...

6.5 CVSS

-0.5 AI Score

0.005 EPSS

2013-07-03 12:00 AM
15
nessus

Mandriva Linux Security Advisory : wordpress (MDVSA-2013:189)

Updated wordpress package fixes security vulnerabilities : A denial of service flaw was found in the way Wordpress, a blog tool and publishing platform, performed hash computation when checking password for password protected blog posts. A remote attacker could provide a specially-crafted input...

-0.1 AI Score

0.142 EPSS

2013-07-03 12:00 AM
20
nessus

Mandriva Linux Security Advisory : autotrace (MDVSA-2013:190)

Updated autotrace package fixes security vulnerability : Stack-based buffer overflow in bmp parser (CVE-2013-1953). Updated autotrace package corrects the...

0.5 AI Score

0.004 EPSS

2013-07-03 12:00 AM
9
nessus

Mandriva Linux Security Advisory : puppet (MDVSA-2013:186)

Updated puppet packages fix remote code execution vulnerability When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of....

-0.2 AI Score

0.223 EPSS

2013-06-29 12:00 AM
7
nessus

Mandriva Linux Security Advisory : mesa (MDVSA-2013:182)

Updated mesa packages fix multiple vulnerabilities An out-of-bounds access flaw was found in Mesa. If an application using Mesa exposed the Mesa API to untrusted inputs (Mozilla Firefox does this), an attacker could cause the application to crash or, potentially, execute arbitrary code with the...

0.5 AI Score

0.014 EPSS

2013-06-28 12:00 AM
10
nessus

Mandriva Linux Security Advisory : perl-Module-Signature (MDVSA-2013:185)

Updated perl-Module-Signature package fixes CVE-2013-2145 Arbitrary code execution vulnerability in Module::Signature before 0.72...

0.1 AI Score

0.002 EPSS

2013-06-28 12:00 AM
10
nessus

Mandriva Linux Security Advisory : curl (MDVSA-2013:180)

A vulnerability has been discovered and corrected in curl : libcurl is vulnerable to a case of bad checking of the input data which may lead to heap corruption. The function curl_easy_unescape() decodes URL encoded strings to raw binary data. URL encoded octets are represented with %HH...

AI Score

0.093 EPSS

2013-06-28 12:00 AM
13
nessus

Mandriva Linux Security Advisory : perl-Dancer (MDVSA-2013:184)

Updated perl-Dancer package fixes CVE-2012-5572 A security flaw was found in the way Dancer.pm, lightweight yet powerful web application framework / Perl language module, performed sanitization of values to be used for cookie() and cookies() methods. A remote attacker could use this flaw to inject....

-0.5 AI Score

0.005 EPSS

2013-06-28 12:00 AM
12
nessus

Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:183)

Updated java-1.7.0-openjdk packages fix multiple security vulnerabilities Multiple flaws were discovered in the ImagingLib and the image attribute, channel, layout and raster processing in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java...

9 AI Score

0.968 EPSS

2013-06-28 12:00 AM
146
nessus

Mandriva Linux Security Advisory : nfs-utils (MDVSA-2013:178)

Updated nfs-utils packages fix security vulnerability : It was reported that rpc.gssd in nfs-utils is vulnerable to DNS spoofing due to it depending on PTR resolution for GSSAPI authentication. Because of this, if a user were able to poison DNS to a victim's computer, they would be able to trick...

AI Score

0.006 EPSS

2013-06-26 12:00 AM
6
nessus

Mandriva Linux Security Advisory : dbus (MDVSA-2013:177)

Updated dbus packages fix security vulnerability. Alexandru Cornea discovered a vulnerability in libdbus caused by an implementation bug in _dbus_printf_string_upper_bound(). This vulnerability can be exploited by a local user to crash system services that use libdbus, causing denial of service....

5.5 AI Score

0.0004 EPSS

2013-06-26 12:00 AM
12
nessus

Mandriva Linux Security Advisory : kernel (MDVSA-2013:176)

Multiple vulnerabilities have been found and corrected in the Linux kernel : The scm_set_cred function in include/net/scm.h in the Linux kernel before 3.8.11 uses incorrect uid and gid values during credentials passing, which allows local users to gain privileges via a crafted application....

7.9 AI Score

0.009 EPSS

2013-06-25 12:00 AM
16
nessus

Mandriva Linux Security Advisory : owncloud (MDVSA-2013:175)

Multiple vulnerabilities have been found and corrected in owncloud : Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the files_videoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allows authenticated remote attackers to...

AI Score

0.001 EPSS

2013-06-18 12:00 AM
7
nessus

Mandriva Linux Security Advisory : apache (MDVSA-2013:174)

Multiple vulnerabilities have been found and corrected in apache : mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an...

0.5 AI Score

0.383 EPSS

2013-06-16 12:00 AM
15
nessus

Mandriva Linux Security Advisory : subversion (MDVSA-2013:173)

Multiple vulnerabilities have been found and corrected in subversion : If a filename which contains a newline character (ASCII 0x0a) is committed to a repository using the FSFS format, the resulting revision is corrupt. This can lead to disruption for users of the repository (CVE-2013-1968)....

0.1 AI Score

0.006 EPSS

2013-06-14 12:00 AM
8
nessus

Mandriva Linux Security Advisory : wireshark (MDVSA-2013:172)

Multiple vulnerabilities have been found and corrected in wireshark : The ASN.1 BER dissector could crash (CVE-2013-3557). The CAPWAP dissector could crash (CVE-2013-4074). The HTTP dissector could overrun the stack (CVE-2013-4081). The DCP ETSI dissector could crash...

0.1 AI Score

0.061 EPSS

2013-06-13 12:00 AM
11

Total number of security vulnerabilities: 3231