Damien Regad | 30 Oct 21:54 2014

SQL injection vulnerability in MantisBT SOAP API

Description:

Several SQL injection vulnerabilities were identified in
CVE-2014-1609, and subsequently fixed in MantisBT release 1.2.16 [1].

However, it was recently discovered that the patch did not fully
address the original problem in the SOAP API. Research demonstrates
that using a specially crafted 'project id' parameter when calling
mc_project_get_attachments(), an attacker could still perform an SQL
injection.

Affected versions:
MantisBT >= 1.1.0a4, <= 1.2.17

Fixed in versions:
1.2.18 (not yet released)

Credit:
Issue was discovered by
- Edwin Gozeling and Wim Visser from ITsec Security Services BV
(http://www.itsec.nl)
- Paul Richards (former MantisBT developer)

References:
- further details, including patch available in our issue tracker [2] (

Please assign a CVE ID for this issue, which is a follow-up on
CVE-2014-1609 (the released fix of which was incomplete).

[1] http://www.mantisbt.org/bugs/view.php?id=16880
(Continue reading)
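The advisory above says a crafted 'project id' reaches the SQL layer of mc_project_get_attachments() unsanitised. The following is an added example, not MantisBT code, showing the shape of that bug and of the fix: a numeric identifier that arrives as a string over SOAP must be converted to an integer at the API boundary and bound as a query parameter. The table, column names and sample rows are constructed for illustration (sqlite3 is used so it runs offline).

```python
"""Added example (not MantisBT code): an unvalidated numeric SOAP parameter
as an SQL injection sink, beside the boundary check and bound query that
close it. Table name, columns and rows are constructed for illustration."""
import sqlite3


def _db():
    # Constructed sample data: attachments belonging to two projects.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE bug_file (id INTEGER, project_id INTEGER, filename TEXT)"
    )
    con.executemany(
        "INSERT INTO bug_file VALUES (?, ?, ?)",
        [(1, 1, "public.txt"), (2, 2, "secret.pdf"), (3, 2, "payroll.xls")],
    )
    return con


def get_attachments_vulnerable(con, project_id):
    """Interpolates the caller-supplied value into the query text.
    A SOAP 'project id' is a string on the wire; nothing forces it to be a number,
    so '1 OR 1=1' widens the WHERE clause to every project."""
    sql = "SELECT filename FROM bug_file WHERE project_id = %s ORDER BY id" % project_id
    return [row[0] for row in con.execute(sql)]


def get_attachments_fixed(con, project_id):
    """Canonicalise to int at the API boundary (rejecting anything else) and
    bind the value as a parameter, so the query text is constant."""
    try:
        pid = int(project_id)
    except (TypeError, ValueError):
        raise ValueError("project_id must be an integer, got %r" % (project_id,))
    sql = "SELECT filename FROM bug_file WHERE project_id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (pid,))]


def is_rejected(con, project_id):
    """True when the fixed lookup refuses the value instead of querying with it."""
    try:
        get_attachments_fixed(con, project_id)
    except ValueError:
        return True
    return False
```

The point for an incomplete fix such as the one described above: the check has to sit on the parameter at every entry point that builds a query from it, not only on the call sites that were noticed first. A bound parameter makes the query safe regardless of where the value came from, so the cast and the binding together are the robust version.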

Aaron Patterson | 30 Oct 21:29 2014

[AMENDED] [CVE-2014-7819] Arbitrary file existence disclosure in Sprockets

I've updated this advisory to include the correct version numbers in the
"Fixed Versions" section.

Arbitrary file existence disclosure in Sprockets

There is an information leak vulnerability in Sprockets. This vulnerability
has been assigned the CVE identifier CVE-2014-7819.

Versions Affected:  ALL
Not affected:       NONE
Fixed Versions:     3.0.0.beta.3, 2.12.3, 2.11.3, 2.10.2, 2.9.4, 2.8.3, 2.7.1, 2.5.1, 2.4.6, 2.3.3, 2.2.3,
2.1.4, 2.0.5

Impact
------
Specially crafted requests can be used to determine whether a file exists on
the filesystem that is outside an application's root directory.  The files will not be served, but
attackers can determine whether or not the file exists.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases 
-------- 
The 2.12.X releases are available at the normal locations. 

Workarounds 
----------- 
In Rails applications, to work around this issue, set config.serve_static_assets = false in an
initializer.  This workaround will not be possible in all hosting environments and upgrading is advised.

(Continue reading)

cve | 30 Oct 19:59 2014

CVE-2014-8559 - Linux kernel fs/dcache.c incorrect use of rename_lock


CVE-2014-8559 has been assigned to this fs/dcache.c issue that
leads to a deadlock:

  https://lkml.org/lkml/2014/10/25/171
  https://lkml.org/lkml/2014/10/25/179
  https://lkml.org/lkml/2014/10/25/180
  https://lkml.org/lkml/2014/10/26/101
  https://lkml.org/lkml/2014/10/26/116
  https://lkml.org/lkml/2014/10/26/129

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Aaron Patterson | 30 Oct 19:52 2014

Arbitrary file existence disclosure in Sprockets (CVE-2014-7819)

Arbitrary file existence disclosure in Sprockets

There is an information leak vulnerability in Sprockets. This vulnerability
has been assigned the CVE identifier CVE-2014-7819.

Versions Affected:  ALL
Not affected:       NONE
Fixed Versions:     2.12.X

Impact
------
Specially crafted requests can be used to determine whether a file exists on
the filesystem that is outside an application's root directory.  The files will not be served, but
attackers can determine whether or not the file exists.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases 
-------- 
The 2.12.X releases are available at the normal locations. 

Workarounds 
----------- 
In Rails applications, to work around this issue, set config.serve_static_assets = false in an
initializer.  This workaround will not be possible in all hosting environments and upgrading is advised.

Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release
series.  They are in git-am format and consist of a single changeset. 
(Continue reading)

Aaron Patterson | 30 Oct 19:47 2014

Arbitrary file existence disclosure in Action Pack (CVE-2014-7818)

Arbitrary file existence disclosure in Action Pack

There is an information leak vulnerability in Action Pack. This vulnerability
has been assigned the CVE identifier CVE-2014-7818.

Versions Affected:  >= 3.0.0
Not affected:       <= 3.0.0
Fixed Versions:     3.2.20, 4.0.11, 4.1.7, 4.2.0.beta3

Impact
------
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside
the Rails application's root directory.  The files will not be served, but attackers can determine
whether or not the file exists.

This only impacts Rails applications that enable static file serving at
runtime.  For example, the application's production configuration will say:

  config.serve_static_assets = true

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases 
-------- 
The 3.2.20, 4.0.11, 4.1.7 & 4.2.0.beta3 releases are available at the normal locations. 

Workarounds 
----------- 
To work around this issue, set config.serve_static_assets = false in an initializer.  This workaround
will not be possible in all hosting environments and upgrading is advised.
(Continue reading)
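Both the Sprockets advisory (CVE-2014-7819) and the Action Pack advisory (CVE-2014-7818) above describe the same class of bug: a static-file handler that never serves a file outside its root, yet answers differently depending on whether that file exists. The following is an added example, not Rails or Sprockets code, showing how the ordering of checks creates the oracle and the ordering that removes it. The handler is assumed to receive the already URL-decoded request path; the public root, the secret file and the numeric response codes are constructed for illustration.

```python
"""Added example (not Rails/Sprockets code): a static-file handler that leaks
file existence outside its root through its status code, beside one that
canonicalises and checks containment before it looks at the filesystem.
Directory layout and status codes are constructed for illustration."""
import os
import tempfile


def _make_root():
    # Constructed layout: a public root with one asset, and a secret outside it.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public")
    os.makedirs(root)
    with open(os.path.join(root, "app.js"), "w") as f:
        f.write("// asset\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside the root\n")
    return root


def serve_vulnerable(root, request_path):
    """Existence check first, containment check second.
    The file is never served, but 403 vs 404 tells the attacker whether
    ../secret.txt exists: the second check is only reached when it does."""
    candidate = os.path.join(root, request_path.lstrip("/"))
    if not os.path.isfile(candidate):
        return 404
    real_root = os.path.realpath(root)
    if not os.path.realpath(candidate).startswith(real_root + os.sep):
        return 403  # leaks: distinguishable from the 404 above
    return 200


def serve_fixed(root, request_path):
    """Canonicalise, then check containment before touching the filesystem.
    Anything outside the root gets exactly the answer a missing file gets,
    so no probe can tell the two apart."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, request_path.lstrip("/")))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        return 404
    if not os.path.isfile(candidate):
        return 404
    return 200
```

The containment test compares against `real_root + os.sep` rather than `real_root` alone so that a sibling directory such as `public2/` does not pass as inside `public/`. The same reasoning applies to any side channel, not only status codes: timing, body length and log lines must also be identical for "outside the root" and "does not exist".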

Dave Horsfall | 30 Oct 19:30 2014

Some weird Apache redirection exploit?

May not be Apache-specific, but as it's the most popular server out 
there...

What is it trying to do?  I've never seen it in my logs before.

117.27.254.25 - - [31/Oct/2014:05:16:15 +1100] "GET
?redirect:${%23w%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),%23w.println('[/ok-helo.wang]'),%23w.flush(),%23w.close()}
HTTP/1.1" 200 7543 "-" "Python-urllib/2.6"

The perp (or rather, the 0wn3d box) is somewhere in China.  When decoded, it
comes out as

GET ?redirect:${#w=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),#w.println('[/ok-helo.wang]'),#w.flush(),#w.close()}

but I'm none the wiser.

-- 
Dave Horsfall (VK2KFU)  "Bliss is a MacBook with a FreeBSD server."
http://www.horsfall.org/spam.html (and check the home page whilst you're there)
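The decoded request in the post above is an OGNL expression addressed to the XWork value-stack context that Apache Struts 2 uses; the `redirect:` prefix targets the Struts 2 parameter-prefix handling, and the expression tries to obtain the servlet response writer and print the marker `[/ok-helo.wang]` into the body so the scanner can tell whether the expression was evaluated. The following is an added example, not part of the original post, that decodes the logged request target and flags the OGNL markers in it; the log line is the one quoted in the post, and the marker list and the "is this a probe" rule are this example's own heuristic.

```python
"""Added example (not from the original post): URL-decode the request target
from a combined-format log line and flag OGNL expression markers in it.
LOG_LINE is the line quoted in the post; OGNL_MARKERS is this example's own
heuristic, not an authoritative signature."""
import re
from urllib.parse import unquote

LOG_LINE = (
    '117.27.254.25 - - [31/Oct/2014:05:16:15 +1100] "GET '
    "?redirect:${%23w%3d%23context.get('com.opensymphony.xwork2.dispatcher"
    ".HttpServletResponse').getWriter(),%23w.println('[/ok-helo.wang]'),"
    "%23w.flush(),%23w.close()} "
    'HTTP/1.1" 200 7543 "-" "Python-urllib/2.6"'
)

# Substrings seen in OGNL injection attempts against Struts 2 / XWork:
# an expression wrapper plus references to the XWork context or classes.
OGNL_MARKERS = ("${", "%{", "#context", "xwork2", "#_memberAccess", "getWriter()")

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_request_target(log_line):
    """Return the URL-decoded request target, or None if no request line is found."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    return unquote(m.group("target"))


def ognl_markers(log_line):
    """Markers present in the decoded request target, in OGNL_MARKERS order."""
    target = decode_request_target(log_line)
    if target is None:
        return []
    return [mk for mk in OGNL_MARKERS if mk in target]


def is_ognl_probe(log_line):
    """Flag a line that carries an expression wrapper and a context/class reference."""
    found = set(ognl_markers(log_line))
    has_wrapper = bool(found & {"${", "%{"})
    has_context = bool(found & {"#context", "xwork2", "#_memberAccess"})
    return has_wrapper and has_context
```

The 200 with a 7543-byte body in the log does not by itself mean the expression ran; a server that ignores the `redirect:` prefix returns its normal page. If the expression had been evaluated, the marker string `[/ok-helo.wang]` would appear in the response body, which is what the scanner's author reads back.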

Valery Sizov | 30 Oct 16:41 2014

CVE request for GitLab groups API

Hello,
I would like to request a CVE identifier for a vulnerability in the groups
API of GitLab.

Affected versions:
The groups API vulnerability affects GitLab 6.0 and up.

Impact:
The vulnerability patched by this release allows a guest user to delete the
owner of a group and to assign any other member as owner through the groups
API.

You can read more details here
https://about.gitlab.com/2014/10/30/gitlab-7-4-3-released/
Bastien ROUCARIES | 29 Oct 16:17 2014

Request cve for imagemagick security problem (DOS)

Hi,

I request a CVE identifier for imagemagick.

Removing a profile from a JPG image creates an infinite loop with at least
version 6.8.9.6.

Version 6.7.7.10 is not affected.

Version 6.8.9.9 and more recent are fixed.

You can trigger it by running convert test.jpg +profile '!icc,*' out.jpg

It could be exploited through imagick and thus may be remotely exploitable.

More information: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764872
and the fix is
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26399#p116146

Thanks

Bastien
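A hang is awkward to test for by hand because the reproducer never returns. The following is an added example, not ImageMagick code, that wraps the command line from the report in a time limit so an affected build is reported as hanging and killed rather than left spinning. The `convert` invocation and the `!icc,*` pattern are taken from the message above; the time limit and the file names are assumptions.

```python
"""Added example (not ImageMagick code): run the reproducer from the report
under a time limit and report whether it hung. The time limit and the
input/output file names are assumptions; the command is the one reported."""
import subprocess


def hangs(cmd, timeout=10):
    """Run cmd; return True if it exceeds timeout (the child is killed),
    False if it exits in time. The exit status itself is not inspected."""
    try:
        subprocess.run(
            cmd,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
            check=False,
        )
    except subprocess.TimeoutExpired:
        return True
    return False


def profile_strip_hangs(src="test.jpg", dst="out.jpg", timeout=10):
    """The reported reproducer: convert src +profile '!icc,*' dst.
    True means this ImageMagick build looped past the time limit."""
    return hangs(["convert", src, "+profile", "!icc,*", dst], timeout)
```

Any JPEG carrying at least one embedded profile will do as `test.jpg`; a generous limit such as ten seconds separates a genuine infinite loop from a slow machine.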

Alistair Crooks | 28 Oct 17:50 2014

ftp(1) can be made to execute arbitrary commands by a malicious webserver

Hi,

Despite being old, tnftp(1) is quite widely used, hence this request.

Could we get a CVE issued for this one, please?

Sorry about the lack of warning, I wasn't aware of the issue before
the fixes were committed to the repo.

FreeBSD and Dragonfly have been informed, as has Apple, and I have
received a boilerplate reply from Apple.  The issue is present in
10.10 (Yosemite).

Thanks,
Alistair
---
Security Officer, NetBSD

Just a quick heads-up, and sorry that no notice was given - the issue
is that a malicious server can cause ftp(1) to execute arbitrary
commands:

   If you do "ftp http://server/path/file.txt" and don't specify an output
   filename with -o, the ftp program can be tricked into executing
   arbitrary commands.

   The FTP client will follow HTTP redirects, and uses the part of the
   path after the last / from the last resource it accesses as the output
   filename (as long as -o is not specified).

(Continue reading)
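The behaviour described above is that, without -o, the output file name comes from the last resource actually fetched, which after an HTTP redirect is a name chosen by the server rather than by the user. The following is an added example, not tnftp code, that models that derivation beside a derivation that keeps the name tied to the URL the user typed and refuses anything that is not a plain file name. The redirect chain is constructed; how a hostile name then becomes a command is not described in the message and is not shown here. The hardened rule is this example's own, not the project's fix.

```python
"""Added example (not tnftp code): output-file naming as described in the
report (name taken from the last redirect target) beside a derivation that
uses only the URL the user asked for. Redirect chain is constructed; the
hardened rule is this example's own."""
from urllib.parse import urlsplit


def basename_of(url):
    """The part of the URL path after the last '/' (query string ignored)."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def output_name_vulnerable(requested_url, redirect_targets, out=None):
    """Behaviour from the report: with no -o, name the file after the last
    resource actually fetched. A redirecting server picks that name."""
    if out is not None:
        return out
    last = redirect_targets[-1] if redirect_targets else requested_url
    return basename_of(last)


def output_name_hardened(requested_url, redirect_targets, out=None):
    """Derive the name from the URL the user typed, never from a redirect,
    and refuse anything that is empty or a directory reference."""
    if out is not None:
        return out
    name = basename_of(requested_url)
    if not name or name in (".", "..") or "/" in name:
        raise ValueError("refusing to derive an output name from %r" % requested_url)
    return name
```

The practitioner's check is simply to pass -o whenever the URL is not fully trusted; then neither derivation runs.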

Tristan Cacqueray | 28 Oct 17:13 2014

[OSSA 2014-038] Nova network DoS through API filtering (CVE-2014-3708)

OpenStack Security Advisory: 2014-038
CVE: CVE-2014-3708
Date: October 28, 2014
Title: Nova network DoS through API filtering
Reporter: Mohammed Naser (Vexxhost)
Products: Nova
Versions: up to 2014.1.3, and 2014.2

Description:
Mohammed Naser from Vexxhost reported a vulnerability in Nova API
filters. By listing active servers using an ip filter, an authenticated
user may overload nova-network or neutron-server process, resulting in a
denial of service. All Nova setups are affected.

Kilo (development branch) fix:
https://review.openstack.org/131460

Juno fix:
https://review.openstack.org/131462

Icehouse fix:
https://review.openstack.org/131461

Notes:
This fix will be included in future 2014.1.4 and 2014.2.1 releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3708
https://launchpad.net/bugs/1358583

(Continue reading)

Petr Matousek | 27 Oct 12:12 2014

CVE-2014-4877 wget: FTP symlink arbitrary filesystem access

It was found that wget was susceptible to a symlink attack which could
create arbitrary files, directories or symbolic links and set their
permissions when retrieving a directory recursively through FTP.

Upstream fix:
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=18b0979357ed7dc4e11d4f2b1d7e0f5932d82aa7

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1139181

-- 
Petr Matousek / Red Hat Product Security
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA
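The advisory above says a recursive FTP retrieval can be made to create arbitrary symlinks, after which the rest of the recursion reads and writes through them. The following is an added example, not wget code, that mirrors a constructed LIST response two ways: recreating every listed link as the server describes it, and recreating only links whose resolved target stays inside the destination directory. The listing format and the containment rule are this example's own; wget's actual listing parser and its fix in the commit linked above are not reproduced here.

```python
"""Added example (not wget code): a recursive FTP mirror that recreates the
symlinks a server lists, beside one that checks where each link resolves
before creating it. The LIST output is constructed for illustration."""
import os
import tempfile

# Constructed UNIX-style LIST output from a hostile server: one regular file,
# one symlink escaping to the filesystem root, one harmless relative symlink.
LISTING = """\
-rw-r--r--  1 ftp ftp   12 Oct 27 10:00 readme.txt
lrwxrwxrwx  1 ftp ftp    1 Oct 27 10:00 escape -> /
lrwxrwxrwx  1 ftp ftp   10 Oct 27 10:00 alias -> readme.txt
"""


def parse_symlinks(listing):
    """(name, target) pairs for the 'l' entries of a UNIX-style LIST response."""
    links = []
    for line in listing.splitlines():
        if line.startswith("l") and " -> " in line:
            lhs, target = line.rsplit(" -> ", 1)
            name = lhs.split(None, 8)[8]  # ninth field: everything after the time
            links.append((name, target))
    return links


def fresh_dest():
    """A new empty destination directory (constructed for the example)."""
    return tempfile.mkdtemp()


def link_target(dest, name):
    """What the created link at dest/name points to."""
    return os.readlink(os.path.join(dest, name))


def mirror_vulnerable(dest, listing):
    """Trusts the server: creates each symlink exactly as listed. A later
    recursion into 'escape/' then operates on '/' instead of on dest."""
    created = []
    for name, target in parse_symlinks(listing):
        os.symlink(target, os.path.join(dest, name))
        created.append(name)
    return created


def mirror_hardened(dest, listing):
    """Only recreate links whose resolved target stays inside dest; report the
    rest as skipped. (Retrieving the linked file instead of creating a link
    is the other safe option.)"""
    real_dest = os.path.realpath(dest)
    created, skipped = [], []
    for name, target in parse_symlinks(listing):
        resolved = os.path.realpath(os.path.join(real_dest, target))
        if resolved == real_dest or resolved.startswith(real_dest + os.sep):
            os.symlink(target, os.path.join(real_dest, name))
            created.append(name)
        else:
            skipped.append(name)
    return created, skipped
```

The containment check has to run on the resolved path, since a relative target such as `../../..` escapes just as well as an absolute one, and it has to be repeated for every link as the recursion descends, because a link created earlier changes what later relative paths resolve to.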

