VARIoT IoT vulnerabilities database
| VAR-201305-0292 | CVE-2013-2728 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
| CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. This vulnerability is distinct from CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating-system runtime environment used to build and deploy cross-platform desktop RIA (Rich Internet Application) applications. The vulnerability affects versions prior to 0.1860 and Adobe AIR SDK & Compiler prior to 3.7.0.1860.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2013:0825-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0825.html
Issue date: 2013-05-15
CVE Names: CVE-2013-2728 CVE-2013-3324 CVE-2013-3325
CVE-2013-3326 CVE-2013-3327 CVE-2013-3328
CVE-2013-3329 CVE-2013-3330 CVE-2013-3331
CVE-2013-3332 CVE-2013-3333 CVE-2013-3334
CVE-2013-3335
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. This update fixes multiple vulnerabilities in
Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security
bulletin APSB13-14, listed in the References section. Specially-crafted SWF
content could cause flash-plugin to crash or, potentially, execute arbitrary
code when a victim loads a page containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
962895 - flash-plugin: multiple code execution flaws (APSB13-14)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.285-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.285-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.285-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.285-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.285-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.285-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.285-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.285-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.285-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.285-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2013-2728.html
https://www.redhat.com/security/data/cve/CVE-2013-3324.html
https://www.redhat.com/security/data/cve/CVE-2013-3325.html
https://www.redhat.com/security/data/cve/CVE-2013-3326.html
https://www.redhat.com/security/data/cve/CVE-2013-3327.html
https://www.redhat.com/security/data/cve/CVE-2013-3328.html
https://www.redhat.com/security/data/cve/CVE-2013-3329.html
https://www.redhat.com/security/data/cve/CVE-2013-3330.html
https://www.redhat.com/security/data/cve/CVE-2013-3331.html
https://www.redhat.com/security/data/cve/CVE-2013-3332.html
https://www.redhat.com/security/data/cve/CVE-2013-3333.html
https://www.redhat.com/security/data/cve/CVE-2013-3334.html
https://www.redhat.com/security/data/cve/CVE-2013-3335.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb13-14.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRk0+VXlSAg2UNWIIRAkH8AJ4qnX1dCu9PQZVRQTc+jd80f3eHuQCgpBlA
pCXFdmTpNYaaRsAS+FVd7h4=
=8nby
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites. Please review the CVE identifiers referenced below for
details.
Impact
======
A remote attacker could entice a user to open specially crafted SWF
content, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
Furthermore, a remote attacker may be able to bypass access
restrictions.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.310"
References
==========
[ 1 ] CVE-2012-5248
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5248
[ 2 ] CVE-2012-5249
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5249
[ 3 ] CVE-2012-5250
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5250
[ 4 ] CVE-2012-5251
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5251
[ 5 ] CVE-2012-5252
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5252
[ 6 ] CVE-2012-5253
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5253
[ 7 ] CVE-2012-5254
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5254
[ 8 ] CVE-2012-5255
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5255
[ 9 ] CVE-2012-5256
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5256
[ 10 ] CVE-2012-5257
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5257
[ 11 ] CVE-2012-5258
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5258
[ 12 ] CVE-2012-5259
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5259
[ 13 ] CVE-2012-5260
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5260
[ 14 ] CVE-2012-5261
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5261
[ 15 ] CVE-2012-5262
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5262
[ 16 ] CVE-2012-5263
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5263
[ 17 ] CVE-2012-5264
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5264
[ 18 ] CVE-2012-5265
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5265
[ 19 ] CVE-2012-5266
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5266
[ 20 ] CVE-2012-5267
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5267
[ 21 ] CVE-2012-5268
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5268
[ 22 ] CVE-2012-5269
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5269
[ 23 ] CVE-2012-5270
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5270
[ 24 ] CVE-2012-5271
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5271
[ 25 ] CVE-2012-5272
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5272
[ 26 ] CVE-2012-5274
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5274
[ 27 ] CVE-2012-5275
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5275
[ 28 ] CVE-2012-5276
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5276
[ 29 ] CVE-2012-5277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5277
[ 30 ] CVE-2012-5278
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5278
[ 31 ] CVE-2012-5279
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5279
[ 32 ] CVE-2012-5280
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5280
[ 33 ] CVE-2012-5676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5676
[ 34 ] CVE-2012-5677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5677
[ 35 ] CVE-2012-5678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5678
[ 36 ] CVE-2013-0504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0504
[ 37 ] CVE-2013-0630
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0630
[ 38 ] CVE-2013-0633
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0633
[ 39 ] CVE-2013-0634
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0634
[ 40 ] CVE-2013-0637
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0637
[ 41 ] CVE-2013-0638
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0638
[ 42 ] CVE-2013-0639
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0639
[ 43 ] CVE-2013-0642
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0642
[ 44 ] CVE-2013-0643
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0643
[ 45 ] CVE-2013-0644
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0644
[ 46 ] CVE-2013-0645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0645
[ 47 ] CVE-2013-0646
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0646
[ 48 ] CVE-2013-0647
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0647
[ 49 ] CVE-2013-0648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0648
[ 50 ] CVE-2013-0649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0649
[ 51 ] CVE-2013-0650
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0650
[ 52 ] CVE-2013-1365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1365
[ 53 ] CVE-2013-1366
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1366
[ 54 ] CVE-2013-1367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1367
[ 55 ] CVE-2013-1368
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1368
[ 56 ] CVE-2013-1369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1369
[ 57 ] CVE-2013-1370
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1370
[ 58 ] CVE-2013-1371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1371
[ 59 ] CVE-2013-1372
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1372
[ 60 ] CVE-2013-1373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1373
[ 61 ] CVE-2013-1374
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1374
[ 62 ] CVE-2013-1375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1375
[ 63 ] CVE-2013-1378
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1378
[ 64 ] CVE-2013-1379
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1379
[ 65 ] CVE-2013-1380
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1380
[ 66 ] CVE-2013-2555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2555
[ 67 ] CVE-2013-2728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2728
[ 68 ] CVE-2013-3343
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3343
[ 69 ] CVE-2013-3344
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3344
[ 70 ] CVE-2013-3345
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3345
[ 71 ] CVE-2013-3347
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3347
[ 72 ] CVE-2013-3361
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3361
[ 73 ] CVE-2013-3362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3362
[ 74 ] CVE-2013-3363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3363
[ 75 ] CVE-2013-5324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5324
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201309-06.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201305-0208 | CVE-2013-3335 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
| CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, and CVE-2013-3334. This vulnerability is distinct from CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, and CVE-2013-3334. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating-system runtime environment used to build and deploy cross-platform desktop RIA (Rich Internet Application) applications. The vulnerability affects versions prior to 0.1860 and Adobe AIR SDK & Compiler prior to 3.7.0.1860.
| VAR-201305-0207 | CVE-2013-3334 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
| CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, and CVE-2013-3335. This vulnerability is distinct from CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, and CVE-2013-3335. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating-system runtime environment used to build and deploy cross-platform desktop RIA (Rich Internet Application) applications. The vulnerability affects versions prior to 0.1860 and Adobe AIR SDK & Compiler prior to 3.7.0.1860.
| VAR-201305-0204 | CVE-2013-3333 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
| CVSS V2: 10.0 | CVSS V3: - | Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3334, and CVE-2013-3335. This vulnerability is distinct from CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3334, and CVE-2013-3335. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating-system runtime environment used to build and deploy cross-platform desktop RIA (Rich Internet Application) applications. The vulnerability affects versions prior to 0.1860 and Adobe AIR SDK & Compiler prior to 3.7.0.1860.
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2013:0825-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0825.html
Issue date: 2013-05-15
CVE Names: CVE-2013-2728 CVE-2013-3324 CVE-2013-3325
CVE-2013-3326 CVE-2013-3327 CVE-2013-3328
CVE-2013-3329 CVE-2013-3330 CVE-2013-3331
CVE-2013-3332 CVE-2013-3333 CVE-2013-3334
CVE-2013-3335
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes multiple security issues
is now available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed in the Adobe Security bulletin APSB13-14,
listed in the References section. Specially-crafted SWF content could cause
flash-plugin to crash or, potentially, execute arbitrary code when a victim
loads a page containing the malicious SWF content.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
962895 - flash-plugin: multiple code execution flaws (APSB13-14)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.285-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.285-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.285-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.285-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-11.2.202.285-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.285-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-11.2.202.285-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.285-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-11.2.202.285-1.el6.i686.rpm
x86_64:
flash-plugin-11.2.202.285-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2013-2728.html
https://www.redhat.com/security/data/cve/CVE-2013-3324.html
https://www.redhat.com/security/data/cve/CVE-2013-3325.html
https://www.redhat.com/security/data/cve/CVE-2013-3326.html
https://www.redhat.com/security/data/cve/CVE-2013-3327.html
https://www.redhat.com/security/data/cve/CVE-2013-3328.html
https://www.redhat.com/security/data/cve/CVE-2013-3329.html
https://www.redhat.com/security/data/cve/CVE-2013-3330.html
https://www.redhat.com/security/data/cve/CVE-2013-3331.html
https://www.redhat.com/security/data/cve/CVE-2013-3332.html
https://www.redhat.com/security/data/cve/CVE-2013-3333.html
https://www.redhat.com/security/data/cve/CVE-2013-3334.html
https://www.redhat.com/security/data/cve/CVE-2013-3335.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb13-14.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFRk0+VXlSAg2UNWIIRAkH8AJ4qnX1dCu9PQZVRQTc+jd80f3eHuQCgpBlA
pCXFdmTpNYaaRsAS+FVd7h4=
=8nby
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
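A practical follow-up to the package list in section 6: deciding whether a RHEL 5 or 6 host actually carries the fixed flash-plugin build. The script below is an added example and is not part of the VARIoT record or of the Red Hat advisory. It reimplements the core of RPM's version ordering (the rpmvercmp segment rules, without the tilde/caret extensions) in plain Python and evaluates constructed `rpm -q` output against the fixed version/release pairs from the advisory. The function names, the FIXED_EVR table layout and the sample lines are assumptions made for this example; on a real host the input is the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n' flash-plugin`.

```python
import re

# Fixed (version, release) per dist tag, copied from section 6 of RHSA-2013:0825-01.
FIXED_EVR = {
    "el5": ("11.2.202.285", "1.el5"),
    "el6": ("11.2.202.285", "1.el6"),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings the way rpm orders them
    (core rules only; tilde/caret ordering is not handled). Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # numeric segments compare as integers
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit():
            return 1                         # numeric segment is newer than alphabetic
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1        # alphabetic segments compare lexically
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1    # longer string wins when prefixes match


def evr_cmp(ver_a: str, rel_a: str, ver_b: str, rel_b: str) -> int:
    """Compare (version, release) pairs; flash-plugin has epoch 0, so it is omitted."""
    c = rpmvercmp(ver_a, ver_b)
    return c if c else rpmvercmp(rel_a, rel_b)


def dist_tag(release: str):
    """Extract the 'elN' dist tag from a release string such as '1.el6'."""
    m = re.search(r"\.(el\d+)", release)
    return m.group(1) if m else None


def audit_flash_plugin(rpm_q_output: str) -> dict:
    r"""Map each installed flash-plugin NEVRA to 'patched', 'vulnerable' or
    'unknown-dist'. Input lines have the shape
    '%{NAME} %{VERSION} %{RELEASE} %{ARCH}' as produced by rpm -q --qf."""
    verdicts = {}
    for line in rpm_q_output.strip().splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "flash-plugin":
            continue
        name, ver, rel, arch = fields
        nevra = f"{name}-{ver}-{rel}.{arch}"
        tag = dist_tag(rel)
        if tag not in FIXED_EVR:
            verdicts[nevra] = "unknown-dist"   # not a RHEL 5/6 build; advisory does not apply
            continue
        fixed_ver, fixed_rel = FIXED_EVR[tag]
        patched = evr_cmp(ver, rel, fixed_ver, fixed_rel) >= 0
        verdicts[nevra] = "patched" if patched else "vulnerable"
    return verdicts


# Constructed sample output (not captured from a real host): one pre-fix build,
# the exact fixed builds, an older 10.x build, and two later builds.
SAMPLE_RPM_Q = """\
flash-plugin 11.2.202.281 1.el6 i686
flash-plugin 11.2.202.285 1.el5 i386
flash-plugin 10.3.183.90 1.el5 i386
flash-plugin 11.2.202.285 2.el6 i686
flash-plugin 11.2.202.297 1.el6 i686
"""

if __name__ == "__main__":
    for nevra, verdict in audit_flash_plugin(SAMPLE_RPM_Q).items():
        print(f"{verdict:12s} {nevra}")
```

The comparison is done per dist tag because the el5 and el6 releases are not ordered against each other. Before installing a downloaded package rather than pulling it through RHN, verify its signature with `rpm -K flash-plugin-11.2.202.285-1.el6.i686.rpm` against the Red Hat key referenced in the advisory.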
| VAR-201305-0200 | CVE-2013-3329 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. It is tracked separately from those twelve CVEs, which Adobe fixed in the same APSB13-14 release. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating-system runtime used to build and deploy cross-platform desktop RIA (Rich Internet Applications). Adobe AIR prior to 3.7.0.1860 and Adobe AIR SDK & Compiler prior to 3.7.0.1860 are affected. On Red Hat Enterprise Linux 5 and 6 this CVE is fixed by the same flash-plugin 11.2.202.285 update, RHSA-2013:0825-01, reproduced in full under VAR-201305-0292 above.
| VAR-201305-0203 | CVE-2013-3332 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. It is tracked separately from those twelve CVEs, which Adobe fixed in the same APSB13-14 release. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating-system runtime used to build and deploy cross-platform desktop RIA (Rich Internet Applications). Adobe AIR prior to 3.7.0.1860 and Adobe AIR SDK & Compiler prior to 3.7.0.1860 are affected. On Red Hat Enterprise Linux 5 and 6 this CVE is fixed by the same flash-plugin 11.2.202.285 update, RHSA-2013:0825-01, reproduced in full under VAR-201305-0292 above.
| VAR-201305-0202 | CVE-2013-3331 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. It is tracked separately from those twelve CVEs, which Adobe fixed in the same APSB13-14 release. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating-system runtime used to build and deploy cross-platform desktop RIA (Rich Internet Applications). Adobe AIR prior to 3.7.0.1860 and Adobe AIR SDK & Compiler prior to 3.7.0.1860 are affected. On Red Hat Enterprise Linux 5 and 6 this CVE is fixed by the same flash-plugin 11.2.202.285 update, RHSA-2013:0825-01, reproduced in full under VAR-201305-0292 above.
| VAR-201305-0201 | CVE-2013-3330 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. It is tracked separately from those twelve CVEs, which Adobe fixed in the same APSB13-14 release. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating-system runtime used to build and deploy cross-platform desktop RIA (Rich Internet Applications). Adobe AIR prior to 3.7.0.1860 and Adobe AIR SDK & Compiler prior to 3.7.0.1860 are affected. On Red Hat Enterprise Linux 5 and 6 this CVE is fixed by the same flash-plugin 11.2.202.285 update, RHSA-2013:0825-01, reproduced in full under VAR-201305-0292 above.
| VAR-201305-0199 | CVE-2013-3328 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. It is tracked separately from those twelve CVEs, which Adobe fixed in the same APSB13-14 release. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating-system runtime used to build and deploy cross-platform desktop RIA (Rich Internet Applications). Adobe AIR prior to 3.7.0.1860 and Adobe AIR SDK & Compiler prior to 3.7.0.1860 are affected. On Red Hat Enterprise Linux 5 and 6 this CVE is fixed by the same flash-plugin 11.2.202.285 update, RHSA-2013:0825-01, reproduced in full under VAR-201305-0292 above.
| VAR-201305-0198 | CVE-2013-3327 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. This vulnerability is distinct from CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3326, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. Vulnerabilities in versions prior to 0.1860; Adobe AIR SDK & Compiler prior to 3.7.0.1860.
Source: Red Hat Security Advisory RHSA-2013:0825-01 (https://rhn.redhat.com/errata/RHSA-2013-0825.html), reproduced in full under VAR-201305-0292 above.
| VAR-201305-0197 | CVE-2013-3326 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. This vulnerability is distinct from CVE-2013-2728, CVE-2013-3324, CVE-2013-3325, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. Vulnerabilities in versions prior to 0.1860; Adobe AIR SDK & Compiler prior to 3.7.0.1860.
Source: Red Hat Security Advisory RHSA-2013:0825-01 (https://rhn.redhat.com/errata/RHSA-2013-0825.html), reproduced in full under VAR-201305-0292 above.
| VAR-201305-0196 | CVE-2013-3325 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3324, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. This vulnerability is distinct from CVE-2013-2728, CVE-2013-3324, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. Vulnerabilities in versions prior to 0.1860; Adobe AIR SDK & Compiler prior to 3.7.0.1860.
Source: Red Hat Security Advisory RHSA-2013:0825-01 (https://rhn.redhat.com/errata/RHSA-2013-0825.html), reproduced in full under VAR-201305-0292 above.
| VAR-201305-0192 | CVE-2013-3324 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.86 and 11.x before 11.7.700.202 on Windows and Mac OS X, before 10.3.183.86 and 11.x before 11.2.202.285 on Linux, before 11.1.111.54 on Android 2.x and 3.x, and before 11.1.115.58 on Android 4.x; Adobe AIR before 3.7.0.1860; and Adobe AIR SDK & Compiler before 3.7.0.1860 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2728, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. This vulnerability is distinct from CVE-2013-2728, CVE-2013-3325, CVE-2013-3326, CVE-2013-3327, CVE-2013-3328, CVE-2013-3329, CVE-2013-3330, CVE-2013-3331, CVE-2013-3332, CVE-2013-3333, CVE-2013-3334, and CVE-2013-3335. An attacker could execute arbitrary code or cause a denial of service (memory corruption).
Attackers can exploit this issue to execute arbitrary code within the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. Adobe AIR is a cross-operating system runtime environment that can be used to build and configure cross-platform desktop RIA (Rich Internet Applications) applications. Vulnerabilities in versions prior to 0.1860; Adobe AIR SDK & Compiler prior to 3.7.0.1860.
Source: Red Hat Security Advisory RHSA-2013:0825-01 (https://rhn.redhat.com/errata/RHSA-2013-0825.html), reproduced in full under VAR-201305-0292 above.
| VAR-201306-0226 | CVE-2013-1862 | Apache HTTP Server Terminal Escape Sequence in Logs Command Injection Vulnerability |
CVSS V2: 5.1 CVSS V3: - Severity: MEDIUM |
mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. Apache HTTP Server is prone to a command-injection vulnerability because it fails to adequately sanitize user-supplied input.
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
==========================================================================
Ubuntu Security Notice USN-1903-1
July 15, 2013
apache2 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in the Apache HTTP Server. A remote attacker could use this issue to cause the server to
stop responding, resulting in a denial of service. (CVE-2013-1896)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 13.04:
apache2.2-common 2.2.22-6ubuntu5.1
Ubuntu 12.10:
apache2.2-common 2.2.22-6ubuntu2.3
Ubuntu 12.04 LTS:
apache2.2-common 2.2.22-1ubuntu1.4
Ubuntu 10.04 LTS:
apache2.2-common 2.2.14-5ubuntu8.12
In general, a standard system update will make all the necessary changes.
Solution:
The References section of this erratum contains a download link (you must
log in to download the update).
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 and Security Update 2014-001
OS X Mavericks 10.9.2 and Security Update 2014-001 is now available
and addresses the following:
Apache
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in Apache
Description: Multiple vulnerabilities existed in Apache, the most
serious of which may lead to cross-site scripting. These issues were
addressed by updating Apache to version 2.2.26.
CVE-ID
CVE-2013-1862
CVE-2013-1896
App Sandbox
Available for: OS X Mountain Lion v10.8.5
Impact: The App Sandbox may be bypassed
Description: The LaunchServices interface for launching an
application allowed sandboxed apps to specify the list of arguments
passed to the new process. A compromised sandboxed application could
abuse this to bypass the sandbox. This issue was addressed by
preventing sandboxed applications from specifying arguments. This
issue does not affect systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR
ATS
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 and 10.9.1
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description: A memory corruption issue existed in the handling of
Type 1 fonts. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1254 : Felix Groebert of the Google Security Team
ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A memory corruption issue existed in the handling of
Mach messages passed to ATS. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-1262 : Meder Kydyraliev of the Google Security Team
ATS
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: An arbitrary free issue existed in the handling of Mach
messages passed to ATS. This issue was addressed through additional
validation of Mach messages.
CVE-ID
CVE-2014-1255 : Meder Kydyraliev of the Google Security Team
ATS
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: The App Sandbox may be bypassed
Description: A buffer overflow issue existed in the handling of Mach
messages passed to ATS. This issue was addressed by additional bounds
checking.
CVE-ID
CVE-2014-1256 : Meder Kydyraliev of the Google Security Team
Certificate Trust Policy
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Root certificates have been updated
Description: The set of system root certificates has been updated.
The complete list of recognized system roots may be viewed via the
Keychain Access application.
CFNetwork Cookies
Available for: OS X Mountain Lion v10.8.5
Impact: Session cookies may persist even after resetting Safari
Description: Resetting Safari did not always delete session cookies
until Safari was closed. This issue was addressed through improved
handling of session cookies. This issue does not affect systems
running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett
CoreAnimation
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 and 10.9.1
Impact: Visiting a maliciously crafted site may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreAnimation's
handling of images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1258 : Karl Smith of NCC Group
CoreText
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Applications that use CoreText may be vulnerable to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in CoreText in the handling
of Unicode fonts. This issue is addressed through improved bounds
checking.
CVE-ID
CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs
curl
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: When using curl to connect to an HTTPS URL containing
an IP address, the IP address was not validated against the
certificate. This issue does not affect systems prior to OS X
Mavericks v10.9.
CVE-ID
CVE-2014-1263 : Roland Moriz of Moriz GmbH
Data Security
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: An attacker with a privileged network position may capture
or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of
the connection. This issue was addressed by restoring missing
validation steps.
CVE-ID
CVE-2014-1266
Date and Time
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: An unprivileged user may change the system clock
Description: This update changes the behavior of the systemsetup
command to require administrator privileges to change the system
clock.
CVE-ID
CVE-2014-1265
File Bookmark
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a file with a maliciously crafted name may lead to
an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of file
names. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1259
Finder
Available for: OS X Mavericks 10.9 and 10.9.1
Impact: Accessing a file's ACL via Finder may lead to other users
gaining unauthorized access to files
Description: Accessing a file's ACL via Finder may corrupt the ACLs
on the file. This issue was addressed through improved handling of
ACLs.
CVE-ID
CVE-2014-1264
ImageIO
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed by better JPEG handling.
CVE-ID
CVE-2013-6629 : Michal Zalewski
IOSerialFamily
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact: Executing a malicious application may result in arbitrary
code execution within the kernel
Description: An out of bounds array access existed in the
IOSerialFamily driver. This issue was addressed through additional
bounds checking. This issue does not affect systems running OS X
Mavericks v10.9 or later.
CVE-ID
CVE-2013-5139 : @dent1zt
LaunchServices
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5
Impact: A file could show the wrong extension
Description: An issue existed in the handling of certain unicode
characters that could allow filenames to show incorrect extensions.
The issue was addressed by filtering unsafe unicode characters from
display in filenames. This issue does not affect systems running OS X
Mavericks v10.9 or later.
CVE-ID
CVE-2013-5178 : Jesse Ruderman of Mozilla Corporation, Stephane Sudre
of Intego
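Added example (Python, not Apple's code) showing how a file name can display one extension while carrying another, and the filtering step the fix describes. It assumes, since the advisory does not name them, that the unsafe characters are the Unicode bidirectional controls such as U+202E RIGHT-TO-LEFT OVERRIDE; the bidi model in rendered() is a deliberate simplification and the sample name is constructed:

```python
# Added example (not Apple's code): spot file names whose displayed extension
# differs from the one the OS will act on.  Assumption, not stated in the
# advisory: the "unsafe unicode characters" are the bidirectional controls
# (e.g. U+202E RIGHT-TO-LEFT OVERRIDE) and other zero-width format characters.
import os
import unicodedata

# Bidi embedding/override/isolate controls plus the zero-width characters.
UNSAFE_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE RLE PDF LRO RLO
    "\u2066\u2067\u2068\u2069"         # LRI RLI FSI PDI
    "\u200e\u200f"                     # LRM RLM
    "\u200b\u200c\u200d\ufeff"         # ZWSP ZWNJ ZWJ BOM
)


def _is_unsafe(ch: str) -> bool:
    # Everything in Unicode category Cf (format) is invisible in a file name.
    return ch in UNSAFE_CONTROLS or unicodedata.category(ch) == "Cf"


def has_unsafe_controls(name: str) -> bool:
    return any(_is_unsafe(ch) for ch in name)


def real_extension(name: str) -> str:
    """The extension the OS acts on: text after the last '.' of the stored name."""
    return os.path.splitext(name)[1].lower()


def rendered(name: str) -> str:
    """Rough model of a bidi-aware renderer: U+202E reverses the text up to the
    matching U+202C (or the end of the name); other format characters are
    invisible.  Enough to reproduce the trick, not a full UAX #9 implementation."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif _is_unsafe(ch):
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension_spoofed(name: str) -> bool:
    """True when what the user sees as the extension is not what will run."""
    return has_unsafe_controls(name) and real_extension(name) != real_extension(rendered(name))


def display_name(name: str) -> str:
    """The advisory's remedy: filter the unsafe characters before display, so
    the shown extension is the real one."""
    return "".join(ch for ch in name if not _is_unsafe(ch))


# Constructed sample: stored as "invoice" + RLO + "fdp.exe", shown as "invoiceexe.pdf".
SPOOFED_NAME = "invoice\u202efdp.exe"
```

The same check is useful on the receiving side of a mail gateway or upload handler: a name for which extension_spoofed() is true should be quarantined or renamed with display_name() before a user ever sees it.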
NVIDIA Drivers
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Executing a malicious application could result in arbitrary
code execution within the graphics card
Description: An issue existed that allowed writes to some trusted
memory on the graphics card. This issue was addressed by removing the
ability of the host to write to that memory.
CVE-ID
CVE-2013-5986 : Marcin Kościelnicki from the X.Org Foundation
Nouveau project
CVE-2013-5987 : Marcin Kościelnicki from the X.Org Foundation
Nouveau project
PHP
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP, the most
serious of which may have led to arbitrary code execution. These
issues were addressed by updating PHP to version 5.4.22 on OS X
Mavericks v10.9, and 5.3.28 on OS X Lion and Mountain Lion.
CVE-ID
CVE-2013-4073
CVE-2013-4113
CVE-2013-4248
CVE-2013-6420
QuickLook
Available for: OS X Mountain Lion v10.8.5
Impact: Downloading a maliciously crafted Microsoft Office file may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in QuickLook's
handling of Microsoft Office files. Downloading a maliciously crafted
Microsoft Office file may have led to an unexpected application
termination or arbitrary code execution. This issue does not affect
systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1260 : Felix Groebert of the Google Security Team
QuickLook
Available for: OS X Mountain Lion v10.8.5,
OS X Mavericks 10.9 and 10.9.1
Impact: Downloading a maliciously crafted Microsoft Word document
may lead to an unexpected application termination or arbitrary code
execution
Description: A double free issue existed in QuickLook's handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ftab'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1246 : An anonymous researcher working with HP's Zero Day
Initiative
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
'dref' atoms. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1247 : Tom Gallagher & Paul Bates working with HP's Zero Day
Initiative
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'ldat'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1248 : Jason Kratzer working with iDefense VCP
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Viewing a maliciously crafted PSD image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PSD
images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1249 : dragonltx of Tencent Security Team
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An out of bounds byte swapping issue existed in the
handling of 'ttfo' elements. This issue was addressed through
improved bounds checking.
CVE-ID
CVE-2014-1250 : Jason Kratzer working with iDefense VCP
QuickTime
Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact: Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of 'stsz'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1245 : Tom Gallagher & Paul Bates working with HP's Zero Day
Initiative
Secure Transport
Available for: OS X Mountain Lion v10.8.5
Impact: An attacker may be able to decrypt data protected by SSL
Description: There were known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite used a block cipher in CBC mode.
To address these issues for applications using Secure Transport, the
1-byte fragment mitigation was enabled by default for this
configuration.
CVE-ID
CVE-2011-3389 : Juliano Rizzo and Thai Duong
OS X Mavericks v10.9.2 includes the content of Safari 7.0.2.
OS X Mavericks v10.9.2 and Security Update 2014-001 may be obtained from
the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
.
A buffer overflow when reading a digest password file with very long
lines in htdigest was discovered (PR 54893). The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.1.1 update
Advisory ID: RHSA-2013:1208-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1208.html
Issue date: 2013-09-04
CVE Names: CVE-2012-3499 CVE-2012-4558 CVE-2013-1862
CVE-2013-1896 CVE-2013-1921 CVE-2013-2172
CVE-2013-4112
=====================================================================
1. Summary:
Red Hat JBoss Enterprise Application Platform 6.1.1, which fixes multiple
security issues, various bugs, and adds enhancements, is now available for
Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server - i386, noarch, x86_64
3. Description:
Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.
This release serves as a replacement for Red Hat JBoss Enterprise
Application Platform 6.1.0, and includes bug fixes and enhancements. Refer
to the 6.1.1 Release Notes for information on the most significant of these
changes, available shortly from
https://access.redhat.com/site/documentation/
Security fixes:
Cross-site scripting (XSS) flaws were found in the mod_info, mod_status,
mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could
possibly use these flaws to perform XSS attacks if they were able to make
the victim's browser generate an HTTP request with a specially-crafted Host
header. (CVE-2012-3499)
Cross-site scripting (XSS) flaws were found in the mod_proxy_balancer
module's manager web interface. If a remote attacker could trick a user,
who was logged into the manager web interface, into visiting a
specially-crafted URL, it would lead to arbitrary web script execution in
the context of the user's manager interface session. (CVE-2012-4558)
A flaw was found in the way the mod_dav module handled merge requests. An
attacker could use this flaw to send a crafted merge request that contains
URIs that are not configured for DAV, causing the httpd child process to
crash. (CVE-2013-1896)
A flaw was found in the way Apache Santuario XML Security for Java
validated XML signatures. Santuario allowed a signature to specify an
arbitrary canonicalization algorithm, which would be applied to the
SignedInfo XML fragment. A remote attacker could exploit this to spoof an
XML signature via a specially-crafted XML signature block. (CVE-2013-2172)
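Added example (Python, not Apache Santuario's code) of the allowlist check this flaw calls for: read the algorithm URIs a signature asks the verifier to run and refuse anything outside a fixed set before any of them is applied. It also checks the Reference transforms, one step beyond the advisory's text. The signature fragments are constructed with placeholder digest and signature values, and cryptographic verification is out of scope:

```python
# Added example (not Apache Santuario's code): accept an XML signature only
# when every canonicalization/transform algorithm it names is on a fixed
# allowlist, the check whose absence the advisory describes.  The signature
# fragments below are constructed; DigestValue/SignatureValue are placeholders
# and cryptographic verification is out of scope here.  Checking Reference
# transforms as well goes one step beyond the advisory's text.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

ALLOWED_C14N = frozenset({
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/2006/12/xml-c14n11",
    "http://www.w3.org/2006/12/xml-c14n11#WithComments",
})
# Transforms a verifier needs in practice: enveloped-signature plus the c14n set.
ALLOWED_TRANSFORMS = ALLOWED_C14N | {"http://www.w3.org/2000/09/xmldsig#enveloped-signature"}


class UnsafeSignature(ValueError):
    """Raised before any algorithm named in the signature is executed."""


def signature_algorithms(signature_xml: str) -> dict:
    """Collect the algorithm URIs a signature asks the verifier to run."""
    root = ET.fromstring(signature_xml)
    info = root.find(f"{DS}SignedInfo")
    if info is None:
        raise UnsafeSignature("no SignedInfo")
    c14n = info.find(f"{DS}CanonicalizationMethod")
    if c14n is None or not c14n.get("Algorithm"):
        raise UnsafeSignature("SignedInfo lacks a CanonicalizationMethod")
    transforms = [t.get("Algorithm", "") for t in info.iter(f"{DS}Transform")]
    return {"c14n": c14n.get("Algorithm"), "transforms": transforms}


def check_signature_algorithms(signature_xml: str) -> dict:
    """Return the algorithms if all are allowlisted, else raise UnsafeSignature."""
    algs = signature_algorithms(signature_xml)
    if algs["c14n"] not in ALLOWED_C14N:
        raise UnsafeSignature(f"unexpected canonicalization algorithm: {algs['c14n']}")
    for t in algs["transforms"]:
        if t not in ALLOWED_TRANSFORMS:
            raise UnsafeSignature(f"unexpected transform: {t}")
    return algs


def is_acceptable(signature_xml: str) -> bool:
    try:
        check_signature_algorithms(signature_xml)
        return True
    except UnsafeSignature:
        return False


def _signature(c14n: str) -> str:
    # Constructed ds:Signature skeleton; values are placeholders.
    return f"""<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:CanonicalizationMethod Algorithm="{c14n}"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <ds:Reference URI="#assertion">
      <ds:Transforms>
        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
</ds:Signature>"""


GOOD_SIGNATURE = _signature("http://www.w3.org/2001/10/xml-exc-c14n#")
# Attacker-chosen value: an XSLT URI is a transform engine, not a canonicalization method.
BAD_SIGNATURE = _signature("http://www.w3.org/TR/1999/REC-xslt-19991116")
```

The point of ordering is that the allowlist runs on the parsed attribute values alone; nothing in SignedInfo is canonicalized, transformed or hashed until check_signature_algorithms() has returned.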
It was found that mod_rewrite did not filter terminal escape sequences from
its log file. If a victim viewed the log file with a terminal emulator, it
could result in arbitrary command execution with the privileges of that
user. (CVE-2013-1862)
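Added example (Python, not the httpd project's code) of the two sides of this issue: escaping control characters in attacker-influenced text before it is logged, and scanning an existing log for lines that would drive a terminal emulator so they can be reviewed safely. The rewrite-log lines are constructed for the example:

```python
# Added example (not the httpd project's code): escape control characters in
# attacker-influenced text before it is written to a log, and scan an existing
# log for lines that already carry terminal escape sequences.  The log lines
# below are constructed for this example.
import re

# Every C0 control (incl. ESC 0x1b, BEL 0x07, CR/LF), DEL, and the C1 range
# 0x80-0x9f (CSI 0x9b, OSC 0x9d) that some terminals honour directly.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Sequences a terminal would act on: ESC followed by any 0x40-0x5f introducer
# (CSI '[', OSC ']', two-byte escapes such as ESC c) or a raw C1 CSI/OSC byte.
_TERMINAL_ESCAPE = re.compile(r"\x1b[@-_]|[\x9b\x9d]")


def sanitize_for_log(text: str) -> str:
    """Replace each control character with a \\xNN escape so the entry stays a
    single printable line and a terminal shows the bytes instead of obeying them."""
    return _CONTROL.sub(lambda m: f"\\x{ord(m.group(0)):02x}", text)


def contains_terminal_escapes(line: str) -> bool:
    return _TERMINAL_ESCAPE.search(line) is not None


def scan_log(lines):
    """Return (line_number, sanitized_line) for every line that would drive a
    terminal emulator, so the hits can be reviewed safely with cat or tail."""
    return [(n, sanitize_for_log(line))
            for n, line in enumerate(lines, 1)
            if contains_terminal_escapes(line)]


# Constructed rewrite-log entries.  The second carries an OSC title-set
# sequence and a clear-screen/home sequence smuggled in via the request URI.
SAMPLE_REWRITE_LOG = [
    "203.0.113.5 - - [04/Sep/2013:10:00:00 +0000] [www.example.test/sid#1]"
    "[rid#2/initial] (2) init rewrite engine with requested uri /index.html",
    "203.0.113.5 - - [04/Sep/2013:10:00:01 +0000] [www.example.test/sid#1]"
    "[rid#3/initial] (2) init rewrite engine with requested uri "
    "/\x1b]0;owned\x07\x1b[2J\x1b[H/index.html",
]
```

sanitize_for_log() belongs at the point where untrusted input (here the request URI) is formatted into the log line; scan_log() is the triage step for logs written before the fix was applied, and its output never contains a raw ESC, BEL or C1 byte.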
The data file used by PicketBox Vault to store encrypted passwords contains
a copy of its own admin key. The file is encrypted using only this admin
key, not the corresponding JKS key. A local attacker with permission to
read the vault data file could read the admin key from the file, and use it
to decrypt the file and read the stored passwords in clear text.
(CVE-2013-1921)
A flaw was found in JGroups' DiagnosticsHandler that allowed an attacker on
an adjacent network to reuse the credentials from a previous successful
authentication. This could be exploited to read diagnostic information
(information disclosure) and attain limited remote code execution.
(CVE-2013-4112)
Warning: Before applying this update, back up your existing Red Hat JBoss
Enterprise Application Platform installation and deployed applications.
Refer to the Solution section for further details.
All users of Red Hat JBoss Enterprise Application Platform 6.1.0 on Red Hat
Enterprise Linux 6 are advised to upgrade to these updated packages. The
JBoss server process must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up any customized
Red Hat JBoss Enterprise Application Platform 6 configuration files. On
update, the configuration files that have been locally modified will not be
updated. The updated version of such files will be stored as the rpmnew
files. Make sure to locate any such files after the update and merge any
changes manually.
For more details, refer to the Release Notes for Red Hat JBoss Enterprise
Application Platform 6.1.1, available shortly from
https://access.redhat.com/site/documentation/
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
915883 - CVE-2012-3499 httpd: multiple XSS flaws due to unescaped hostnames
915884 - CVE-2012-4558 httpd: XSS flaw in mod_proxy_balancer manager interface
948106 - CVE-2013-1921 JBoss PicketBox: Insecure storage of masked passwords
953729 - CVE-2013-1862 httpd: mod_rewrite allows terminal escape sequences to be written to the log file
983489 - CVE-2013-4112 JGroups: Authentication via cached credentials
983549 - CVE-2013-1896 httpd: mod_dav DoS (httpd child process crash) via a URI MERGE request with source URI not handled by mod_dav
985025 - Upgrade jbossweb to 7.2.2.Final-redhat-1
985061 - Upgrade jboss-as-console to 1.5.5.Final-redhat-1
985173 - Upgrade jboss-hal to 1.5.6.Final-redhat-1
989597 - Upgrade jbossws-common to 2.1.3.Final-redhat-1
989606 - Upgrade jboss-stdio to 1.0.2.GA-redhat-1
990636 - Upgrade jboss-aesh to 0.33.6-redhat-1
990657 - Upgrade jaxbintros to 1.0.2.GA-redhat-5
990662 - Upgrade picketlink-federation to 2.1.6.2.Final-redhat-2
990671 - Upgrade jbossts to 4.17.7.Final-redhat-3
990686 - Upgrade jboss-logmanager to 1.4.3.Final-redhat-1
995115 - Upgrade hornetq to 2.3.5.Final-redhat-1
995290 - Upgrade jgroups to 3.2.10.Final-redhat-1
995563 - Upgrade picketbox to 4.0.17.SP2-redhat-1
996313 - Upgrade hornetq-native to 2.3.5.Final-redhat-1
999263 - CVE-2013-2172 Apache Santuario XML Security for Java: XML signature spoofing
6. Package List:
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/apache-commons-beanutils-1.8.3-12.redhat_3.2.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/apache-commons-daemon-jsvc-eap6-1.0.15-2.redhat_2.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/apache-cxf-2.6.8-8.redhat_7.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/apache-cxf-xjc-utils-2.6.0-2.redhat_4.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/hibernate4-4.2.0-7.SP1_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/hornetq-2.3.5-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/hornetq-native-2.3.5-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/httpd-2.2.22-25.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/infinispan-5.2.7-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/ironjacamar-1.0.19-1.Final_redhat_2.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jaxbintros-1.0.2-16.GA_redhat_6.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-aesh-0.33.7-2.redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-appclient-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-cli-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-client-all-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-clustering-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-cmp-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-configadmin-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-connector-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-console-1.5.6-2.Final_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-controller-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-controller-client-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-deployment-repository-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-deployment-scanner-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-domain-http-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-domain-management-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-ee-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-ee-deployment-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-ejb3-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-embedded-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-host-controller-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jacorb-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jaxr-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jaxrs-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jdr-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jmx-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jpa-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jsf-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-jsr77-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-logging-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-mail-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-management-client-content-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-messaging-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-modcluster-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-naming-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-network-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-osgi-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-osgi-configadmin-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-osgi-service-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-platform-mbean-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-pojo-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-process-controller-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-protocol-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-remoting-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-sar-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-security-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-server-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-system-jmx-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-threads-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-transactions-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-version-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-web-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-webservices-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-weld-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-as-xts-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-ejb-client-1.0.23-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-hal-1.5.7-1.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-invocation-1.1.2-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-jsp-api_2.2_spec-1.0.1-6.Final_redhat_2.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-logmanager-1.4.3-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-marshalling-1.3.18-1.GA_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-modules-1.2.2-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-remote-naming-1.0.7-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-security-negotiation-2.2.5-2.Final_redhat_2.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jboss-stdio-1.0.2-1.GA_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-appclient-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-bundles-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-core-7.2.1-6.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-domain-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-javadocs-7.2.1-2.Final_redhat_10.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-modules-eap-7.2.1-9.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-product-eap-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-standalone-7.2.1-6.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossas-welcome-content-eap-7.2.1-5.Final_redhat_10.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossts-4.17.7-4.Final_redhat_4.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossweb-7.2.2-1.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossws-common-2.1.3-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossws-cxf-4.1.4-7.Final_redhat_7.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jbossws-spi-2.1.3-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jcip-annotations-eap6-1.0-4.redhat_4.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/jgroups-3.2.10-1.Final_redhat_2.2.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/log4j-jboss-logmanager-1.0.2-1.Final_redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/netty-3.6.6-2.Final_redhat_1.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/opensaml-2.5.1-2.redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/openws-1.4.2-10.redhat_4.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/picketbox-4.0.17-3.SP2_redhat_2.1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/picketlink-federation-2.1.6.3-2.Final_redhat_2.2.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/wss4j-1.6.10-1.redhat_1.ep6.el6.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/JBEAP/SRPMS/xml-security-1.5.5-1.redhat_1.ep6.el6.src.rpm
i386:
apache-commons-daemon-jsvc-eap6-1.0.15-2.redhat_2.ep6.el6.i386.rpm
apache-commons-daemon-jsvc-eap6-debuginfo-1.0.15-2.redhat_2.ep6.el6.i386.rpm
hornetq-native-2.3.5-1.Final_redhat_1.ep6.el6.i386.rpm
hornetq-native-debuginfo-2.3.5-1.Final_redhat_1.ep6.el6.i386.rpm
httpd-2.2.22-25.ep6.el6.i386.rpm
httpd-debuginfo-2.2.22-25.ep6.el6.i386.rpm
httpd-devel-2.2.22-25.ep6.el6.i386.rpm
httpd-tools-2.2.22-25.ep6.el6.i386.rpm
jbossas-hornetq-native-2.3.5-1.Final_redhat_1.ep6.el6.i386.rpm
mod_ssl-2.2.22-25.ep6.el6.i386.rpm
noarch:
apache-commons-beanutils-1.8.3-12.redhat_3.2.ep6.el6.noarch.rpm
apache-cxf-2.6.8-8.redhat_7.1.ep6.el6.noarch.rpm
apache-cxf-xjc-utils-2.6.0-2.redhat_4.1.ep6.el6.noarch.rpm
cxf-xjc-boolean-2.6.0-2.redhat_4.1.ep6.el6.noarch.rpm
cxf-xjc-dv-2.6.0-2.redhat_4.1.ep6.el6.noarch.rpm
cxf-xjc-ts-2.6.0-2.redhat_4.1.ep6.el6.noarch.rpm
hibernate4-4.2.0-7.SP1_redhat_1.ep6.el6.noarch.rpm
hibernate4-core-4.2.0-7.SP1_redhat_1.ep6.el6.noarch.rpm
hibernate4-entitymanager-4.2.0-7.SP1_redhat_1.ep6.el6.noarch.rpm
hibernate4-envers-4.2.0-7.SP1_redhat_1.ep6.el6.noarch.rpm
hibernate4-infinispan-4.2.0-7.SP1_redhat_1.ep6.el6.noarch.rpm
hornetq-2.3.5-2.Final_redhat_2.1.ep6.el6.noarch.rpm
infinispan-5.2.7-1.Final_redhat_1.ep6.el6.noarch.rpm
infinispan-cachestore-jdbc-5.2.7-1.Final_redhat_1.ep6.el6.noarch.rpm
infinispan-cachestore-remote-5.2.7-1.Final_redhat_1.ep6.el6.noarch.rpm
infinispan-client-hotrod-5.2.7-1.Final_redhat_1.ep6.el6.noarch.rpm
infinispan-core-5.2.7-1.Final_redhat_1.ep6.el6.noarch.rpm
ironjacamar-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
ironjacamar-common-api-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
ironjacamar-common-impl-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
ironjacamar-common-spi-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
ironjacamar-core-api-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
ironjacamar-core-impl-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
ironjacamar-deployers-common-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
ironjacamar-jdbc-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
ironjacamar-spec-api-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
ironjacamar-validator-1.0.19-1.Final_redhat_2.ep6.el6.noarch.rpm
jaxbintros-1.0.2-16.GA_redhat_6.ep6.el6.noarch.rpm
jboss-aesh-0.33.7-2.redhat_2.1.ep6.el6.noarch.rpm
jboss-as-appclient-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-cli-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-client-all-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-clustering-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-cmp-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-configadmin-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-connector-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-console-1.5.6-2.Final_redhat_2.1.ep6.el6.noarch.rpm
jboss-as-controller-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-controller-client-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-deployment-repository-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-deployment-scanner-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-domain-http-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-domain-management-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-ee-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-ee-deployment-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-ejb3-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-embedded-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-host-controller-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-jacorb-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-jaxr-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-jaxrs-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-jdr-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-jmx-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-jpa-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-jsf-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-jsr77-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-logging-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-mail-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-management-client-content-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-messaging-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-modcluster-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-naming-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-network-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-osgi-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-osgi-configadmin-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-osgi-service-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-platform-mbean-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-pojo-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-process-controller-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-protocol-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-remoting-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-sar-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-security-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-server-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-system-jmx-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-threads-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-transactions-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-version-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-web-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-webservices-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-weld-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-as-xts-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jboss-ejb-client-1.0.23-1.Final_redhat_1.ep6.el6.noarch.rpm
jboss-hal-1.5.7-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jboss-invocation-1.1.2-1.Final_redhat_1.ep6.el6.noarch.rpm
jboss-jsp-api_2.2_spec-1.0.1-6.Final_redhat_2.ep6.el6.noarch.rpm
jboss-logmanager-1.4.3-1.Final_redhat_1.ep6.el6.noarch.rpm
jboss-marshalling-1.3.18-1.GA_redhat_1.1.ep6.el6.noarch.rpm
jboss-modules-1.2.2-1.Final_redhat_1.ep6.el6.noarch.rpm
jboss-remote-naming-1.0.7-1.Final_redhat_1.ep6.el6.noarch.rpm
jboss-security-negotiation-2.2.5-2.Final_redhat_2.ep6.el6.noarch.rpm
jboss-stdio-1.0.2-1.GA_redhat_1.ep6.el6.noarch.rpm
jbossas-appclient-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jbossas-bundles-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jbossas-core-7.2.1-6.Final_redhat_10.1.ep6.el6.noarch.rpm
jbossas-domain-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jbossas-javadocs-7.2.1-2.Final_redhat_10.ep6.el6.noarch.rpm
jbossas-modules-eap-7.2.1-9.Final_redhat_10.1.ep6.el6.noarch.rpm
jbossas-product-eap-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jbossas-standalone-7.2.1-6.Final_redhat_10.1.ep6.el6.noarch.rpm
jbossas-welcome-content-eap-7.2.1-5.Final_redhat_10.1.ep6.el6.noarch.rpm
jbossts-4.17.7-4.Final_redhat_4.ep6.el6.noarch.rpm
jbossweb-7.2.2-1.Final_redhat_1.1.ep6.el6.noarch.rpm
jbossws-common-2.1.3-1.Final_redhat_1.ep6.el6.noarch.rpm
jbossws-cxf-4.1.4-7.Final_redhat_7.ep6.el6.noarch.rpm
jbossws-spi-2.1.3-1.Final_redhat_1.ep6.el6.noarch.rpm
jcip-annotations-eap6-1.0-4.redhat_4.ep6.el6.noarch.rpm
jgroups-3.2.10-1.Final_redhat_2.2.ep6.el6.noarch.rpm
log4j-jboss-logmanager-1.0.2-1.Final_redhat_1.ep6.el6.noarch.rpm
netty-3.6.6-2.Final_redhat_1.1.ep6.el6.noarch.rpm
opensaml-2.5.1-2.redhat_2.1.ep6.el6.noarch.rpm
openws-1.4.2-10.redhat_4.1.ep6.el6.noarch.rpm
picketbox-4.0.17-3.SP2_redhat_2.1.ep6.el6.noarch.rpm
picketlink-federation-2.1.6.3-2.Final_redhat_2.2.ep6.el6.noarch.rpm
wss4j-1.6.10-1.redhat_1.ep6.el6.noarch.rpm
xml-security-1.5.5-1.redhat_1.ep6.el6.noarch.rpm
x86_64:
apache-commons-daemon-jsvc-eap6-1.0.15-2.redhat_2.ep6.el6.x86_64.rpm
apache-commons-daemon-jsvc-eap6-debuginfo-1.0.15-2.redhat_2.ep6.el6.x86_64.rpm
hornetq-native-2.3.5-1.Final_redhat_1.ep6.el6.x86_64.rpm
hornetq-native-debuginfo-2.3.5-1.Final_redhat_1.ep6.el6.x86_64.rpm
httpd-2.2.22-25.ep6.el6.x86_64.rpm
httpd-debuginfo-2.2.22-25.ep6.el6.x86_64.rpm
httpd-devel-2.2.22-25.ep6.el6.x86_64.rpm
httpd-tools-2.2.22-25.ep6.el6.x86_64.rpm
jbossas-hornetq-native-2.3.5-1.Final_redhat_1.ep6.el6.x86_64.rpm
mod_ssl-2.2.22-25.ep6.el6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-3499.html
https://www.redhat.com/security/data/cve/CVE-2012-4558.html
https://www.redhat.com/security/data/cve/CVE-2013-1862.html
https://www.redhat.com/security/data/cve/CVE-2013-1896.html
https://www.redhat.com/security/data/cve/CVE-2013-1921.html
https://www.redhat.com/security/data/cve/CVE-2013-2172.html
https://www.redhat.com/security/data/cve/CVE-2013-4112.html
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/site/documentation/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFSJ4RUXlSAg2UNWIIRAkONAJ9Gj4TeEJd7Dh9Yjd2ixoHf3Ww08wCgmeRo
TN/pCGYMRQOd86d72g1mzjI=
=8oZG
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
| VAR-201307-0482 | CVE-2013-2070 | nginx http/modules/ngx_http_proxy_module.c denial of service (DoS) vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028. Nginx is prone to a remote security vulnerability.
Attackers can exploit this issue to cause a denial-of-service condition or obtain sensitive information. nginx is a lightweight web server/reverse proxy server and email (IMAP/POP3) proxy server developed by Russian programmer Igor Sysoev.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: nginx: Multiple vulnerabilities
Date: October 06, 2013
Bugs: #458726, #468870
ID: 201310-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in nginx, the worst of which
may allow execution of arbitrary code.
Background
==========
nginx is a robust, small, and high performance HTTP and reverse proxy
server.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/nginx < 1.4.1-r2 >= 1.4.1-r2
Description
===========
Multiple vulnerabilities have been discovered in nginx. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could send a specially crafted request, possibly
resulting in execution of arbitrary code with the privileges of the
process, or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All nginx users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/nginx-1.4.1-r2"
References
==========
[ 1 ] CVE-2013-0337
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0337
[ 2 ] CVE-2013-2028
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2028
[ 3 ] CVE-2013-2070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2070
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-04.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2721-1 security@debian.org
http://www.debian.org/security/ Nico Golde
July 07, 2013 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : nginx
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-2070
Debian Bug : 708164
A buffer overflow has been identified in nginx, a small, powerful,
scalable web/proxy server, when processing certain chunked transfer
encoding requests if proxy_pass to untrusted upstream HTTP servers is
used.
The oldstable distribution (squeeze), is not affected by this problem.
For the stable distribution (wheezy), this problem has been fixed in
version 1.2.1-2.2+wheezy1.
For the unstable distribution (sid), this problem has been fixed in
version 1.4.1-1.
We recommend that you upgrade your nginx packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=4eCV
-----END PGP SIGNATURE-----
| VAR-201306-0348 | CVE-2013-4629 | Huawei viewpoint VP9610 and VP9620 units for the Huawei Video Conference system session hijacking vulnerability |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
The Huawei viewpoint VP9610 and VP9620 units for the Huawei Video Conference system do not update the Session ID upon successful establishment of a login session, which allows remote authenticated users to hijack sessions via an unspecified interception method. Huawei VP9610 and VP9620 are prone to a session-hijacking vulnerability.
An attacker can exploit this issue to hijack user sessions and gain unauthorized access to the affected applications.
| VAR-201305-0268 | CVE-2013-1136 | Cisco IOS on Cisco Aggregation Services Router Route Processor denial of service (DoS) vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
The crypto engine process in Cisco IOS on Aggregation Services Router (ASR) Route Processor 2 does not properly manage memory, which allows local users to cause a denial of service (route processor crash) by creating multiple tunnels and then examining encryption statistics, aka Bug ID CSCuc52193. Cisco IOS is the interconnected network operating system used on most Cisco system routers and network switches. Cisco IOS is prone to a local denial-of-service vulnerability.
A local attacker can exploit this issue to crash the system, resulting in denial-of-service conditions.
This issue is being tracked by Cisco bug ID CSCuc52193.
| VAR-201305-0366 | No CVE | Fujitsu Desktop Update Privilege Elevation Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Fujitsu is an ICT integrated service provider that provides industry solutions for the global market. There is a privilege elevation vulnerability in Fujitsu Desktop Update that allows malicious programs to execute in the context of the current user.
The application is registered as a control panel item via
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{070B64FF-795D-4DAA-88AD-6D3277C7E445}]
@="Fujitsu DeskUpdate"
The "shell object" with GUID {070B64FF-795D-4DAA-88AD-6D3277C7E445} is
registered with
[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}]
@="Fujitsu DeskUpdate"
"InfoTip"=expand:"@C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe,-132"
"System.ControlPanel.Category"=dword:00000005
"System.Software.TasksFileUrl"="C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\duconfig.xml"
[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}\DefaultIcon]
@=expand:"C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe,-0"
[HKLM\SOFTWARE\Classes\CLSID\{070B64FF-795D-4DAA-88AD-6D3277C7E445}\Shell\Open\Command]
@="C:\\Program Files (x86)\\Fujitsu\\DeskUpdate\\DeskUpdate.exe"
The last entry is a pathname with unquoted spaces and allows the
execution of the rogue programs "C:\Program.exe" and/or
"C:\Program Files.exe", as documented in
<http://msdn.microsoft.com/library/ms682425.aspx>
Stefan Kanthak
PS: long pathnames containing spaces have existed for about 20 years
now in Windows, EVERY developer should know how to use them
properly, and EVERY QA should check their proper use!
| VAR-201305-0154 | CVE-2013-1220 | Cisco Unified Customer Voice Portal CallServer component denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The CallServer component in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 allows remote attackers to cause a denial of service (call-acceptance outage) via malformed SIP INVITE messages, aka Bug ID CSCua65148. The vendor has confirmed this vulnerability and published it as Bug ID CSCua65148. A third party could cause a denial of service (call-acceptance outage) via malformed SIP INVITE messages.
Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCua65148. A remote attacker can exploit this vulnerability through malformed SIP INVITE packets to cause a denial of service (interruption of call reception).
| VAR-201305-0155 | CVE-2013-1221 | Cisco Unified Customer Voice Portal Tomcat Web Management feature arbitrary code execution vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Tomcat Web Management feature in Cisco Unified Customer Voice Portal (CVP) Software before 9.0.1 ES 11 does not properly configure Tomcat components, which allows remote attackers to execute arbitrary code via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCub38384. The vendor has confirmed this vulnerability and published it as Bug ID CSCub38384. A third party could execute arbitrary code via a crafted (1) HTTP or (2) HTTPS request. Cisco Unified Customer Voice Portal is prone to a remote privilege-escalation vulnerability.
Attackers can exploit this issue to gain elevated privileges in the context of the affected application. Successful exploits may aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCub38384.
Versions prior to Unified Customer Voice Portal (CVP) 9.0.1 ES 11 are vulnerable. The vulnerability stems from the fact that the program does not properly configure the Tomcat component.