Red Hat Enterprise Linux: Updated libpcap packages that fix one bug are now available for Red Hat Enterprise Linux 7.
Monthly Archives: December 2014
USN-2434-1: JasPer vulnerability
Ubuntu Security Notice USN-2434-1
8th December, 2014
jasper vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
JasPer could be made to crash or run programs as your login if it opened a
specially crafted file.
Software description
- jasper – Library for manipulating JPEG-2000 files
Details
Jose Duart discovered that JasPer incorrectly handled certain malformed
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash
or possibly execute arbitrary code with user privileges.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10: libjasper1 1.900.1-debian1-2ubuntu0.1
- Ubuntu 14.04 LTS: libjasper1 1.900.1-14ubuntu3.1
- Ubuntu 12.04 LTS: libjasper1 1.900.1-13ubuntu0.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-2434-2: Ghostscript vulnerability
Ubuntu Security Notice USN-2434-2
8th December, 2014
ghostscript vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 10.04 LTS
Summary
Ghostscript could be made to crash or run programs as your login if it
opened a specially crafted file.
Software description
- ghostscript – PostScript and PDF interpreter
Details
USN-2434-1 fixed a vulnerability in JasPer. This update provides the
corresponding fix for the JasPer library embedded in the Ghostscript
package.
Original advisory details:
Jose Duart discovered that JasPer incorrectly handled certain malformed
JPEG-2000 image files. If a user were tricked into opening a specially
crafted JPEG-2000 image file, a remote attacker could cause JasPer to crash
or possibly execute arbitrary code with user privileges.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 10.04 LTS: libgs8 8.71.dfsg.1-0ubuntu5.6
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
Interesting Backdoor
Posted by Alfred Baroti on Dec 09
Hi,
I was wondering if someone has found something similar to this. I didn't find anything similar to this before.
Here is:
root () pay1-test:~# ssh zimadmin () 0
zimadmin () 0's password:
——-;i——————————————
—–.,if——————————————
—–,tLE,————–..:;ji———————
—-;ittL;———-.;;;tjfGj.———————…
Humhub SQL injection and multiple persistent XSS vulnerabilities
Posted by A. W. on Dec 09
[+] Humhub [1] SQL injection vulnerability
[+] Discovered by: Jos Wetzels, Emiel Florijn
[+] Affects: Humhub <= 0.10.0-rc.1
The Humhub social networking kit versions 0.10.0-rc.1 and prior suffer
from an SQL injection vulnerability, which has now been resolved in
cooperation with the vendor [2], in its notification listing
functionality, allowing an attacker to obtain backend database access.
In the actionIndex() function located in…
ISC Releases Security Updates for BIND
Original release date: December 08, 2014
The Internet Systems Consortium (ISC) has released security updates to address multiple vulnerabilities in BIND, one of which may allow a remote attacker to cause a denial of service.
Updates available include:
- BIND 9 version 9.9.6-P1
- BIND 9 version 9.10.1-P1
Users and administrators are encouraged to review ISC Knowledge Base Articles AA-01216 and AA-01217 and apply the necessary updates.
Vuln: OpenSSL 'so_ssl3_write()' Function NULL Pointer Dereference Denial of Service Vulnerability
Vuln: OpenSSL CVE-2014-3470 Denial of Service Vulnerability
Gentoo Linux Security Advisory 201412-04
Gentoo Linux Security Advisory 201412-4 – Multiple vulnerabilities have been found in libvirt, worst of which allows context-dependent attackers to escalate privileges. Versions less than 1.2.9-r2 are affected.
Gentoo Linux Security Advisory 201412-03
Gentoo Linux Security Advisory 201412-3 – A vulnerability in Dovecot could allow a remote attacker to create a Denial of Service condition. Versions less than 2.2.13 are affected.