Moritz Muehlenhoff | 20 Jul 23:17 2014

[SECURITY] [DSA 2983-1] drupal7 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-2983-1                   security <at> debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
July 20, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : drupal7
CVE ID         : not yet available

Multiple security issues have been discovered in the Drupal content
management system, ranging from denial of service to cross-site
scripting. More information can be found at
https://www.drupal.org/SA-CORE-2014-003

For the stable distribution (wheezy), this problem has been fixed in
version 7.14-2+deb7u5.

For the testing distribution (jessie), this problem has been fixed in
version 7.29-1.

For the unstable distribution (sid), this problem has been fixed in
version 7.29-1.

We recommend that you upgrade your drupal7 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Moritz Muehlenhoff | 19 Jul 12:09 2014

[SECURITY] [DSA 2982-1] ruby-activerecord-3.2 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-2982-1                   security <at> debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
July 19, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby-activerecord-3.2
CVE ID         : CVE-2014-3482 CVE-2014-3483

Sean Griffin discovered two vulnerabilities in the PostgreSQL adapter 
for Active Record which could lead to SQL injection.

For the stable distribution (wheezy), these problems have been fixed in
version 3.2.6-5+deb7u1. Debian provides two variants of "Ruby on Rails" 
in Wheezy (2.3 and 3.2). Support for the 2.3 variants had to be ceased 
at this point. This affects the following source packages: 
ruby-actionmailer-2.3, ruby-actionpack-2.3, ruby-activerecord-2.3,
ruby-activeresource-2.3, ruby-activesupport-2.3 and ruby-rails-2.3. The
version of Redmine in Wheezy still requires 2.3; you can use an updated
version from backports.debian.org which is compatible with rails 3.2.

For the unstable distribution (sid), these problems have been fixed in
version 3.2.19-1 of the rails-3.2 source package.

We recommend that you upgrade your ruby-activerecord-3.2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Jordan Sissel | 18 Jul 19:04 2014

CVE-2014-4326 Remote command execution in Logstash zabbix and nagios_nsca outputs.

Vendor: Elasticsearch
Product: Logstash
CVE: CVE-2014-4326
Affected versions: Logstash 1.0.14 through 1.4.1

Recommendations: All affected users should upgrade to Logstash 1.4.2.
We also provide patch instructions for Logstash 1.3.x at the bottom of
this note.

The vulnerability impacts deployments that use either the zabbix or
the nagios_nsca outputs. In these cases, an attacker with an ability
to send crafted events to any source of data for Logstash could
execute operating system commands with the permissions of the Logstash
process.

Deployments that do not use the zabbix or the nagios_nsca outputs are
not vulnerable and do not need to upgrade for this reason.

We would like to thank Jan Karwowski and Danila Borisiuk for reporting
the issue and working with us on the resolution.

Related links:

http://www.elasticsearch.org/blog/logstash-1-4-2/

Logstash 1.3.x patch instructions:

   mkdir -p /tmp/logstash-patch/logstash/outputs
   wget -O /tmp/logstash-patch/logstash/outputs/zabbix.rb

Salvatore Bonaccorso | 18 Jul 17:26 2014

[SECURITY] [DSA 2981-1] polarssl security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-2981-1                   security <at> debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
July 18, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : polarssl
CVE ID         : CVE-2014-4911
Debian Bug     : 754655

A flaw was discovered in PolarSSL, a lightweight crypto and SSL/TLS
library, which can be exploited by a remote unauthenticated attacker to
mount a denial of service against PolarSSL servers that offer GCM
ciphersuites. Potentially clients are affected too if a malicious server
decides to execute the denial of service attack against its clients.

For the stable distribution (wheezy), this problem has been fixed in
version 1.2.9-1~deb7u3.

For the testing distribution (jessie), this problem has been fixed in
version 1.3.7-2.1.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.7-2.1.

We recommend that you upgrade your polarssl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be

i amroot | 18 Jul 16:49 2014

CVE-2014-4980 Parameter Tampering in Nessus Web UI - Remote Information Disclosure

Product: Nessus
Vendor: Tenable Network Security
Version: Nessus 5.2.3-5.2.7 - Web UI 2.3.4 (potentially lower)
Vendor Notified Date: June 24, 2014
Vendor Resolved Date: June 25, 2014
Release Date: July 18, 2014
Risk: Medium
Authentication: Not Required
Remote: Yes

Description:
A parameter tampering vulnerability exists in Nessus 5.2.7 and potentially below that allows remote
attackers to retrieve potentially sensitive information from the server via the Nessus Web UI. By not
checking each parameter, an attacker can retrieve information meant for authenticated users.
Successful exploitation of this vulnerability resulted in retrieving the following data without
authentication, which can assist an attacker in launching further attacks:
Plugin Set, Server uuid, Web Server Version, Nessus UI Version, Nessus Type, Notifications, MSP,
Capabilities, Multi Scanner, Multi User, Tags, Reset Password, Report Diff, Report Email Config,
Report Email, PCI Upload, Plugin Rules, Plugin Set, Idle Timeout, Scanner Boot time, Server Version,
Feed, and Status.

Exploit steps for proof-of-concept:
1. Navigate to http://vulnerablehost.com/server/properties?token= and observe the returned content.
2. Navigate to http://vulnerablehost.com/server/properties?token=1 and observe the newly returned
content meant for authenticated sessions.

Vendor Response: Fix was added to Web UI 2.3.5 on June 25, 2014.

Reference:
CVE-2014-4980

Security Alert | 18 Jul 14:51 2014

ESA-2014-074: EMC RecoverPoint Appliance Security Control Bypass Vulnerability



ESA-2014-074: EMC RecoverPoint Appliance Security Control Bypass Vulnerability

EMC Identifier: ESA-2014-074

CVE Identifier: CVE-2014-2519 

Severity Rating: CVSS v2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P)

Affected products:
• EMC RecoverPoint 4.1

Summary:   
EMC RecoverPoint Appliance (RPA) 4.1 has the internal firewall disabled by default. 

Details:   

The firewall rule in EMC RPA 4.1 to drop incoming connections except from the ports explicitly allowed was
not enabled by default. This may allow unauthenticated malicious attackers to run port scans and/or
disrupt services remotely. 

Resolution:   

EMC recommends that RPA 4.1 customers apply the RPA 4.1.0.1 patch that contains the resolution to this
issue. To upgrade to the 4.1.0.1 patch contact Customer Support. Alternatively, customers can apply a
non-disruptive signed script to resolve this issue. Please refer to the link under “Link to remedies”
to get the script.  

Vulnerability Lab | 18 Jul 11:11 2014

Microsoft MSN HBE - Blind SQL Injection Vulnerability

Document Title:
===============
Microsoft MSN HBE - Blind SQL Injection Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1183

Video: http://www.vulnerability-lab.com/get_content.php?id=1282

Vulnerability Magazine: http://vulnerability-db.com/magazine/articles/2014/07/17/vl-core-team-published-blind-sql-injection-vulnerability-video-poc-msrc

Release Date:
=============
2014-07-17

Vulnerability Laboratory ID (VL-ID):
====================================
1183

Common Vulnerability Scoring System:
====================================
9.1

Product & Service Introduction:
===============================
MSN (originally The Microsoft Network; stylized as msn) is a collection of Internet sites and services
provided by Microsoft. 
The Microsoft Network debuted as an online service and Internet service provider on August 24, 1995, to
coincide with the 

Vulnerability Lab | 18 Jul 11:06 2014

Barracuda Networks Message Archiver 650 - Persistent Input Validation Vulnerability (BNSEC 703)

Document Title:
===============
Barracuda Networks Message Archiver 650 - Persistent Input Validation Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=751

https://www.barracuda.com/support/knowledgebase/501600000013lXe
Barracuda Networks Security ID (BNSEC): 703

BNSEC-00703: Remote authenticated persistent XSS in Barracuda Message Archiver v3.2
Solution #00006604

Release Date:
=============
2014-07-18

Vulnerability Laboratory ID (VL-ID):
====================================
751

Common Vulnerability Scoring System:
====================================
3.6

Product & Service Introduction:
===============================
The Barracuda Message Archiver is a complete and affordable email archiving solution, enabling you to
effectively 

Moritz Muehlenhoff | 17 Jul 17:59 2014

[SECURITY] [DSA 2980-1] openjdk-6 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-2980-1                   security <at> debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
July 17, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-6
CVE ID         : CVE-2014-2490 CVE-2014-4209 CVE-2014-4216 CVE-2014-4218 
                 CVE-2014-4219 CVE-2014-4244 CVE-2014-4252 CVE-2014-4262
                 CVE-2014-4263 CVE-2014-4266 CVE-2014-4268

Several vulnerabilities have been discovered in OpenJDK, an 
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure
or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 6b32-1.13.4-1~deb7u1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce <at> lists.debian.org

Moritz Muehlenhoff | 17 Jul 17:59 2014

[SECURITY] [DSA 2979-1] fail2ban security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-2979-1                   security <at> debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
July 17, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : fail2ban
CVE ID         : CVE-2013-7176 CVE-2013-7177

Two vulnerabilities were discovered in Fail2ban, a solution to ban hosts 
that cause multiple authentication errors. When using Fail2ban to monitor
Postfix or Cyrus IMAP logs, improper input validation in log parsing 
could enable a remote attacker to trigger an IP ban on arbitrary 
addresses, resulting in denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 0.8.6-3wheezy3.

For the testing distribution (jessie), these problems have been fixed in
version 0.8.11-1.

For the unstable distribution (sid), these problems have been fixed in
version 0.8.11-1.

We recommend that you upgrade your fail2ban packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Jan Kechel | 17 Jul 14:15 2014

Ignore the amount customers confirm is no security vulnerability according to PayPal


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

**********************
Title:
**********************
Transfer any amount regardless of what customer confirmed

**********************
Short description:
**********************
In PayPal Express Checkout the Online-Shop can transfer
any amount, no matter which amount the client actually
confirmed at the PayPal website.

**********************
Steps to reproduce:
**********************
1. SetExpressCheckout with any amount (e.g. 1 Dollar)
2. After confirmation of that Dollar simply call
DoExpressCheckoutPayment with any amount (e.g. 200 Dollar)

**********************
Proof of Concept:
**********************
URL:
http://lvps91-250-100-5.dedicated.hosteurope.de:43926

Just click 'step 1', login with your paypal-account and