C. R. Oldham | 21 Aug 18:44 2014

Revised: Salt 2014.1.10 released

Greetings,

We are pleased to announce the 2014.1.10 release of Salt. The release notes can be found here: 

http://docs.saltstack.com/en/latest/topics/releases/2014.1.10.html

The sources are available on pypi:

https://pypi.python.org/pypi/salt/2014.1.10

Salt 2014.1.10 fixes security issues documented by CVE-2014-3563: Insecure tmp-file creation in
seed.py, salt-ssh, and salt-cloud. Upgrading is recommended.

Special thanks to Kurt Seifried at Red Hat for investigating these issues and bringing them to our
attention (and also letting me know that my first post got mangled somehow).

-- 
C. R. Oldham, Platform Engineer, SaltStack, Inc.
801-564-4673 / cr@... / https://github.com/cro
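
The class of bug named in the advisory above (insecure tmp-file creation) is easy to reproduce in a sandbox. The following is an added illustration, not Salt's code: it plants a symlink at a predictable name, shows a plain open() following it, and contrasts that with an O_EXCL open and with tempfile.mkstemp(). The file names and directory layout are invented for the demo.

```python
"""Predictable temp-file names vs. exclusive creation (added illustration, not Salt code)."""
import os
import shutil
import stat
import tempfile


def write_insecure(path: str, data: bytes) -> None:
    """Vulnerable pattern: a fixed, predictable name opened with plain open().

    open(path, "wb") is O_CREAT|O_TRUNC without O_EXCL, so if an attacker has
    already planted a symlink at `path`, the write follows it and overwrites
    whatever the link points at, with the caller's privileges.
    """
    with open(path, "wb") as f:
        f.write(data)


def write_exclusive(path: str, data: bytes) -> None:
    """Fail-closed variant for when the name really must be fixed.

    O_EXCL makes open(2) return EEXIST if anything (regular file or symlink)
    already sits at `path`; O_NOFOLLOW is defence in depth; mode 0600 keeps the
    file private from creation instead of chmod'ing it afterwards.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def write_mkstemp(data: bytes, tmpdir: str) -> str:
    """Preferred pattern: mkstemp() picks an unpredictable name and opens it
    with O_CREAT|O_EXCL and mode 0600 in one step, then returns the path."""
    fd, path = tempfile.mkstemp(dir=tmpdir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Stage the race in a throwaway directory (all names constructed here)."""
    sandbox = tempfile.mkdtemp()
    try:
        victim = os.path.join(sandbox, "victim.conf")
        with open(victim, "wb") as f:
            f.write(b"original")
        planted = os.path.join(sandbox, "predictable.tmp")   # the name a tool would reuse
        os.symlink(victim, planted)                          # attacker wins the race

        write_insecure(planted, b"pwned")
        with open(victim, "rb") as f:
            victim_after_insecure = f.read()                 # symlink was followed

        try:
            write_exclusive(planted, b"pwned again")
            exclusive_result = "wrote"
        except OSError:                                      # EEXIST: refused
            exclusive_result = "refused"

        safe_path = write_mkstemp(b"safe", sandbox)
        return {
            "victim_after_insecure": victim_after_insecure,
            "exclusive_result": exclusive_result,
            "mkstemp_mode": stat.S_IMODE(os.stat(safe_path).st_mode),
            "mkstemp_in_sandbox": os.path.dirname(safe_path) == sandbox,
        }
    finally:
        shutil.rmtree(sandbox)


if __name__ == "__main__":
    print(demo())
```

The demo runs on POSIX systems (it needs symlinks). Note that the exclusive open refuses the planted link outright; mkstemp() sidesteps the problem entirely because the attacker cannot guess the name to plant.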

Tristan Cacqueray | 21 Aug 16:09 2014

[OSSA 2014-028] Glance store DoS through disk space exhaustion (CVE-2014-5356)

OpenStack Security Advisory: 2014-028
CVE: CVE-2014-5356
Date: August 21, 2014
Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2

Description:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
vulnerability in Glance. By uploading a large enough image to a Glance
store, an authenticated user may fill the store space because the
image_size_cap configuration option is not honored. This may prevent
further image upload and/or cause service disruption. Note that the
import method is not affected. All Glance setups using API v2 are
affected (unless you use a policy to restrict/disable image upload).

Juno (development branch) fix:
https://review.openstack.org/91764

Icehouse fix:
https://review.openstack.org/115280

Havana fix:
https://review.openstack.org/115289

Notes:
This fix will be included in the Juno-3 development milestone and in
future 2013.2.4 and 2014.1.3 releases.


C. R. Oldham | 21 Aug 00:01 2014
Murray McAllister | 21 Aug 08:31 2014

CVE request: possible overflow in vararg functions

Good morning,

An overflow was reported to have been fixed in Lua 5.2.2. A reproducer 
and patch are available from:

http://www.lua.org/bugs.html#5.2.2-1

The reproducer affects older versions too (such as 5.1.4). One way an 
attacker could trigger this issue is if they can control parameters to a 
loadstring call (an eval in Lua, http://en.wikipedia.org/wiki/Eval#Lua).

Could a CVE please be assigned if one has not been already?

Some notes:

valgrind shows this crashes with invalid writes, but I am not sure if 
this is really a stack or heap overflow or something else. In 
luaD_precall():

330       for (; n < p->numparams; n++)
331         setnilvalue(L->top++);  /* complete missing arguments */

This goes through 49 times with the reproducer (?possibly lifting what 
Lua thinks is the stack into the heap area?).

After that finishes:

333       ci = next_ci(L);

Results in a call to luaE_extendCI(), where the issue is triggered while 

Arun Babu Neelicattu | 20 Aug 18:27 2014

CVE Request: Multiple issues in com.ning:async-http-client

Hi,

We noticed these issues were filed upstream and were never assigned 
CVE(s). Can we please get CVE(s) assigned to the following issues?

1. async-http-client: SSL/TLS certificate verification disabled
https://github.com/AsyncHttpClient/async-http-client/issues/352

2. async-http-client: No SSL HostName verification
https://github.com/AsyncHttpClient/async-http-client/issues/197

Cheers,
Arun
-- 
Arun Neelicattu / Red Hat Product Security
PGP: 0xC244393B 5229 F596 474F 00A1 E416  CF8B 36F5 5054 C244 393B

David Jorm | 20 Aug 06:18 2014

CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack

Hi All

I noticed that the fix for CVE-2012-5784 was incomplete. The code added 
to check that the server hostname matches the domain name in the 
subject's CN field was flawed. This can be exploited by a 
Man-in-the-middle (MITM) attack where the attacker can spoof a valid 
certificate using a specially crafted subject.

Note that Axis 1 is EOL upstream, and the incomplete patch for 
CVE-2012-5784 was never merged upstream. It was, however, shipped by 
various vendors, including Debian and Red Hat. I do not believe Axis 2 
is affected.

The incomplete patch:

https://issues.apache.org/jira/secure/attachment/12560257/CVE-2012-5784-2.patch

is attached to this issue:

https://issues.apache.org/jira/browse/AXIS-2883

The flaw exists in the getCN(String) method. An attacker could craft a 
subject that includes a CN in a field other than the CN, and this CN 
would be used when validating the hostname.

Since Axis 1 is EOL upstream, I have assigned CVE-2014-3596 to this 
issue from the Red Hat CNA. I have now made this issue public:

https://access.redhat.com/security/cve/CVE-2014-3596

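The getCN flaw described above (a "CN=" found inside some other attribute's value being treated as the subject CN) comes down to parsing a distinguished name by substring search instead of by RDN structure. The following is an added illustration in Python, not Axis or async-http-client code: it places a naive extractor next to an RFC 2253-style RDN walker and runs both through the same hostname check, which is also the kind of check the async-http-client report above says was absent. The subject strings and function names are constructed for the demo.

```python
"""CN extraction from a certificate subject: substring search vs. RDN parsing.
Added illustration, not Axis or async-http-client code; subjects are constructed."""
import re
from typing import List, Optional


def get_cn_flawed(subject_dn: str) -> Optional[str]:
    """The weak pattern: the first 'CN=' anywhere in the string, up to the next
    comma. Any attribute value that happens to contain 'CN=' is taken as the CN."""
    i = subject_dn.find("CN=")
    if i < 0:
        return None
    j = subject_dn.find(",", i)
    return subject_dn[i + 3 : j if j >= 0 else len(subject_dn)].strip()


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on `sep` unless it is backslash-escaped or inside double quotes
    (RFC 2253 / RFC 4514 string representation)."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # keep escape pairs intact
            buf.append(s[i : i + 2])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


def get_cn_safe(subject_dn: str) -> Optional[str]:
    """Walk the DN as RDNs (comma-separated) made of attribute-value assertions
    (plus-separated); only an assertion whose *type* is CN counts. (The OID
    form 2.5.4.3 is not handled here.)"""
    for rdn in _split_unescaped(subject_dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                continue
            attr_type, value = ava.split("=", 1)
            if attr_type.strip().upper() == "CN":
                return _unescape(value)
    return None


def hostname_matches(subject_dn: str, expected_host: str, extract=get_cn_safe) -> bool:
    """Exact, case-insensitive CN comparison. A real verifier must also consult
    subjectAltName and apply the wildcard rules; both are omitted here."""
    cn = extract(subject_dn)
    return cn is not None and cn.lower() == expected_host.lower()


# Constructed subjects. RFC 2253 allows an unescaped '=' inside a value, so an
# OU whose value is "CN=www.bank.example" is a legal subject field.
CRAFTED = "OU=CN=www.bank.example,O=Evil Corp,CN=attacker.example"
NO_REAL_CN = "OU=CN=www.bank.example,O=Evil Corp"
LEGIT = "CN=www.bank.example,O=Bank\\, Inc.,C=US"

if __name__ == "__main__":
    for dn in (CRAFTED, NO_REAL_CN, LEGIT):
        print(dn, "->", get_cn_flawed(dn), "|", get_cn_safe(dn))
```

Against CRAFTED the flawed extractor returns www.bank.example and the hostname check passes for a certificate whose actual CN is attacker.example; the RDN-aware version returns attacker.example and the check fails, as it should.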

Tristan Cacqueray | 19 Aug 22:18 2014

[OSSA 2014-027] Persistent XSS in Horizon Host Aggregates interface (CVE-2014-3594)

OpenStack Security Advisory: 2014-027
CVE: CVE-2014-3594
Date: August 19, 2014
Title: Persistent XSS in Horizon Host Aggregates interface
Reporters: Dennis Felsch and Mario Heiderich (Ruhr-University Bochum)
Products: Horizon
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.2

Description:
Dennis Felsch and Mario Heiderich from the Horst Görtz Institute for
IT-Security, Ruhr-University Bochum reported a persistent XSS in
Horizon. A malicious administrator may conduct a persistent XSS attack
by registering a malicious host aggregate in Horizon Host Aggregate
interface. Once executed in a legitimate context this attack may reveal
another admin token, potentially resulting in a lateral privilege
escalation. All Horizon setups are affected.

Juno (development branch) fix:
https://review.openstack.org/115310

Icehouse fix:
https://review.openstack.org/115311

Havana fix:
https://review.openstack.org/115313

Notes:
This fix will be included in the Juno-3 development milestone and in
future 2013.2.4 and 2014.1.3 releases.


Tristan Cacqueray | 19 Aug 16:43 2014

CVE request for vulnerability in OpenStack Glance

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although
an advisory was not sent yet.

Title: Glance store DoS through disk space exhaustion
Reporter: Thomas Leaman (HP), Stuart McLaren (HP)
Products: Glance
Versions: up to 2013.2.3 and 2014.1 to 2014.1.1

Description:
Thomas Leaman and Stuart McLaren from Hewlett Packard reported a
vulnerability in Glance. By uploading a large enough image to a Glance
store, an authenticated user may fill the store space because the
image_size_cap configuration option is not honored. This may prevent
further image upload and/or cause service disruption. Note that the
import method is not affected. All Glance setups using API v2 are
affected (unless you use a policy to restrict/disable image upload).

References:
https://launchpad.net/bugs/1315321

Thanks in advance,

-- 
Tristan Cacqueray
OpenStack Vulnerability Management Team
Marcus Meissner | 19 Aug 15:08 2014

incomplete fix for CVE-2014-4611: kernel: integer overflow in lz4_uncompress

Hi,

Jan Beulich writes in our bug for CVE-2014-4611:

https://bugzilla.novell.com/show_bug.cgi?id=883949#c12

Jan Beulich <jbeulich@...> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jbeulich@...

--- Comment #12 from Jan Beulich <jbeulich@...> 2014-08-15 21:42:33 UTC ---
Except that it has been determined quite some time ago that all three fixes
having gone in upstream so far don't really fix anything. I posted a patch that
I think actually addresses the issue (https://lkml.org/lkml/2014/7/4/288), but
till now no-one cared to comment on it, apply it, or point out what's still
wrong, despite the ping 3 weeks later (https://lkml.org/lkml/2014/7/25/23). It
was - instead of the insufficient Linux ones - in fact meanwhile applied to the
Xen clone of that code.

Perhaps the kernel folks want to look at it again if they missed it so far.

Ciao, Marcus

Jacopo Cappellato | 19 Aug 10:06 2014

[CVE-2014-0232] Apache OFBiz Cross-site scripting (XSS) vulnerability

CVE-2014-0232: Apache OFBiz Cross-site scripting (XSS) vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache OFBiz 11.04.01 to 11.04.04
Apache OFBiz 12.04.01 to 11.04.03
The unsupported Apache OFBiz 09.04.x, 10.04.x versions may be also affected

Description:
Result and error messages returned by some OFBiz services could be a vector for XSS attacks.

Mitigation:
11.04.x users should upgrade to 11.04.05
12.04.x users should upgrade to 12.04.04

http://svn.apache.org/r1608698

Credit:
This issue was discovered by Gregory Draperi.

References:

http://ofbiz.apache.org/download.html#vulnerabilities

Henri Salo | 19 Aug 11:42 2014

CVE request: WordPress plugin wp-source-control remote path traversal file access

Product: WordPress plugin wp-source-control
Plugin page: https://wordpress.org/plugins/wp-source-control/
Developer: https://profiles.wordpress.org/mmdeveloper/

Vulnerability Type: Remote Path Traversal File Access
Vulnerable Versions: All. Current is 3.0.0
Fixed Version: N/A

Vulnerability Details:

Wp Source Control plugin for WordPress contains a flaw that allows traversing
outside of a restricted path. The issue is due to the downloadfiles/download.php
script not properly sanitizing user input, specifically path traversal style
attacks (e.g. '../'). With a specially crafted request, a remote attacker can
gain access to arbitrary files, which can be read by the web server process.

Root cause:

Unsanitized user input to file_get_contents() function.

Proof-of-concept:

/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php

Notes:

Vendor contact details unknown.

This vulnerability can be used to get WordPress database address, username and
password, which can be used in certain environments to elevate privileges and
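The root cause given above, unsanitized user input reaching file_get_contents(), is a path-confinement failure. The following is an added illustration in Python, not the plugin's PHP code: it reproduces the concatenate-then-read shape against a constructed site layout, then shows a realpath-and-prefix check that rejects '../' hops, absolute paths and in-tree symlinks pointing outside the download directory. The directory and file names are invented for the demo.

```python
"""Confining a user-supplied download path to a base directory.
Added illustration, not wp-source-control code; layout below is constructed."""
import os
import shutil
import tempfile


def read_unsafe(base_dir: str, user_path: str) -> bytes:
    """Vulnerable shape, mirroring file_get_contents($base . $_GET['path']):
    the user string is joined onto the base and read with no confinement check."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def resolve_confined(base_dir: str, user_path: str) -> str:
    """Canonicalise both sides with realpath (which also resolves symlinks) and
    insist the result still lies under base_dir. This rejects '../' traversal,
    absolute paths (os.path.join drops base_dir for those) and symlinks inside
    the tree that point outside it."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base!r}: {user_path!r}")
    return candidate


def read_confined(base_dir: str, user_path: str) -> bytes:
    with open(resolve_confined(base_dir, user_path), "rb") as f:
        return f.read()


def demo() -> dict:
    """Fake site root: a secret config two levels above the download directory."""
    root = tempfile.mkdtemp()
    try:
        secret = os.path.join(root, "wp-config.php")
        with open(secret, "wb") as f:
            f.write(b"<?php define('DB_PASSWORD', 'constructed-for-demo');")
        download_dir = os.path.join(root, "plugin", "downloadfiles")
        os.makedirs(download_dir)
        with open(os.path.join(download_dir, "readme.txt"), "wb") as f:
            f.write(b"public")
        # An in-tree symlink that escapes the tree: prefix checks on the raw
        # string would pass it, realpath does not.
        os.symlink(secret, os.path.join(download_dir, "innocent.txt"))

        results = {
            "unsafe_traversal": read_unsafe(download_dir, "../../wp-config.php"),
            "confined_normal": read_confined(download_dir, "readme.txt"),
        }
        for label, p in [("confined_traversal", "../../wp-config.php"),
                         ("confined_absolute", secret),
                         ("confined_symlink", "innocent.txt")]:
            try:
                read_confined(download_dir, p)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Stripping "../" from the input is not a substitute for this check (encoded or doubled sequences defeat string filters); resolving the path and comparing the canonical result with the canonical base is what actually confines the read.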
