Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. (CVSS:4.3) (Last Update:2013-12-30)
Monthly Archives: December 2013
WatchGuard Technologies' Top 8 Security Predictions for 2014
Could a Hollywood hack come true? Will there be a U.S. Healthcare.gov data breach? Should you expect CryptoLocker clones?
CVE-2013-7127 (mac_os_x, safari)
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file.
CVE-2013-3140 (internet_explorer)
Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted CMarkup object, aka “Internet Explorer Use After Free Vulnerability.”
CVE-2013-5045 (internet_explorer)
Microsoft Internet Explorer 10 and 11 allows local users to bypass the Protected Mode protection mechanism, and consequently gain privileges, by leveraging the ability to execute sandboxed code, aka “Internet Explorer Elevation of Privilege Vulnerability.”
WatchGuard Technologies Named 'Best Next Gen Firewall Vendor'
Strong channel commitment in the Middle East Region drives award recognition
CVE-2013-7020 (debian_linux, ffmpeg)
The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 does not properly enforce certain bit-count and colorspace constraints, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted FFV1 data.
CVE-2013-6410 (debian_linux, nbd, ubuntu_linux)
nbd-server in Network Block Device (nbd) before 3.5 does not properly check IP addresses, which might allow remote attackers to bypass intended access restrictions via an IP address that has a partial match in the authfile configuration file.
UPDATED VMSA-2013-0007.1 VMware ESX third partyupdate for Service Console package sudo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2013-0007.1
Synopsis: VMware ESX third party update for Service Console package sudo
Issue date: 2013-05-30
Updated on: 2013-12-05
CVE number: CVE-2012-2337, CVE-2012-3440
- - -----------------------------------------------------------------------
1. Summary
VMware ESX third party update for Service Console package sudo
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201305001
3. Problem Description
a. Service Console update for sudo
The service console package sudo is updated to version
1.7.2p1-14.el5_8.3
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2337 and CVE-2012-3440 to the issues
addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMwareProductRunningReplace with/
ProductVersiononApply Patch
============================================
ESXianyESXinot affected
ESX4.1ESXESX410-201312401-SG
ESX4.0ESXESX400-201305402-SG
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi and ESX
--------------------------
http://www.vmware.com/patchmgr/download.portal
ESX 4.1
-------
File: ESX410-201312001.zip
Build: 1368001
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG
ESX 4.0
-------
File: ESX400-201305001.zip
Build: 1070634
md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
https://kb.vmware.com/kb/2044240
ESX400-201305001 contains ESX400-201305402-SG
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3440
- - -----------------------------------------------------------------------
6. Change log
2013-05-30 VMSA-2013-0007
Initial security advisory in conjunction with the release of ESX 4.0
patches on 2013-05-30.
2013-12-05 VMSA-2013-0007.1
Security advisory update in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- - -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUgMACgkQDEcm8Vbi9kOk1QCfSIni5b2S0/kH5GOrBijlsGIq
HgoAoJqxCyke7a/OO3aGzBXZaZLZeLa4
=8fBO
-----END PGP SIGNATURE-----
UPDATED VMSA-2013-0007.1 VMware ESX third partyupdate for Service Console package sudo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2013-0007.1
Synopsis: VMware ESX third party update for Service Console package sudo
Issue date: 2013-05-30
Updated on: 2013-12-05
CVE number: CVE-2012-2337, CVE-2012-3440
- - -----------------------------------------------------------------------
1. Summary
VMware ESX third party update for Service Console package sudo
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201305001
3. Problem Description
a. Service Console update for sudo
The service console package sudo is updated to version
1.7.2p1-14.el5_8.3
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2337 and CVE-2012-3440 to the issues
addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMwareProductRunningReplace with/
ProductVersiononApply Patch
============================================
ESXianyESXinot affected
ESX4.1ESXESX410-201312401-SG
ESX4.0ESXESX400-201305402-SG
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi and ESX
--------------------------
http://www.vmware.com/patchmgr/download.portal
ESX 4.1
-------
File: ESX410-201312001.zip
Build: 1368001
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG
ESX 4.0
-------
File: ESX400-201305001.zip
Build: 1070634
md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
https://kb.vmware.com/kb/2044240
ESX400-201305001 contains ESX400-201305402-SG
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3440
- - -----------------------------------------------------------------------
6. Change log
2013-05-30 VMSA-2013-0007
Initial security advisory in conjunction with the release of ESX 4.0
patches on 2013-05-30.
2013-12-05 VMSA-2013-0007.1
Security advisory update in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- - -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUgMACgkQDEcm8Vbi9kOk1QCfSIni5b2S0/kH5GOrBijlsGIq
HgoAoJqxCyke7a/OO3aGzBXZaZLZeLa4
=8fBO
-----END PGP SIGNATURE-----