Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the RID parameter.
Monthly Archives: January 2015
CVE-2014-8268
QPR Portal before 2012.2.1 allows remote attackers to modify or delete notes via a direct request.
CVE-2015-0870
Cross-site scripting (XSS) vulnerability in hb.cgi in Nishishi Factory Fumy News Clipper 2.x before 2.5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-0926
Labtech before 100.237 on Linux uses world-writable permissions for root-executed scripts, which allows local users to gain privileges by modifying a script file.
Fedora 20 Security Update: pigz-2.3.3-1.fc20
Resolved Bugs
1181045 – CVE-2015-1191 pigz: directory traversal vulnerability
1181046 – pigz: directory traversal vulnerability [fedora-all]
Update to 2.3.3, fixes CVE-2015-1191:
– Return zero exit code when only warnings are issued
– Increase speed of unlzw (Unix compress decompression)
– Update zopfli to current google state
– Allow larger maximum blocksize (-b), now 512 MiB
– Do not require that -d precede -N, -n, -T options
– Strip any path from header name for -dN or -dNT
– Remove use of PATH_MAX (PATH_MAX is not reliable)
– Do not abort on inflate data error, do remaining files
– Check gzip header CRC if present
– Improve decompression error detection and reporting
Fedora 21 Security Update: pigz-2.3.3-1.fc21
Resolved Bugs
1181045 – CVE-2015-1191 pigz: directory traversal vulnerability
1181046 – pigz: directory traversal vulnerability [fedora-all]
Update to 2.3.3, fixes CVE-2015-1191 (same changelog as the Fedora 20 pigz update above).
Fedora 20 Security Update: kernel-3.18.5-100.fc20
Resolved Bugs
1186448 – CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code
1186453 – CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code [fedora-all]
The 3.18.5 stable update contains a number of important fixes across the tree.
The 3.18.4 stable update contains a number of new features and drivers as well as several important fixes across the tree.
Fedora 21 Security Update: kernel-3.18.5-200.fc21
Resolved Bugs
1186448 – CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code
1186453 – CVE-2015-0239 kernel: kvm: insufficient sysenter emulation when invoked from 16-bit code [fedora-all]
The 3.18.5 stable update contains a number of important fixes across the tree.
The 3.18.4 stable update contains a number of important fixes across the tree.
SnipSnap 0.5.2a / 1.0b1 / 1.0b2 Cross Site Scripting
SnipSnap versions 0.5.2a, 1.0b1, and 1.0b2 suffer from a cross-site scripting vulnerability. This vulnerability was already previously discovered by Sony in February of 2012.
Fedora EPEL 7 Security Update: pigz-2.3.3-1.el7
Resolved Bugs
1181045 – CVE-2015-1191 pigz: directory traversal vulnerability
1181047 – pigz: directory traversal vulnerability [epel-all]
Update to 2.3.3, fixes CVE-2015-1191 (same changelog as the Fedora 20 pigz update above).