US-CERT is aware of a Bash vulnerability affecting Unix-based operating systems such as Linux and Mac OS X. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. Â US-CERT recommends users and administrators review the Redhat Security Blog for additional details and to refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. A GNU Bash patch is also available for experienced users and administrators to implement.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:186
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : bash
Date : September 24, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override or
bypass environment restrictions to execute shell commands. Certain
services and applications allow remote unauthenticated attackers to
provide environment variables, allowing them to exploit this issue
(CVE-2014-6271).
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
https://rhn.redhat.co
SEATTLE–A typical phishing or Web-based malware attack usually isn’t terribly complex. But they need a few things in order to work, and one of the key components often is a malicious domain. Researchers spend a lot of time identifying and taking these domains down, but some researchers now are trying to stay a step ahead […]
A vulnerability in the Mozilla NSS library could allow an attacker to forge an RSA signature, such as an SSL certificate. The package is often included in 3rd party software, including Linux distributions, Google Chrome, and others. It is possible that other cryptographic libraries may be similarly affected.
US-CERT recommends users and administrators review Vulnerability Note VU#772676, Mozilla Foundation Security Advisory 2014-73, and Google Stable Channel Update Blog for additional information and mitigation details.
SEATTLE–For many years, Microsoft and other large software vendors resisted the idea of providing bug bounties or other financial incentives for researchers to report vulnerabilities. That changed when the landscape began to shift and more researchers began reporting vulnerabilities through brokers or selling them on the open market. While bounties have now become commonplace, simply […]
A critical remote code execution vulnerability in Bash, present in almost all Linux, UNIX and Mac OS X deployments, has been discovered. Experts advise immediate patching.
This module enables you to easily add SMS and VOIP functionality to your website by leveraging the Twilio cloud Voip and SMS service.
The module doesn’t expose its own permissions for administration including viewing and editing the Twilio authentication tokens. It relies only on “access administration pages” permission which is frequently granted to less-trusted users.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access administration pages”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Twilio 7.x-1.x versions prior to 7.x-1.9.
Drupal core is not affected. If you do not use the contributed Twilio module,
there is nothing you need to do.
Solution
Install the latest version:
If you use the Twiliio module for Drupal 7.x, upgrade to Twilio 7.x-1.9
The Webform Patched module is a fork of the Webform module with Token support added. The module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site.
The module doesn’t sufficiently sanitize field label titles when two fields have the same form_key, which can only be managed by carefully crafting the webform structure via a specific set of circumstances.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “create webform content”.
CVE identifier(s) issued
A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
Webform Patched 6.x-3.x versions prior to 6.x-3.20.
Webform Patched 7.x-3.x versions prior to 7.x-3.20.
Drupal core is not affected. If you do not use the contributed Webform Patched module,
there is nothing you need to do.