Red Hat Security Advisory 2015-0133-01 – IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit.
Monthly Archives: February 2015
Anthem breach: 5 defensive tips to take now
Yesterday the biggest healthcare-related breach to date was announced, as attackers accessed a database containing the records of 80 million Anthem insurance customers, plus current and former employees.
The post Anthem breach: 5 defensive tips to take now appeared first on We Live Security.
Newsweek’s Cover Art Controversy
It’s interesting to parse the controversy stirred up by the cover of Newsweek magazine’s February 6, 2015 issue. But it’s the art illustrating the story “What Silicon Valley Thinks of Women,” not the article itself that is causing all the stir.
The cover is a drawing of a faceless woman in a mini-skirt and heels, with her hemline being lifted up – and, some would say, poked – with a cursor.
Reaction to the illustration was immediate (at least in Silicon Valley) and has been on-going. Divided opinions have been aired on blogs, social media and the Today show.
The article itself illustrates some well-documented facts about how working women fare in the tech world in Silicon Valley. Chief among them: the enormous gender gap in tech jobs and how difficult it is for women-led businesses to find funding from VCs, underscored by a dearth of women VC partners. This thesis is supported by the recent findings of research by Babson College, among others, that I’ve also written about previously.
In a very informal polling of some of my Silicon Valley women friends, four out of five thought the cover accurately characterized the article.
For some, the woman without facial features – besides red lipstick – proved a compelling example of misogyny. For another camp, the cover illustration perpetuated a stereotype and the gender problem in tech.
The cover’s designer, Edel Rodriguez, defended himself and talked about what he was trying to achieve in an interview on the industry website, GigaOM.
“The subject of the article is how women are treated in Silicon Valley. It details the sexual harassment, jokes and treatment that women put up with in the industry. The image represents this harassment. A woman should have the right to dress however she pleases without this happening to them. These men have grown up around technology and video games their entire lives. They see women as objects that they can mistreat. The image conveys the exact moment when the harassment is symbolically taking place.” The full article/interview with Rodriguez can be found here.
Many agree on one thing: the cover art has fulfilled its mission of drawing attention and getting people to read the piece on an important topic!
My thoughts: First, I was happy that Newsweek focused on this important topic and ran a cover story on the challenges of women in tech. Second: Art is always a matter of personal preference. But in this case, I’m in the camp of don’t blame the art. It’s art imitating real life.
But I do want to say that from my experience there are many companies in Silicon Valley who don’t participate in the harassment depicted in the article and there are many people who advocate for women. As proven with this article, there’s growing momentum in the tech world to address the gender gap. And that’s very good news.
As anyone who has followed my blog posts knows, I am a strong advocate of advancing this discussion. It’s the basis for a conversation I look forward to leading during my session “Boardroom or Baby” at SXSW 2015.
Following Exploits, Zero Day in WordPress Plugin FancyBox Patched
Developers have patched a zero-day vulnerability in FancyBox, a plug-in for WordPress, which allowed malware to be added, via an iframe, to infected sites.
Fedora EPEL 6 Security Update: moodle-2.6.8-1.el6
Resolved Bugs
1183695 – CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [epel-6]
1183694 – CVE-2015-0218 CVE-2015-0212 CVE-2015-0213 CVE-2015-0211 CVE-2015-0216 CVE-2015-0217 CVE-2015-0214 CVE-2015-0215 moodle: new update fixes several security issues [fedora-all]
The following security notifications have now been made public:
==============================================================================
MSA-15-0001: Insufficient access check in LTI module
Description: Absence of a capability check in an AJAX backend script could
allow any enrolled user to search the list of registered
tools
Issue summary: mod/lti/ajax.php security problems
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47920
CVE identifier: CVE-2015-0211
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920
==============================================================================
MSA-15-0002: XSS vulnerability in course request pending approval page
Description: The course summary on the course request pending approval page was
displayed to the manager unescaped and could be used for
an XSS attack
Issue summary: XSS in course request pending approval page (Privilege
Escalation?)
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Skylar Kelty
Issue no.: MDL-48368
Workaround: Grant permission moodle/course:request only to trusted
users
CVE identifier: CVE-2015-0212
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368
==============================================================================
MSA-15-0003: CSRF possible in Glossary module
Description: Two files in the Glossary module lacked a session key check
potentially allowing cross-site request forgery
Issue summary: Multiple CSRF in mod glossary
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Ankit Agarwal
Issue no.: MDL-48106
CVE identifier: CVE-2015-0213
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106
==============================================================================
MSA-15-0004: Information leak through messaging functions in web-services
Description: Through web-services it was possible to access
messaging-related functions such as people search even if
messaging is disabled on the site
Issue summary: Messages external functions doesn’t check if messaging is
enabled
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Juan Leyva
Issue no.: MDL-48329
Workaround: Disable web services or disable individual message-related
functions
CVE identifier: CVE-2015-0214
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329
==============================================================================
MSA-15-0005: Insufficient access check in calendar functions in web-services
Description: Through web-services it was possible to get information
about calendar events which the user did not have enough
permissions to see
Issue summary: calendar/externallib.php lacks
self::validate_context($context);
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-48017
CVE identifier: CVE-2015-0215
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017
==============================================================================
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask
Description: Users with capability to grade in Lesson module were not
reported as users with XSS risk but their feedback was
displayed without cleaning
Issue summary: mod/lesson:grade capability missing RISK_XSS but essay
feedback is displayed with noclean=true
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1
Versions fixed: 2.8.2
Reported by: Damyon Wiese
Issue no.: MDL-48034
CVE identifier: CVE-2015-0216
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034
==============================================================================
MSA-15-0007: ReDoS possible in the multimedia filter
Description: A suboptimal regular expression in the filter could be
exploited to create extra server load or make a particular
page unavailable
Issue summary: ReDOS in the multimedia filter
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Nicolas Martignoni
Issue no.: MDL-48546
Workaround: Disable multimedia filter
CVE identifier: CVE-2015-0217
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546
==============================================================================
MSA-15-0008: Forced logout through Shibboleth authentication plugin
Description: It was possible to forge a request to log out users even
when not authenticated through Shibboleth
Issue summary: Forced logout via auth/shibboleth/logout.php
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47964
Workaround: Deny access to file auth/shibboleth/logout.php in webserver
configuration
CVE identifier: CVE-2015-0218
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964
==============================================================================
Fedora EPEL 6 Security Update: perl-Gtk2-1.2495-1.el6
Resolved Bugs
1188221 – perl-Gtk2: incorrect memory management in Gtk2::Gdk::Display::list_devices [epel-all]
1188219 – perl-Gtk2: incorrect memory management in Gtk2::Gdk::Display::list_devices
Update to 1.2495 to resolve an incorrect memory management issue in Gtk2::Gdk::Display::list_devices, which can potentially lead to arbitrary code execution.
Fedora EPEL 7 Security Update: roundcubemail-1.0.5-1.el7
Resolved Bugs
1188203 – CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [epel-all]
1188202 – CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [fedora-all]
A cross-site scripting vulnerability has been fixed in Roundcube version 1.0.5.
http://roundcube.net/news/2015/01/24/security-update-1.0.5/
http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
http://trac.roundcube.net/ticket/1490227
CVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3
Fedora EPEL 7 Security Update: perl-Gtk2-1.2495-1.el7
Resolved Bugs
1188221 – perl-Gtk2: incorrect memory management in Gtk2::Gdk::Display::list_devices [epel-all]
1188219 – perl-Gtk2: incorrect memory management in Gtk2::Gdk::Display::list_devices
Update to 1.2495 to resolve an incorrect memory management issue in Gtk2::Gdk::Display::list_devices, which can potentially lead to arbitrary code execution.
Fedora EPEL 6 Security Update: roundcubemail-1.0.5-1.el6
Resolved Bugs
1188203 – CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [epel-all]
1188202 – CVE-2015-1433 roundcubemail: cross-site scripting in style attribute handling [fedora-all]
A cross-site scripting vulnerability has been fixed in Roundcube version 1.0.5.
http://roundcube.net/news/2015/01/24/security-update-1.0.5/
http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
http://trac.roundcube.net/ticket/1490227
CVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3
Fedora EPEL 6 Security Update: puppetlabs-stdlib-4.5.1-2.20150121git7a91f20.el6
Resolved Bugs
1182578 – CVE-2015-1029 puppetlabs-stdlib: local information leakage and local privilege escalation vulnerability
1182580 – CVE-2015-1029 puppetlabs-stdlib: local information leakage and local privilege escalation vulnerability [epel-all]
1182579 – CVE-2015-1029 puppetlabs-stdlib: local information leakage and local privilege escalation vulnerability [fedora-all]
Install metadata.json for Puppet to pick stdlib release when “puppet module list” is called
Security fix for CVE-2015-1029