Salvatore Bonaccorso | 18 Sep 22:30 2014

[SECURITY] [DSA 3025-2] apt regression update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3025-2                   security <at> debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
September 18, 2014                     http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : apt
Debian Bug     : 762079

The previous update for apt, DSA-3025-1, introduced a regression when
file:/// sources are used and those are on a different partition than
the apt state directory. This update fixes the regression.

For reference, the original advisory follows.

It was discovered that APT, the high level package manager, does not
properly invalidate unauthenticated data (CVE-2014-0488), performs
incorrect verification of 304 replies (CVE-2014-0487), does not perform
the checksum check when the Acquire::GzipIndexes option is used
(CVE-2014-0489) and does not properly perform validation for binary
packages downloaded by the apt-get download command (CVE-2014-0490).

For the stable distribution (wheezy), this problem has been fixed in
version 0.9.7.9+deb7u4.

For the unstable distribution (sid), this problem has been fixed in
version 1.0.9.1.

We recommend that you upgrade your apt packages.
(Continue reading)

Asterisk Security Team | 18 Sep 21:17 2014

AST-2014-010: Remote crash when handling out of call message in certain dialplan configurations

               Asterisk Project Security Advisory - AST-2014-010

         Product        Asterisk                                              
         Summary        Remote crash when handling out of call message in     
                        certain dialplan configurations                       
    Nature of Advisory  Remotely triggered crash of Asterisk                  
      Susceptibility    Remote authenticated sessions                         
         Severity       Minor                                                 
      Exploits Known    No                                                    
       Reported On      05 September 2014                                     
       Reported By      Philippe Lindheimer                                   
        Posted On       18 September 2014                                     
     Last Updated On    September 18, 2014                                    
     Advisory Contact   Matt Jordan <mjordan AT digium DOT com>               
         CVE Name       Pending                                               

    Description  When an out of call message - delivered by either the SIP    
                 or PJSIP channel driver or the XMPP stack - is handled in    
                 Asterisk, a crash can occur if the channel servicing the     
                 message is sent into the ReceiveFax dialplan application     
                 while using the res_fax_spandsp module.                      

                 Note that this crash does not occur when using the           
                 res_fax_digium module.                                       

                 While this crash technically occurs due to a configuration   
                 issue, as attempting to receive a fax from a channel driver  
                 that only contains textual information will never succeed,   
                 the likelihood of having it occur is sufficiently high as    
                 to warrant this advisory.                                    
(Continue reading)

Asterisk Security Team | 18 Sep 21:17 2014

AST-2014-009: Remote crash based on malformed SIP subscription requests

               Asterisk Project Security Advisory - AST-2014-009

         Product        Asterisk                                              
         Summary        Remote crash based on malformed SIP subscription      
                        requests                                              
    Nature of Advisory  Remotely triggered crash of Asterisk                  
      Susceptibility    Remote authenticated sessions                         
         Severity       Major                                                 
      Exploits Known    No                                                    
       Reported On      30 July, 2014                                         
       Reported By      Mark Michelson                                        
        Posted On       18 September, 2014                                    
     Last Updated On    September 18, 2014                                    
     Advisory Contact   Mark Michelson <mmichelson AT digium DOT com>         
         CVE Name       Pending                                               

    Description  It is possible to trigger a crash in Asterisk by sending a   
                 SIP SUBSCRIBE request with unexpected mixes of headers for   
                 a given event package. The crash occurs because Asterisk     
                 allocates data of one type at one layer and then interprets  
                 the data as a separate type at a different layer. The crash  
                 requires that the SUBSCRIBE be sent from a configured        
                 endpoint, and the SUBSCRIBE must pass any authentication     
                 that has been configured.                                    

                 Note that this crash is in Asterisk's PJSIP-based            
                 res_pjsip_pubsub module and not in the old chan_sip module.  

    Resolution  Type-safety has been built into the pubsub API where it       
                previously was absent. A test has been added to the           
(Continue reading)

Christey, Steven M. | 18 Sep 19:09 2014

CVE ID Syntax Change - Deadline Approaching


As we approach the end of 2014, CVE identifiers are getting closer and
closer to the magic CVE-2014-9999 mark, which means that MITRE will be
issuing a 5-digit CVE ID within a matter of months, in accordance with
the new syntax that was selected in 2013 (basically using 5, 6, or
even more digits as needed).  Some people are still unaware that this
change has happened or have been slow to implement it.

Once a CVE identifier is issued using the new syntax, some security
products and processes could break or report incorrect vulnerability
identifiers, making vulnerability management more difficult.  Consider
a product that stops processing an XML document because its validation
step assumes that CVE IDs have only 4 digits.  Perhaps worse, consider
a critical vulnerability in a popular product that is given a 5-digit
CVE ID, which is inadvertently and silently truncated to a 4-digit ID
for a low-priority issue in a rarely-used product.  We know of at
least 6 different products or services that have had problems.
Custom, in-house software is not necessarily immune, either.

MITRE has been assigning CVE IDs faster than ever; we're up to
CVE-2014-6446 even though it's only September, which puts us on pace
to exceed 9000 for 2014 by the end of the year - and the rate of
assignment could increase in the coming months.  Even if we don't
reach 10,000 CVE-2014-xxxx identifiers by the end of 2014, MITRE will
be issuing at least one 5-digit identifier no later than January 13,
2015, to ensure that all software is tested for support of the new
syntax.
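The failure mode described above (a 5-digit ID silently truncated to a 4-digit ID for an unrelated issue) is easy to reproduce with the kind of pattern match that much tooling used before the syntax change. The following Python is an added example, not code from MITRE or from the original post; it contrasts a fragile `\d{4}` pattern with one that accepts four or more sequence digits, and reports every place where the fragile pattern would have rewritten an ID. The sample feed text and the ID `CVE-2014-12345` are constructed for illustration and do not refer to a real vulnerability.

```python
import re

# Fragile pattern: assumes the sequence part is exactly four digits.
# This is the assumption the advisory warns about.
FRAGILE_CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4})")

# Pattern under the 2013 syntax: four digits minimum, no upper bound.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Constructed sample of a vulnerability feed; CVE-2014-12345 is a placeholder.
SAMPLE_FEED = (
    "Fixed CVE-2014-0032 in Subversion; "
    "critical issue CVE-2014-12345 (constructed placeholder) in product X."
)


def extract_cve_ids_fragile(text):
    """IDs as a pre-2014 tool would see them: 5-digit IDs come back truncated."""
    return [m.group(0) for m in FRAGILE_CVE_RE.finditer(text)]


def extract_cve_ids(text):
    """IDs under the current syntax: the full sequence number is kept."""
    return [m.group(0) for m in CVE_RE.finditer(text)]


def is_valid_cve_id(candidate):
    """Validation step that accepts CVE-YYYY-NNNN and any longer sequence."""
    return CVE_RE.fullmatch(candidate) is not None


def find_truncations(text):
    """Return (truncated, actual) pairs where the fragile pattern would
    silently map a long ID onto a different, shorter ID."""
    pairs = []
    for m in CVE_RE.finditer(text):
        actual = m.group(0)
        truncated = FRAGILE_CVE_RE.match(actual).group(0)
        if truncated != actual:
            pairs.append((truncated, actual))
    return pairs


if __name__ == "__main__":
    print("fragile :", extract_cve_ids_fragile(SAMPLE_FEED))
    print("correct :", extract_cve_ids(SAMPLE_FEED))
    print("rewrites:", find_truncations(SAMPLE_FEED))
```

Running the block shows the fragile extractor returning `CVE-2014-1234` for the placeholder `CVE-2014-12345`, which is exactly the "critical issue becomes a low-priority ID" case from the post. Run `find_truncations` over your own feed or database exports to locate records that an older parser has already rewritten.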

To help people address this problem, we have created a web page about
the ID syntax change, including the product features most likely to be
(Continue reading)

Apple Product Security | 18 Sep 17:40 2014

APPLE-SA-2014-09-17-7 Xcode 6.0.1


APPLE-SA-2014-09-17-7 Xcode 6.0.1

Xcode 6.0.1 is now available and addresses the following:

subversion
Available for:  OS X Mavericks v10.9.4 or later
Impact:  A malicious attacker may be able to cause Subversion
to terminate unexpectedly
Description:  A denial of service issue existed in Subversion when
SVNListParentPath was enabled. This issue was addressed by updating
Subversion to version 1.7.17.
CVE-ID
CVE-2014-0032

Xcode 6.0.1 may be obtained from the Downloads section of the
Apple Developer Connection Member site:  http://developer.apple.com/
Login is required, and membership is free.

Xcode 6.0.1 is also available from the App Store. It is free to
anyone with OS X Mavericks v10.9.4 and later.

To check that the Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "6.0.1".

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
(Continue reading)

Vulnerability Lab | 18 Sep 13:29 2014

Oracle Corporation MyOracle - Persistent Vulnerability

Document Title:
===============
Oracle Corporation MyOracle - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1261

Oracle Security ID (Team Tracking ID): admin <at> vulnerability-lab.com-001:2014

http://vulnerability-db.com/magazine/articles/2014/09/17/oracle-corporation-fixed-vulnerability-myoracle-online-service-application

Release Date:
=============
2014-09-17

Vulnerability Laboratory ID (VL-ID):
====================================
1261

Common Vulnerability Scoring System:
====================================
3.9

Product & Service Introduction:
===============================
Oracle Corporation is an American multinational computer technology corporation headquartered in Redwood City, California, United States.
The company specializes in developing and marketing computer hardware systems and enterprise software products – particularly its own brands
(Continue reading)

VSR Advisories | 18 Sep 07:07 2014

Apple iOS / OSX Foundation NSXMLParser XML eXternal Entity (XXE) Flaw

hope that it will help promote public safety.  This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose.  Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible
disclosure practices:
  http://www.vsecurity.com/company/disclosure

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
     Copyright 2014 Virtual Security Research, LLC.  All rights reserved.

Apple Product Security | 18 Sep 04:47 2014

APPLE-SA-2014-09-17-6 OS X Server 2.2.3


APPLE-SA-2014-09-17-6 OS X Server 2.2.3

OS X Server 2.2.3 is now available and addresses the following:

CoreCollaboration
Available for:  OS X Mountain Lion v10.8.5
Impact:  A remote attacker may be able to execute arbitrary SQL
queries
Description:  A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad <at> securation.com) of CERT of
Ferdowsi University of Mashhad

OS X Server 2.2.3 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

Apple Product Security | 18 Sep 04:46 2014

APPLE-SA-2014-09-17-5 OS X Server 3.2.1


APPLE-SA-2014-09-17-5 OS X Server 3.2.1

OS X Server 3.2.1 is now available and addresses the following:

CoreCollaboration
Available for:  OS X Mavericks v10.9.5 or later
Impact:  A remote attacker may be able to execute arbitrary SQL
queries
Description:  A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad <at> securation.com) of CERT of
Ferdowsi University of Mashhad

CoreCollaboration
Available for:  OS X Mavericks v10.9.5 or later
Impact:  Visiting a maliciously crafted website may lead to the
execution of arbitrary JavaScript
Description:  A cross-site scripting issue existed in Xcode Server.
This issue was addressed through improved encoding of HTML output.
CVE-ID
CVE-2014-4406 : David Hoyt of Hoyt LLC

CoreCollaboration
Available for:  OS X Mavericks v10.9.5 or later
Impact:  Multiple vulnerabilities in PostgreSQL, the most serious of
which may lead to arbitrary code execution
Description:  Multiple vulnerabilities existed in PostgreSQL. This
issue was addressed by updating PostgreSQL to version 9.2.7.
(Continue reading)

Apple Product Security | 18 Sep 04:36 2014

APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update 2014-004


APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update
2014-004

OS X Mavericks 10.9.5 and Security Update 2014-004 are now available
and address the following:

apache_mod_php
Available for:  OS X Mavericks 10.9 to 10.9.4
Impact:  Multiple vulnerabilities in PHP 5.4.24
Description:  Multiple vulnerabilities existed in PHP 5.4.24, the
most serious of which may have led to arbitrary code execution. This
update addresses the issues by updating PHP to version 5.4.30
CVE-ID
CVE-2013-7345
CVE-2014-0185
CVE-2014-0207
CVE-2014-0237
CVE-2014-0238
CVE-2014-1943
CVE-2014-2270
CVE-2014-3478
CVE-2014-3479
CVE-2014-3480
CVE-2014-3487
CVE-2014-3515
CVE-2014-3981
CVE-2014-4049

Bluetooth
(Continue reading)

Apple Product Security | 18 Sep 04:37 2014

APPLE-SA-2014-09-17-4 Safari 6.2 and Safari 7.1


APPLE-SA-2014-09-17-4 Safari 6.2 and Safari 7.1

Safari 6.2 and Safari 7.1 are now available and address the
following:

Safari
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  An attacker with a privileged network position may intercept
user credentials
Description:  Saved passwords were autofilled on http sites, on https
sites with broken trust, and in iframes. This issue was addressed by
restricting password autofill to the main frame of https sites with
valid certificate chains.
CVE-ID
CVE-2014-4363 : David Silver, Suman Jana, and Dan Boneh of Stanford
University working with Eric Chen and Collin Jackson of Carnegie
Mellon University

WebKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-6663 : Atte Kettunen of OUSPG
CVE-2014-4410 : Eric Seidel of Google
CVE-2014-4411 : Google Chrome Security Team
CVE-2014-4412 : Apple
(Continue reading)
