Posted by oststrom (public) on Oct 13
Hash: SHA1
*Preliminary VulnNote*
CVE-2014-2023 – Tapatalk for vbulletin 4.x – multiple blind sql injection
(pre-auth)
============================================================================
========
Overview
——–
date : 10/12/2014
cvss : 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N) base
cwe : 89
vendor : Tapatalk Inc
product : Tapatalk for vBulletin 4.x
versions affected: latest (to…
Posted by Dirk-Willem van Gulik on Oct 13
Security Advisory
DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.)
CVE-2014-3671
references:
CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278
CVE-2014-7186 and, CVE-2014-7187
* Summary:
Above CVEs detail a number of flaws in bash prior related to the parsing
of environment variables (aka BashBug, Shellshock). Several networked
vectors for…
Posted by E Boogie on Oct 13
I’ve done a little more testing and what I’ve found is pretty startling.
I tested on a Galaxy Note 2 running Android 4.4.2 and the CSP bypass worked.
I also tested on an old version of Safari on an iPad (Safari/7534.48.3) and
the CSP bypass also worked.
If you are so kind, please use ejj.io/test.php to test this for me. If it
worked, please press the “IT WORKED” button.
This way I can compile a large finger print of…
Resolved Bugs
1133439 – CVE-2014-5447 CVE-2014-5448 CVE-2014-5449 CVE-2014-5450 zarafa: multiple default permission issues
1133442 – zarafa: multiple default permission issues [epel-all]<br
Zarafa Collaboration Platform 7.1.11 final R1 [46050]
=====================================================
General
——-
This R1 release of the 7.1.11 final release addresses the WebAccess install problem on RPM-based systems and resolves the dependencies problems under Ubuntu 14.04.
Backend
——-
* ZCP-12472: zarafa-search crashes on ubuntu 14.0.4 LTS
* ZCP-12405: zarafa-search do not start on Ubuntu 14.04
* ZCP-12581: config files are being saved as config.cfg.dpkg-new on ubuntu 14.04
* ZCP-12570: install.sh for Ubuntu 14.04
* ZCP-12582: installing webaccess on rhel based systems result in scriptlet failed, exit status 1
Zarafa Collaboration Platform 7.1.11 final [45875]
==================================================
General
——-
This release brings a few new features while maintaining stability. With this release we address a few segfaults in zarafa-search to match this final release.
Backend
——-
* ZCP-11809: zarafa-gateway is unable to create RTF text stream
* ZCP-11862: zarafa-backup zarafa-restore breaks textfiles
* ZCP-11934: Enhance MariaDB support by modifying sql_mode
* ZCP-12012: zarafa-server segfaults when running zarafa-stats –system
* ZCP-12097: Disposition-Notification-To double colons in middle of line. dagent crashes
* ZCP-12110: Segfault zarafa-server 7.1.8 R1
* ZCP-12127: Support for Apache 2.4
* ZCP-12134: Randomly lost e-mail attachments in e-mails
* ZCP-12266: [BIG5] Customer requires an option to set the default character encoding of incoming mail when no encoding is set.
* ZCP-12269: public folder shows MAPI_E_STORE_FULL when creating new element
* ZCP-12272: WebAccess: .htaccess is not marked as a configuration file in rpm
* ZCP-12436: jpegPhoto included twice in ldap.propmap.cfg
* ZCP-12500: Zarafa stores rfc enforced linebreaks as actual line breaks
* ZCP-12511: zarafa-gateway is unable to create RTF text stream
* ZCP-12537: ical issue when password contains a colon
* ZCP-12547: As a hoster I need a way to reduce the performance impact on LDAP caused by zarafa-licensed.
* ZCP-12563: Create configuration setting to indicate if folder owners automatically get full access rights or not
* ZCP-12548: zarafa-search segfault
Resolved Bugs
965511 – davfs2 package should be built with PIE flags<br
Add global harderning flags – RHBZ 965511
Pour yourself a cup of coffee; this could take a while.
We are all used to the monthly Patch Tuesdays from Microsoft and Adobe, but this month the quarterly updates from Oracle, the parent of problem child Java SE, coincide, making it a pretty big day for securing your system. Avast experts agree that one of the most important steps you can take to securing your data and devices is to make sure that you keep your software up-to-date.
Microsoft
Microsoft leads off the normal Patch Tuesday with the release of 9 security updates across products including a critical patch of Internet Explorer, all supported versions of Windows, and the .NET development framework.
Oracle
Oracle’s Critical Patch Update is a collection of patches for multiple security vulnerabilities. It contains 155 new security fixes across hundreds of Oracle products; 25 of them for Oracle Java SE. Oracle warns that “these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. “ That’s not good, if you were wondering.
“I would suggest removing Java if possible or at least turning it off in all your browsers,” advises Jiri Sejtko, director of AVAST Virus Lab operations. Here are removal instructions for the most popular browsers: How do I disable Java in my browser?
Adobe
It is hoped that Adobe’s Tuesday update will include a plug for the big Digital Editions e-book and PDF reader hole, but more likely it will be next week. In a statement to the American Library Association, Adobe reports they “expect an update to be available no later than the week of October 20†in terms of transmission of reader data.
Tuesday’s patch will probably include a fix for bugs in Adobe Flash Player.
avast! Software Updater shows you an overview of all your outdated software applications, so you can keep them up to date and eliminate any security vulnerabilities. All avast! security products inform you whenever any of your 3rd party applications are out-of-date and you can apply updates manually by clicking the ‘Fix now’ button next to each conflicting application. avast! Premier can be configured to perform these updates automatically.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
CMS Subkarma suffers from cross site scripting and remote SQL injection vulnerabilities. Note that this finding houses site-specific data.
