Mandriva Linux Security Advisory MDVSA-2015:037
http://www.mandriva.com/en/support/security/
Package : vorbis-tools
Date : February 6, 2015
Affected: Business Server 1.0
Problem Description: Updated vorbis-tools package fixes security vulnerability:
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file (CVE-2014-9640).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9640
http://advisories.mageia.org/MGASA-2015-0051.html
Updated Packages: Mandriva Business
Monthly Archives: February 2015
Parisa Tabriz. Introducing Google’s ‘Security Princess’

Princesses do not only appear in Disney movies, and technology is not only for men. There are many women in the ranks of the Mountain View giant, but when it comes to IT security, one of them stands out in particular. She chose her own nickname: she is Google’s ‘Security Princess’.
She is Parisa Tabriz, one of the 250 engineers responsible for protecting Google Chrome users and the US company’s infrastructure and systems. Tabriz chose her title before a trip to Japan on which she had to give talks about her work.
Even the White House has hired her services, after suffering a cyberattack last October that affected the institution’s IT systems. At least, that is what Tabriz’s CV said, where the work appeared as a top secret mission. But do not look for ‘top secret’ on the document: she deleted this entry after the mission was made public. You can still read, however, that in November she collaborated with the US Digital Service.
Moi & my research adviser (wdo@uiuc) @ Thu lab cookie time (same as always); how great is that mustache? @eceILLINOIS pic.twitter.com/S9aBAJQqfC
— Parisa Tabriz (@laparisa) October 24, 2014
Parisa Tabriz is part of a team of hackers whose job is basically to think like a criminal. They sniff out software vulnerabilities and bugs that cybercriminals could use to access Internet users’ data. They have to find them before the criminals do, in order to fix them and prevent attacks.
She earned her engineering degree from the University of Illinois, where she discovered her passion for computing. There she joined a special club whose members met on Friday nights to discuss the ins and outs of Internet security. At that time, Facebook did not even exist and nobody had heard of the ‘blue bird’.
That group of amateurs was particularly interested in steganography, the practice of concealing messages within another item, such as a text or a photograph. It is actually a form of encryption used in Ancient Greece (the word comes from the Greek ‘στεγανος’, meaning concealed, and ‘γραφος’, meaning writing). The group used to conceal information in images of cats that were sent by email.
Parisa joined Google in 2007 as part of the company’s IT security department. Now she is the leader of a team of 30 hackers who, from the US and Europe, prevent attacks related to the Chrome Internet browser.
As soon as the hackers discover a vulnerability, they fix it quickly, so they are constantly updating the software without users noticing their work. They work in the shadows so that your data and Internet purchases are kept secure.

In 2011, they discovered that the Dutch authority that manages Web security certificates (DigiNotar) had been hacked, affecting hundreds of thousands of Iranian Gmail users. All the signs pointed to the Iranian government as the perpetrator of the attack, and the volume of fraudulent certificates was so high that the agency had to close.
As well as leading the security army, Tabriz is responsible for hiring new experts to replenish the ranks. One way of finding them is through contests and hackathons. Google organizes events in which independent hackers can look for bugs in its programs.
However, they must be careful. Some researchers could profit from their findings and demand money for the information, or even sell it to cybercriminals, who would use it for illicit purposes. Governments also use security holes in certain software to monitor companies and citizens.
Therefore, it is essential to stay on top of every step and advance in cybersecurity. Tabriz attends hacker conferences and meetings worldwide and gives seminars on her work to other members of the company.
The post Parisa Tabriz. Introducing Google’s ‘Security Princess’ appeared first on MediaCenter Panda Security.
[ MDVSA-2015:036 ] python-django
Mandriva Linux Security Advisory MDVSA-2015:036
http://www.mandriva.com/en/support/security/
Package : python-django
Date : February 6, 2015
Affected: Business Server 1.0
Problem Description: Updated python-django packages fix security vulnerabilities:
Jedediah Smith discovered that Django incorrectly handled underscores in WSGI headers. A remote attacker could possibly use this issue to spoof headers in certain environments (CVE-2015-0219).
Mikko Ohtamaa discovered that Django incorrectly handled user-supplied redirect URLs. A remote attacker could possibly use this issue to perform a cross-site scripting attack (CVE-2015-0220).
Alex Gaynor discovered that Django incorrectly handled reading files
[ MDVSA-2015:035 ] libvirt
Mandriva Linux Security Advisory MDVSA-2015:035
http://www.mandriva.com/en/support/security/
Package : libvirt
Date : February 6, 2015
Affected: Business Server 1.0
Problem Description: Updated libvirt packages fix security vulnerability:
The XML getters for save images and snapshot objects don't check ACLs for the VIR_DOMAIN_XML_SECURE flag and might dump security-sensitive information. A remote attacker able to establish a connection to libvirtd could use this flaw to leak certain limited information from the domain XML file (CVE-2015-0236).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CV
[ MDVSA-2015:034 ] jasper
Mandriva Linux Security Advisory MDVSA-2015:034
http://www.mandriva.com/en/support/security/
Package : jasper
Date : February 6, 2015
Affected: Business Server 1.0
Problem Description: Updated jasper packages fix security vulnerabilities:
An off-by-one flaw, leading to a heap-based buffer overflow, was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code (CVE-2014-8157).
An unrestricted stack memory use flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code (CVE-2014-81
Making purchases with security in mind
For many shoppers, a lot of thought goes into the purchasing process. Price is certainly something to consider, but features, design, and reliability are other factors that many consumers weigh before they make their final decision. With that said, one area that many people forget to think about when buying a new computer or electronic device is security.
With so many stories about hacks and malware in the news today, it’s easy to see why security should also be considered with any tech purchase. After all, a security problem can turn an otherwise satisfying purchase into a nightmare.
Because of this, when it comes to security, the first thing to do is understand what kinds of security features are included on board. Are there options to customize the security settings? How extensive are they?
Beyond the hardware itself, what options are there to install third-party security software? It is also important to know which third-party options will work best for you and for the way you use the hardware.
While the items above should be considered before making the purchase, attention to security doesn’t end once the hardware has been paid for. From the moment the new device is first turned on, customize the security settings and install the necessary security applications before doing anything else. The last thing you want is to skip these steps and pay for it later. Beyond these first steps, security should remain something that you check in on throughout the life of the device.
Are you going to start making security a part of your checklist when buying computers and other devices?
The post Making purchases with security in mind appeared first on Avira Blog.
[ MDVSA-2015:033 ] java-1.7.0-openjdk
Mandriva Linux Security Advisory MDVSA-2015:033
http://www.mandriva.com/en/support/security/
Package : java-1.7.0-openjdk
Date : February 6, 2015
Affected: Business Server 1.0
Problem Description: Updated java-1.7.0 packages fix security vulnerabilities:
A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions (CVE-2014-6601).
Multiple improper permission check issues were discovered in the JAX-WS, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions (CVE-2015-0412, CVE-2015-04
MDVSA-2015:032: php
Multiple vulnerabilities have been discovered and corrected in php:
sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x
through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read
a .php file, does not properly consider the mapping’s length during
processing of an invalid file that begins with a # character and lacks
a newline character, which causes an out-of-bounds read and might (1)
allow remote attackers to obtain sensitive information from php-cgi
process memory by leveraging the ability to upload a .php file or (2)
trigger unexpected code execution if a valid PHP script is present
in memory locations adjacent to the mapping (CVE-2014-9427).
Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages improper
handling of duplicate numerical keys within the serialized properties
of an object. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142 (CVE-2015-0231).
The exif_process_unicode function in ext/exif/exif.c in PHP before
5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote
attackers to execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via crafted EXIF
data in a JPEG image (CVE-2015-0232).
The updated php packages have been upgraded to the 5.5.21 version
which is not vulnerable to these issues.
Additionally, the timezonedb package has been upgraded to the latest
2015.1 version, the php-suhosin package has been upgraded to the
latest 0.9.37.1 and the PECL packages that require it have been
rebuilt for php-5.5.21.
MDVSA-2015:031: busybox
Updated busybox packages fix security vulnerability:
The modprobe command in busybox before 1.23.0 uses the basename of
the module argument as the module to load, allowing arbitrary modules,
even when some kernel subsystems try to prevent this (CVE-2014-9645).
MDVSA-2015:030: bugzilla
Updated bugzilla packages fix security vulnerability:
Some code in Bugzilla does not properly use the 3-argument form
of open(), and it is possible for an account with editcomponents
permissions to inject commands into product names and other attributes
(CVE-2014-8630).