Resolved Bugs
1184028 – CVE-2015-1182 polarssl: remote attack using crafted certificates
1184029 – CVE-2015-1182 polarssl: remote attack using crafted certificates [fedora-all]
– Fix for CVE-2015-1182
Monthly Archives: January 2015
Fedora 21 Security Update: patch-2.7.1-12.fc21
Fedora 20 Security Update: dump-0.4-0.24.b44.fc20
Fedora 20 Security Update: patch-2.7.1-12.fc20
Fedora 20 Security Update: java-1.7.0-openjdk-1.7.0.75-2.5.4.2.fc20
Updated to security update of 20.1.2015
Re: full name disclosure information leak in google drive
Posted by Daniel Miller on Jan 21
On Wed, Jan 21, 2015 at 2:26 PM, kevin mcsheehan <kevin () mcsheehan com>
wrote:
I’m pretty sure Google doesn’t consider this sort of thing a vulnerability.
Here’s their “it’s not a bug” page for it:
https://sites.google.com/site/bughunteruniversity/nonvuln/discover-your-name-based-on-e-mail-address
Dan
full name disclosure information leak in google drive
Posted by kevin mcsheehan on Jan 21
exploit title: full name disclosure information leak in google drive
software link: https://drive.google.com/drive/#my-drive
author: kevin mcsheehan
website: http://mcsheehan.com
email: kevin () mcsheehan com
date: 01/20/15
source: http://mcsheehan.com/?p=15
description: google drive leaks the full name of a target email
address when said email address is associated with an uploaded file.
the full name is displayed whether or not the target…
CVE-2015-1169 – CAS Server 3.5.2 allows remote attackers to bypass LDAP authentication via crafted wildcards.
Posted by J. Tozo on Jan 21
=====[Alligator Security Team – Security Advisory]========
CVE-2015-1169 – CAS Server 3.5.2 allows remote attackers to bypass LDAP
authentication via crafted wildcards.
Reporter: José Tozo < juniorbsd () gmail com >
=====[Table of Contents]==================================
1. Background
2. Detailed description
3. Other contexts & solutions
4. Timeline
5. References
=====[1. Background]======================================…
SA-CONTRIB-2015-029 – Corner – Cross Site Request Forgery (CSRF) – Unsupported
- Advisory ID: DRUPAL-SA-CONTRIB-2015-029
- Project: Corner (third-party module)
- Version: 6.x
- Date: 2015-January-21
- Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Request Forgery
Description
This module enables you to add configurable corners to your site.
A malicious user can cause an administrator to enable and disable corners by getting the administrator’s browser to make a request to a specially-crafted URL while the administrator is logged in.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- All versions of Corner module
Drupal core is not affected. If you do not use the contributed Corner module,
there is nothing you need to do.
Solution
If you use the Corner module you should uninstall it.
Also see the Corner project page.
Reported by
- Pere Orga, provisional member of the Drupal Security Team
Fixed by
Not applicable.
Coordinated by
- Pere Orga, provisional member of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
CVE-2015-0411
Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption.