VARIoT IoT vulnerabilities database

Directory traversal vulnerability in Siemens WinCC (TIA Portal) 11 allows remote authenticated users to read HMI web-application source code and user-defined scripts via a crafted URL. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). The system provides process monitoring, data acquisition and other functions

Cross-site scripting (XSS) vulnerability in the HMI web application in Siemens WinCC (TIA Portal) 11 allows remote authenticated users to inject arbitrary web script or HTML via unspecified data. Siemens SIMATIC WinCC is a set of automatic data acquisition and monitoring (SCADA) system of German Siemens (Siemens). The system provides process monitoring, data acquisition and other functions

The Schneider Electric Magelis XBT HMI controller has a default password for authentication of configuration uploads, which makes it easier for remote attackers to bypass intended access restrictions via crafted configuration data. The Schneider Electric Magelis XBT HMI controller is a human interface controller. Successfully exploiting this issue may allow an attacker to bypass security restrictions and perform unauthorized actions

The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.12 allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions. PHP is prone to multiple arbitrary file-disclosure vulnerabilities because it fails to sanitize user-supplied input. An authenticated attacker can exploit these vulnerabilities to view arbitrary files within the context of the affected application. Other attacks are also possible. Note: These issues are the result of an incomplete fix for the issues described in BID 58766 (PHP 'ext/soap/php_xml.c' Multiple Arbitrary File Disclosure Vulnerabilities). Versions prior to PHP 5.3.22 and 5.4.13 are vulnerable. PHP (PHP: Hypertext Preprocessor, PHP: Hypertext Preprocessor) is an open source general-purpose computer scripting language jointly maintained by the PHP Group and the open source community. The language is mainly used for Web development and supports a variety of databases and operating systems. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201408-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: PHP: Multiple vulnerabilities Date: August 29, 2014 Bugs: #459904, #472204, #472558, #474656, #476570, #481004, #483212, #485252, #492784, #493982, #501312, #503630, #503670, #505172, #505712, #509132, #512288, #512492, #513032, #516994, #519932, #520134, #520438 ID: 201408-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been discovered in PHP, the worst of which could lead to remote execution of arbitrary code. Background ========== PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/php < 5.5.16 >= 5.5.16 *>= 5.4.32 *>= 5.3.29 Description =========== Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact ====== A context-dependent attacker can cause arbitrary code execution, create a Denial of Service condition, read or write arbitrary files, impersonate other servers, hijack a web session, or have other unspecified impact. Additionally, a local attacker could gain escalated privileges. Workaround ========== There is no known workaround at this time. Resolution ========== All PHP 5.5 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.5.16" All PHP 5.4 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.32" All PHP 5.3 users should upgrade to the latest version. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.29" References ========== [ 1 ] CVE-2011-4718 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4718 [ 2 ] CVE-2013-1635 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1635 [ 3 ] CVE-2013-1643 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1643 [ 4 ] CVE-2013-1824 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1824 [ 5 ] CVE-2013-2110 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2110 [ 6 ] CVE-2013-3735 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3735 [ 7 ] CVE-2013-4113 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4113 [ 8 ] CVE-2013-4248 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4248 [ 9 ] CVE-2013-4635 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4635 [ 10 ] CVE-2013-4636 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4636 [ 11 ] CVE-2013-6420 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6420 [ 12 ] CVE-2013-6712 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6712 [ 13 ] CVE-2013-7226 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7226 [ 14 ] CVE-2013-7327 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7327 [ 15 ] CVE-2013-7345 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7345 [ 16 ] CVE-2014-0185 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0185 [ 17 ] CVE-2014-0237 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0237 [ 18 ] CVE-2014-0238 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0238 [ 19 ] CVE-2014-1943 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1943 [ 20 ] CVE-2014-2270 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2270 [ 21 ] CVE-2014-2497 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2497 [ 22 ] CVE-2014-3597 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3597 [ 23 ] CVE-2014-3981 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3981 [ 24 ] CVE-2014-4049 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4049 [ 25 ] CVE-2014-4670 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4670 [ 26 ] CVE-2014-5120 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5120 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201408-11.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-09-12-1 OS X Mountain Lion v10.8.5 and Security Update 2013-004 OS X Mountain Lion v10.8.5 and Security Update 2013-004 is now available and addresses the following: Apache Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: Multiple vulnerabilities in Apache Description: Multiple vulnerabilities existed in Apache, the most serious of which may lead to cross-site scripting. These issues were addressed by updating Apache to version 2.2.24. CVE-ID CVE-2012-0883 CVE-2012-2687 CVE-2012-3499 CVE-2012-4558 Bind Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: Multiple vulnerabilities in BIND Description: Multiple vulnerabilities existed in BIND, the most serious of which may lead to a denial of service. These issues were addressed by updating BIND to version 9.8.5-P1. CVE-2012-5688 did not affect Mac OS X v10.7 systems. CVE-ID CVE-2012-3817 CVE-2012-4244 CVE-2012-5166 CVE-2012-5688 CVE-2013-2266 Certificate Trust Policy Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: Root certificates have been updated Description: Several certificates were added to or removed from the list of system roots. The complete list of recognized system roots may be viewed via the Keychain Access application. ClamAV Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5 Impact: Multiple vulnerabilities in ClamAV Description: Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.97.8. CVE-ID CVE-2013-2020 CVE-2013-2021 CoreGraphics Available for: OS X Mountain Lion v10.8 to v10.8.4 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of JBIG2 encoded data in PDF files. This issue was addressed through additional bounds checking. CVE-ID CVE-2013-1025 : Felix Groebert of the Google Security Team ImageIO Available for: OS X Mountain Lion v10.8 to v10.8.4 Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of JPEG2000 encoded data in PDF files. This issue was addressed through additional bounds checking. CVE-ID CVE-2013-1026 : Felix Groebert of the Google Security Team Installer Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: Packages could be opened after certificate revocation Description: When Installer encountered a revoked certificate, it would present a dialog with an option to continue. The issue was addressed by removing the dialog and refusing any revoked package. CVE-ID CVE-2013-1027 IPSec Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: An attacker may intercept data protected with IPSec Hybrid Auth Description: The DNS name of an IPSec Hybrid Auth server was not being matched against the certificate, allowing an attacker with a certificate for any server to impersonate any other. This issue was addressed by properly checking the certificate. CVE-ID CVE-2013-1028 : Alexander Traud of www.traud.de Kernel Available for: OS X Mountain Lion v10.8 to v10.8.4 Impact: A local network user may cause a denial of service Description: An incorrect check in the IGMP packet parsing code in the kernel allowed a user who could send IGMP packets to the system to cause a kernel panic. The issue was addressed by removing the check. CVE-ID CVE-2013-1029 : Christopher Bohn of PROTECTSTAR INC. Mobile Device Management Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: Passwords may be disclosed to other local users Description: A password was passed on the command-line to mdmclient, which made it visible to other users on the same system. The issue was addressed by communicating the password through a pipe. CVE-ID CVE-2013-1030 : Per Olofsson at the University of Gothenburg OpenSSL Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: Multiple vulnerabilities in OpenSSL Description: Multiple vulnerabilities existed in OpenSSL, the most serious of which may lead to disclosure of user data. These issues were addressed by updating OpenSSL to version 0.9.8y. CVE-ID CVE-2012-2686 CVE-2013-0166 CVE-2013-0169 PHP Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: Multiple vulnerabilities in PHP Description: Multiple vulnerabilities existed in PHP, the most serious of which may lead to arbitrary code execution. These issues were addressed by updating PHP to version 5.3.26. CVE-ID CVE-2013-1635 CVE-2013-1643 CVE-2013-1824 CVE-2013-2110 PostgreSQL Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: Multiple vulnerabilities in PostgreSQL Description: Multiple vulnerabilities exist in PostgreSQL, the most serious of which may lead to data corruption or privilege escalation. This update addresses the issues by updating PostgreSQL to version 9.0.13. CVE-ID CVE-2013-1899 CVE-2013-1900 CVE-2013-1901 CVE-2013-1902 CVE-2013-1903 Power Management Available for: OS X Mountain Lion v10.8 to v10.8.4 Impact: The screen saver may not start after the specified time period Description: A power assertion lock issue existed. This issue was addressed through improved lock handling. CVE-ID CVE-2013-1031 QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8 to v10.8.4 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of 'idsc' atoms in QuickTime movie files. This issue was addressed through additional bounds checking. CVE-ID CVE-2013-1032 : Jason Kratzer working with iDefense VCP Screen Lock Available for: OS X Mountain Lion v10.8 to v10.8.4 Impact: A user with screen sharing access may be able to bypass the screen lock when another user is logged in Description: A session management issue existed in the screen lock's handling of screen sharing sessions. This issue was addressed through improved session tracking. CVE-ID CVE-2013-1033 : Jeff Grisso of Atos IT Solutions, Sebastien Stormacq Note: OS X Mountain Lion v10.8.5 also addresses an issue where certain Unicode strings could cause applications to unexpectedly terminate. OS X Mountain Lion v10.8.5 and Security Update 2013-004 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.5, or Security Update 2013-004. For OS X Mountain Lion v10.8.4 The download file is named: OSXUpd10.8.5.dmg Its SHA-1 digest is: a74ab6d9501778437e7afba0bbed47b776a52b11 For OS X Mountain Lion v10.8 and v10.8.3 The download file is named: OSXUpdCombo10.8.5.dmg Its SHA-1 digest is: cb798ac9b97ceb2d8875af040ce4ff06187d61f2 For OS X Lion v10.7.5 The download file is named: SecUpd2013-004.dmg Its SHA-1 digest is: dbc50fce7070f83b93b866a21b8f5c6e65007fa0 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-004.dmg Its SHA-1 digest is: 44a77edbd37732b865bc21a9aac443a3cdc47355 For Mac OS X v10.6.8 The download file is named: SecUpd2013-004.dmg Its SHA-1 digest is: d07d5142a2549270f0d2eaddb262b41bb5c16b61 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-004.dmg Its SHA-1 digest is: 8f9abe93f7f9427cf86b89bd67df948a85537dbc Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJSMiPGAAoJEPefwLHPlZEw9qMP/17D4Q8velZ3H4AumPzHqqB4 QxPcuv8PXzhi55epUm2bzNfXR9A5L9KvzEsmggqxO2/ESO0zfeKgAmXXjCI3z5Qc +WkHgqowjwXU9cbjyDkhwb/ylXml+vCSIv2m9eXXNRTRi0rm9ZLSI/JMSRfLMojQ bZbzQSoSpuGaOeOOWESKCf9zBXFG6DBGo0wg3z8Bkywjtp/7bfddPAFHxIdhjDDN 1IgmhPRnP6NEdNSfR6RwF94M+hyiJ2I2DIDZTIo+6B4Ne90bEYdBiQmSxwKFAyc3 H9VFfB8XmrtA2k4DhE6Ow2jD/Y//QKz6TbyZNSQawXxuPsj43v6/T6BsWdfddGbQ hDGU85e7z7a4gmIPuS3DjMhSEyAixL/B3vKYBaZltH6JBCcPuLvGrU7nAiJa7KGQ 8MToOyv42TSj95drFzysk5fcO0MIUH5xiGlaU+ScEdBSpIpHDfpjeJYPqxHeGFaa V2xCGw1vMYbMoxNzRL0FPPdUxJkyBHvuzZXh6c6fATuQIPCtwejpPrYEo7x7RRpl ytsVLe3V27j7IfWb62nI+mNVfH5m+YgK4SGK5DSq8Nm1Lk0w4HXmTtrhOCogsJ2I yoqeg/XakiSdxZxhSa9/ZZsMB+D1B8siNzCj0+U0k4zYjxEA0GdSu/dYRVT62oIn vBrJ5gm+nnyRe2TUMAwz =h9hc -----END PGP SIGNATURE-----

Multiple cross-site request forgery (CSRF) vulnerabilities in the web-based management utility on the NEC AtermWR9500N, AtermWR8600N, AtermWR8370N, AtermWR8160N, AtermWM3600R, and AtermWM3450RN routers allow remote attackers to hijack the authentication of administrators for requests that (1) initialize settings or (2) reboot the device. Sen UENO of Tricorder Co. Ltd., Hiroshi Kumagai and Kimura Youichi reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user views a malicious page while logged in, settings of the product may be initialized, or the product may be rebooted. NEC aterm is a number of wireless routing devices. Because the application allows users to perform certain operations through HTTP requests without performing any validity check, the attacker can exploit the vulnerability to perform specific operations when the logged-in administrator accesses a malicious website. action. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks

lockdownd in Lockdown in Apple iOS before 6.1.3 does not properly consider file types during the permission-setting step of a backup restoration, which allows local users to change the permissions of arbitrary files via a backup that contains a pathname with a symlink. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a local security-bypass vulnerability. An attacker with physical access to the affected device can exploit this issue to change permissions on arbitrary files. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-19-1 iOS 6.1.3 iOS 6.1.3 is now available and addresses the following: dyld Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to execute unsigned code Description: A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed by refusing to load an executable with overlapping segments. CVE-ID CVE-2013-0977 : evad3rs Kernel Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to determine the address of structures in the kernel Description: An information disclosure issue existed in the ARM prefetch abort handler. This issue was addressed by panicking if the prefetch abort handler is not being called from an abort context. This issue was addressed by not changing permissions on any file with a symlink in its path. CVE-ID CVE-2013-0979 : evad3rs Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to bypass the screen lock Description: A logic issue existed in the handling of emergency calls from the lock screen. This issue was addressed through improved lock state management. CVE-ID CVE-2013-0980 : Christopher Heffley of theMedium.ca, videosdebarraquito USB Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to execute arbitrary code in the kernel Description: The IOUSBDeviceFamily driver used pipe object pointers that came from userspace. This issue was addressed by performing additional validation of pipe object pointers. CVE-ID CVE-2013-0981 : evad3rs WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: An invalid cast issue existed in the handling of SVG files. This issue was addressed through improved type checking. CVE-ID CVE-2013-0912 : Nils and Jon from MWR Labs working with HP TippingPoint's Zero Day Initiative Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. The version after applying this update will be "6.1.3". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRR36/AAoJEPefwLHPlZEwj+8P/j2CxTtGz790dpfS5+3k02AV JmdOZjAxzEtsc/j5XfpyGdvOBAfTEK+llt/tQ6C3dK+KlB9otDwvgz3K0DFls1fM p0OVw4E6Ao2qfDG02eqGdPldYMejTxlH1AGs4mW6ZdfM2mAZLn+Bmm3dCkcJ2PGn s9bYZBQdnQySkd1/l6lc2dj5zpjmsWMtr0dLVyiq39jDA1E5oA+iAEJ45BT3mxeA SKn44+xhpVQATAz4H5tYaxQAFt9hmJbzkvH8VoMLzoJNSrodBjB9WPtLPX95P/eg 88F2RshnpjrKnlWcbzzyEQWt7j2hxtjvJufGxdtOQXLIUp4wGlqQeTmCso/cqQPV UlLUbbRNr4et9wS2EWlYymywcIwtYlFlgslNiV9zzLWKo6Hv79oSr3KAYaI1kn48 v1FS8OvZswQrsUwCb73WMVdh0RoEMPYPptkzB76ivk/KCcj+CUqC+fFm84JDTM4D eS+dLkA+p2mdhYNCPkmbPTbSdSfOK4rKU90RHCvxq04b+8KM/iHA7xQ0rpibK6ba Ya47zOgnRRzvFghYazasvC5LSPVsQolz+D5wWOMyL5iVWDXYhzFXJ2H45ZgmO73k +tcKHXKCSN9IdYmtEG/nOLiKCU6V7W9Sk42Sl6Eyb3cKhKgPtsaWUybHiDi8XjV8 oiKBfq9i2nsbqLTdlCIO =f4N8 -----END PGP SIGNATURE-----

The ARM prefetch abort handler in the kernel in Apple iOS before 6.1.3 and Apple TV before 5.2.1 does not ensure that it has been invoked in an abort context, which makes it easier for local users to bypass the ASLR protection mechanism via crafted code. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a local information-disclosure vulnerability. Local attackers can leverage this issue to gain access to sensitive information. Information obtained may aid in further attacks. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. Through specially crafted code, a local attacker can exploit this vulnerability to bypass the ASLR protection mechanism. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-19-1 iOS 6.1.3 iOS 6.1.3 is now available and addresses the following: dyld Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to execute unsigned code Description: A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed by refusing to load an executable with overlapping segments. CVE-ID CVE-2013-0977 : evad3rs Kernel Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to determine the address of structures in the kernel Description: An information disclosure issue existed in the ARM prefetch abort handler. This issue was addressed by panicking if the prefetch abort handler is not being called from an abort context. CVE-ID CVE-2013-0978 : evad3rs Lockdown Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to change permissions on arbitrary files Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path. CVE-ID CVE-2013-0979 : evad3rs Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to bypass the screen lock Description: A logic issue existed in the handling of emergency calls from the lock screen. This issue was addressed through improved lock state management. CVE-ID CVE-2013-0980 : Christopher Heffley of theMedium.ca, videosdebarraquito USB Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to execute arbitrary code in the kernel Description: The IOUSBDeviceFamily driver used pipe object pointers that came from userspace. This issue was addressed by performing additional validation of pipe object pointers. CVE-ID CVE-2013-0981 : evad3rs WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: An invalid cast issue existed in the handling of SVG files. This issue was addressed through improved type checking. CVE-ID CVE-2013-0912 : Nils and Jon from MWR Labs working with HP TippingPoint's Zero Day Initiative Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. The version after applying this update will be "6.1.3". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRR36/AAoJEPefwLHPlZEwj+8P/j2CxTtGz790dpfS5+3k02AV JmdOZjAxzEtsc/j5XfpyGdvOBAfTEK+llt/tQ6C3dK+KlB9otDwvgz3K0DFls1fM p0OVw4E6Ao2qfDG02eqGdPldYMejTxlH1AGs4mW6ZdfM2mAZLn+Bmm3dCkcJ2PGn s9bYZBQdnQySkd1/l6lc2dj5zpjmsWMtr0dLVyiq39jDA1E5oA+iAEJ45BT3mxeA SKn44+xhpVQATAz4H5tYaxQAFt9hmJbzkvH8VoMLzoJNSrodBjB9WPtLPX95P/eg 88F2RshnpjrKnlWcbzzyEQWt7j2hxtjvJufGxdtOQXLIUp4wGlqQeTmCso/cqQPV UlLUbbRNr4et9wS2EWlYymywcIwtYlFlgslNiV9zzLWKo6Hv79oSr3KAYaI1kn48 v1FS8OvZswQrsUwCb73WMVdh0RoEMPYPptkzB76ivk/KCcj+CUqC+fFm84JDTM4D eS+dLkA+p2mdhYNCPkmbPTbSdSfOK4rKU90RHCvxq04b+8KM/iHA7xQ0rpibK6ba Ya47zOgnRRzvFghYazasvC5LSPVsQolz+D5wWOMyL5iVWDXYhzFXJ2H45ZgmO73k +tcKHXKCSN9IdYmtEG/nOLiKCU6V7W9Sk42Sl6Eyb3cKhKgPtsaWUybHiDi8XjV8 oiKBfq9i2nsbqLTdlCIO =f4N8 -----END PGP SIGNATURE-----

The IOUSBDeviceFamily driver in the USB implementation in the kernel in Apple iOS before 6.1.3 and Apple TV before 5.2.1 accesses pipe object pointers that originated in userspace, which allows local users to gain privileges via crafted code. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a local arbitrary code-execution vulnerability. Local attackers can exploit this issue to execute arbitrary code in the kernel. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. The vulnerability stems from the fact that the program can access the transfer object pointer from the user control by default. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-19-1 iOS 6.1.3 iOS 6.1.3 is now available and addresses the following: dyld Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to execute unsigned code Description: A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed by refusing to load an executable with overlapping segments. CVE-ID CVE-2013-0977 : evad3rs Kernel Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to determine the address of structures in the kernel Description: An information disclosure issue existed in the ARM prefetch abort handler. This issue was addressed by panicking if the prefetch abort handler is not being called from an abort context. CVE-ID CVE-2013-0978 : evad3rs Lockdown Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to change permissions on arbitrary files Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path. CVE-ID CVE-2013-0979 : evad3rs Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to bypass the screen lock Description: A logic issue existed in the handling of emergency calls from the lock screen. This issue was addressed through improved lock state management. This issue was addressed by performing additional validation of pipe object pointers. CVE-ID CVE-2013-0981 : evad3rs WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: An invalid cast issue existed in the handling of SVG files. This issue was addressed through improved type checking. CVE-ID CVE-2013-0912 : Nils and Jon from MWR Labs working with HP TippingPoint's Zero Day Initiative Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. The version after applying this update will be "6.1.3". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRR36/AAoJEPefwLHPlZEwj+8P/j2CxTtGz790dpfS5+3k02AV JmdOZjAxzEtsc/j5XfpyGdvOBAfTEK+llt/tQ6C3dK+KlB9otDwvgz3K0DFls1fM p0OVw4E6Ao2qfDG02eqGdPldYMejTxlH1AGs4mW6ZdfM2mAZLn+Bmm3dCkcJ2PGn s9bYZBQdnQySkd1/l6lc2dj5zpjmsWMtr0dLVyiq39jDA1E5oA+iAEJ45BT3mxeA SKn44+xhpVQATAz4H5tYaxQAFt9hmJbzkvH8VoMLzoJNSrodBjB9WPtLPX95P/eg 88F2RshnpjrKnlWcbzzyEQWt7j2hxtjvJufGxdtOQXLIUp4wGlqQeTmCso/cqQPV UlLUbbRNr4et9wS2EWlYymywcIwtYlFlgslNiV9zzLWKo6Hv79oSr3KAYaI1kn48 v1FS8OvZswQrsUwCb73WMVdh0RoEMPYPptkzB76ivk/KCcj+CUqC+fFm84JDTM4D eS+dLkA+p2mdhYNCPkmbPTbSdSfOK4rKU90RHCvxq04b+8KM/iHA7xQ0rpibK6ba Ya47zOgnRRzvFghYazasvC5LSPVsQolz+D5wWOMyL5iVWDXYhzFXJ2H45ZgmO73k +tcKHXKCSN9IdYmtEG/nOLiKCU6V7W9Sk42Sl6Eyb3cKhKgPtsaWUybHiDi8XjV8 oiKBfq9i2nsbqLTdlCIO =f4N8 -----END PGP SIGNATURE-----

dyld in Apple iOS before 6.1.3 and Apple TV before 5.2.1 does not properly manage the state of file loading for Mach-O executable files, which allows local users to bypass intended code-signing requirements via a file that contains overlapping segments. Apple iOS for the iPhone, the iPod touch, and the iPad is prone to a local security-bypass vulnerability. Successful exploits will allow local attackers to bypass certain security restrictions and execute arbitrary code on the affected device. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-03-19-1 iOS 6.1.3 iOS 6.1.3 is now available and addresses the following: dyld Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to execute unsigned code Description: A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed by refusing to load an executable with overlapping segments. CVE-ID CVE-2013-0977 : evad3rs Kernel Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to determine the address of structures in the kernel Description: An information disclosure issue existed in the ARM prefetch abort handler. This issue was addressed by panicking if the prefetch abort handler is not being called from an abort context. CVE-ID CVE-2013-0978 : evad3rs Lockdown Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to change permissions on arbitrary files Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path. CVE-ID CVE-2013-0979 : evad3rs Passcode Lock Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A person with physical access to the device may be able to bypass the screen lock Description: A logic issue existed in the handling of emergency calls from the lock screen. This issue was addressed through improved lock state management. CVE-ID CVE-2013-0980 : Christopher Heffley of theMedium.ca, videosdebarraquito USB Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: A local user may be able to execute arbitrary code in the kernel Description: The IOUSBDeviceFamily driver used pipe object pointers that came from userspace. This issue was addressed by performing additional validation of pipe object pointers. CVE-ID CVE-2013-0981 : evad3rs WebKit Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: An invalid cast issue existed in the handling of SVG files. This issue was addressed through improved type checking. CVE-ID CVE-2013-0912 : Nils and Jon from MWR Labs working with HP TippingPoint's Zero Day Initiative Installation note: This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. The version after applying this update will be "6.1.3". Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRR36/AAoJEPefwLHPlZEwj+8P/j2CxTtGz790dpfS5+3k02AV JmdOZjAxzEtsc/j5XfpyGdvOBAfTEK+llt/tQ6C3dK+KlB9otDwvgz3K0DFls1fM p0OVw4E6Ao2qfDG02eqGdPldYMejTxlH1AGs4mW6ZdfM2mAZLn+Bmm3dCkcJ2PGn s9bYZBQdnQySkd1/l6lc2dj5zpjmsWMtr0dLVyiq39jDA1E5oA+iAEJ45BT3mxeA SKn44+xhpVQATAz4H5tYaxQAFt9hmJbzkvH8VoMLzoJNSrodBjB9WPtLPX95P/eg 88F2RshnpjrKnlWcbzzyEQWt7j2hxtjvJufGxdtOQXLIUp4wGlqQeTmCso/cqQPV UlLUbbRNr4et9wS2EWlYymywcIwtYlFlgslNiV9zzLWKo6Hv79oSr3KAYaI1kn48 v1FS8OvZswQrsUwCb73WMVdh0RoEMPYPptkzB76ivk/KCcj+CUqC+fFm84JDTM4D eS+dLkA+p2mdhYNCPkmbPTbSdSfOK4rKU90RHCvxq04b+8KM/iHA7xQ0rpibK6ba Ya47zOgnRRzvFghYazasvC5LSPVsQolz+D5wWOMyL5iVWDXYhzFXJ2H45ZgmO73k +tcKHXKCSN9IdYmtEG/nOLiKCU6V7W9Sk42Sl6Eyb3cKhKgPtsaWUybHiDi8XjV8 oiKBfq9i2nsbqLTdlCIO =f4N8 -----END PGP SIGNATURE-----

IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allows remote attackers to cause a denial of service (daemon outage) via a crafted authentication request. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability due to an issue in processing authentication requests. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.SSH access may become unavailable until the next reboot as a result of processing an authentication request. VxWorks is an embedded real-time operating system. VxWorks is prone to a denial-of-service vulnerability. VxWorks 6.5 through 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com) Products affected: * All TP-Link VxWorks-based devices (confirmed by vendor) * All "2-series" switches (confirmed by vendor) * TL-SG2008 semi-managed switch (confirmed by vendor) * TL-SG2216 semi-managed switch (confirmed by vendor) * TL-SG2424 semi-managed switch (confirmed by vendor) * TL-SG2424P semi-managed switch (confirmed by vendor) * TL-SG2452 semi-managed switch (confirmed by vendor) Vulnerabilities: * All previously-reported VxWorks vulnerabilities from 6.6.0 on; at the very least: * CVE-2013-0716 (confirmed by vendor) * CVE-2013-0715 (confirmed by vendor) * CVE-2013-0714 (confirmed by vendor) * CVE-2013-0713 (confirmed by vendor) * CVE-2013-0712 (confirmed by vendor) * CVE-2013-0711 (confirmed by vendor) * CVE-2010-2967 (confirmed by vendor) * CVE-2010-2966 (confirmed by vendor) * CVE-2008-2476 (confirmed by vendor) * SSLv2 is available and cannot be disabled unless HTTPS is completely disabled (allows downgrade attacks) (confirmed by vendor) * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot be disabled (allows downgrade attacks) (confirmed by vendor) Design flaws: * Telnet is available and cannot be disabled (confirmed by vendor) * SSHv1 enabled by default if SSH is enabled (confirmed by vendor) Vendor response: TP-Link are not convinced that these flaws should be repaired. TP-Link's Internet presence -- or at least DNS -- is available only intermittently. Most emails bounced. Lost contact with vendor, but did confirm that development lead is now on holiday and will not return for at least a week. Initial vendor reaction was to recommend purchase of "3-series" switches. Vendor did not offer reasons why "3-series" switches would be more secure, apart from lack of telnet service. Vendor confirmed that no development time can be allocated to securing "2-series" product and all focus has shifted to newer products. (TL-SG2008 first product availability July 2014...) Vendor deeply confused about security of DES/3DES, MD5, claimed that all security is relative. ("...[E]ven SHA-1 can be cracked, they just have different security level.") Fix availability: None. Work-arounds advised: None possible. Remove products from network

IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allows remote authenticated users to cause a denial of service (daemon outage) via a crafted packet. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability due to an issue in the processing directly after the SSH connection is established. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.SSH access may become unavailable until the next reboot when receiving a specially crafted packet after a SSH connection is established. VxWorks is an embedded real-time operating system. An attacker can pass a specially crafted packet, causing a denial of service. VxWorks is prone to a denial-of-service vulnerability. Remote attackers can exploit this issue to cause denial-of-service conditions for legitimate users. VxWorks 6.5 through 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com) Products affected: * All TP-Link VxWorks-based devices (confirmed by vendor) * All "2-series" switches (confirmed by vendor) * TL-SG2008 semi-managed switch (confirmed by vendor) * TL-SG2216 semi-managed switch (confirmed by vendor) * TL-SG2424 semi-managed switch (confirmed by vendor) * TL-SG2424P semi-managed switch (confirmed by vendor) * TL-SG2452 semi-managed switch (confirmed by vendor) Vulnerabilities: * All previously-reported VxWorks vulnerabilities from 6.6.0 on; at the very least: * CVE-2013-0716 (confirmed by vendor) * CVE-2013-0715 (confirmed by vendor) * CVE-2013-0714 (confirmed by vendor) * CVE-2013-0713 (confirmed by vendor) * CVE-2013-0712 (confirmed by vendor) * CVE-2013-0711 (confirmed by vendor) * CVE-2010-2967 (confirmed by vendor) * CVE-2010-2966 (confirmed by vendor) * CVE-2008-2476 (confirmed by vendor) * SSLv2 is available and cannot be disabled unless HTTPS is completely disabled (allows downgrade attacks) (confirmed by vendor) * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot be disabled (allows downgrade attacks) (confirmed by vendor) Design flaws: * Telnet is available and cannot be disabled (confirmed by vendor) * SSHv1 enabled by default if SSH is enabled (confirmed by vendor) Vendor response: TP-Link are not convinced that these flaws should be repaired. TP-Link's Internet presence -- or at least DNS -- is available only intermittently. Most emails bounced. Lost contact with vendor, but did confirm that development lead is now on holiday and will not return for at least a week. Initial vendor reaction was to recommend purchase of "3-series" switches. Vendor did not offer reasons why "3-series" switches would be more secure, apart from lack of telnet service. Vendor confirmed that no development time can be allocated to securing "2-series" product and all focus has shifted to newer products. (TL-SG2008 first product availability July 2014...) Vendor deeply confused about security of DES/3DES, MD5, claimed that all security is relative. ("...[E]ven SHA-1 can be cracked, they just have different security level.") Fix availability: None. Work-arounds advised: None possible. Remove products from network

IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allows remote authenticated users to cause a denial of service (daemon outage) via a crafted pty request. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service vulnerability due to an issue in processing pty requests. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.Receiving a specially crafted pty request packet may cause SSH access to be unavailable until the next reboot. VxWorks is an embedded real-time operating system. An attacker can cause a denial of service through a specially crafted private request. VxWorks is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause an affected SSH access to be unavailable, denying service to legitimate users. VxWorks version 6.5 through version 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com) Products affected: * All TP-Link VxWorks-based devices (confirmed by vendor) * All "2-series" switches (confirmed by vendor) * TL-SG2008 semi-managed switch (confirmed by vendor) * TL-SG2216 semi-managed switch (confirmed by vendor) * TL-SG2424 semi-managed switch (confirmed by vendor) * TL-SG2424P semi-managed switch (confirmed by vendor) * TL-SG2452 semi-managed switch (confirmed by vendor) Vulnerabilities: * All previously-reported VxWorks vulnerabilities from 6.6.0 on; at the very least: * CVE-2013-0716 (confirmed by vendor) * CVE-2013-0715 (confirmed by vendor) * CVE-2013-0714 (confirmed by vendor) * CVE-2013-0713 (confirmed by vendor) * CVE-2013-0712 (confirmed by vendor) * CVE-2013-0711 (confirmed by vendor) * CVE-2010-2967 (confirmed by vendor) * CVE-2010-2966 (confirmed by vendor) * CVE-2008-2476 (confirmed by vendor) * SSLv2 is available and cannot be disabled unless HTTPS is completely disabled (allows downgrade attacks) (confirmed by vendor) * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot be disabled (allows downgrade attacks) (confirmed by vendor) Design flaws: * Telnet is available and cannot be disabled (confirmed by vendor) * SSHv1 enabled by default if SSH is enabled (confirmed by vendor) Vendor response: TP-Link are not convinced that these flaws should be repaired. TP-Link's Internet presence -- or at least DNS -- is available only intermittently. Most emails bounced. Lost contact with vendor, but did confirm that development lead is now on holiday and will not return for at least a week. Initial vendor reaction was to recommend purchase of "3-series" switches. Vendor did not offer reasons why "3-series" switches would be more secure, apart from lack of telnet service. Vendor confirmed that no development time can be allocated to securing "2-series" product and all focus has shifted to newer products. (TL-SG2008 first product availability July 2014...) Vendor deeply confused about security of DES/3DES, MD5, claimed that all security is relative. ("...[E]ven SHA-1 can be cracked, they just have different security level.") Fix availability: None. Work-arounds advised: None possible. Remove products from network

IPSSH (aka the SSH server) in Wind River VxWorks 6.5 through 6.9 allows remote attackers to execute arbitrary code or cause a denial of service (daemon hang) via a crafted public-key authentication request. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability. The SSH server (IPSSH) implementation in VxWorks contains a denial-of-service (DoS) vulnerability due to an issue in the processing authentication requests. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. In addition, arbitrary code may be executed on the server. VxWorks is an embedded real-time operating system. Wind River VxWorks is a set of real-time operating systems for the Internet of Things developed by Wind River. Vulnerabilities in IPSSH (aka SSH Server) in Wind River VxWorks 6.5 to 6.9. VxWorks is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause an affected SSH access to be unavailable, denying service to legitimate users. Due to the nature of this issue, arbitrary code-execution may be possible; however this has not been confirmed. VxWorks 6.5 through version 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com) Products affected: * All TP-Link VxWorks-based devices (confirmed by vendor) * All "2-series" switches (confirmed by vendor) * TL-SG2008 semi-managed switch (confirmed by vendor) * TL-SG2216 semi-managed switch (confirmed by vendor) * TL-SG2424 semi-managed switch (confirmed by vendor) * TL-SG2424P semi-managed switch (confirmed by vendor) * TL-SG2452 semi-managed switch (confirmed by vendor) Vulnerabilities: * All previously-reported VxWorks vulnerabilities from 6.6.0 on; at the very least: * CVE-2013-0716 (confirmed by vendor) * CVE-2013-0715 (confirmed by vendor) * CVE-2013-0714 (confirmed by vendor) * CVE-2013-0713 (confirmed by vendor) * CVE-2013-0712 (confirmed by vendor) * CVE-2013-0711 (confirmed by vendor) * CVE-2010-2967 (confirmed by vendor) * CVE-2010-2966 (confirmed by vendor) * CVE-2008-2476 (confirmed by vendor) * SSLv2 is available and cannot be disabled unless HTTPS is completely disabled (allows downgrade attacks) (confirmed by vendor) * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot be disabled (allows downgrade attacks) (confirmed by vendor) Design flaws: * Telnet is available and cannot be disabled (confirmed by vendor) * SSHv1 enabled by default if SSH is enabled (confirmed by vendor) Vendor response: TP-Link are not convinced that these flaws should be repaired. TP-Link's Internet presence -- or at least DNS -- is available only intermittently. Most emails bounced. Lost contact with vendor, but did confirm that development lead is now on holiday and will not return for at least a week. Initial vendor reaction was to recommend purchase of "3-series" switches. Vendor did not offer reasons why "3-series" switches would be more secure, apart from lack of telnet service. Vendor confirmed that no development time can be allocated to securing "2-series" product and all focus has shifted to newer products. (TL-SG2008 first product availability July 2014...) Vendor deeply confused about security of DES/3DES, MD5, claimed that all security is relative. ("...[E]ven SHA-1 can be cracked, they just have different security level.") Fix availability: None. Work-arounds advised: None possible. Remove products from network

The WebCLI component in Wind River VxWorks 5.5 through 6.9 allows remote authenticated users to cause a denial of service (CLI session crash) via a crafted command string. The VxWorks WebCLI contains a denial-of-service (DoS) vulnerability. The VxWorks WebCLI contains a denial-of-service (DoS) vulnerability due to an issue in parsing command strings. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.An attacker that can login to a CLI session may cause the current CLI session to crash. VxWorks is an embedded real-time operating system. A denial of service vulnerability exists in VxWorks WebCLI. VxWorks 5.5 through 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com) Products affected: * All TP-Link VxWorks-based devices (confirmed by vendor) * All "2-series" switches (confirmed by vendor) * TL-SG2008 semi-managed switch (confirmed by vendor) * TL-SG2216 semi-managed switch (confirmed by vendor) * TL-SG2424 semi-managed switch (confirmed by vendor) * TL-SG2424P semi-managed switch (confirmed by vendor) * TL-SG2452 semi-managed switch (confirmed by vendor) Vulnerabilities: * All previously-reported VxWorks vulnerabilities from 6.6.0 on; at the very least: * CVE-2013-0716 (confirmed by vendor) * CVE-2013-0715 (confirmed by vendor) * CVE-2013-0714 (confirmed by vendor) * CVE-2013-0713 (confirmed by vendor) * CVE-2013-0712 (confirmed by vendor) * CVE-2013-0711 (confirmed by vendor) * CVE-2010-2967 (confirmed by vendor) * CVE-2010-2966 (confirmed by vendor) * CVE-2008-2476 (confirmed by vendor) * SSLv2 is available and cannot be disabled unless HTTPS is completely disabled (allows downgrade attacks) (confirmed by vendor) * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot be disabled (allows downgrade attacks) (confirmed by vendor) Design flaws: * Telnet is available and cannot be disabled (confirmed by vendor) * SSHv1 enabled by default if SSH is enabled (confirmed by vendor) Vendor response: TP-Link are not convinced that these flaws should be repaired. TP-Link's Internet presence -- or at least DNS -- is available only intermittently. Most emails bounced. Lost contact with vendor, but did confirm that development lead is now on holiday and will not return for at least a week. Initial vendor reaction was to recommend purchase of "3-series" switches. Vendor did not offer reasons why "3-series" switches would be more secure, apart from lack of telnet service. Vendor confirmed that no development time can be allocated to securing "2-series" product and all focus has shifted to newer products. (TL-SG2008 first product availability July 2014...) Vendor deeply confused about security of DES/3DES, MD5, claimed that all security is relative. ("...[E]ven SHA-1 can be cracked, they just have different security level.") Fix availability: None. Work-arounds advised: None possible. Remove products from network

The web server in Wind River VxWorks 5.5 through 6.9 allows remote attackers to cause a denial of service (daemon crash) via a crafted URI. The VxWorks Web Server contains a denial-of-service vulnerability. The VxWorks Web Server contains a denial-of-service (DoS) vulnerability. Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.When a user accesses the VxWorks Web Server using a specially crafted URL, the server may crash. VxWorks is an embedded real-time operating system. Attackers can exploit this issue to crash the application, denying service to legitimate users. VxWorks 5.5 through 6.9 are vulnerable; other versions may also be affected. Vendor affected: TP-Link (http://tp-link.com) Products affected: * All TP-Link VxWorks-based devices (confirmed by vendor) * All "2-series" switches (confirmed by vendor) * TL-SG2008 semi-managed switch (confirmed by vendor) * TL-SG2216 semi-managed switch (confirmed by vendor) * TL-SG2424 semi-managed switch (confirmed by vendor) * TL-SG2424P semi-managed switch (confirmed by vendor) * TL-SG2452 semi-managed switch (confirmed by vendor) Vulnerabilities: * All previously-reported VxWorks vulnerabilities from 6.6.0 on; at the very least: * CVE-2013-0716 (confirmed by vendor) * CVE-2013-0715 (confirmed by vendor) * CVE-2013-0714 (confirmed by vendor) * CVE-2013-0713 (confirmed by vendor) * CVE-2013-0712 (confirmed by vendor) * CVE-2013-0711 (confirmed by vendor) * CVE-2010-2967 (confirmed by vendor) * CVE-2010-2966 (confirmed by vendor) * CVE-2008-2476 (confirmed by vendor) * SSLv2 is available and cannot be disabled unless HTTPS is completely disabled (allows downgrade attacks) (confirmed by vendor) * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot be disabled (allows downgrade attacks) (confirmed by vendor) Design flaws: * Telnet is available and cannot be disabled (confirmed by vendor) * SSHv1 enabled by default if SSH is enabled (confirmed by vendor) Vendor response: TP-Link are not convinced that these flaws should be repaired. TP-Link's Internet presence -- or at least DNS -- is available only intermittently. Most emails bounced. Lost contact with vendor, but did confirm that development lead is now on holiday and will not return for at least a week. Initial vendor reaction was to recommend purchase of "3-series" switches. Vendor did not offer reasons why "3-series" switches would be more secure, apart from lack of telnet service. Vendor confirmed that no development time can be allocated to securing "2-series" product and all focus has shifted to newer products. (TL-SG2008 first product availability July 2014...) Vendor deeply confused about security of DES/3DES, MD5, claimed that all security is relative. ("...[E]ven SHA-1 can be cracked, they just have different security level.") Fix availability: None. Work-arounds advised: None possible. Remove products from network

Cisco IOS is a popular Internet operating system. An insecure password hash vulnerability exists in Cisco IOS and IOS XE. An attacker can exploit a vulnerability to perform a brute force attack and obtain a password for unauthorized access. This may aid in other attacks

Multiple cross-site request forgery (CSRF) vulnerabilities in index.cgi on the Verizon FIOS Actiontec MI424WR-GEN3I router with firmware 40.19.36 allow remote attackers to hijack the authentication of administrators for requests that (1) add administrative accounts via the username and user_level parameters or (2) enable remote administration via the is_telnet_primary and is_telnet_secondary parameters. The Verizon FIOS Actiontec router model MI424WR-GEN3I is susceptible to cross-site request forgery attacks. (CWE-352). Successful exploits can result in privileged commands running on the affected devices, including enabling remote access to the web administration interface. This may lead to further network-based attacks. Verizon FIOS is a wireless fiber optic broadband router produced by Verizon in the United States

The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a &#x3a; sequence. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-ruby/rails < 2.3.18 >= 2.3.18 * ------------------------------------------------------------------- NOTE: Packages marked with asterisks require manual intervention! Description =========== Multiple vulnerabilities have been discovered in Ruby on Rails. Please review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to execute arbitrary SQL commands, change parameter names for form inputs and make changes to arbitrary records in the system, bypass intended access restrictions, render arbitrary views, inject arbitrary web script or HTML, or conduct cross-site request forgery (CSRF) attacks. Workaround ========== There is no known workaround at this time. Resolution ========== All Ruby on Rails 2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.18" NOTE: All applications using Ruby on Rails should also be configured to use the latest version available by running "rake rails:update" inside the application directory. NOTE: This is a legacy GLSA and stable updates for Ruby on Rails, including the unaffected version listed above, are no longer available from Gentoo. It may be possible to upgrade to the 3.2, 4.0, or 4.1 branches, however these packages are not currently stable. References ========== [ 1 ] CVE-2010-3933 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3933 [ 2 ] CVE-2011-0446 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0446 [ 3 ] CVE-2011-0447 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0447 [ 4 ] CVE-2011-0448 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0448 [ 5 ] CVE-2011-0449 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0449 [ 6 ] CVE-2011-2929 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929 [ 7 ] CVE-2011-2930 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930 [ 8 ] CVE-2011-2931 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931 [ 9 ] CVE-2011-2932 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932 [ 10 ] CVE-2011-3186 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186 [ 11 ] CVE-2013-0155 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0155 [ 12 ] CVE-2013-0156 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0156 [ 13 ] CVE-2013-0276 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0276 [ 14 ] CVE-2013-0277 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0277 [ 15 ] CVE-2013-0333 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0333 [ 16 ] CVE-2013-1854 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854 [ 17 ] CVE-2013-1855 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855 [ 18 ] CVE-2013-1856 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856 [ 19 ] CVE-2013-1857 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-28.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . For the stable distribution (squeeze), these problems have been fixed in version 2.3.5-1.2+squeeze8. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in the version 3.2.6-5 of ruby-activerecord-3.2, version 2.3.14-6 of ruby-activerecord-2.3, version 2.3.14-7 of ruby-activesupport-2.3, version 3.2.6-6 of ruby-actionpack-3.2 and in version 2.3.14-5 of ruby-actionpack-2.3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update 2013-002 OS X Mountain Lion v10.8.4 and Security Update 2013-002 is now available and addresses the following: CFNetwork Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: An attacker with access to a user's session may be able to log into previously accessed sites, even if Private Browsing was used Description: Permanent cookies were saved after quitting Safari, even when Private Browsing was enabled. This issue was addressed by improved handling of cookies. CVE-ID CVE-2013-0982 : Alexander Traud of www.traud.de CoreAnimation Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: Visiting a maliciously crafted site may lead to an unexpected application termination or arbitrary code execution Description: An unbounded stack allocation issue existed in the handling of text glyphs. This could be triggered by maliciously crafted URLs in Safari. The issue was addressed through improved bounds checking. CVE-ID CVE-2013-0983 : David Fifield of Stanford University, Ben Syverson CoreMedia Playback Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access issue existed in the handling of text tracks. This issue was addressed by additional validation of text tracks. CVE-ID CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation CUPS Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: A local user in the lpadmin group may be able to read or write arbitrary files with system privileges Description: A privilege escalation issue existed in the handling of CUPS configuration via the CUPS web interface. A local user in the lpadmin group may be able to read or write arbitrary files with system privileges. This issue was addressed by moving certain configuration directives to cups-files.conf, which can not be modified from the CUPS web interface. CVE-ID CVE-2012-5519 Directory Service Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: A remote attacker may execute arbitrary code with system privileges on systems with Directory Service enabled Description: An issue existed in the directory server's handling of messages from the network. This issue was addressed through improved bounds checking. This issue does not affect OS X Lion or OS X Mountain Lion systems. CVE-ID CVE-2013-0984 : Nicolas Economou of Core Security Disk Management Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: A local user may disable FileVault Description: A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication. CVE-ID CVE-2013-0985 OpenSSL Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: An attacker may be able to decrypt data protected by SSL Description: There were known attacks on the confidentiality of TLS 1.0 when compression was enabled. This issue was addressed by disabling compression in OpenSSL. CVE-ID CVE-2012-4929 : Juliano Rizzo and Thai Duong OpenSSL Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Multiple vulnerabilities in OpenSSL Description: OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key. Further information is available via the OpenSSL website at http://www.openssl.org/news/ CVE-ID CVE-2011-1945 CVE-2011-3207 CVE-2011-3210 CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 CVE-2012-0050 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333 QuickDraw Manager Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of PICT images. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0975 : Tobias Klein working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'enof' atoms. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of QTIF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0987 : roob working with iDefense VCP QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of FPX files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative QuickTime Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of MP3 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative Ruby Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: Multiple vulnerabilities in Ruby on Rails Description: Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18. This issue may affect OS X Lion or OS X Mountain Lion systems that were upgraded from Mac OS X 10.6.8 or earlier. Users can update affected gems on such systems by using the /usr/bin/gem utility. CVE-ID CVE-2013-0155 CVE-2013-0276 CVE-2013-0277 CVE-2013-0333 CVE-2013-1854 CVE-2013-1855 CVE-2013-1856 CVE-2013-1857 SMB Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: An authenticated user may be able to write files outside the shared directory Description: If SMB file sharing is enabled, an authenticated user may be able to write files outside the shared directory. This issue was addressed through improved access control. CVE-ID CVE-2013-0990 : Ward van Wanrooij Note: Starting with OS X 10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with a Developer ID certificate. Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed. Note: OS X Mountain Lion v10.8.4 includes the content of Safari 6.0.5. For further details see "About the security content of Safari 6.0.5" at http://http//support.apple.com/kb/HT5785 OS X Mountain Lion v10.8.4 and Security Update 2013-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.4, or Security Update 2013-002. For OS X Mountain Lion v10.8.3 The download file is named: OSXUpd10.8.4.dmg Its SHA-1 digest is: 9cf99aa1293cefdac0fb9a24ea133c80f8237b5e For OS X Mountain Lion v10.8 and v10.8.2 The download file is named: OSXUpdCombo10.8.4.dmg Its SHA-1 digest is: 3c95d0c8d0c7f43339a5f4e137e386dd5fe409c3 For OS X Lion v10.7.5 The download file is named: SecUpd2013-002.dmg Its SHA-1 digest is: cfc3bd0941d7c5838aee9e92ee087d78abff3ce7 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-002.dmg Its SHA-1 digest is: 34dff575a145e13404e7a2ee8a390d3e7c56fb5e For Mac OS X v10.6.8 The download file is named: SecUpd2013-002.dmg Its SHA-1 digest is: 5da54b38ffb8c147925c3018a8f5bf30ad4ac5b1 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-002.dmg Its SHA-1 digest is: b20271f019930fe894c2247a6d5e05f00568b583 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRrjkiAAoJEPefwLHPlZEwW+AP/0x/cHS3VPY0/a98Xpmdfkdb eo9Ns5FKw6mIkUftrN6qwNAgFXWqQXNIbJ3q8ZnoxcFPakhYyPSp4XowpR79l7kG B2ZrdTx9aIn2bfHZ+h4cE8XnVL8qUDz2RxFopOGbb+wpJxl8/fehDmWokC5wCeF5 N7mnwW2s37QL73BmAMRdi6CYcJCKwhZWGFWmqiNvpFlUP+kcjU/UM1MAzOu0xsiA PD6NrWeUOWfFrcQgx/pspWGvrFyV4FLu+0wQBl9f/DiQNrwVXIr85rHtah+b1NCU pteSxQwb4kRojXdPm4+I3LKoghzGR8xD6+Xl6KdYgReSW89Di4bKM3WpbRLqhRuq 8kv38Gk3/vZDfAnuNQX09dE6EgJ0DVu86SoRQZ1iYRQoLrizVsOvyVQUojZhT47t 6l44L/5cNJd7EcaC8hdmr44cCZdMPDEqoKzn2BavH62WYXbZMPlHBDo/H2ujUUec i7XU7LA1Upw57X4wmIUU4QrlBhNBh39yRKh3katAklayFBjOMEyyL57gURvd6O77 gFOQpUQ6kgqwgQCrtNT6R96igfyu7cVxYW7XchZDHgA3n/YWOAVvXkVeeQ5OUGzC O0UYLMBpPka31yfWP23QaXpV+LW462raI6LnMvRP1245RhokTTThZw6/9xochK2V +VoeoamqaQqZGyOiObbU =vG2v -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Subscription Asset Manager 1.4 security update Advisory ID: RHSA-2014:1863-01 Product: Red Hat Subscription Asset Manager Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1863.html Issue date: 2014-11-17 CVE Names: CVE-2013-1854 CVE-2013-1855 CVE-2013-1857 CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2014-0130 ===================================================================== 1. Summary: Updated Subscription Asset Manager 1.4 packages that fix multiple security issues are now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Subscription Asset Manager for RHEL 6 Server - noarch 3. Description: Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines. Red Hat Subscription Asset Manager is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request. (CVE-2014-0130) A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected. (CVE-2013-1854) Two cross-site scripting (XSS) flaws were found in Action Pack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Action Pack. (CVE-2013-1855, CVE-2013-1857) It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component. (CVE-2013-4491) A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed. (CVE-2013-6414) It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter. Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-1854, Charlie Somerville as the original reporter of CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857, Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the original reporter of CVE-2013-6414, and Ankit Gupta as the original reporter of CVE-2013-6415. All Subscription Asset Manager users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability 921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css 921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails 1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS 1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS 1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS 1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue 6. Package List: Red Hat Subscription Asset Manager for RHEL 6 Server: Source: katello-1.4.3.28-1.el6sam_splice.src.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm noarch: katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2013-1854 https://access.redhat.com/security/cve/CVE-2013-1855 https://access.redhat.com/security/cve/CVE-2013-1857 https://access.redhat.com/security/cve/CVE-2013-4491 https://access.redhat.com/security/cve/CVE-2013-6414 https://access.redhat.com/security/cve/CVE-2013-6415 https://access.redhat.com/security/cve/CVE-2014-0130 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y SoVal0zNgx0pwtSAkS1q5/0= =i5aK -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences. Ruby on Rails is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The vulnerability is fixed in the following versions: Ruby on Rails 2.3.18, 3.1.12, and 3.2.13. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-ruby/rails < 2.3.18 >= 2.3.18 * ------------------------------------------------------------------- NOTE: Packages marked with asterisks require manual intervention! Description =========== Multiple vulnerabilities have been discovered in Ruby on Rails. Please review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to execute arbitrary SQL commands, change parameter names for form inputs and make changes to arbitrary records in the system, bypass intended access restrictions, render arbitrary views, inject arbitrary web script or HTML, or conduct cross-site request forgery (CSRF) attacks. Workaround ========== There is no known workaround at this time. Resolution ========== All Ruby on Rails 2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.18" NOTE: All applications using Ruby on Rails should also be configured to use the latest version available by running "rake rails:update" inside the application directory. NOTE: This is a legacy GLSA and stable updates for Ruby on Rails, including the unaffected version listed above, are no longer available from Gentoo. It may be possible to upgrade to the 3.2, 4.0, or 4.1 branches, however these packages are not currently stable. References ========== [ 1 ] CVE-2010-3933 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3933 [ 2 ] CVE-2011-0446 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0446 [ 3 ] CVE-2011-0447 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0447 [ 4 ] CVE-2011-0448 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0448 [ 5 ] CVE-2011-0449 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0449 [ 6 ] CVE-2011-2929 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929 [ 7 ] CVE-2011-2930 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930 [ 8 ] CVE-2011-2931 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931 [ 9 ] CVE-2011-2932 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932 [ 10 ] CVE-2011-3186 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186 [ 11 ] CVE-2013-0155 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0155 [ 12 ] CVE-2013-0156 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0156 [ 13 ] CVE-2013-0276 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0276 [ 14 ] CVE-2013-0277 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0277 [ 15 ] CVE-2013-0333 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0333 [ 16 ] CVE-2013-1854 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854 [ 17 ] CVE-2013-1855 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855 [ 18 ] CVE-2013-1856 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856 [ 19 ] CVE-2013-1857 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-28.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . For the stable distribution (squeeze), these problems have been fixed in version 2.3.5-1.2+squeeze8. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in the version 3.2.6-5 of ruby-activerecord-3.2, version 2.3.14-6 of ruby-activerecord-2.3, version 2.3.14-7 of ruby-activesupport-2.3, version 3.2.6-6 of ruby-actionpack-3.2 and in version 2.3.14-5 of ruby-actionpack-2.3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update 2013-002 OS X Mountain Lion v10.8.4 and Security Update 2013-002 is now available and addresses the following: CFNetwork Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: An attacker with access to a user's session may be able to log into previously accessed sites, even if Private Browsing was used Description: Permanent cookies were saved after quitting Safari, even when Private Browsing was enabled. This issue was addressed by improved handling of cookies. CVE-ID CVE-2013-0982 : Alexander Traud of www.traud.de CoreAnimation Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: Visiting a maliciously crafted site may lead to an unexpected application termination or arbitrary code execution Description: An unbounded stack allocation issue existed in the handling of text glyphs. This could be triggered by maliciously crafted URLs in Safari. The issue was addressed through improved bounds checking. CVE-ID CVE-2013-0983 : David Fifield of Stanford University, Ben Syverson CoreMedia Playback Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access issue existed in the handling of text tracks. This issue was addressed by additional validation of text tracks. CVE-ID CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation CUPS Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: A local user in the lpadmin group may be able to read or write arbitrary files with system privileges Description: A privilege escalation issue existed in the handling of CUPS configuration via the CUPS web interface. A local user in the lpadmin group may be able to read or write arbitrary files with system privileges. This issue was addressed by moving certain configuration directives to cups-files.conf, which can not be modified from the CUPS web interface. CVE-ID CVE-2012-5519 Directory Service Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: A remote attacker may execute arbitrary code with system privileges on systems with Directory Service enabled Description: An issue existed in the directory server's handling of messages from the network. This issue was addressed through improved bounds checking. This issue does not affect OS X Lion or OS X Mountain Lion systems. CVE-ID CVE-2013-0984 : Nicolas Economou of Core Security Disk Management Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: A local user may disable FileVault Description: A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication. CVE-ID CVE-2013-0985 OpenSSL Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: An attacker may be able to decrypt data protected by SSL Description: There were known attacks on the confidentiality of TLS 1.0 when compression was enabled. This issue was addressed by disabling compression in OpenSSL. CVE-ID CVE-2012-4929 : Juliano Rizzo and Thai Duong OpenSSL Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Multiple vulnerabilities in OpenSSL Description: OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key. Further information is available via the OpenSSL website at http://www.openssl.org/news/ CVE-ID CVE-2011-1945 CVE-2011-3207 CVE-2011-3210 CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 CVE-2012-0050 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333 QuickDraw Manager Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of PICT images. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0975 : Tobias Klein working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'enof' atoms. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of QTIF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0987 : roob working with iDefense VCP QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of FPX files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative QuickTime Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of MP3 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative Ruby Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: Multiple vulnerabilities in Ruby on Rails Description: Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. This issue may affect OS X Lion or OS X Mountain Lion systems that were upgraded from Mac OS X 10.6.8 or earlier. Users can update affected gems on such systems by using the /usr/bin/gem utility. CVE-ID CVE-2013-0155 CVE-2013-0276 CVE-2013-0277 CVE-2013-0333 CVE-2013-1854 CVE-2013-1855 CVE-2013-1856 CVE-2013-1857 SMB Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: An authenticated user may be able to write files outside the shared directory Description: If SMB file sharing is enabled, an authenticated user may be able to write files outside the shared directory. This issue was addressed through improved access control. CVE-ID CVE-2013-0990 : Ward van Wanrooij Note: Starting with OS X 10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with a Developer ID certificate. Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed. Note: OS X Mountain Lion v10.8.4 includes the content of Safari 6.0.5. For further details see "About the security content of Safari 6.0.5" at http://http//support.apple.com/kb/HT5785 OS X Mountain Lion v10.8.4 and Security Update 2013-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.4, or Security Update 2013-002. For OS X Mountain Lion v10.8.3 The download file is named: OSXUpd10.8.4.dmg Its SHA-1 digest is: 9cf99aa1293cefdac0fb9a24ea133c80f8237b5e For OS X Mountain Lion v10.8 and v10.8.2 The download file is named: OSXUpdCombo10.8.4.dmg Its SHA-1 digest is: 3c95d0c8d0c7f43339a5f4e137e386dd5fe409c3 For OS X Lion v10.7.5 The download file is named: SecUpd2013-002.dmg Its SHA-1 digest is: cfc3bd0941d7c5838aee9e92ee087d78abff3ce7 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-002.dmg Its SHA-1 digest is: 34dff575a145e13404e7a2ee8a390d3e7c56fb5e For Mac OS X v10.6.8 The download file is named: SecUpd2013-002.dmg Its SHA-1 digest is: 5da54b38ffb8c147925c3018a8f5bf30ad4ac5b1 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-002.dmg Its SHA-1 digest is: b20271f019930fe894c2247a6d5e05f00568b583 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRrjkiAAoJEPefwLHPlZEwW+AP/0x/cHS3VPY0/a98Xpmdfkdb eo9Ns5FKw6mIkUftrN6qwNAgFXWqQXNIbJ3q8ZnoxcFPakhYyPSp4XowpR79l7kG B2ZrdTx9aIn2bfHZ+h4cE8XnVL8qUDz2RxFopOGbb+wpJxl8/fehDmWokC5wCeF5 N7mnwW2s37QL73BmAMRdi6CYcJCKwhZWGFWmqiNvpFlUP+kcjU/UM1MAzOu0xsiA PD6NrWeUOWfFrcQgx/pspWGvrFyV4FLu+0wQBl9f/DiQNrwVXIr85rHtah+b1NCU pteSxQwb4kRojXdPm4+I3LKoghzGR8xD6+Xl6KdYgReSW89Di4bKM3WpbRLqhRuq 8kv38Gk3/vZDfAnuNQX09dE6EgJ0DVu86SoRQZ1iYRQoLrizVsOvyVQUojZhT47t 6l44L/5cNJd7EcaC8hdmr44cCZdMPDEqoKzn2BavH62WYXbZMPlHBDo/H2ujUUec i7XU7LA1Upw57X4wmIUU4QrlBhNBh39yRKh3katAklayFBjOMEyyL57gURvd6O77 gFOQpUQ6kgqwgQCrtNT6R96igfyu7cVxYW7XchZDHgA3n/YWOAVvXkVeeQ5OUGzC O0UYLMBpPka31yfWP23QaXpV+LW462raI6LnMvRP1245RhokTTThZw6/9xochK2V +VoeoamqaQqZGyOiObbU =vG2v -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Subscription Asset Manager 1.4 security update Advisory ID: RHSA-2014:1863-01 Product: Red Hat Subscription Asset Manager Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1863.html Issue date: 2014-11-17 CVE Names: CVE-2013-1854 CVE-2013-1855 CVE-2013-1857 CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2014-0130 ===================================================================== 1. Summary: Updated Subscription Asset Manager 1.4 packages that fix multiple security issues are now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Subscription Asset Manager for RHEL 6 Server - noarch 3. Description: Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines. Red Hat Subscription Asset Manager is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request. (CVE-2014-0130) A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected. (CVE-2013-1854) Two cross-site scripting (XSS) flaws were found in Action Pack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Action Pack. (CVE-2013-1855, CVE-2013-1857) It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component. (CVE-2013-4491) A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed. (CVE-2013-6414) It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter. Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-1854, Charlie Somerville as the original reporter of CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857, Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the original reporter of CVE-2013-6414, and Ankit Gupta as the original reporter of CVE-2013-6415. All Subscription Asset Manager users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability 921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css 921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails 1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS 1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS 1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS 1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue 6. Package List: Red Hat Subscription Asset Manager for RHEL 6 Server: Source: katello-1.4.3.28-1.el6sam_splice.src.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm noarch: katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2013-1854 https://access.redhat.com/security/cve/CVE-2013-1855 https://access.redhat.com/security/cve/CVE-2013-1857 https://access.redhat.com/security/cve/CVE-2013-4491 https://access.redhat.com/security/cve/CVE-2013-6414 https://access.redhat.com/security/cve/CVE-2013-6415 https://access.redhat.com/security/cve/CVE-2014-0130 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y SoVal0zNgx0pwtSAkS1q5/0= =i5aK -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method. (DoS) There are vulnerabilities that are put into a state.By a third party where Denial of service via crafted inputs to methods (DoS) There is a possibility of being put into a state. Ruby on Rails is prone to a denial-of-service vulnerability. Remote attackers can exploit this issue to cause denial-of-service conditions. Versions prior to Ruby on Rails 3.2.13, 3.1.12, and 2.3.18 are vulnerable. Active Record implements object-relational mapping for accessing database entries using objects. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-ruby/rails < 2.3.18 >= 2.3.18 * ------------------------------------------------------------------- NOTE: Packages marked with asterisks require manual intervention! Description =========== Multiple vulnerabilities have been discovered in Ruby on Rails. Please review the CVE identifiers referenced below for details. Furthermore, a remote attacker may be able to execute arbitrary SQL commands, change parameter names for form inputs and make changes to arbitrary records in the system, bypass intended access restrictions, render arbitrary views, inject arbitrary web script or HTML, or conduct cross-site request forgery (CSRF) attacks. Workaround ========== There is no known workaround at this time. Resolution ========== All Ruby on Rails 2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.18" NOTE: All applications using Ruby on Rails should also be configured to use the latest version available by running "rake rails:update" inside the application directory. NOTE: This is a legacy GLSA and stable updates for Ruby on Rails, including the unaffected version listed above, are no longer available from Gentoo. It may be possible to upgrade to the 3.2, 4.0, or 4.1 branches, however these packages are not currently stable. References ========== [ 1 ] CVE-2010-3933 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3933 [ 2 ] CVE-2011-0446 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0446 [ 3 ] CVE-2011-0447 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0447 [ 4 ] CVE-2011-0448 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0448 [ 5 ] CVE-2011-0449 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0449 [ 6 ] CVE-2011-2929 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2929 [ 7 ] CVE-2011-2930 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2930 [ 8 ] CVE-2011-2931 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2931 [ 9 ] CVE-2011-2932 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2932 [ 10 ] CVE-2011-3186 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3186 [ 11 ] CVE-2013-0155 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0155 [ 12 ] CVE-2013-0156 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0156 [ 13 ] CVE-2013-0276 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0276 [ 14 ] CVE-2013-0277 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0277 [ 15 ] CVE-2013-0333 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0333 [ 16 ] CVE-2013-1854 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1854 [ 17 ] CVE-2013-1855 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1855 [ 18 ] CVE-2013-1856 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1856 [ 19 ] CVE-2013-1857 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1857 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-28.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . For the stable distribution (squeeze), these problems have been fixed in version 2.3.5-1.2+squeeze8. For the testing distribution (wheezy) and the unstable distribution (sid), these problems have been fixed in the version 3.2.6-5 of ruby-activerecord-3.2, version 2.3.14-6 of ruby-activerecord-2.3, version 2.3.14-7 of ruby-activesupport-2.3, version 3.2.6-6 of ruby-actionpack-3.2 and in version 2.3.14-5 of ruby-actionpack-2.3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2013-06-04-1 OS X Mountain Lion v10.8.4 and Security Update 2013-002 OS X Mountain Lion v10.8.4 and Security Update 2013-002 is now available and addresses the following: CFNetwork Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: An attacker with access to a user's session may be able to log into previously accessed sites, even if Private Browsing was used Description: Permanent cookies were saved after quitting Safari, even when Private Browsing was enabled. This issue was addressed by improved handling of cookies. CVE-ID CVE-2013-0982 : Alexander Traud of www.traud.de CoreAnimation Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: Visiting a maliciously crafted site may lead to an unexpected application termination or arbitrary code execution Description: An unbounded stack allocation issue existed in the handling of text glyphs. This could be triggered by maliciously crafted URLs in Safari. The issue was addressed through improved bounds checking. CVE-ID CVE-2013-0983 : David Fifield of Stanford University, Ben Syverson CoreMedia Playback Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: An uninitialized memory access issue existed in the handling of text tracks. This issue was addressed by additional validation of text tracks. CVE-ID CVE-2013-1024 : Richard Kuo and Billy Suguitan of Triemt Corporation CUPS Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: A local user in the lpadmin group may be able to read or write arbitrary files with system privileges Description: A privilege escalation issue existed in the handling of CUPS configuration via the CUPS web interface. A local user in the lpadmin group may be able to read or write arbitrary files with system privileges. This issue was addressed by moving certain configuration directives to cups-files.conf, which can not be modified from the CUPS web interface. CVE-ID CVE-2012-5519 Directory Service Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: A remote attacker may execute arbitrary code with system privileges on systems with Directory Service enabled Description: An issue existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges. This issue was addressed through improved bounds checking. This issue does not affect OS X Lion or OS X Mountain Lion systems. CVE-ID CVE-2013-0984 : Nicolas Economou of Core Security Disk Management Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: A local user may disable FileVault Description: A local user who is not an administrator may disable FileVault using the command-line. This issue was addressed by adding additional authentication. CVE-ID CVE-2013-0985 OpenSSL Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: An attacker may be able to decrypt data protected by SSL Description: There were known attacks on the confidentiality of TLS 1.0 when compression was enabled. This issue was addressed by disabling compression in OpenSSL. CVE-ID CVE-2012-4929 : Juliano Rizzo and Thai Duong OpenSSL Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Multiple vulnerabilities in OpenSSL Description: OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key. Further information is available via the OpenSSL website at http://www.openssl.org/news/ CVE-ID CVE-2011-1945 CVE-2011-3207 CVE-2011-3210 CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 CVE-2012-0050 CVE-2012-2110 CVE-2012-2131 CVE-2012-2333 QuickDraw Manager Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2 Impact: Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of PICT images. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0975 : Tobias Klein working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of 'enof' atoms. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP's Zero Day Initiative QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue existed in the handling of QTIF files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0987 : roob working with iDefense VCP QuickTime Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: Viewing a maliciously crafted FPX file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of FPX files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0988 : G. Geshev working with HP's Zero Day Initiative QuickTime Available for: OS X Mountain Lion v10.8 to v10.8.3 Impact: Playing a maliciously crafted MP3 file may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow existed in the handling of MP3 files. This issue was addressed through improved bounds checking. CVE-ID CVE-2013-0989 : G. Geshev working with HP's Zero Day Initiative Ruby Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8 Impact: Multiple vulnerabilities in Ruby on Rails Description: Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. This issue may affect OS X Lion or OS X Mountain Lion systems that were upgraded from Mac OS X 10.6.8 or earlier. Users can update affected gems on such systems by using the /usr/bin/gem utility. CVE-ID CVE-2013-0155 CVE-2013-0276 CVE-2013-0277 CVE-2013-0333 CVE-2013-1854 CVE-2013-1855 CVE-2013-1856 CVE-2013-1857 SMB Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3 Impact: An authenticated user may be able to write files outside the shared directory Description: If SMB file sharing is enabled, an authenticated user may be able to write files outside the shared directory. This issue was addressed through improved access control. CVE-ID CVE-2013-0990 : Ward van Wanrooij Note: Starting with OS X 10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with a Developer ID certificate. Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed. Note: OS X Mountain Lion v10.8.4 includes the content of Safari 6.0.5. For further details see "About the security content of Safari 6.0.5" at http://http//support.apple.com/kb/HT5785 OS X Mountain Lion v10.8.4 and Security Update 2013-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The Software Update utility will present the update that applies to your system configuration. Only one is needed, either OS X Mountain Lion v10.8.4, or Security Update 2013-002. For OS X Mountain Lion v10.8.3 The download file is named: OSXUpd10.8.4.dmg Its SHA-1 digest is: 9cf99aa1293cefdac0fb9a24ea133c80f8237b5e For OS X Mountain Lion v10.8 and v10.8.2 The download file is named: OSXUpdCombo10.8.4.dmg Its SHA-1 digest is: 3c95d0c8d0c7f43339a5f4e137e386dd5fe409c3 For OS X Lion v10.7.5 The download file is named: SecUpd2013-002.dmg Its SHA-1 digest is: cfc3bd0941d7c5838aee9e92ee087d78abff3ce7 For OS X Lion Server v10.7.5 The download file is named: SecUpdSrvr2013-002.dmg Its SHA-1 digest is: 34dff575a145e13404e7a2ee8a390d3e7c56fb5e For Mac OS X v10.6.8 The download file is named: SecUpd2013-002.dmg Its SHA-1 digest is: 5da54b38ffb8c147925c3018a8f5bf30ad4ac5b1 For Mac OS X Server v10.6.8 The download file is named: SecUpdSrvr2013-002.dmg Its SHA-1 digest is: b20271f019930fe894c2247a6d5e05f00568b583 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJRrjkiAAoJEPefwLHPlZEwW+AP/0x/cHS3VPY0/a98Xpmdfkdb eo9Ns5FKw6mIkUftrN6qwNAgFXWqQXNIbJ3q8ZnoxcFPakhYyPSp4XowpR79l7kG B2ZrdTx9aIn2bfHZ+h4cE8XnVL8qUDz2RxFopOGbb+wpJxl8/fehDmWokC5wCeF5 N7mnwW2s37QL73BmAMRdi6CYcJCKwhZWGFWmqiNvpFlUP+kcjU/UM1MAzOu0xsiA PD6NrWeUOWfFrcQgx/pspWGvrFyV4FLu+0wQBl9f/DiQNrwVXIr85rHtah+b1NCU pteSxQwb4kRojXdPm4+I3LKoghzGR8xD6+Xl6KdYgReSW89Di4bKM3WpbRLqhRuq 8kv38Gk3/vZDfAnuNQX09dE6EgJ0DVu86SoRQZ1iYRQoLrizVsOvyVQUojZhT47t 6l44L/5cNJd7EcaC8hdmr44cCZdMPDEqoKzn2BavH62WYXbZMPlHBDo/H2ujUUec i7XU7LA1Upw57X4wmIUU4QrlBhNBh39yRKh3katAklayFBjOMEyyL57gURvd6O77 gFOQpUQ6kgqwgQCrtNT6R96igfyu7cVxYW7XchZDHgA3n/YWOAVvXkVeeQ5OUGzC O0UYLMBpPka31yfWP23QaXpV+LW462raI6LnMvRP1245RhokTTThZw6/9xochK2V +VoeoamqaQqZGyOiObbU =vG2v -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Subscription Asset Manager 1.4 security update Advisory ID: RHSA-2014:1863-01 Product: Red Hat Subscription Asset Manager Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1863.html Issue date: 2014-11-17 CVE Names: CVE-2013-1854 CVE-2013-1855 CVE-2013-1857 CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2014-0130 ===================================================================== 1. Summary: Updated Subscription Asset Manager 1.4 packages that fix multiple security issues are now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Subscription Asset Manager for RHEL 6 Server - noarch 3. Description: Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines. Red Hat Subscription Asset Manager is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request. (CVE-2014-0130) A flaw was found in the way Ruby on Rails handled hashes in certain queries. (CVE-2013-1854) Two cross-site scripting (XSS) flaws were found in Action Pack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Action Pack. (CVE-2013-1855, CVE-2013-1857) It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component. (CVE-2013-4491) A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed. (CVE-2013-6414) It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter. Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-1854, Charlie Somerville as the original reporter of CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857, Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the original reporter of CVE-2013-6414, and Ankit Gupta as the original reporter of CVE-2013-6415. All Subscription Asset Manager users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability 921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css 921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails 1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS 1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS 1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS 1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue 6. Package List: Red Hat Subscription Asset Manager for RHEL 6 Server: Source: katello-1.4.3.28-1.el6sam_splice.src.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm noarch: katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2013-1854 https://access.redhat.com/security/cve/CVE-2013-1855 https://access.redhat.com/security/cve/CVE-2013-1857 https://access.redhat.com/security/cve/CVE-2013-4491 https://access.redhat.com/security/cve/CVE-2013-6414 https://access.redhat.com/security/cve/CVE-2013-6415 https://access.redhat.com/security/cve/CVE-2014-0130 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y SoVal0zNgx0pwtSAkS1q5/0= =i5aK -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce