USN-2487-1: OpenJDK 7 vulnerabilities

Ubuntu Security Notice USN-2487-1

27th January, 2015

openjdk-7 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in OpenJDK 7.

Software description

  • openjdk-7
    – Open Source Java implementation

Details

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure, data integrity and availability. An attacker could
exploit these to cause a denial of service or expose sensitive data over
the network. (CVE-2014-3566, CVE-2014-6587, CVE-2014-6601, CVE-2015-0395,
CVE-2015-0408, CVE-2015-0412)

Several vulnerabilities were discovered in the OpenJDK JRE related to
information disclosure. An attacker could exploit these to expose sensitive
data over the network. (CVE-2014-6585, CVE-2014-6591, CVE-2015-0400,
CVE-2015-0407)

A vulnerability was discovered in the OpenJDK JRE related to
information disclosure and integrity. An attacker could exploit this to
expose sensitive data over the network. (CVE-2014-6593)

A vulnerability was discovered in the OpenJDK JRE related to integrity and
availability. An attacker could exploit this to cause a denial of service.
(CVE-2015-0383)

A vulnerability was discovered in the OpenJDK JRE related to availability.
An attacker could exploit this to cause a denial of service.
(CVE-2015-0410)

A vulnerability was discovered in the OpenJDK JRE related to data
integrity. (CVE-2015-0413)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • openjdk-7-jre-zero
    – 7u75-2.5.4-1~utopic1
  • openjdk-7-source
    – 7u75-2.5.4-1~utopic1
  • icedtea-7-jre-jamvm
    – 7u75-2.5.4-1~utopic1
  • openjdk-7-jre-lib
    – 7u75-2.5.4-1~utopic1
  • openjdk-7-jre-headless
    – 7u75-2.5.4-1~utopic1
  • openjdk-7-jre
    – 7u75-2.5.4-1~utopic1

Ubuntu 14.04 LTS:
  • openjdk-7-jre-zero
    – 7u75-2.5.4-1~trusty1
  • openjdk-7-source
    – 7u75-2.5.4-1~trusty1
  • icedtea-7-jre-jamvm
    – 7u75-2.5.4-1~trusty1
  • openjdk-7-jre-lib
    – 7u75-2.5.4-1~trusty1
  • openjdk-7-jre-headless
    – 7u75-2.5.4-1~trusty1
  • openjdk-7-jre
    – 7u75-2.5.4-1~trusty1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

This update contains a known regression in the Zero alternative Java
Virtual Machine on PowerPC and a future update will correct this issue. See
https://launchpad.net/bugs/1415282 for details. We apologize for the
inconvenience.

References

CVE-2014-3566, CVE-2014-6585, CVE-2014-6587, CVE-2014-6591, CVE-2014-6593,
CVE-2014-6601, CVE-2015-0383, CVE-2015-0395, CVE-2015-0400, CVE-2015-0407,
CVE-2015-0408, CVE-2015-0410, CVE-2015-0412, CVE-2015-0413

Infographic: Privacy tips for business

Privacy plays a growing part in customer buying decisions. With every data breach, trust is eroded further.

Privacy and security are intertwined when it comes to our individual information. Consumers are becoming increasingly aware of the value of their personal data, so that means that businesses have to step up and do a better job of securing that data. Identity theft is the #1 fear of consumers, but for your business the risk is loss of trust and brand damage.

Since trust is the core of any transaction, it’s important to know how privacy factors into your customers’ buying decisions. Research shows that almost 40% of consumers made buying decisions based upon privacy. Those consumers were found to be aged 46-65 and to have the highest incomes. But don’t rely on the business of the younger generation to supplant that once trust is lost; 27% of millennials abandoned an online purchase in the past month due to privacy or security concerns.

To mark Data Privacy Day on January 28, the following Privacy is Good for Business tips were created by privacy experts in civil-society, non-profit, government and industry and aspire to help business address the public’s growing privacy concerns:


  • If you collect it, protect it. Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access.
  • Be open and honest about how you collect, use and share consumers’ personal information. Think about how the consumer may expect their data to be used.
  • Build trust by doing what you say you will do. Communicate clearly and concisely to the public about what privacy means to your organization and the steps you take to achieve and maintain privacy.
  • Create a culture of privacy in your organization. Explain to and educate employees about the importance and impact of protecting consumer and employee information as well as the role they play in keeping it safe.
  • Don’t count on your privacy notice as your only tool to educate consumers about your data practices.
  • Conduct due diligence and maintain oversight of partners and vendors. You are also responsible for how they collect and use personal information.

Qualys Security Advisory CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow

Posted by Qualys Security Advisory on Jan 28

Qualys Security Advisory CVE-2015-0235

GHOST: glibc gethostbyname buffer overflow

--[ Contents ]---------------------------------------------------------------

1 – Summary
2 – Analysis
3 – Mitigating factors
4 – Case studies
5 – Exploitation
6 – Acknowledgments

--[ 1 - Summary ]------------------------------------------------------------

During a code audit performed internally at Qualys, we discovered a
buffer overflow in the…

Reflecting XSS vulnerabilities in CMS Saurus v. 4.7 (CE)

Posted by Steffen Rösemann on Jan 28

Advisory: Reflecting XSS vulnerabilities in CMS Saurus v. 4.7 (CE)
Advisory ID: SROEADV-2015-05
Author: Steffen Rösemann
Affected Software: CMS Saurus v. 4.7 (CE, released: 12.08.2014)
Vendor URL: http://www.saurus.info
Vendor Status: patched
CVE-ID: –

==========================
Vulnerability Description:
==========================

The administrative backend of the Content Management System Saurus CMS v.
4.7 (Community edition, released:…

CVE-2015-1042 – Mantis BugTracker 1.2.19 – URL Redirection to Untrusted Site ('Open Redirect')

Posted by Popovici, Alejo (LATCO – Buenos Aires) on Jan 28

Mantis BugTracker 1.2.19 URL Redirection to Untrusted Site (‘Open Redirect’)

******************************************************************************

– Affected Vendor: Mantis
– Affected System: BugTracker 1.2.19
– Vulnerabilities’ Status: Fixed

******************************************************************************

– Associated CWEs:

CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)…

[AMPLIA-ARA100614] OS X Gatekeeper Bypass Vulnerability

Posted by Amplia Security Advisories on Jan 28

OS X Gatekeeper Bypass Vulnerability
Amplia Security – Amplia Security Research Advisory (AMPLIA-ARA100614)

Advisory ID: AMPLIA-ARA100614
Advisory URL:
http://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html,
http://www.ampliasecurity.com/advisories/AMPLIA-ARA100614.txt
Date Published: 01-07-2015
Vendors Contacted: Apple (www.apple.com) (notified 10-06-2014)
Release Mode: Coordinated Release
Last Updated: 01-27-2105…

Apple Releases Security Updates for OS X, Safari, iOS and Apple TV

Original release date: January 27, 2015

Apple has released security updates for OS X, Safari, iOS and Apple TV to address multiple vulnerabilities, one of which could allow a remote attacker to take control of an affected system.

Updates available include:

  • OS X v10.10.2 and Security Update 2015-001 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10 and v10.10.1
  • Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1
  • iOS 8.1.3 for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later
  • Apple TV 7.0.3 for Apple TV 3rd generation and later

US-CERT encourages users and administrators to review Apple security updates HT204244, HT204243, HT204245 and HT204246, and apply the necessary updates.


Clam AntiVirus Toolkit 0.98.6

Clam AntiVirus is an anti-virus toolkit for Unix. The main purpose of this software is integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command-line scanner, and a tool for automatic updating via the Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use in your own software.