Murray McAllister | 23 Sep 03:28 2014

CVE-2014-3653 Foreman: XSS flaw on template preview screen

Good morning,

CVE-2014-3653 was assigned to a cross-site scripting flaw in Foreman's 
template preview screen (templates are shared amongst users):

http://projects.theforeman.org/issues/7483
https://github.com/sodabrew/foreman/issues/1

No Red Hat bug yet, but it will be accessible via 
bugzilla.redhat.com/CVE-2014-3653 once it is filed.

Cheers,

--
Murray McAllister / Red Hat Product Security

Jakub Wilk | 19 Sep 22:10 2014

python-requests: CVE-2014-1829, CVE-2014-1830: password disclosure on redirect

FYI: a while ago python-requests 2.3.0 was released, with the following 
bugfix:

* No longer expose Authorization or Proxy-Authorization headers on 
redirect. Fix CVE-2014-1829 and CVE-2014-1830 respectively.

References:
https://bugs.debian.org/733108
https://github.com/kennethreitz/requests/issues/1885
https://bugzilla.redhat.com/show_bug.cgi?id=1046626

-- 
Jakub Wilk
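
The behaviour the fix describes, as an added example that is not the python-requests code: credential headers are dropped before a redirected request is built. The same-origin rule (scheme, host and port all equal) and the choice to drop Proxy-Authorization on every redirect are this example's assumptions.

```python
"""Drop credential headers when a redirect leaves the original origin.

Added example modelling the defensive behaviour described in the post; it is
not the python-requests code. The same-origin rule (scheme, host and port
must all match) is this example's choice, as is always dropping
Proxy-Authorization so that the proxy layer re-attaches it per request.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """(scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(headers: dict, original_url: str, redirect_url: str) -> dict:
    """Return the headers that may be sent to redirect_url.

    Authorization is removed when the redirect target is a different origin,
    because that target may be an unrelated host that must never receive the
    credential. Proxy-Authorization is removed on every redirect.
    """
    cross_origin = origin(original_url) != origin(redirect_url)
    kept = {}
    for name, value in headers.items():
        lowered = name.lower()
        if lowered == "proxy-authorization":
            continue
        if lowered == "authorization" and cross_origin:
            continue
        kept[name] = value
    return kept


# Constructed request headers, as a client following a 302 might hold them.
SAMPLE_HEADERS = {
    "Authorization": "Bearer constructed-token",
    "Proxy-Authorization": "Basic constructed-proxy-cred",
    "Accept": "application/json",
}

if __name__ == "__main__":
    # Redirect to another host: both credential headers are gone.
    print(headers_for_redirect(SAMPLE_HEADERS, "https://api.example.com/login",
                               "https://cdn.example.net/login"))
```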

Christey, Steven M. | 17 Sep 21:31 2014

CVE ID Syntax Change - Deadline Approaching

As we approach the end of 2014, CVE identifiers are getting closer and
closer to the magic CVE-2014-9999 mark, which means that MITRE will be
issuing a 5-digit CVE ID within a matter of months, in accordance with
the new syntax that was selected in 2013 (basically using 5, 6, or
even more digits as needed).  Some people are still unaware that this
change has happened or have been slow to implement it.

Once a CVE identifier is issued using the new syntax, some security
products and processes could break or report incorrect vulnerability
identifiers, making vulnerability management more difficult.  Consider
a product that stops processing an XML document because its validation
step assumes that CVE IDs have only 4 digits.  Perhaps worse, consider
a critical vulnerability in a popular product that is given a 5-digit
CVE ID, which is inadvertently and silently truncated to a 4-digit ID
for a low-priority issue in a rarely-used product.  We know of at
least 5 different products or services that have had problems.
Custom, in-house software is not necessarily immune, either.

MITRE has been assigning CVE IDs faster than ever; we're up to
CVE-2014-6446 even though it's only September, which puts us on pace
to exceed 9000 for 2014 by the end of the year - and the rate of
assignment could increase in the coming months.  Even if we don't
reach 10,000 CVE-2014-xxxx identifiers by the end of 2014, MITRE will
be issuing at least one 5-digit identifier no later than January 13,
2015, to ensure that all software is tested for support of the new
syntax.

To help people address this problem, we have created a web page about
the ID syntax change, including the product features most likely to be
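
The truncation problem described above, as an added example (not from the post or from MITRE): a legacy pattern that assumes exactly four sequence digits silently cuts a 5-digit ID down to a different, 4-digit one, while a pattern written for the new syntax keeps it whole. CVE-2014-12345 is a constructed ID used only to exercise the longer form.

```python
"""Parse and extract CVE IDs under the variable-length syntax.

Added example, not from the post. It contrasts a legacy four-digit pattern,
which silently truncates longer IDs, with one that accepts four or more
sequence digits.
"""
import re

# Legacy assumption: exactly four sequence digits. Because it has no trailing
# boundary it matches a prefix, so CVE-2014-12345 comes back as CVE-2014-1234.
LEGACY_CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4})")

# New syntax: four-digit year, then four OR MORE sequence digits, with word
# boundaries so a longer ID is never cut short and trailing junk is rejected.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")


def parse_cve_id(text: str):
    """Return (year, sequence) as ints for one well-formed ID, else None."""
    match = CVE_RE.fullmatch(text.strip())
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def find_cve_ids(text: str, pattern=CVE_RE):
    """Extract every ID in free text, returned as CVE-YYYY-NNNN strings."""
    return [f"CVE-{year}-{seq}" for year, seq in pattern.findall(text)]


def cve_sort_key(cve_id: str):
    """Numeric sort key, so CVE-2014-12345 orders after CVE-2014-9999."""
    parsed = parse_cve_id(cve_id)
    if parsed is None:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return parsed


# Constructed advisory text; CVE-2014-12345 is a made-up ID for the test.
SAMPLE_ADVISORY = ("Fixes CVE-2014-3653 and CVE-2014-6446; also the "
                   "constructed future ID CVE-2014-12345.")

if __name__ == "__main__":
    print("legacy:", find_cve_ids(SAMPLE_ADVISORY, LEGACY_CVE_RE))
    print("new   :", find_cve_ids(SAMPLE_ADVISORY))
```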

Alex Gaynor | 17 Sep 16:14 2014

Twisted Security Issue

Hello all,

The twisted security project has identified, fixed, and released a
release fixing a security issue; I would like a CVE assigned:

Title: trustRoot not respected in HTTP client
Reporter: Alex Gaynor and David Reid (Rackspace)
Products: Twisted (14.0 only).
Description:
When specifying the trustRoot (CA store) for the HTTP client, Twisted
did not respect the user's specification, and always used the default
of the platform trust. This means that users attempting to use this
feature to implement certificate pinning, or otherwise restrict the
trusted CAs, would still have accepted any certificate signed by a CA.

Twisted 14.0.1 has been issued to resolve this issue. (Distributors
should note that this release has failing tests, and that a 14.0.2
release will be issued tomorrow; this does not affect the fix, only
the tests.)

Alex

--
"I disapprove of what you say, but I will defend to the death your
right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
Grant Murphy | 17 Sep 13:35 2014

CVE request for vulnerability in OpenStack keystonemiddleware

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.

Title: TLS cert verification option not honoured in paste configs
Reporter: Qin Zhao (IBM)
Products: keystonemiddleware, python-keystoneclient
Versions: versions up to 1.1.1 (keystonemiddleware), versions up to 0.10.1
(python-keystoneclient)

Description:
Qin Zhao from IBM reported a vulnerability in keystonemiddleware (formerly
shipped as python-keystoneclient). When the 'insecure' SSL option is set in 
a paste configuration file it is effectively ignored, regardless of its 
value.  As a result certificate verification will be disabled, leaving TLS
connections open to MITM attacks. All versions of keystonemiddleware with
TLS settings configured via a paste.ini file are affected by this flaw.

References:
http://launchpad.net/bugs/1353315

Thanks in advance,

--
Grant Murphy
OpenStack Vulnerability Management Team

Raphael Geissert | 17 Sep 12:02 2014

CVE request: [CIFS] Possible null ptr deref in SMB2_tcon

Hi,

Commit 18f39e7b [1] of the Linux kernel repository fixes a remote null
pointer dereference on the client when it resolves DFS referrals but
the server deletes the IPC$ share. The commit has already been merged
for the 3.16, 3.14, and 3.10 branches.

Could a CVE id be assigned please?

Thanks in advance.

[1]https://github.com/torvalds/linux/commit/18f39e7be0121317550d03e267e3ebd4dbfbb3ce

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Arun Babu Neelicattu | 17 Sep 06:10 2014

Duplicate Request: CVE-2013-4444 as a duplicate of CVE-2013-2185

Recently Apache Tomcat issued an advisory [1] for CVE-2013-4444 [2].
However, this flaw was reported to the Apache Tomcat Security team last
year. We were instructed that the Apache Tomcat team did not consider
this a vulnerability. Red Hat Product Security handled this issue as
CVE-2013-2185 [3] in our affected products.

We request that CVE-2013-4444 be marked as a duplicate of CVE-2013-2185.

-arun

[1] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.40
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4444
[3] https://bugzilla.redhat.com/CVE-2013-2185

-- 
Arun Neelicattu / Red Hat Product Security
PGP: 0xC244393B 5229 F596 474F 00A1 E416  CF8B 36F5 5054 C244 393B

Tristan Cacqueray | 16 Sep 21:31 2014

[OSSA 2014-029] Configuration option leak through Keystone catalog (CVE-2014-3621)

OpenStack Security Advisory: 2014-029
CVE: CVE-2014-3621
Date: September 16, 2014

Title: Configuration option leak through Keystone catalog
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: up to 2013.2.3 and 2014.1 versions up to 2014.1.2.1

Description:
Brant Knudson from IBM reported a vulnerability in Keystone catalog url
replacement. By creating a malicious endpoint a privileged user may
reveal configuration options resulting in sensitive information, like
master admin_token, being exposed through the service url. All Keystone
setups that allow non-admin users to create endpoints are affected.

Juno (development branch) fix:
https://review.openstack.org/121889

Icehouse fix:
https://review.openstack.org/121890

Havana fix:
https://review.openstack.org/121891

Notes:
This fix will be included in the Juno release 2014.2.0 and in future
stable 2013.2.4 and 2014.1.3 releases.

References:
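
A defensive pattern for the class of flaw in this advisory, as an added example that is not Keystone's code. It assumes endpoint URLs carry %(name)s placeholders filled per request; substituting only from an explicit allow-list, and rejecting any other placeholder when the endpoint is created, keeps configuration values out of the returned URL. The allow-list and the placeholder names are constructed.

```python
"""Allow-listed substitution for service catalog endpoint URL templates.

Added example, not Keystone's own code. Assumption: endpoint URLs carry
%(name)s placeholders that the catalog fills per request. Filling them from
a dictionary that also holds configuration values is how settings can leak
into the returned URL; this version substitutes only from an explicit
allow-list and rejects other placeholders at endpoint creation time.
"""
import re

PLACEHOLDER_RE = re.compile(r"%\((\w+)\)s")

# The only names a template may reference (constructed allow-list).
ALLOWED_PLACEHOLDERS = frozenset({"tenant_id", "user_id", "public_bind_host"})


class UnsafeTemplateError(ValueError):
    """Raised when a template references a placeholder outside the allow-list."""


def is_safe_template(url_template: str) -> bool:
    """True when every placeholder in the template is on the allow-list."""
    return set(PLACEHOLDER_RE.findall(url_template)) <= ALLOWED_PLACEHOLDERS


def validate_endpoint_template(url_template: str) -> None:
    """Reject unsafe templates when the endpoint is created, not at lookup."""
    bad = sorted(set(PLACEHOLDER_RE.findall(url_template)) - ALLOWED_PLACEHOLDERS)
    if bad:
        raise UnsafeTemplateError("disallowed placeholder(s): " + ", ".join(bad))


def format_endpoint_url(url_template: str, request_values: dict) -> str:
    """Fill placeholders only from per-request values, never from settings."""
    validate_endpoint_template(url_template)

    def fill(match):
        name = match.group(1)
        if name not in request_values:
            raise KeyError(f"no value supplied for placeholder {name}")
        return str(request_values[name])

    return PLACEHOLDER_RE.sub(fill, url_template)


if __name__ == "__main__":
    # Constructed endpoint template and request context.
    template = "https://compute.example.com:8774/v2/%(tenant_id)s"
    print(format_endpoint_url(template, {"tenant_id": "abc123"}))
    print(is_safe_template("https://svc.example.com/%(secret_setting)s"))
```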

Simon McVittie | 16 Sep 18:05 2014

CVE-2014-3635 to 3639: security issues in D-Bus < 1.8.8

D-Bus <http://www.freedesktop.org/wiki/Software/dbus/> is an
asynchronous inter-process communication system, commonly used
for system services or within a desktop session on Linux and other
operating systems.

Alban Crequy and Simon McVittie at Collabora Ltd. discovered and fixed
several security flaws in the reference implementation of
dbus-daemon, the D-Bus message bus daemon. fd.o #83622 is a heap
overflow and could potentially be exploited to alter data or executable
code; the rest are denial-of-service issues.

For the stable branch these are fixed in dbus 1.8.8.

For the old stable branch, these are fixed in dbus 1.6.24. Older
branches are not supported.

CVE-2014-3635 (fd.o #83622)
---------------------------

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83622
Category: CWE-805: Buffer Access with Incorrect Length Value
Impact: heap data corruption, worst-case: arbitrary code execution
Access required: local
Mitigation: 32-bit platforms are not vulnerable
Versions believed to be vulnerable: dbus >= 1.3.0
Credit: discovered and fixed by Simon McVittie

When using the default Unix-socket-based transport, dbus-daemon accepts
and forwards file descriptors (fds) attached to D-Bus messages

Grant Murphy | 15 Sep 16:58 2014

CVE request for vulnerability in OpenStack Neutron

A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public, although an
advisory was not sent yet.

Title: Admin-only network attributes may be reset to defaults by
non-privileged users
Reporter: Elena Ezhova (Mirantis)
Products: Neutron
Versions: up to 2013.2.4 and 2014.1 versions up to 2014.1.2

Description:
Elena Ezhova from Mirantis reported a vulnerability in Neutron. By updating
a network attribute with a default value a non-privileged user may reset
admin-only network attributes. This may lead to unexpected behavior with
security implications for operators with a custom policy.json, or in some
extreme cases network outages resulting in denial of service. All
deployments using neutron networking are affected by this flaw.

References:
https://launchpad.net/bugs/1357379

Thanks in advance,

--
Grant Murphy
OpenStack Vulnerability Management Team

Marcus Meissner | 15 Sep 13:48 2014

CVE Request: libceph auth token overflow

Hi,

spotted by Brad, has no CVE id yet.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8

libceph: do not hard code max auth ticket len

We hard code cephx auth ticket buffer size to 256 bytes. This isn't enough for
any moderate setups and, in case tickets themselves are not encrypted, leads to
buffer overflows (ceph_x_decrypt() errors out, but ceph_decode_copy() doesn't -
it's just a memcpy() wrapper). Since the buffer is allocated dynamically
anyway, allocate it a bit later, at the point where we know how much is going
to be needed.

Fixes: http://tracker.ceph.com/issues/8979

Ciao, marcus
