VARIoT IoT vulnerabilities database
| VAR-201303-0130 | CVE-2013-0977 | Apple iOS and Apple TV of dyld Vulnerabilities that can bypass code signing requests |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
dyld in Apple iOS before 6.1.3 and Apple TV before 5.2.1 does not properly manage the state of file loading for Mach-O executable files, which allows local users to bypass intended code-signing requirements via a file that contains overlapping segments. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a local security-bypass vulnerability.
Successful exploits will allow local attackers to bypass certain security restrictions and execute arbitrary code on the affected device. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-03-19-1 iOS 6.1.3
iOS 6.1.3 is now available and addresses the following:
dyld
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute unsigned code
Description: A state management issue existed in the handling of
Mach-O executable files with overlapping segments. This issue was
addressed by refusing to load an executable with overlapping
segments.
CVE-ID
CVE-2013-0977 : evad3rs
Kernel
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine the address of
structures in the kernel
Description: An information disclosure issue existed in the ARM
prefetch abort handler. This issue was addressed by panicking if the
prefetch abort handler is not being called from an abort context.
CVE-ID
CVE-2013-0978 : evad3rs
Lockdown
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary
files
Description: When restoring from backup, lockdownd changed
permissions on certain files even if the path to the file included a
symbolic link. This issue was addressed by not changing permissions
on any file with a symlink in its path.
CVE-ID
CVE-2013-0979 : evad3rs
Passcode Lock
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to
bypass the screen lock
Description: A logic issue existed in the handling of emergency
calls from the lock screen. This issue was addressed through improved
lock state management.
CVE-ID
CVE-2013-0980 : Christopher Heffley of theMedium.ca,
videosdebarraquito
USB
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code in the
kernel
Description: The IOUSBDeviceFamily driver used pipe object pointers
that came from userspace. This issue was addressed by performing
additional validation of pipe object pointers.
CVE-ID
CVE-2013-0981 : evad3rs
WebKit
Available for: iPhone 3GS and later,
iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: An invalid cast issue existed in the handling of SVG
files. This issue was addressed through improved type checking.
CVE-ID
CVE-2013-0912 : Nils and Jon from MWR Labs working with HP
TippingPoint's Zero Day Initiative
Installation note:
This update is available through iTunes and Software Update on your
iOS device, and will not appear in your computer's Software Update
application, or in the Apple Downloads site. Make sure you have an
Internet connection and have installed the latest version of iTunes
from www.apple.com/itunes/
iTunes and Software Update on the device will automatically check
Apple's update server on its weekly schedule. When an update is
detected, it is downloaded and the option to be installed is
presented to the user when the iOS device is docked. We recommend
applying the update immediately if possible. Selecting Don't Install
will present the option the next time you connect your iOS device.
The automatic update process may take up to a week depending on the
day that iTunes or the device checks for updates. You may manually
obtain the update via the Check for Updates button within iTunes, or
the Software Update on your device. The version after applying this update
will be "6.1.3".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRR36/AAoJEPefwLHPlZEwj+8P/j2CxTtGz790dpfS5+3k02AV
JmdOZjAxzEtsc/j5XfpyGdvOBAfTEK+llt/tQ6C3dK+KlB9otDwvgz3K0DFls1fM
p0OVw4E6Ao2qfDG02eqGdPldYMejTxlH1AGs4mW6ZdfM2mAZLn+Bmm3dCkcJ2PGn
s9bYZBQdnQySkd1/l6lc2dj5zpjmsWMtr0dLVyiq39jDA1E5oA+iAEJ45BT3mxeA
SKn44+xhpVQATAz4H5tYaxQAFt9hmJbzkvH8VoMLzoJNSrodBjB9WPtLPX95P/eg
88F2RshnpjrKnlWcbzzyEQWt7j2hxtjvJufGxdtOQXLIUp4wGlqQeTmCso/cqQPV
UlLUbbRNr4et9wS2EWlYymywcIwtYlFlgslNiV9zzLWKo6Hv79oSr3KAYaI1kn48
v1FS8OvZswQrsUwCb73WMVdh0RoEMPYPptkzB76ivk/KCcj+CUqC+fFm84JDTM4D
eS+dLkA+p2mdhYNCPkmbPTbSdSfOK4rKU90RHCvxq04b+8KM/iHA7xQ0rpibK6ba
Ya47zOgnRRzvFghYazasvC5LSPVsQolz+D5wWOMyL5iVWDXYhzFXJ2H45ZgmO73k
+tcKHXKCSN9IdYmtEG/nOLiKCU6V7W9Sk42Sl6Eyb3cKhKgPtsaWUybHiDi8XjV8
oiKBfq9i2nsbqLTdlCIO
=f4N8
-----END PGP SIGNATURE-----
| VAR-201303-0247 | CVE-2013-0711 | VxWorks SSH server (IPSSH) denial-of-service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allows remote attackers to cause a denial of service (daemon outage) via a crafted authentication request. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability due to an issue in processing authentication requests. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.SSH access may become unavailable until the next reboot as a result of processing an authentication request. VxWorks is an embedded real-time operating system. VxWorks is prone to a denial-of-service vulnerability.
VxWorks 6.5 through 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com)
Products affected:
* All TP-Link VxWorks-based devices (confirmed by vendor)
* All "2-series" switches (confirmed by vendor)
* TL-SG2008 semi-managed switch (confirmed by vendor)
* TL-SG2216 semi-managed switch (confirmed by vendor)
* TL-SG2424 semi-managed switch (confirmed by vendor)
* TL-SG2424P semi-managed switch (confirmed by vendor)
* TL-SG2452 semi-managed switch (confirmed by vendor)
Vulnerabilities:
* All previously-reported VxWorks vulnerabilities from 6.6.0 on;
at the very least:
* CVE-2013-0716 (confirmed by vendor)
* CVE-2013-0715 (confirmed by vendor)
* CVE-2013-0714 (confirmed by vendor)
* CVE-2013-0713 (confirmed by vendor)
* CVE-2013-0712 (confirmed by vendor)
* CVE-2013-0711 (confirmed by vendor)
* CVE-2010-2967 (confirmed by vendor)
* CVE-2010-2966 (confirmed by vendor)
* CVE-2008-2476 (confirmed by vendor)
* SSLv2 is available and cannot be disabled unless HTTPS is
completely disabled (allows downgrade attacks)
(confirmed by vendor)
* SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
be disabled (allows downgrade attacks)
(confirmed by vendor)
Design flaws:
* Telnet is available and cannot be disabled (confirmed by vendor)
* SSHv1 enabled by default if SSH is enabled (confirmed by vendor)
Vendor response:
TP-Link are not convinced that these flaws should be repaired.
TP-Link's Internet presence -- or at least DNS -- is available only
intermittently. Most emails bounced. Lost contact with vendor, but
did confirm that development lead is now on holiday and will not
return for at least a week.
Initial vendor reaction was to recommend purchase of "3-series"
switches. Vendor did not offer reasons why "3-series" switches would
be more secure, apart from lack of telnet service. Vendor confirmed
that no development time can be allocated to securing "2-series"
product and all focus has shifted to newer products.
(TL-SG2008 first product availability July 2014...)
Vendor deeply confused about security of DES/3DES, MD5, claimed that
all security is relative. ("...[E]ven SHA-1 can be cracked, they just
have different security level.")
Fix availability:
None.
Work-arounds advised:
None possible. Remove products from network
| VAR-201303-0233 | CVE-2013-0712 | VxWorks SSH server (IPSSH) denial-of-service (DoS) vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allows remote authenticated users to cause a denial of service (daemon outage) via a crafted packet. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability due to an issue in the processing directly after the SSH connection is established. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.SSH access may become unavailable until the next reboot when receiving a specially crafted packet after a SSH connection is established. VxWorks is an embedded real-time operating system. An attacker can pass a specially crafted packet, causing a denial of service. VxWorks is prone to a denial-of-service vulnerability.
Remote attackers can exploit this issue to cause denial-of-service conditions for legitimate users.
VxWorks 6.5 through 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com)
Products affected:
* All TP-Link VxWorks-based devices (confirmed by vendor)
* All "2-series" switches (confirmed by vendor)
* TL-SG2008 semi-managed switch (confirmed by vendor)
* TL-SG2216 semi-managed switch (confirmed by vendor)
* TL-SG2424 semi-managed switch (confirmed by vendor)
* TL-SG2424P semi-managed switch (confirmed by vendor)
* TL-SG2452 semi-managed switch (confirmed by vendor)
Vulnerabilities:
* All previously-reported VxWorks vulnerabilities from 6.6.0 on;
at the very least:
* CVE-2013-0716 (confirmed by vendor)
* CVE-2013-0715 (confirmed by vendor)
* CVE-2013-0714 (confirmed by vendor)
* CVE-2013-0713 (confirmed by vendor)
* CVE-2013-0712 (confirmed by vendor)
* CVE-2013-0711 (confirmed by vendor)
* CVE-2010-2967 (confirmed by vendor)
* CVE-2010-2966 (confirmed by vendor)
* CVE-2008-2476 (confirmed by vendor)
* SSLv2 is available and cannot be disabled unless HTTPS is
completely disabled (allows downgrade attacks)
(confirmed by vendor)
* SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
be disabled (allows downgrade attacks)
(confirmed by vendor)
Design flaws:
* Telnet is available and cannot be disabled (confirmed by vendor)
* SSHv1 enabled by default if SSH is enabled (confirmed by vendor)
Vendor response:
TP-Link are not convinced that these flaws should be repaired.
TP-Link's Internet presence -- or at least DNS -- is available only
intermittently. Most emails bounced. Lost contact with vendor, but
did confirm that development lead is now on holiday and will not
return for at least a week.
Initial vendor reaction was to recommend purchase of "3-series"
switches. Vendor did not offer reasons why "3-series" switches would
be more secure, apart from lack of telnet service. Vendor confirmed
that no development time can be allocated to securing "2-series"
product and all focus has shifted to newer products.
(TL-SG2008 first product availability July 2014...)
Vendor deeply confused about security of DES/3DES, MD5, claimed that
all security is relative. ("...[E]ven SHA-1 can be cracked, they just
have different security level.")
Fix availability:
None.
Work-arounds advised:
None possible. Remove products from network
| VAR-201303-0234 | CVE-2013-0713 | VxWorks SSH server (IPSSH) denial-of-service (DoS) vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allows remote authenticated users to cause a denial of service (daemon outage) via a crafted pty request. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service vulnerability due to an issue in processing pty requests. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Receiving a specially crafted pty request packet may cause SSH access to be unavailable until the next reboot. VxWorks is an embedded real-time operating system. An attacker can cause a denial of service through a specially crafted private request. VxWorks is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected SSH access to be unavailable, denying service to legitimate users.
VxWorks version 6.5 through version 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com)
Products affected:
* All TP-Link VxWorks-based devices (confirmed by vendor)
* All "2-series" switches (confirmed by vendor)
* TL-SG2008 semi-managed switch (confirmed by vendor)
* TL-SG2216 semi-managed switch (confirmed by vendor)
* TL-SG2424 semi-managed switch (confirmed by vendor)
* TL-SG2424P semi-managed switch (confirmed by vendor)
* TL-SG2452 semi-managed switch (confirmed by vendor)
Vulnerabilities:
* All previously-reported VxWorks vulnerabilities from 6.6.0 on;
at the very least:
* CVE-2013-0716 (confirmed by vendor)
* CVE-2013-0715 (confirmed by vendor)
* CVE-2013-0714 (confirmed by vendor)
* CVE-2013-0713 (confirmed by vendor)
* CVE-2013-0712 (confirmed by vendor)
* CVE-2013-0711 (confirmed by vendor)
* CVE-2010-2967 (confirmed by vendor)
* CVE-2010-2966 (confirmed by vendor)
* CVE-2008-2476 (confirmed by vendor)
* SSLv2 is available and cannot be disabled unless HTTPS is
completely disabled (allows downgrade attacks)
(confirmed by vendor)
* SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
be disabled (allows downgrade attacks)
(confirmed by vendor)
Design flaws:
* Telnet is available and cannot be disabled (confirmed by vendor)
* SSHv1 enabled by default if SSH is enabled (confirmed by vendor)
Vendor response:
TP-Link are not convinced that these flaws should be repaired.
TP-Link's Internet presence -- or at least DNS -- is available only
intermittently. Most emails bounced. Lost contact with vendor, but
did confirm that development lead is now on holiday and will not
return for at least a week.
Initial vendor reaction was to recommend purchase of "3-series"
switches. Vendor did not offer reasons why "3-series" switches would
be more secure, apart from lack of telnet service. Vendor confirmed
that no development time can be allocated to securing "2-series"
product and all focus has shifted to newer products.
(TL-SG2008 first product availability July 2014...)
Vendor deeply confused about security of DES/3DES, MD5, claimed that
all security is relative. ("...[E]ven SHA-1 can be cracked, they just
have different security level.")
Fix availability:
None.
Work-arounds advised:
None possible. Remove products from network
| VAR-201303-0235 | CVE-2013-0714 | VxWorks SSH server (IPSSH) denial-of-service (DoS) vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allows remote attackers to execute arbitrary code or cause a denial of service (daemon hang) via a crafted public-key authentication request. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability due to an issue in the processing authentication requests. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. In addition, arbitrary code may be executed on the server. VxWorks is an embedded real-time operating system. Wind River VxWorks is a set of real-time operating systems for the Internet of Things developed by Wind River.
Vulnerabilities in IPSSH (aka SSH Server) in Wind River VxWorks 6.5 to 6.9. VxWorks is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected SSH access to be unavailable, denying service to legitimate users. Due to the nature of this issue, arbitrary code-execution may be possible; however this has not been confirmed.
VxWorks 6.5 through version 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com)
Products affected:
* All TP-Link VxWorks-based devices (confirmed by vendor)
* All "2-series" switches (confirmed by vendor)
* TL-SG2008 semi-managed switch (confirmed by vendor)
* TL-SG2216 semi-managed switch (confirmed by vendor)
* TL-SG2424 semi-managed switch (confirmed by vendor)
* TL-SG2424P semi-managed switch (confirmed by vendor)
* TL-SG2452 semi-managed switch (confirmed by vendor)
Vulnerabilities:
* All previously-reported VxWorks vulnerabilities from 6.6.0 on;
at the very least:
* CVE-2013-0716 (confirmed by vendor)
* CVE-2013-0715 (confirmed by vendor)
* CVE-2013-0714 (confirmed by vendor)
* CVE-2013-0713 (confirmed by vendor)
* CVE-2013-0712 (confirmed by vendor)
* CVE-2013-0711 (confirmed by vendor)
* CVE-2010-2967 (confirmed by vendor)
* CVE-2010-2966 (confirmed by vendor)
* CVE-2008-2476 (confirmed by vendor)
* SSLv2 is available and cannot be disabled unless HTTPS is
completely disabled (allows downgrade attacks)
(confirmed by vendor)
* SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
be disabled (allows downgrade attacks)
(confirmed by vendor)
Design flaws:
* Telnet is available and cannot be disabled (confirmed by vendor)
* SSHv1 enabled by default if SSH is enabled (confirmed by vendor)
Vendor response:
TP-Link are not convinced that these flaws should be repaired.
TP-Link's Internet presence -- or at least DNS -- is available only
intermittently. Most emails bounced. Lost contact with vendor, but
did confirm that development lead is now on holiday and will not
return for at least a week.
Initial vendor reaction was to recommend purchase of "3-series"
switches. Vendor did not offer reasons why "3-series" switches would
be more secure, apart from lack of telnet service. Vendor confirmed
that no development time can be allocated to securing "2-series"
product and all focus has shifted to newer products.
(TL-SG2008 first product availability July 2014...)
Vendor deeply confused about security of DES/3DES, MD5, claimed that
all security is relative. ("...[E]ven SHA-1 can be cracked, they just
have different security level.")
Fix availability:
None.
Work-arounds advised:
None possible. Remove products from network
| VAR-201303-0236 | CVE-2013-0715 | VxWorks WebCLI Denial of service vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
The WebCLI component in Wind River VxWorks 5.5 through 6.9 allows remote authenticated users to cause a denial of service (CLI session crash) via a crafted command string. The VxWorks WebCLI contains a denial-of-service (DoS) vulnerability. The VxWorks WebCLI contains a denial-of-service (DoS) vulnerability due to an issue in parsing command strings. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An attacker that can login to a CLI session may cause the current CLI session to crash. VxWorks is an embedded real-time operating system. A denial of service vulnerability exists in VxWorks WebCLI.
VxWorks 5.5 through 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com)
Products affected:
* All TP-Link VxWorks-based devices (confirmed by vendor)
* All "2-series" switches (confirmed by vendor)
* TL-SG2008 semi-managed switch (confirmed by vendor)
* TL-SG2216 semi-managed switch (confirmed by vendor)
* TL-SG2424 semi-managed switch (confirmed by vendor)
* TL-SG2424P semi-managed switch (confirmed by vendor)
* TL-SG2452 semi-managed switch (confirmed by vendor)
Vulnerabilities:
* All previously-reported VxWorks vulnerabilities from 6.6.0 on;
at the very least:
* CVE-2013-0716 (confirmed by vendor)
* CVE-2013-0715 (confirmed by vendor)
* CVE-2013-0714 (confirmed by vendor)
* CVE-2013-0713 (confirmed by vendor)
* CVE-2013-0712 (confirmed by vendor)
* CVE-2013-0711 (confirmed by vendor)
* CVE-2010-2967 (confirmed by vendor)
* CVE-2010-2966 (confirmed by vendor)
* CVE-2008-2476 (confirmed by vendor)
* SSLv2 is available and cannot be disabled unless HTTPS is
completely disabled (allows downgrade attacks)
(confirmed by vendor)
* SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
be disabled (allows downgrade attacks)
(confirmed by vendor)
Design flaws:
* Telnet is available and cannot be disabled (confirmed by vendor)
* SSHv1 enabled by default if SSH is enabled (confirmed by vendor)
Vendor response:
TP-Link are not convinced that these flaws should be repaired.
TP-Link's Internet presence -- or at least DNS -- is available only
intermittently. Most emails bounced. Lost contact with vendor, but
did confirm that development lead is now on holiday and will not
return for at least a week.
Initial vendor reaction was to recommend purchase of "3-series"
switches. Vendor did not offer reasons why "3-series" switches would
be more secure, apart from lack of telnet service. Vendor confirmed
that no development time can be allocated to securing "2-series"
product and all focus has shifted to newer products.
(TL-SG2008 first product availability July 2014...)
Vendor deeply confused about security of DES/3DES, MD5, claimed that
all security is relative. ("...[E]ven SHA-1 can be cracked, they just
have different security level.")
Fix availability:
None.
Work-arounds advised:
None possible. Remove products from network
| VAR-201303-0237 | CVE-2013-0716 | VxWorks Web Server Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The web server in Wind River VxWorks 5.5 through 6.9 allows remote attackers to cause a denial of service (daemon crash) via a crafted URI. The VxWorks Web Server contains a denial-of-service vulnerability. The VxWorks Web Server contains a denial-of-service (DoS) vulnerability. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.When a user accesses the VxWorks Web Server using a specially crafted URL, the server may crash. VxWorks is an embedded real-time operating system.
Attackers can exploit this issue to crash the application, denying service to legitimate users.
VxWorks 5.5 through 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com)
Products affected:
* All TP-Link VxWorks-based devices (confirmed by vendor)
* All "2-series" switches (confirmed by vendor)
* TL-SG2008 semi-managed switch (confirmed by vendor)
* TL-SG2216 semi-managed switch (confirmed by vendor)
* TL-SG2424 semi-managed switch (confirmed by vendor)
* TL-SG2424P semi-managed switch (confirmed by vendor)
* TL-SG2452 semi-managed switch (confirmed by vendor)
Vulnerabilities:
* All previously-reported VxWorks vulnerabilities from 6.6.0 on;
at the very least:
* CVE-2013-0716 (confirmed by vendor)
* CVE-2013-0715 (confirmed by vendor)
* CVE-2013-0714 (confirmed by vendor)
* CVE-2013-0713 (confirmed by vendor)
* CVE-2013-0712 (confirmed by vendor)
* CVE-2013-0711 (confirmed by vendor)
* CVE-2010-2967 (confirmed by vendor)
* CVE-2010-2966 (confirmed by vendor)
* CVE-2008-2476 (confirmed by vendor)
* SSLv2 is available and cannot be disabled unless HTTPS is
completely disabled (allows downgrade attacks)
(confirmed by vendor)
* SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
be disabled (allows downgrade attacks)
(confirmed by vendor)
Design flaws:
* Telnet is available and cannot be disabled (confirmed by vendor)
* SSHv1 enabled by default if SSH is enabled (confirmed by vendor)
Vendor response:
TP-Link are not convinced that these flaws should be repaired.
TP-Link's Internet presence -- or at least DNS -- is available only
intermittently. Most emails bounced. Lost contact with vendor, but
did confirm that development lead is now on holiday and will not
return for at least a week.
Initial vendor reaction was to recommend purchase of "3-series"
switches. Vendor did not offer reasons why "3-series" switches would
be more secure, apart from lack of telnet service. Vendor confirmed
that no development time can be allocated to securing "2-series"
product and all focus has shifted to newer products.
(TL-SG2008 first product availability July 2014...)
Vendor deeply confused about security of DES/3DES, MD5, claimed that
all security is relative. ("...[E]ven SHA-1 can be cracked, they just
have different security level.")
Fix availability:
None.
Work-arounds advised:
None possible. Remove products from network
| VAR-201303-0475 | No CVE | Cisco IOS and IOS XE Unsecure Password Hash Vulnerabilities |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
Cisco IOS is a popular Internet operating system. An insecure password hash vulnerability exists in Cisco IOS and IOS XE. An attacker can exploit a vulnerability to perform a brute force attack and obtain a password for unauthorized access. This may aid in other attacks
| VAR-201303-0222 | CVE-2013-0126 | Verizon Fios Actiontec model MI424WR-GEN3I router vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in index.cgi on the Verizon FIOS Actiontec MI424WR-GEN3I router with firmware 40.19.36 allow remote attackers to hijack the authentication of administrators for requests that (1) add administrative accounts via the username and user_level parameters or (2) enable remote administration via the is_telnet_primary and is_telnet_secondary parameters. The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. (CWE-352).
Successful exploits can result in privileged commands running on the affected devices, including enabling remote access to the web administration interface. This may lead to further network-based attacks. Verizon FIOS is a wireless fiber optic broadband router produced by Verizon in the United States
| VAR-201303-0426 | CVE-2013-1857 | Ruby on Rails of Action Pack Cross-site scripting vulnerability in component |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-ruby/rails < 2.3.18 >= 2.3.18 *
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
Description
===========
Multiple vulnerabilities have been discovered in Ruby on Rails. Please
review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to
execute arbitrary SQL commands, change parameter names for form inputs
and make changes to arbitrary records in the system, bypass intended
access restrictions, render arbitrary views, inject arbitrary web
script or HTML, or conduct cross-site request forgery (CSRF) attacks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Ruby on Rails 2.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.18"
NOTE: All applications using Ruby on Rails should also be configured to
use the latest version available by running "rake rails:update" inside
the application directory.
NOTE: This is a legacy GLSA and stable updates for Ruby on Rails,
including the unaffected version listed above, are no longer available
from Gentoo. It may be possible to upgrade to the 3.2, 4.0, or 4.1
branches, however these packages are not currently stable.
References
==========
[ 1 ] CVE-2010-3933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3933
[ 2 ] CVE-2011-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0446
[ 3 ] CVE-2011-0447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0447
[ 4 ] CVE-2011-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0448
[ 5 ] CVE-2011-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0449
[ 6 ] CVE-2011-2929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929
[ 7 ] CVE-2011-2930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930
[ 8 ] CVE-2011-2931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931
[ 9 ] CVE-2011-2932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932
[ 10 ] CVE-2011-3186
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186
[ 11 ] CVE-2013-0155
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0155
[ 12 ] CVE-2013-0156
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0156
[ 13 ] CVE-2013-0276
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0276
[ 14 ] CVE-2013-0277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0277
[ 15 ] CVE-2013-0333
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0333
[ 16 ] CVE-2013-1854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854
[ 17 ] CVE-2013-1855
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855
[ 18 ] CVE-2013-1856
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856
[ 19 ] CVE-2013-1857
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-28.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
For the stable distribution (squeeze), these problems have been fixed in
version 2.3.5-1.2+squeeze8.
For the testing distribution (wheezy) and the unstable distribution (sid),
these problems have been fixed in the version 3.2.6-5 of
ruby-activerecord-3.2, version 2.3.14-6 of ruby-activerecord-2.3,
version 2.3.14-7 of ruby-activesupport-2.3, version 3.2.6-6 of
ruby-actionpack-3.2 and in version 2.3.14-5 of ruby-actionpack-2.3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update
2013-002
OS X Mountain Lion v10.8.4 and Security Update 2013-002 is now
available and addresses the following:
CFNetwork
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: An attacker with access to a user's session may be able to
log into previously accessed sites, even if Private Browsing was used
Description: Permanent cookies were saved after quitting Safari,
even when Private Browsing was enabled. This issue was addressed by
improved handling of cookies.
CVE-ID
CVE-2013-0982 : Alexander Traud of www.traud.de
CoreAnimation
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Visiting a maliciously crafted site may lead to an
unexpected application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of text glyphs. This could be triggered by maliciously
crafted URLs in Safari. The issue was addressed through improved
bounds checking.
CVE-ID
CVE-2013-0983 : David Fifield of Stanford University, Ben Syverson
CoreMedia Playback
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of text tracks. This issue was addressed by additional
validation of text tracks.
CVE-ID
CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation
CUPS
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user in the lpadmin group may be able to read or
write arbitrary files with system privileges
Description: A privilege escalation issue existed in the handling of
CUPS configuration via the CUPS web interface. A local user in the
lpadmin group may be able to read or write arbitrary files with
system privileges. This issue was addressed by moving certain
configuration directives to cups-files.conf, which can not be
modified from the CUPS web interface.
CVE-ID
CVE-2012-5519
Directory Service
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: A remote attacker may execute arbitrary code with system
privileges on systems with Directory Service enabled
Description: An issue existed in the directory server's handling of
messages from the network. This issue was
addressed through improved bounds checking. This issue does not
affect OS X Lion or OS X Mountain Lion systems.
CVE-ID
CVE-2013-0984 : Nicolas Economou of Core Security
Disk Management
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user may disable FileVault
Description: A local user who is not an administrator may disable
FileVault using the command-line. This issue was addressed by adding
additional authentication.
CVE-ID
CVE-2013-0985
OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: An attacker may be able to decrypt data protected by SSL
Description: There were known attacks on the confidentiality of TLS
1.0 when compression was enabled. This issue was addressed by
disabling compression in OpenSSL.
CVE-ID
CVE-2012-4929 : Juliano Rizzo and Thai Duong
OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Multiple vulnerabilities in OpenSSL
Description: OpenSSL was updated to version 0.9.8x to address
multiple vulnerabilities, which may lead to denial of service or
disclosure of a private key. Further information is available via the
OpenSSL website at http://www.openssl.org/news/
CVE-ID
CVE-2011-1945
CVE-2011-3207
CVE-2011-3210
CVE-2011-4108
CVE-2011-4109
CVE-2011-4576
CVE-2011-4577
CVE-2011-4619
CVE-2012-0050
CVE-2012-2110
CVE-2012-2131
CVE-2012-2333
QuickDraw Manager
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PICT
images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0975 : Tobias Klein working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'enof'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted QTIF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
QTIF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-0987 : roob working with iDefense VCP
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted FPX file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FPX files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative
QuickTime
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Playing a maliciously crafted MP3 file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of MP3 files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: Multiple vulnerabilities in Ruby on Rails
Description: Multiple vulnerabilities existed in Ruby on Rails, the
most serious of which may lead to arbitrary code execution on systems
running Ruby on Rails applications. These issues were addressed by
updating Ruby on Rails to version 2.3.18. This issue may affect OS X
Lion or OS X Mountain Lion systems that were upgraded from Mac OS X
10.6.8 or earlier. Users can update affected gems on such systems by
using the /usr/bin/gem utility.
CVE-ID
CVE-2013-0155
CVE-2013-0276
CVE-2013-0277
CVE-2013-0333
CVE-2013-1854
CVE-2013-1855
CVE-2013-1856
CVE-2013-1857
SMB
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: An authenticated user may be able to write files outside the
shared directory
Description: If SMB file sharing is enabled, an authenticated user
may be able to write files outside the shared directory. This issue
was addressed through improved access control.
CVE-ID
CVE-2013-0990 : Ward van Wanrooij
Note: Starting with OS X 10.8.4, Java Web Start (i.e. JNLP)
applications downloaded from the Internet need to be signed with
a Developer ID certificate. Gatekeeper will check downloaded
Java Web Start applications for a signature and block such
applications from launching if they are not properly signed.
Note: OS X Mountain Lion v10.8.4 includes the content of
Safari 6.0.5. For further details see "About the security content
of Safari 6.0.5" at http://http//support.apple.com/kb/HT5785
OS X Mountain Lion v10.8.4 and Security Update 2013-002 may be
obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.4, or Security Update
2013-002.
For OS X Mountain Lion v10.8.3
The download file is named: OSXUpd10.8.4.dmg
Its SHA-1 digest is: 9cf99aa1293cefdac0fb9a24ea133c80f8237b5e
For OS X Mountain Lion v10.8 and v10.8.2
The download file is named: OSXUpdCombo10.8.4.dmg
Its SHA-1 digest is: 3c95d0c8d0c7f43339a5f4e137e386dd5fe409c3
For OS X Lion v10.7.5
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: cfc3bd0941d7c5838aee9e92ee087d78abff3ce7
For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: 34dff575a145e13404e7a2ee8a390d3e7c56fb5e
For Mac OS X v10.6.8
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: 5da54b38ffb8c147925c3018a8f5bf30ad4ac5b1
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: b20271f019930fe894c2247a6d5e05f00568b583
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRrjkiAAoJEPefwLHPlZEwW+AP/0x/cHS3VPY0/a98Xpmdfkdb
eo9Ns5FKw6mIkUftrN6qwNAgFXWqQXNIbJ3q8ZnoxcFPakhYyPSp4XowpR79l7kG
B2ZrdTx9aIn2bfHZ+h4cE8XnVL8qUDz2RxFopOGbb+wpJxl8/fehDmWokC5wCeF5
N7mnwW2s37QL73BmAMRdi6CYcJCKwhZWGFWmqiNvpFlUP+kcjU/UM1MAzOu0xsiA
PD6NrWeUOWfFrcQgx/pspWGvrFyV4FLu+0wQBl9f/DiQNrwVXIr85rHtah+b1NCU
pteSxQwb4kRojXdPm4+I3LKoghzGR8xD6+Xl6KdYgReSW89Di4bKM3WpbRLqhRuq
8kv38Gk3/vZDfAnuNQX09dE6EgJ0DVu86SoRQZ1iYRQoLrizVsOvyVQUojZhT47t
6l44L/5cNJd7EcaC8hdmr44cCZdMPDEqoKzn2BavH62WYXbZMPlHBDo/H2ujUUec
i7XU7LA1Upw57X4wmIUU4QrlBhNBh39yRKh3katAklayFBjOMEyyL57gURvd6O77
gFOQpUQ6kgqwgQCrtNT6R96igfyu7cVxYW7XchZDHgA3n/YWOAVvXkVeeQ5OUGzC
O0UYLMBpPka31yfWP23QaXpV+LW462raI6LnMvRP1245RhokTTThZw6/9xochK2V
+VoeoamqaQqZGyOiObbU
=vG2v
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Subscription Asset Manager 1.4 security update
Advisory ID: RHSA-2014:1863-01
Product: Red Hat Subscription Asset Manager
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1863.html
Issue date: 2014-11-17
CVE Names: CVE-2013-1854 CVE-2013-1855 CVE-2013-1857
CVE-2013-4491 CVE-2013-6414 CVE-2013-6415
CVE-2014-0130
=====================================================================
1. Summary:
Updated Subscription Asset Manager 1.4 packages that fix multiple security
issues are now available.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Subscription Asset Manager for RHEL 6 Server - noarch
3. Description:
Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines. Red Hat
Subscription Asset Manager is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
A directory traversal flaw was found in the way Ruby on Rails handled
wildcard segments in routes with implicit rendering. A remote attacker
could use this flaw to retrieve arbitrary local files accessible to a Ruby
on Rails application using the aforementioned routes via a specially
crafted request. (CVE-2014-0130)
A flaw was found in the way Ruby on Rails handled hashes in certain
queries. A remote attacker could use this flaw to perform a denial of
service (resource consumption) attack by sending specially crafted queries
that would result in the creation of Ruby symbols, which were never garbage
collected. (CVE-2013-1854)
Two cross-site scripting (XSS) flaws were found in Action Pack. A remote
attacker could use these flaws to conduct XSS attacks against users of an
application using Action Pack. (CVE-2013-1855, CVE-2013-1857)
It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)
A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)
It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. Upstream acknowledges Ben Murphy as the original reporter of
CVE-2013-1854, Charlie Somerville as the original reporter of
CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857,
Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the
original reporter of CVE-2013-6414, and Ankit Gupta as the original
reporter of CVE-2013-6415.
All Subscription Asset Manager users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails
1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS
1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue
6. Package List:
Red Hat Subscription Asset Manager for RHEL 6 Server:
Source:
katello-1.4.3.28-1.el6sam_splice.src.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm
noarch:
katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-1854
https://access.redhat.com/security/cve/CVE-2013-1855
https://access.redhat.com/security/cve/CVE-2013-1857
https://access.redhat.com/security/cve/CVE-2013-4491
https://access.redhat.com/security/cve/CVE-2013-6414
https://access.redhat.com/security/cve/CVE-2013-6415
https://access.redhat.com/security/cve/CVE-2014-0130
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y
SoVal0zNgx0pwtSAkS1q5/0=
=i5aK
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201303-0424 | CVE-2013-1855 | Ruby on Rails of Action Pack Component cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. Ruby on Rails is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The vulnerability is fixed in the following versions:
Ruby on Rails 2.3.18, 3.1.12, and 3.2.13.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-ruby/rails < 2.3.18 >= 2.3.18 *
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
Description
===========
Multiple vulnerabilities have been discovered in Ruby on Rails. Please
review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to
execute arbitrary SQL commands, change parameter names for form inputs
and make changes to arbitrary records in the system, bypass intended
access restrictions, render arbitrary views, inject arbitrary web
script or HTML, or conduct cross-site request forgery (CSRF) attacks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Ruby on Rails 2.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.18"
NOTE: All applications using Ruby on Rails should also be configured to
use the latest version available by running "rake rails:update" inside
the application directory.
NOTE: This is a legacy GLSA and stable updates for Ruby on Rails,
including the unaffected version listed above, are no longer available
from Gentoo. It may be possible to upgrade to the 3.2, 4.0, or 4.1
branches, however these packages are not currently stable.
References
==========
[ 1 ] CVE-2010-3933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3933
[ 2 ] CVE-2011-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0446
[ 3 ] CVE-2011-0447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0447
[ 4 ] CVE-2011-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0448
[ 5 ] CVE-2011-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0449
[ 6 ] CVE-2011-2929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929
[ 7 ] CVE-2011-2930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930
[ 8 ] CVE-2011-2931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931
[ 9 ] CVE-2011-2932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932
[ 10 ] CVE-2011-3186
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186
[ 11 ] CVE-2013-0155
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0155
[ 12 ] CVE-2013-0156
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0156
[ 13 ] CVE-2013-0276
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0276
[ 14 ] CVE-2013-0277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0277
[ 15 ] CVE-2013-0333
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0333
[ 16 ] CVE-2013-1854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854
[ 17 ] CVE-2013-1855
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855
[ 18 ] CVE-2013-1856
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856
[ 19 ] CVE-2013-1857
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-28.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
For the stable distribution (squeeze), these problems have been fixed in
version 2.3.5-1.2+squeeze8.
For the testing distribution (wheezy) and the unstable distribution (sid),
these problems have been fixed in the version 3.2.6-5 of
ruby-activerecord-3.2, version 2.3.14-6 of ruby-activerecord-2.3,
version 2.3.14-7 of ruby-activesupport-2.3, version 3.2.6-6 of
ruby-actionpack-3.2 and in version 2.3.14-5 of ruby-actionpack-2.3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update
2013-002
OS X Mountain Lion v10.8.4 and Security Update 2013-002 is now
available and addresses the following:
CFNetwork
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: An attacker with access to a user's session may be able to
log into previously accessed sites, even if Private Browsing was used
Description: Permanent cookies were saved after quitting Safari,
even when Private Browsing was enabled. This issue was addressed by
improved handling of cookies.
CVE-ID
CVE-2013-0982 : Alexander Traud of www.traud.de
CoreAnimation
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Visiting a maliciously crafted site may lead to an
unexpected application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of text glyphs. This could be triggered by maliciously
crafted URLs in Safari. The issue was addressed through improved
bounds checking.
CVE-ID
CVE-2013-0983 : David Fifield of Stanford University, Ben Syverson
CoreMedia Playback
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of text tracks. This issue was addressed by additional
validation of text tracks.
CVE-ID
CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation
CUPS
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user in the lpadmin group may be able to read or
write arbitrary files with system privileges
Description: A privilege escalation issue existed in the handling of
CUPS configuration via the CUPS web interface. A local user in the
lpadmin group may be able to read or write arbitrary files with
system privileges. This issue was addressed by moving certain
configuration directives to cups-files.conf, which can not be
modified from the CUPS web interface.
CVE-ID
CVE-2012-5519
Directory Service
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: A remote attacker may execute arbitrary code with system
privileges on systems with Directory Service enabled
Description: An issue existed in the directory server's handling of
messages from the network. This issue was
addressed through improved bounds checking. This issue does not
affect OS X Lion or OS X Mountain Lion systems.
CVE-ID
CVE-2013-0984 : Nicolas Economou of Core Security
Disk Management
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user may disable FileVault
Description: A local user who is not an administrator may disable
FileVault using the command-line. This issue was addressed by adding
additional authentication.
CVE-ID
CVE-2013-0985
OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: An attacker may be able to decrypt data protected by SSL
Description: There were known attacks on the confidentiality of TLS
1.0 when compression was enabled. This issue was addressed by
disabling compression in OpenSSL.
CVE-ID
CVE-2012-4929 : Juliano Rizzo and Thai Duong
OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Multiple vulnerabilities in OpenSSL
Description: OpenSSL was updated to version 0.9.8x to address
multiple vulnerabilities, which may lead to denial of service or
disclosure of a private key. Further information is available via the
OpenSSL website at http://www.openssl.org/news/
CVE-ID
CVE-2011-1945
CVE-2011-3207
CVE-2011-3210
CVE-2011-4108
CVE-2011-4109
CVE-2011-4576
CVE-2011-4577
CVE-2011-4619
CVE-2012-0050
CVE-2012-2110
CVE-2012-2131
CVE-2012-2333
QuickDraw Manager
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PICT
images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0975 : Tobias Klein working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'enof'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted QTIF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
QTIF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-0987 : roob working with iDefense VCP
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted FPX file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FPX files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative
QuickTime
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Playing a maliciously crafted MP3 file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of MP3 files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: Multiple vulnerabilities in Ruby on Rails
Description: Multiple vulnerabilities existed in Ruby on Rails, the
most serious of which may lead to arbitrary code execution on systems
running Ruby on Rails applications. This issue may affect OS X
Lion or OS X Mountain Lion systems that were upgraded from Mac OS X
10.6.8 or earlier. Users can update affected gems on such systems by
using the /usr/bin/gem utility.
CVE-ID
CVE-2013-0155
CVE-2013-0276
CVE-2013-0277
CVE-2013-0333
CVE-2013-1854
CVE-2013-1855
CVE-2013-1856
CVE-2013-1857
SMB
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: An authenticated user may be able to write files outside the
shared directory
Description: If SMB file sharing is enabled, an authenticated user
may be able to write files outside the shared directory. This issue
was addressed through improved access control.
CVE-ID
CVE-2013-0990 : Ward van Wanrooij
Note: Starting with OS X 10.8.4, Java Web Start (i.e. JNLP)
applications downloaded from the Internet need to be signed with
a Developer ID certificate. Gatekeeper will check downloaded
Java Web Start applications for a signature and block such
applications from launching if they are not properly signed.
Note: OS X Mountain Lion v10.8.4 includes the content of
Safari 6.0.5. For further details see "About the security content
of Safari 6.0.5" at http://http//support.apple.com/kb/HT5785
OS X Mountain Lion v10.8.4 and Security Update 2013-002 may be
obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.4, or Security Update
2013-002.
For OS X Mountain Lion v10.8.3
The download file is named: OSXUpd10.8.4.dmg
Its SHA-1 digest is: 9cf99aa1293cefdac0fb9a24ea133c80f8237b5e
For OS X Mountain Lion v10.8 and v10.8.2
The download file is named: OSXUpdCombo10.8.4.dmg
Its SHA-1 digest is: 3c95d0c8d0c7f43339a5f4e137e386dd5fe409c3
For OS X Lion v10.7.5
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: cfc3bd0941d7c5838aee9e92ee087d78abff3ce7
For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: 34dff575a145e13404e7a2ee8a390d3e7c56fb5e
For Mac OS X v10.6.8
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: 5da54b38ffb8c147925c3018a8f5bf30ad4ac5b1
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: b20271f019930fe894c2247a6d5e05f00568b583
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRrjkiAAoJEPefwLHPlZEwW+AP/0x/cHS3VPY0/a98Xpmdfkdb
eo9Ns5FKw6mIkUftrN6qwNAgFXWqQXNIbJ3q8ZnoxcFPakhYyPSp4XowpR79l7kG
B2ZrdTx9aIn2bfHZ+h4cE8XnVL8qUDz2RxFopOGbb+wpJxl8/fehDmWokC5wCeF5
N7mnwW2s37QL73BmAMRdi6CYcJCKwhZWGFWmqiNvpFlUP+kcjU/UM1MAzOu0xsiA
PD6NrWeUOWfFrcQgx/pspWGvrFyV4FLu+0wQBl9f/DiQNrwVXIr85rHtah+b1NCU
pteSxQwb4kRojXdPm4+I3LKoghzGR8xD6+Xl6KdYgReSW89Di4bKM3WpbRLqhRuq
8kv38Gk3/vZDfAnuNQX09dE6EgJ0DVu86SoRQZ1iYRQoLrizVsOvyVQUojZhT47t
6l44L/5cNJd7EcaC8hdmr44cCZdMPDEqoKzn2BavH62WYXbZMPlHBDo/H2ujUUec
i7XU7LA1Upw57X4wmIUU4QrlBhNBh39yRKh3katAklayFBjOMEyyL57gURvd6O77
gFOQpUQ6kgqwgQCrtNT6R96igfyu7cVxYW7XchZDHgA3n/YWOAVvXkVeeQ5OUGzC
O0UYLMBpPka31yfWP23QaXpV+LW462raI6LnMvRP1245RhokTTThZw6/9xochK2V
+VoeoamqaQqZGyOiObbU
=vG2v
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Subscription Asset Manager 1.4 security update
Advisory ID: RHSA-2014:1863-01
Product: Red Hat Subscription Asset Manager
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1863.html
Issue date: 2014-11-17
CVE Names: CVE-2013-1854 CVE-2013-1855 CVE-2013-1857
CVE-2013-4491 CVE-2013-6414 CVE-2013-6415
CVE-2014-0130
=====================================================================
1. Summary:
Updated Subscription Asset Manager 1.4 packages that fix multiple security
issues are now available.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Subscription Asset Manager for RHEL 6 Server - noarch
3. Description:
Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines. Red Hat
Subscription Asset Manager is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
A directory traversal flaw was found in the way Ruby on Rails handled
wildcard segments in routes with implicit rendering. A remote attacker
could use this flaw to retrieve arbitrary local files accessible to a Ruby
on Rails application using the aforementioned routes via a specially
crafted request. (CVE-2014-0130)
A flaw was found in the way Ruby on Rails handled hashes in certain
queries. A remote attacker could use this flaw to perform a denial of
service (resource consumption) attack by sending specially crafted queries
that would result in the creation of Ruby symbols, which were never garbage
collected. (CVE-2013-1854)
Two cross-site scripting (XSS) flaws were found in Action Pack. A remote
attacker could use these flaws to conduct XSS attacks against users of an
application using Action Pack. (CVE-2013-1855, CVE-2013-1857)
It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)
A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)
It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. Upstream acknowledges Ben Murphy as the original reporter of
CVE-2013-1854, Charlie Somerville as the original reporter of
CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857,
Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the
original reporter of CVE-2013-6414, and Ankit Gupta as the original
reporter of CVE-2013-6415.
All Subscription Asset Manager users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails
1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS
1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue
6. Package List:
Red Hat Subscription Asset Manager for RHEL 6 Server:
Source:
katello-1.4.3.28-1.el6sam_splice.src.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm
noarch:
katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-1854
https://access.redhat.com/security/cve/CVE-2013-1855
https://access.redhat.com/security/cve/CVE-2013-1857
https://access.redhat.com/security/cve/CVE-2013-4491
https://access.redhat.com/security/cve/CVE-2013-6414
https://access.redhat.com/security/cve/CVE-2013-6415
https://access.redhat.com/security/cve/CVE-2014-0130
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y
SoVal0zNgx0pwtSAkS1q5/0=
=i5aK
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201303-0434 | CVE-2013-1854 | Ruby on Rails of Active Record Service disruption in components (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. (DoS) There are vulnerabilities that are put into a state.By a third party where Denial of service via crafted inputs to methods (DoS) There is a possibility of being put into a state. Ruby on Rails is prone to a denial-of-service vulnerability.
Remote attackers can exploit this issue to cause denial-of-service conditions.
Versions prior to Ruby on Rails 3.2.13, 3.1.12, and 2.3.18 are vulnerable. Active Record implements object-relational mapping
for accessing database entries using objects.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-ruby/rails < 2.3.18 >= 2.3.18 *
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
Description
===========
Multiple vulnerabilities have been discovered in Ruby on Rails. Please
review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to
execute arbitrary SQL commands, change parameter names for form inputs
and make changes to arbitrary records in the system, bypass intended
access restrictions, render arbitrary views, inject arbitrary web
script or HTML, or conduct cross-site request forgery (CSRF) attacks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Ruby on Rails 2.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.18"
NOTE: All applications using Ruby on Rails should also be configured to
use the latest version available by running "rake rails:update" inside
the application directory.
NOTE: This is a legacy GLSA and stable updates for Ruby on Rails,
including the unaffected version listed above, are no longer available
from Gentoo. It may be possible to upgrade to the 3.2, 4.0, or 4.1
branches, however these packages are not currently stable.
References
==========
[ 1 ] CVE-2010-3933
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3933
[ 2 ] CVE-2011-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0446
[ 3 ] CVE-2011-0447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0447
[ 4 ] CVE-2011-0448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0448
[ 5 ] CVE-2011-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0449
[ 6 ] CVE-2011-2929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929
[ 7 ] CVE-2011-2930
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930
[ 8 ] CVE-2011-2931
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931
[ 9 ] CVE-2011-2932
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932
[ 10 ] CVE-2011-3186
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186
[ 11 ] CVE-2013-0155
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0155
[ 12 ] CVE-2013-0156
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0156
[ 13 ] CVE-2013-0276
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0276
[ 14 ] CVE-2013-0277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0277
[ 15 ] CVE-2013-0333
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0333
[ 16 ] CVE-2013-1854
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854
[ 17 ] CVE-2013-1855
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855
[ 18 ] CVE-2013-1856
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856
[ 19 ] CVE-2013-1857
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201412-28.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
For the stable distribution (squeeze), these problems have been fixed in
version 2.3.5-1.2+squeeze8.
For the testing distribution (wheezy) and the unstable distribution (sid),
these problems have been fixed in the version 3.2.6-5 of
ruby-activerecord-3.2, version 2.3.14-6 of ruby-activerecord-2.3,
version 2.3.14-7 of ruby-activesupport-2.3, version 3.2.6-6 of
ruby-actionpack-3.2 and in version 2.3.14-5 of ruby-actionpack-2.3. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update
2013-002
OS X Mountain Lion v10.8.4 and Security Update 2013-002 is now
available and addresses the following:
CFNetwork
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: An attacker with access to a user's session may be able to
log into previously accessed sites, even if Private Browsing was used
Description: Permanent cookies were saved after quitting Safari,
even when Private Browsing was enabled. This issue was addressed by
improved handling of cookies.
CVE-ID
CVE-2013-0982 : Alexander Traud of www.traud.de
CoreAnimation
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Visiting a maliciously crafted site may lead to an
unexpected application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of text glyphs. This could be triggered by maliciously
crafted URLs in Safari. The issue was addressed through improved
bounds checking.
CVE-ID
CVE-2013-0983 : David Fifield of Stanford University, Ben Syverson
CoreMedia Playback
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of text tracks. This issue was addressed by additional
validation of text tracks.
CVE-ID
CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation
CUPS
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user in the lpadmin group may be able to read or
write arbitrary files with system privileges
Description: A privilege escalation issue existed in the handling of
CUPS configuration via the CUPS web interface. A local user in the
lpadmin group may be able to read or write arbitrary files with
system privileges. This issue was addressed by moving certain
configuration directives to cups-files.conf, which can not be
modified from the CUPS web interface.
CVE-ID
CVE-2012-5519
Directory Service
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: A remote attacker may execute arbitrary code with system
privileges on systems with Directory Service enabled
Description: An issue existed in the directory server's handling of
messages from the network. By sending a maliciously crafted message,
a remote attacker could cause the directory server to terminate or
execute arbitrary code with system privileges. This issue was
addressed through improved bounds checking. This issue does not
affect OS X Lion or OS X Mountain Lion systems.
CVE-ID
CVE-2013-0984 : Nicolas Economou of Core Security
Disk Management
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: A local user may disable FileVault
Description: A local user who is not an administrator may disable
FileVault using the command-line. This issue was addressed by adding
additional authentication.
CVE-ID
CVE-2013-0985
OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: An attacker may be able to decrypt data protected by SSL
Description: There were known attacks on the confidentiality of TLS
1.0 when compression was enabled. This issue was addressed by
disabling compression in OpenSSL.
CVE-ID
CVE-2012-4929 : Juliano Rizzo and Thai Duong
OpenSSL
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Multiple vulnerabilities in OpenSSL
Description: OpenSSL was updated to version 0.9.8x to address
multiple vulnerabilities, which may lead to denial of service or
disclosure of a private key. Further information is available via the
OpenSSL website at http://www.openssl.org/news/
CVE-ID
CVE-2011-1945
CVE-2011-3207
CVE-2011-3210
CVE-2011-4108
CVE-2011-4109
CVE-2011-4576
CVE-2011-4577
CVE-2011-4619
CVE-2012-0050
CVE-2012-2110
CVE-2012-2131
CVE-2012-2333
QuickDraw Manager
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.2
Impact: Opening a maliciously crafted PICT image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PICT
images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0975 : Tobias Klein working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of 'enof'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
working with HP's Zero Day Initiative
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted QTIF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the handling of
QTIF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2013-0987 : roob working with iDefense VCP
QuickTime
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8,
OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: Viewing a maliciously crafted FPX file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FPX files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative
QuickTime
Available for: OS X Mountain Lion v10.8 to v10.8.3
Impact: Playing a maliciously crafted MP3 file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of MP3 files.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative
Ruby
Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8
Impact: Multiple vulnerabilities in Ruby on Rails
Description: Multiple vulnerabilities existed in Ruby on Rails, the
most serious of which may lead to arbitrary code execution on systems
running Ruby on Rails applications. This issue may affect OS X
Lion or OS X Mountain Lion systems that were upgraded from Mac OS X
10.6.8 or earlier. Users can update affected gems on such systems by
using the /usr/bin/gem utility.
CVE-ID
CVE-2013-0155
CVE-2013-0276
CVE-2013-0277
CVE-2013-0333
CVE-2013-1854
CVE-2013-1855
CVE-2013-1856
CVE-2013-1857
SMB
Available for: OS X Lion v10.7 to v10.7.5,
OS X Lion Server v10.7 to v10.7.5,
OS X Mountain Lion v10.8 to v10.8.3
Impact: An authenticated user may be able to write files outside the
shared directory
Description: If SMB file sharing is enabled, an authenticated user
may be able to write files outside the shared directory. This issue
was addressed through improved access control.
CVE-ID
CVE-2013-0990 : Ward van Wanrooij
Note: Starting with OS X 10.8.4, Java Web Start (i.e. JNLP)
applications downloaded from the Internet need to be signed with
a Developer ID certificate. Gatekeeper will check downloaded
Java Web Start applications for a signature and block such
applications from launching if they are not properly signed.
Note: OS X Mountain Lion v10.8.4 includes the content of
Safari 6.0.5. For further details see "About the security content
of Safari 6.0.5" at http://http//support.apple.com/kb/HT5785
OS X Mountain Lion v10.8.4 and Security Update 2013-002 may be
obtained from the Software Update pane in System Preferences,
or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
OS X Mountain Lion v10.8.4, or Security Update
2013-002.
For OS X Mountain Lion v10.8.3
The download file is named: OSXUpd10.8.4.dmg
Its SHA-1 digest is: 9cf99aa1293cefdac0fb9a24ea133c80f8237b5e
For OS X Mountain Lion v10.8 and v10.8.2
The download file is named: OSXUpdCombo10.8.4.dmg
Its SHA-1 digest is: 3c95d0c8d0c7f43339a5f4e137e386dd5fe409c3
For OS X Lion v10.7.5
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: cfc3bd0941d7c5838aee9e92ee087d78abff3ce7
For OS X Lion Server v10.7.5
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: 34dff575a145e13404e7a2ee8a390d3e7c56fb5e
For Mac OS X v10.6.8
The download file is named: SecUpd2013-002.dmg
Its SHA-1 digest is: 5da54b38ffb8c147925c3018a8f5bf30ad4ac5b1
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2013-002.dmg
Its SHA-1 digest is: b20271f019930fe894c2247a6d5e05f00568b583
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQIcBAEBAgAGBQJRrjkiAAoJEPefwLHPlZEwW+AP/0x/cHS3VPY0/a98Xpmdfkdb
eo9Ns5FKw6mIkUftrN6qwNAgFXWqQXNIbJ3q8ZnoxcFPakhYyPSp4XowpR79l7kG
B2ZrdTx9aIn2bfHZ+h4cE8XnVL8qUDz2RxFopOGbb+wpJxl8/fehDmWokC5wCeF5
N7mnwW2s37QL73BmAMRdi6CYcJCKwhZWGFWmqiNvpFlUP+kcjU/UM1MAzOu0xsiA
PD6NrWeUOWfFrcQgx/pspWGvrFyV4FLu+0wQBl9f/DiQNrwVXIr85rHtah+b1NCU
pteSxQwb4kRojXdPm4+I3LKoghzGR8xD6+Xl6KdYgReSW89Di4bKM3WpbRLqhRuq
8kv38Gk3/vZDfAnuNQX09dE6EgJ0DVu86SoRQZ1iYRQoLrizVsOvyVQUojZhT47t
6l44L/5cNJd7EcaC8hdmr44cCZdMPDEqoKzn2BavH62WYXbZMPlHBDo/H2ujUUec
i7XU7LA1Upw57X4wmIUU4QrlBhNBh39yRKh3katAklayFBjOMEyyL57gURvd6O77
gFOQpUQ6kgqwgQCrtNT6R96igfyu7cVxYW7XchZDHgA3n/YWOAVvXkVeeQ5OUGzC
O0UYLMBpPka31yfWP23QaXpV+LW462raI6LnMvRP1245RhokTTThZw6/9xochK2V
+VoeoamqaQqZGyOiObbU
=vG2v
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Subscription Asset Manager 1.4 security update
Advisory ID: RHSA-2014:1863-01
Product: Red Hat Subscription Asset Manager
Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1863.html
Issue date: 2014-11-17
CVE Names: CVE-2013-1854 CVE-2013-1855 CVE-2013-1857
CVE-2013-4491 CVE-2013-6414 CVE-2013-6415
CVE-2014-0130
=====================================================================
1. Summary:
Updated Subscription Asset Manager 1.4 packages that fix multiple security
issues are now available.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Subscription Asset Manager for RHEL 6 Server - noarch
3. Description:
Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines. Red Hat
Subscription Asset Manager is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
A directory traversal flaw was found in the way Ruby on Rails handled
wildcard segments in routes with implicit rendering. A remote attacker
could use this flaw to retrieve arbitrary local files accessible to a Ruby
on Rails application using the aforementioned routes via a specially
crafted request. (CVE-2014-0130)
A flaw was found in the way Ruby on Rails handled hashes in certain
queries. (CVE-2013-1854)
Two cross-site scripting (XSS) flaws were found in Action Pack. A remote
attacker could use these flaws to conduct XSS attacks against users of an
application using Action Pack. (CVE-2013-1855, CVE-2013-1857)
It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)
A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)
It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. Upstream acknowledges Ben Murphy as the original reporter of
CVE-2013-1854, Charlie Somerville as the original reporter of
CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857,
Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the
original reporter of CVE-2013-6414, and Ankit Gupta as the original
reporter of CVE-2013-6415.
All Subscription Asset Manager users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability
921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css
921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails
1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS
1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue
6. Package List:
Red Hat Subscription Asset Manager for RHEL 6 Server:
Source:
katello-1.4.3.28-1.el6sam_splice.src.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm
noarch:
katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm
katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm
ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm
ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm
ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm
ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm
ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm
ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm
ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm
ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2013-1854
https://access.redhat.com/security/cve/CVE-2013-1855
https://access.redhat.com/security/cve/CVE-2013-1857
https://access.redhat.com/security/cve/CVE-2013-4491
https://access.redhat.com/security/cve/CVE-2013-6414
https://access.redhat.com/security/cve/CVE-2013-6415
https://access.redhat.com/security/cve/CVE-2014-0130
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y
SoVal0zNgx0pwtSAkS1q5/0=
=i5aK
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
| VAR-201303-0507 | No CVE | Polycom HDX Series Security bypass vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Polycom HDX Series are prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and gain unauthorized root access to the affected device; this may aid in launching further attacks.
| VAR-201303-0256 | CVE-2013-0674 | Siemens WinCC RegReader ActiveX Control Buffer Overflow Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in the RegReader ActiveX control in Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and other products, allows remote attackers to execute arbitrary code via a long parameter. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC PCS is a process control system. Code. Multiple information-disclosure vulnerabilities
2. A directory-traversal vulnerability
3. Failed exploit attempts will result in a denial-of-service conditions
| VAR-201303-0257 | CVE-2013-0675 | Siemens WinCC CCEServer Buffer Overflow Vulnerability |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Buffer overflow in CCEServer (aka the central communications component) in Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and other products, allows remote attackers to cause a denial of service via a crafted packet. A buffer overflow vulnerability exists in CCEServer in versions of Siemens WinCC prior to 7.2 used in SIMATIC PCS7. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC PCS is a process control system. Siemens SIMATIC WinCC 7.2, Siemens SIMATIC PCS 7 8.0 SP1 versions have information disclosure, directory traversal, buffer overflow security vulnerabilities, which can be exploited by attackers to obtain sensitive information, any system files, and execute arbitrary applications in the context of applications using ActiveX controls. Code. Multiple information-disclosure vulnerabilities
2. A directory-traversal vulnerability
3. Failed exploit attempts will result in a denial-of-service conditions
| VAR-201303-0258 | CVE-2013-0676 | Siemens SIMATIC WinCC And PCS 7 Multiple Security Vulnerabilities |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and other products, does not properly assign privileges for the database containing WebNavigator credentials, which allows remote authenticated users to obtain sensitive information via a SQL query. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC PCS is a process control system. Siemens SIMATIC WinCC 7.2, Siemens SIMATIC PCS 7 8.0 SP1 versions have information disclosure, directory traversal, buffer overflow security vulnerabilities, which can be exploited by attackers to obtain sensitive information, any system files, and execute arbitrary applications in the context of applications using ActiveX controls. Code. Multiple information-disclosure vulnerabilities
2. A directory-traversal vulnerability
3. Failed exploit attempts will result in a denial-of-service conditions
| VAR-201303-0259 | CVE-2013-0677 | Siemens SIMATIC WinCC And PCS 7 Multiple Security Vulnerabilities |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The web server in Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and other products, allows remote attackers to obtain sensitive information or cause a denial of service via a crafted project file. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC PCS is a process control system. Code. Multiple information-disclosure vulnerabilities
2. A directory-traversal vulnerability
3. Failed exploit attempts will result in a denial-of-service conditions
| VAR-201303-0260 | CVE-2013-0678 | Siemens SIMATIC WinCC And PCS 7 Multiple Security Vulnerabilities |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and other products, does not properly represent WebNavigator credentials in a database, which makes it easier for remote authenticated users to obtain sensitive information via a SQL query. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC PCS is a process control system. Siemens SIMATIC WinCC 7.2, Siemens SIMATIC PCS 7 8.0 SP1 versions have information disclosure, directory traversal, buffer overflow security vulnerabilities, which can be exploited by attackers to obtain sensitive information, any system files, and execute arbitrary applications in the context of applications using ActiveX controls. Code. Multiple information-disclosure vulnerabilities
2. A directory-traversal vulnerability
3. Failed exploit attempts will result in a denial-of-service conditions
| VAR-201303-0261 | CVE-2013-0679 | Siemens SIMATIC WinCC And PCS 7 Multiple Security Vulnerabilities |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the web server in Siemens WinCC before 7.2, as used in SIMATIC PCS7 before 8.0 SP1 and other products, allows remote authenticated users to read arbitrary files via vectors involving a query for a pathname. Siemens SIMATIC WinCC is a monitoring control and data acquisition SCADA and human machine interface HMI system. Siemens SIMATIC PCS is a process control system. Siemens SIMATIC WinCC 7.2, Siemens SIMATIC PCS 7 8.0 SP1 versions have information disclosure, directory traversal, buffer overflow security vulnerabilities, which can be exploited by attackers to obtain sensitive information, any system files, and execute arbitrary applications in the context of applications using ActiveX controls. Code. Multiple information-disclosure vulnerabilities
2. A directory-traversal vulnerability
3. Failed exploit attempts will result in a denial-of-service conditions
| VAR-201303-0456 | No CVE | Polycom HDX Series ‘ H.323 </ formatting string vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Polycom HDX Series devices are prone to a format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
An attacker may exploit this issue to execute arbitrary code with root access in the context of the vulnerable device. Failed exploit attempts will likely result in a denial-of-service condition.