VARIoT IoT vulnerabilities database

ZTE ZXV10 W300 Router is a wireless router product of China ZTE Corporation. A Denial of Service vulnerability exists in the RomPager of ZTE ZXV10 W300 devices running 3.11.2.175_TC3086 firmware and T14.F7_5.0 hardware. An attacker could use this vulnerability to crash the affected device and cause a denial of service. ZTE ZXV10 W300 is prone to a denial-of-service vulnerability

Mozilla Firefox before 30.0 and Thunderbird through 24.6 on OS X do not ensure visibility of the cursor after interaction with a Flash object and a DIV element, which makes it easier for remote attackers to conduct clickjacking attacks via JavaScript code that produces a fake cursor image. Mozilla Firefox and Thunderbird are prone to a clickjacking vulnerability. Successful exploits will allow an attacker to compromise the affected application or obtain sensitive information. Other attacks are also possible. This issue is fixed in Firefox 30. A security vulnerability exists in Mozilla Firefox 29.0.1 and earlier versions and Thunderbird 24.6 and earlier versions on the OS X platform. Remote attackers can use JavaScript code to exploit this vulnerability to carry out clickjacking attacks. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201504-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Mozilla Products: Multiple vulnerabilities Date: April 07, 2015 Bugs: #489796, #491234, #493850, #500320, #505072, #509050, #512896, #517876, #522020, #523652, #525474, #531408, #536564, #541316, #544056 ID: 201504-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, the worst of which may allow user-assisted execution of arbitrary code. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the =E2=80=98Mozilla Application Suite=E2=80=99. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-client/firefox < 31.5.3 >= 31.5.3 2 www-client/firefox-bin < 31.5.3 >= 31.5.3 3 mail-client/thunderbird < 31.5.0 >= 31.5.0 4 mail-client/thunderbird-bin < 31.5.0 >= 31.5.0 5 www-client/seamonkey < 2.33.1 >= 2.33.1 6 www-client/seamonkey-bin < 2.33.1 >= 2.33.1 7 dev-libs/nspr < 4.10.6 >= 4.10.6 ------------------------------------------------------------------- 7 affected packages Description =========== Multiple vulnerabilities have been discovered in Firefox, Thunderbird, and SeaMonkey. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, spoof the address bar, conduct clickjacking attacks, bypass security restrictions and protection mechanisms, or have other unspecified impact. Workaround ========== There are no known workarounds at this time. Resolution ========== All firefox users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/firefox-31.5.3" All firefox-bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-31.5.3" All thunderbird users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-31.5.0"= All thunderbird-bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-31.5.0" All seamonkey users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.33.1" All seamonkey-bin users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-client/seamonkey-bin-2.33.1" All nspr users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/nspr-4.10.6" References ========== [ 1 ] CVE-2013-1741 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1741 [ 2 ] CVE-2013-2566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2566 [ 3 ] CVE-2013-5590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5590 [ 4 ] CVE-2013-5591 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5591 [ 5 ] CVE-2013-5592 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5592 [ 6 ] CVE-2013-5593 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5593 [ 7 ] CVE-2013-5595 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5595 [ 8 ] CVE-2013-5596 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5596 [ 9 ] CVE-2013-5597 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5597 [ 10 ] CVE-2013-5598 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5598 [ 11 ] CVE-2013-5599 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5599 [ 12 ] CVE-2013-5600 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5600 [ 13 ] CVE-2013-5601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5601 [ 14 ] CVE-2013-5602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5602 [ 15 ] CVE-2013-5603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5603 [ 16 ] CVE-2013-5604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5604 [ 17 ] CVE-2013-5605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5605 [ 18 ] CVE-2013-5606 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5606 [ 19 ] CVE-2013-5607 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5607 [ 20 ] CVE-2013-5609 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5609 [ 21 ] CVE-2013-5610 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5610 [ 22 ] CVE-2013-5612 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5612 [ 23 ] CVE-2013-5613 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5613 [ 24 ] CVE-2013-5614 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5614 [ 25 ] CVE-2013-5615 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5615 [ 26 ] CVE-2013-5616 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5616 [ 27 ] CVE-2013-5618 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5618 [ 28 ] CVE-2013-5619 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5619 [ 29 ] CVE-2013-6671 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6671 [ 30 ] CVE-2013-6672 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6672 [ 31 ] CVE-2013-6673 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6673 [ 32 ] CVE-2014-1477 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1477 [ 33 ] CVE-2014-1478 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1478 [ 34 ] CVE-2014-1479 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1479 [ 35 ] CVE-2014-1480 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1480 [ 36 ] CVE-2014-1481 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1481 [ 37 ] CVE-2014-1482 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1482 [ 38 ] CVE-2014-1483 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1483 [ 39 ] CVE-2014-1485 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1485 [ 40 ] CVE-2014-1486 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1486 [ 41 ] CVE-2014-1487 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1487 [ 42 ] CVE-2014-1488 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1488 [ 43 ] CVE-2014-1489 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1489 [ 44 ] CVE-2014-1490 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1490 [ 45 ] CVE-2014-1491 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1491 [ 46 ] CVE-2014-1492 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1492 [ 47 ] CVE-2014-1493 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1493 [ 48 ] CVE-2014-1494 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1494 [ 49 ] CVE-2014-1496 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1496 [ 50 ] CVE-2014-1497 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1497 [ 51 ] CVE-2014-1498 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1498 [ 52 ] CVE-2014-1499 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1499 [ 53 ] CVE-2014-1500 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1500 [ 54 ] CVE-2014-1502 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1502 [ 55 ] CVE-2014-1505 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1505 [ 56 ] CVE-2014-1508 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1508 [ 57 ] CVE-2014-1509 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1509 [ 58 ] CVE-2014-1510 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1510 [ 59 ] CVE-2014-1511 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1511 [ 60 ] CVE-2014-1512 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1512 [ 61 ] CVE-2014-1513 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1513 [ 62 ] CVE-2014-1514 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1514 [ 63 ] CVE-2014-1518 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1518 [ 64 ] CVE-2014-1519 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1519 [ 65 ] CVE-2014-1520 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1520 [ 66 ] CVE-2014-1522 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1522 [ 67 ] CVE-2014-1523 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1523 [ 68 ] CVE-2014-1524 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1524 [ 69 ] CVE-2014-1525 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1525 [ 70 ] CVE-2014-1526 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1526 [ 71 ] CVE-2014-1529 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1529 [ 72 ] CVE-2014-1530 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1530 [ 73 ] CVE-2014-1531 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1531 [ 74 ] CVE-2014-1532 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1532 [ 75 ] CVE-2014-1533 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1533 [ 76 ] CVE-2014-1534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1534 [ 77 ] CVE-2014-1536 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1536 [ 78 ] CVE-2014-1537 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1537 [ 79 ] CVE-2014-1538 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1538 [ 80 ] CVE-2014-1539 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1539 [ 81 ] CVE-2014-1540 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1540 [ 82 ] CVE-2014-1541 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1541 [ 83 ] CVE-2014-1542 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1542 [ 84 ] CVE-2014-1543 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1543 [ 85 ] CVE-2014-1544 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1544 [ 86 ] CVE-2014-1545 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1545 [ 87 ] CVE-2014-1547 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1547 [ 88 ] CVE-2014-1548 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1548 [ 89 ] CVE-2014-1549 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1549 [ 90 ] CVE-2014-1550 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1550 [ 91 ] CVE-2014-1551 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1551 [ 92 ] CVE-2014-1552 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1552 [ 93 ] CVE-2014-1553 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1553 [ 94 ] CVE-2014-1554 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1554 [ 95 ] CVE-2014-1555 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1555 [ 96 ] CVE-2014-1556 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1556 [ 97 ] CVE-2014-1557 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1557 [ 98 ] CVE-2014-1558 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1558 [ 99 ] CVE-2014-1559 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1559 [ 100 ] CVE-2014-1560 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1560 [ 101 ] CVE-2014-1561 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1561 [ 102 ] CVE-2014-1562 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1562 [ 103 ] CVE-2014-1563 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1563 [ 104 ] CVE-2014-1564 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1564 [ 105 ] CVE-2014-1565 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1565 [ 106 ] CVE-2014-1566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1566 [ 107 ] CVE-2014-1567 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1567 [ 108 ] CVE-2014-1568 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1568 [ 109 ] CVE-2014-1574 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1574 [ 110 ] CVE-2014-1575 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1575 [ 111 ] CVE-2014-1576 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1576 [ 112 ] CVE-2014-1577 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1577 [ 113 ] CVE-2014-1578 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1578 [ 114 ] CVE-2014-1580 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1580 [ 115 ] CVE-2014-1581 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1581 [ 116 ] CVE-2014-1582 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1582 [ 117 ] CVE-2014-1583 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1583 [ 118 ] CVE-2014-1584 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1584 [ 119 ] CVE-2014-1585 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1585 [ 120 ] CVE-2014-1586 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1586 [ 121 ] CVE-2014-1587 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1587 [ 122 ] CVE-2014-1588 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1588 [ 123 ] CVE-2014-1589 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1589 [ 124 ] CVE-2014-1590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1590 [ 125 ] CVE-2014-1591 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1591 [ 126 ] CVE-2014-1592 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1592 [ 127 ] CVE-2014-1593 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1593 [ 128 ] CVE-2014-1594 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1594 [ 129 ] CVE-2014-5369 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5369 [ 130 ] CVE-2014-8631 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8631 [ 131 ] CVE-2014-8632 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8632 [ 132 ] CVE-2014-8634 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8634 [ 133 ] CVE-2014-8635 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8635 [ 134 ] CVE-2014-8636 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8636 [ 135 ] CVE-2014-8637 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8637 [ 136 ] CVE-2014-8638 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8638 [ 137 ] CVE-2014-8639 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8639 [ 138 ] CVE-2014-8640 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8640 [ 139 ] CVE-2014-8641 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8641 [ 140 ] CVE-2014-8642 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8642 [ 141 ] CVE-2015-0817 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0817 [ 142 ] CVE-2015-0818 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0818 [ 143 ] CVE-2015-0819 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0819 [ 144 ] CVE-2015-0820 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0820 [ 145 ] CVE-2015-0821 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0821 [ 146 ] CVE-2015-0822 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0822 [ 147 ] CVE-2015-0823 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0823 [ 148 ] CVE-2015-0824 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0824 [ 149 ] CVE-2015-0825 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0825 [ 150 ] CVE-2015-0826 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0826 [ 151 ] CVE-2015-0827 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0827 [ 152 ] CVE-2015-0828 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0828 [ 153 ] CVE-2015-0829 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0829 [ 154 ] CVE-2015-0830 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0830 [ 155 ] CVE-2015-0831 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0831 [ 156 ] CVE-2015-0832 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0832 [ 157 ] CVE-2015-0833 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0833 [ 158 ] CVE-2015-0834 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0834 [ 159 ] CVE-2015-0835 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0835 [ 160 ] CVE-2015-0836 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0836 [ 161 ] VE-2014-1504 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201504-01 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2014:0745-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0745.html Issue date: 2014-06-11 CVE Names: CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. Description: The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. These vulnerabilities are detailed in the Adobe Security Bulletin APSB14-16, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. (CVE-2014-0534, CVE-2014-0535, CVE-2014-0536) Multiple flaws in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially crafted web page. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1107822 - CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 flash-plugin: arbitrary code execution flaws (APSB14-16) 1107823 - CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 flash-plugin: multiple cross-site scripting flaws (APSB14-16) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0531.html https://www.redhat.com/security/data/cve/CVE-2014-0532.html https://www.redhat.com/security/data/cve/CVE-2014-0533.html https://www.redhat.com/security/data/cve/CVE-2014-0534.html https://www.redhat.com/security/data/cve/CVE-2014-0535.html https://www.redhat.com/security/data/cve/CVE-2014-0536.html https://access.redhat.com/security/updates/classification/#critical https://helpx.adobe.com/security/products/flash-player/apsb14-16.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTmB/VXlSAg2UNWIIRAui0AJ4ue6h6ArFI48FIv6w1DDNOEZDaBwCgsYtv djH8cHwfwVYfOzL8K4/neDs= =hqB0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.378 "= References ========== [ 1 ] CVE-2014-0531 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0531 [ 2 ] CVE-2014-0532 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0532 [ 3 ] CVE-2014-0533 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0533 [ 4 ] CVE-2014-0534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0534 [ 5 ] CVE-2014-0535 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0535 [ 6 ] CVE-2014-0536 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0536 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201406-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0534. This vulnerability CVE-2014-0534 Is a different vulnerability.An attacker may be able to bypass access restrictions. Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2014:0745-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0745.html Issue date: 2014-06-11 CVE Names: CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. These vulnerabilities are detailed in the Adobe Security Bulletin APSB14-16, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. (CVE-2014-0534, CVE-2014-0535, CVE-2014-0536) Multiple flaws in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially crafted web page. (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.378. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1107822 - CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 flash-plugin: arbitrary code execution flaws (APSB14-16) 1107823 - CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 flash-plugin: multiple cross-site scripting flaws (APSB14-16) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0531.html https://www.redhat.com/security/data/cve/CVE-2014-0532.html https://www.redhat.com/security/data/cve/CVE-2014-0533.html https://www.redhat.com/security/data/cve/CVE-2014-0534.html https://www.redhat.com/security/data/cve/CVE-2014-0535.html https://www.redhat.com/security/data/cve/CVE-2014-0536.html https://access.redhat.com/security/updates/classification/#critical https://helpx.adobe.com/security/products/flash-player/apsb14-16.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTmB/VXlSAg2UNWIIRAui0AJ4ue6h6ArFI48FIv6w1DDNOEZDaBwCgsYtv djH8cHwfwVYfOzL8K4/neDs= =hqB0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, conduct Cross-Site Scripting (XSS) attacks, or bypass security restrictions. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.378 "= References ========== [ 1 ] CVE-2014-0531 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0531 [ 2 ] CVE-2014-0532 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0532 [ 3 ] CVE-2014-0533 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0533 [ 4 ] CVE-2014-0534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0534 [ 5 ] CVE-2014-0535 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0535 [ 6 ] CVE-2014-0536 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0536 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201406-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0535. This vulnerability CVE-2014-0535 Is a different vulnerability.An attacker may be able to bypass access restrictions. Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions; this may aid in launching further attacks. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2014:0745-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0745.html Issue date: 2014-06-11 CVE Names: CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. These vulnerabilities are detailed in the Adobe Security Bulletin APSB14-16, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. (CVE-2014-0534, CVE-2014-0535, CVE-2014-0536) Multiple flaws in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially crafted web page. (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.378. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1107822 - CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 flash-plugin: arbitrary code execution flaws (APSB14-16) 1107823 - CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 flash-plugin: multiple cross-site scripting flaws (APSB14-16) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0531.html https://www.redhat.com/security/data/cve/CVE-2014-0532.html https://www.redhat.com/security/data/cve/CVE-2014-0533.html https://www.redhat.com/security/data/cve/CVE-2014-0534.html https://www.redhat.com/security/data/cve/CVE-2014-0535.html https://www.redhat.com/security/data/cve/CVE-2014-0536.html https://access.redhat.com/security/updates/classification/#critical https://helpx.adobe.com/security/products/flash-player/apsb14-16.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTmB/VXlSAg2UNWIIRAui0AJ4ue6h6ArFI48FIv6w1DDNOEZDaBwCgsYtv djH8cHwfwVYfOzL8K4/neDs= =hqB0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, conduct Cross-Site Scripting (XSS) attacks, or bypass security restrictions. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.378 "= References ========== [ 1 ] CVE-2014-0531 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0531 [ 2 ] CVE-2014-0532 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0532 [ 3 ] CVE-2014-0533 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0533 [ 4 ] CVE-2014-0534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0534 [ 5 ] CVE-2014-0535 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0535 [ 6 ] CVE-2014-0536 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0536 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201406-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532. This vulnerability CVE-2014-0531 and CVE-2014-0532 Is a different vulnerability.By any third party Web Script or HTML May be inserted. An attacker may leverage this issue to execute arbitrary script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2014:0745-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0745.html Issue date: 2014-06-11 CVE Names: CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. These vulnerabilities are detailed in the Adobe Security Bulletin APSB14-16, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. (CVE-2014-0534, CVE-2014-0535, CVE-2014-0536) Multiple flaws in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially crafted web page. (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.378. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1107822 - CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 flash-plugin: arbitrary code execution flaws (APSB14-16) 1107823 - CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 flash-plugin: multiple cross-site scripting flaws (APSB14-16) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0531.html https://www.redhat.com/security/data/cve/CVE-2014-0532.html https://www.redhat.com/security/data/cve/CVE-2014-0533.html https://www.redhat.com/security/data/cve/CVE-2014-0534.html https://www.redhat.com/security/data/cve/CVE-2014-0535.html https://www.redhat.com/security/data/cve/CVE-2014-0536.html https://access.redhat.com/security/updates/classification/#critical https://helpx.adobe.com/security/products/flash-player/apsb14-16.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTmB/VXlSAg2UNWIIRAui0AJ4ue6h6ArFI48FIv6w1DDNOEZDaBwCgsYtv djH8cHwfwVYfOzL8K4/neDs= =hqB0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, conduct Cross-Site Scripting (XSS) attacks, or bypass security restrictions. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.378 "= References ========== [ 1 ] CVE-2014-0531 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0531 [ 2 ] CVE-2014-0532 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0532 [ 3 ] CVE-2014-0533 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0533 [ 4 ] CVE-2014-0534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0534 [ 5 ] CVE-2014-0535 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0535 [ 6 ] CVE-2014-0536 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0536 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201406-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0533. This vulnerability CVE-2014-0531 and CVE-2014-0533 Is a different vulnerability.By any third party Web Script or HTML May be inserted. An attacker may leverage this issue to execute arbitrary script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2014:0745-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0745.html Issue date: 2014-06-11 CVE Names: CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. These vulnerabilities are detailed in the Adobe Security Bulletin APSB14-16, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. (CVE-2014-0534, CVE-2014-0535, CVE-2014-0536) Multiple flaws in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially crafted web page. (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.378. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1107822 - CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 flash-plugin: arbitrary code execution flaws (APSB14-16) 1107823 - CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 flash-plugin: multiple cross-site scripting flaws (APSB14-16) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0531.html https://www.redhat.com/security/data/cve/CVE-2014-0532.html https://www.redhat.com/security/data/cve/CVE-2014-0533.html https://www.redhat.com/security/data/cve/CVE-2014-0534.html https://www.redhat.com/security/data/cve/CVE-2014-0535.html https://www.redhat.com/security/data/cve/CVE-2014-0536.html https://access.redhat.com/security/updates/classification/#critical https://helpx.adobe.com/security/products/flash-player/apsb14-16.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTmB/VXlSAg2UNWIIRAui0AJ4ue6h6ArFI48FIv6w1DDNOEZDaBwCgsYtv djH8cHwfwVYfOzL8K4/neDs= =hqB0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, conduct Cross-Site Scripting (XSS) attacks, or bypass security restrictions. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.378 "= References ========== [ 1 ] CVE-2014-0531 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0531 [ 2 ] CVE-2014-0532 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0532 [ 3 ] CVE-2014-0533 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0533 [ 4 ] CVE-2014-0534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0534 [ 5 ] CVE-2014-0535 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0535 [ 6 ] CVE-2014-0536 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0536 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201406-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0532 and CVE-2014-0533. This vulnerability CVE-2014-0532 and CVE-2014-0533 Is a different vulnerability.By any third party Web Script or HTML May be inserted. An attacker may leverage this issue to execute arbitrary script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: flash-plugin security update Advisory ID: RHSA-2014:0745-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0745.html Issue date: 2014-06-11 CVE Names: CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 ===================================================================== 1. Summary: An updated Adobe Flash Player package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 3. These vulnerabilities are detailed in the Adobe Security Bulletin APSB14-16, listed in the References section. Multiple flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content. (CVE-2014-0534, CVE-2014-0535, CVE-2014-0536) Multiple flaws in flash-plugin could allow an attacker to conduct cross-site scripting (XSS) attacks if a victim were tricked into visiting a specially crafted web page. (CVE-2014-0531, CVE-2014-0532, CVE-2014-0533) All users of Adobe Flash Player should install this updated package, which upgrades Flash Player to version 11.2.202.378. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1107822 - CVE-2014-0534 CVE-2014-0535 CVE-2014-0536 flash-plugin: arbitrary code execution flaws (APSB14-16) 1107823 - CVE-2014-0531 CVE-2014-0532 CVE-2014-0533 flash-plugin: multiple cross-site scripting flaws (APSB14-16) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Server Supplementary (v. 5): i386: flash-plugin-11.2.202.378-1.el5.i386.rpm x86_64: flash-plugin-11.2.202.378-1.el5.i386.rpm Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: flash-plugin-11.2.202.378-1.el6.i686.rpm x86_64: flash-plugin-11.2.202.378-1.el6.i686.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-0531.html https://www.redhat.com/security/data/cve/CVE-2014-0532.html https://www.redhat.com/security/data/cve/CVE-2014-0533.html https://www.redhat.com/security/data/cve/CVE-2014-0534.html https://www.redhat.com/security/data/cve/CVE-2014-0535.html https://www.redhat.com/security/data/cve/CVE-2014-0536.html https://access.redhat.com/security/updates/classification/#critical https://helpx.adobe.com/security/products/flash-player/apsb14-16.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTmB/VXlSAg2UNWIIRAui0AJ4ue6h6ArFI48FIv6w1DDNOEZDaBwCgsYtv djH8cHwfwVYfOzL8K4/neDs= =hqB0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, conduct Cross-Site Scripting (XSS) attacks, or bypass security restrictions. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Flash Player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.378 "= References ========== [ 1 ] CVE-2014-0531 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0531 [ 2 ] CVE-2014-0532 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0532 [ 3 ] CVE-2014-0533 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0533 [ 4 ] CVE-2014-0534 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0534 [ 5 ] CVE-2014-0535 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0535 [ 6 ] CVE-2014-0536 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0536 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201406-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Certain firmware implementations may not correctly protect and validate information contained in certain UEFI variables. Exploitation of such vulnerabilities could potentially lead to bypass of security features and/or denial of service for the platform. Multiple products UEFI There is a vulnerability in the firmware. Multiple products UEFI The firmware includes OS of API From UEFI Variables 'Setup' There is a vulnerability that can be tampered with. For more information INTEL-SA-00038 Please confirm. INTEL-SA-00038 https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00038&languageid=en-frOS By a user with administrator rights UEFI May be tampered with. as a result, Secure Boot Security functions such as (DoS) There is a possibility of being attacked. UEFI, the full name of \"Unified Extensible Firmware Interface\", is a standard that describes the type interface in detail. On some systems, the operating system API can be used to override this variable, allowing local attackers to exploit the vulnerability to modify UEFI variables. Attackers with physical access to the computer running the vulnerable firmware can exploit this issue to bypass certain security restrictions and trigger denial-of-service conditions. NOTE: Very limited information is currently available regarding this issue. We will update this BID as more information emerges

Cross-site scripting (XSS) vulnerability in the web management interface in Cisco AsyncOS on the Email Security Appliance (ESA) 8.0, Web Security Appliance (WSA) 8.0 (.5 Hot Patch 1) and earlier, and Content Security Management Appliance (SMA) 8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted parameter, as demonstrated by the date_range parameter to monitor/reports/overview on the IronPort ESA, aka Bug IDs CSCun07998, CSCun07844, and CSCun07888. Cisco AsyncOS Multiple products that run on have cross-site scripting vulnerabilities. Cisco AsyncOS Multiple products that run on the date_range Cross-site scripting vulnerability due to parameters (CWE-79) Exists. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') http://cwe.mitre.org/data/definitions/79.htmlAn arbitrary script may be executed on the user's web browser. The Cisco IronPort family of products is a widely used mail encryption gateway, and AsyncOS is the operating system used by the product. The vulnerability stems from a program failing to properly filter user-supplied input. An attacker could exploit this vulnerability to execute arbitrary code in the context of the affected site user's browser, stealing cookie-based authentication credentials. And launch other attacks. This issue is being tracked by Cisco Bug IDs CSCun07998, CSCun07844 and CSCun07888. Cisco AsyncOS on Email Security Appliance (ESA) and others are products of Cisco (Cisco). Cisco ESA is an email security appliance. Cisco Content Security Management Appliance (SMA) is a content security management appliance. Cisco Web Security Appliance (WSA) is a set of network security appliances

The Real Time Monitoring Tool (RTMT) implementation in Cisco Unified Communications Manager (Unified CM) allows remote authenticated users to (1) read or (2) delete arbitrary files via a crafted URL, aka Bug IDs CSCuo17302 and CSCuo17199. Vendors report this vulnerability Bug ID CSCuo17302 ,and CSCuo17199 Published as.Crafted by a remotely authenticated user URL Any file via (1) Read or (2) It may be deleted. An attacker can exploit these issues to download or delete arbitrary files, which may aid in further attacks. These issues are being tracked by Cisco Bug ID CSCuo17302 and CSCuo17199. Real Time Monitoring Tool (RTMT) is one of the real-time monitoring tools. A security vulnerability exists in Cisco Unified CM's RTMT

IBM CICS Transaction Server 3.1, 3.2, 4.1, 4.2, and 5.1 on z/OS does not properly implement CEMT transactions, which allows remote authenticated users to cause a denial of service (storage overlay) by using a 3270 emulator to send an invalid 3270 data stream. IBM CICS Transaction Server is a transaction processing server that runs primarily on IBM System z mainframes based on IBM z/OS. An unspecified security vulnerability exists in IBM CICS Transaction Server. Little is known about this issue or its effects at this time. We will update this BID as more information emerges

The web framework in VOSS in Cisco Unified Communications Domain Manager (CDM) does not properly implement access control, which allows remote attackers to obtain potentially sensitive user information by visiting an unspecified BVSMWeb web page, aka Bug IDs CSCun46071 and CSCun46101. Vendors have confirmed this vulnerability Bug ID CSCun46071 and CSCun46101 It is released as.Unspecified by a third party BVSMWeb Web By accessing the page, important user information may be obtained. Successfully exploiting this issue may allow an attacker to obtain sensitive information that may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCun46071 and CSCun46101. This component features scalable, distributed, and highly available enterprise Voice over IP call processing

The web framework in Cisco WebEx Meeting Server does not properly restrict the content of reply messages, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug IDs CSCuj81685, CSCuj81688, CSCuj81665, CSCuj81744, and CSCuj81661. Vendors have confirmed this vulnerability Bug ID CSCuj81685 , CSCuj81688 , CSCuj81665 , CSCuj81744 ,and CSCuj81661 It is released as.Skillfully crafted by a third party URL You may get important information through. Cisco WebEx Meeting Server is prone to a user-enumeration vulnerability. An attacker may leverage this issue to harvest valid user accounts, which may aid in brute-force attacks. This issue being tracked by Cisco Bug IDs CSCuj81685, CSCuj81688, CSCuj81665, CSCuj81744, CSCuj81661, and CSCuj81655. Cisco WebEx Meeting Server is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution

Cisco Wireless LAN Controller (WLC) devices allow remote attackers to cause a denial of service (NULL pointer dereference and device restart) via a zero value in Cisco Discovery Protocol packet data that is not properly handled during SNMP polling, aka Bug ID CSCuo12321. Vendors have confirmed this vulnerability Bug ID CSCuo12321 It is released as. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. The Cisco WLC is responsible for system-wide wireless LAN functions such as security policy, intrusion protection, RF management, quality of service, and mobility. Attackers can exploit this issue to restart the affected device, denying service to legitimate users. The vulnerability stems from the fact that the program does not properly check for null values ​​in Cisco Discovery Protocol packets

Sagem 2604 Router is a router product of French company Sagem. A password leak vulnerability exists in the Sagem 2604 Router running 3.21a4G firmware, which is due to a design error. An attacker could use this vulnerability to obtain the root user password. This may lead to other attacks. Sagem 2604 running firmware version 3.21a4G is vulnerable; other versions may also be affected

The System Landscape Directory (SLD) in SAP NetWeaver allows remote attackers to modify information via vectors related to adding a system. SAP is the world's leading provider of enterprise management software solutions. SAP System Landscape Directory is prone to an unauthorized-access vulnerability. Successful exploits will allow attackers to gain unauthorized access and modify sensitive information, which may aid in further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Onapsis Security Advisory 2014-020: SAP SLD Information Tampering 1. Impact on Business ===================== By exploiting this vulnerability, a remote unauthenticated attacker might be able to modify technical information about the SAP systems potentially leading to a full compromise of all business information. Risk Level: High 2. Advisory Information ======================= - -- Public Release Date: 2014-06-06 - -- Subscriber Notification Date: 2014-06-06 - -- Last Revised: 2014-06-06 - -- Security Advisory ID: ONAPSIS-2014-020 - -- Onapsis SVS ID: ONAPSIS-SVS00081 - -- Researchers: Jordan Santarsieri, Pablo Muller, Juan Perez-Etchegoyen - -- Initial Base CVSS v2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 3. Vulnerability Information ============================ - -- Vendor: SAP - -- Affected Components: * SAP System Landscape Directory (available in all SAP JAVA App Servers) (Check SAP Note 1939334 for detailed information on affected releases) - -- Vulnerability Class: Improper Handling of Insufficient Permissions or Privileges (CWE-280) - -- Remotely Exploitable: Yes - -- Locally Exploitable: No - -- Authentication Required: No - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-020 4. 5. Technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability. 6. Solution =========== SAP has released SAP Note 1939334 which provide patched versions of the affected components. The patches can be downloaded from https://service.sap.com/sap/support/notes/1939334. Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks. 7. 2014-02-11: SAP releases security patches. 2014-05-30: Onapsis notifies availability of security advisory to security mailing lists. About Onapsis, Inc. =================== Onapsis provides innovative security software solutions to protect ERP systems from cyber-attacks. Through unmatched ERP security, compliance and continuous monitoring products, Onapsis secures the business-critical infrastructure of its global customers against espionage, sabotage and financial fraud threats. Onapsis X1, the company's flagship product, is the industry's first comprehensive solution for the automated security assessment of SAP platforms. Being the first and only SAP-certified solution of its kind, Onapsis X1 allows customers to perform automated Vulnerability Assessments, Security & Compliance Audits and Penetration Tests over their entire SAP platform. Onapsis is backed by the Onapsis Research Labs, a world-renowned team of SAP & ERP security experts who are continuously invited to lecture at the leading IT security conferences, such as RSA and BlackHat, and featured by mainstream media such as CNN, Reuters, IDG and New York Times. For further information about our solutions, please contact us at info@onapsis.com and visit our website at www.onapsis.com. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Onapsis Research Team iEYEARECAAYFAlOR3fUACgkQz3i6WNVBcDWrjwCdFC60a5sqq2hol1xAYYt0NczH fZwAn0St6TPuqLg210wpu2LM+bTDNY2S =2YwW -----END PGP SIGNATURE----- ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------

SAP Transaction Data Pool has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. SAP is the world's leading provider of enterprise management software solutions. SAP's multiple components have hard-coded usernames that allow attackers to exploit vulnerabilities to obtain sensitive information. These components include: SAP Project System SAP Structures SAP Project-Oriented Procurement SAP Brazil Specific Add-On SAP Oil Industry Solution Traders and Schedulers Workbench SAP Upgrade Tools SAP Web Services Tool SAP CCMS Monitoring SAP Transaction Data Pool SAP Capacity Leveling SAP Open Hub Service. Multiple SAP Components are prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain unauthorized access to the affected application

SAP Open Hub Service has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. SAP is the world's leading provider of enterprise management software solutions. SAP's multiple components have hard-coded usernames that allow attackers to exploit vulnerabilities to obtain sensitive information. These components include: SAP Project System SAP Structures SAP Project-Oriented Procurement SAP Brazil Specific Add-On SAP Oil Industry Solution Traders and Schedulers Workbench SAP Upgrade Tools SAP Web Services Tool SAP CCMS Monitoring SAP Transaction Data Pool SAP Capacity Leveling SAP Open Hub Service. Multiple SAP Components are prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain unauthorized access to the affected application

The SAP Trader's and Scheduler's Workbench (TSW) for SAP Oil & Gas has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. SAP is the world's leading provider of enterprise management software solutions. SAP's multiple components have hard-coded usernames that allow attackers to exploit vulnerabilities to obtain sensitive information. These components include: SAP Project System SAP Structures SAP Project-Oriented Procurement SAP Brazil Specific Add-On SAP Oil Industry Solution Traders and Schedulers Workbench SAP Upgrade Tools SAP Web Services Tool SAP CCMS Monitoring SAP Transaction Data Pool SAP Capacity Leveling SAP Open Hub Service. Multiple SAP Components are prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain unauthorized access to the affected application