cmanager 0.32 does not properly enforce nesting when modifying cgroup properties, which allows local users to set cgroup values for all cgroups via unspecified vectors.
Monthly Archives: January 2015
CVE-2014-9221
strongSwan 4.5.x through 5.2.x before 5.2.1 allows remote attackers to cause a denial of service (invalid pointer dereference) via a crafted IKEv2 Key Exchange (KE) message with Diffie-Hellman (DH) group 1025.
CVE-2014-9493
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.
CVE-2014-9569
Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver Business Client (NWBC) for HTML 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) roundtrips parameter, aka SAP Security Note 2051285.
CVE-2015-0361
Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown.
Call for papers – BSides Ljubljana – March 12th, 2015 in Ljubljana, Slovenia
Posted by Andraz Sraka on Jan 07
-=[ #BSidesLjubljana ]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Event info:
#BSidesLjubljana – http://bsidesljubljana.si
Date: March 12th, 2015
Venue: Ljubljana, Slovenia, Europe
CFP: http://bsidesljubljana.si/cfp/
-=[ CALL FOR PAPERS ]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
First Security B-Sides Ljubljana [1] is about to *happen*.
BSides is a community-driven information security conference
that will be held March 12th in Ljubljana, Slovenia,…
SA-CONTRIB-2015-010 – Log Watcher – Cross Site Request Forgery (CSRF)
- Advisory ID: DRUPAL-SA-CONTRIB-2015-010
- Project: Log Watcher (third-party module)
- Version: 6.x
- Date: 2015-January-07
- Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Request Forgery
Description
Log Watcher allows you to monitor your site logs in a systematic way by setting up scheduled aggregations for specific log types.
The report administration links are not properly protected from CSRF. A malicious user could cause a log administrator to enable, disable, or delete a Log Watcher report by getting the administrator’s browser to make a request to a specially-crafted URL while the administrator was logged in.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Log Watcher 6.x-1.x versions prior to 6.x-1.2.
Drupal core is not affected. If you do not use the contributed Log Watcher module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Log Watcher module for Drupal 6.x, upgrade to Log Watcher 6.x-1.2
Also see the Log Watcher project page.
Reported by
- Pere Orga, provisional member of the Drupal Security Team
Fixed by
- David Norman, the module maintainer
Coordinated by
- Owen Barton of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
The Privacy Fear Factor: How Tech Is Failing To Serve the 50+
As Ann Karpf, the British journalist and sociologist reported in her January 4, 2015 New York Times Op-Ed piece on “The Liberation of Growing Old”: “Ageism has been described as prejudice against one’s future self. It tells us that age is our defining characteristic and that, as midnight strikes on a milestone birthday, we will become nothing but old — emptied of our passions, abilities and experience, infused instead with frailty and decline.”
Well said. But sadly, this is a construct that, while wrong, pretty much rings true when we look at how tech companies market to Boomers and Seniors – aka, those aged 50+ – at present.
Indeed, two in five Boomers and Seniors think tech companies patronize them according to our survey of 50+ as part of our most recent edition of the AVG Digital Diaries consumer research series.
However, the majority of 50+ that we surveyed do NOT consider themselves novice users. Most of us consider ourselves “average” tech users (76%); 10% think of ourselves as experts – and only 16% describe themselves as novice.
Earlier this week, I highlighted these findings at the Lifelong Tech Summit as part of the 2015 Consumer Electronics Show in Las Vegas.
I was honored and delighted to address the assemblage on the topic because I believe the tech industry in general overlooks – if not neglects – the 50+ consumer segment.
Equally important, my talk on “The Privacy Fear Factor,” focused on what the tech industry needs to do to better serve the needs of the 50+ market – around the issues of data protection and online privacy. This has become an everyday issue and question of fundamental human rights for all of us at any age.
This is especially true for those 50+. We fiercely believe at AVG that regardless of age, people need to know that they don’t have to give up their privacy every time they go online.
But the nagging question remains: why are Boomers and Seniors being undervalued and/or patronized by our industry when they represent a $3 trillion opportunity (U.S. dollars in disposable income)?
A basic tenet of marketing is that you have to first understand a market’s dynamics before you can address a market. And therein lies the heart of the issue.
In my view, the industry needs an attitude adjustment regarding the 50+ market. And I look forward to continuing dialogue on this topic – and in addressing this important demographic.
I’ll close with more of Karpf’s eloquent take on aging:
“How to enable the growing numbers of old people to live comfortable, meaningful lives is a fundamental issue of equality, with benefits for all. If we make the world better for old people, we make it better for everyone, from stroller pushers to wheelchair-users.”
CVE-2014-3779
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.
CVE-2014-8993
Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev40, 7.6.0 before 7.6.0-rev32, and 7.6.1 before 7.6.1-rev11 allows remote attackers to inject arbitrary web script or HTML via a crafted XHTML file with the application/xhtml+xml MIME type.