Mandriva Linux Security Advisory MDVSA-2015:053
http://www.mandriva.com/en/support/security/
Package : tomcat6
Date : March 3, 2015
Affected: Business Server 1.0
Problem Description:
Updated tomcat6 packages fix security vulnerabilities:
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data (CVE-2014-0075).
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and
Monthly Archives: March 2015
[ MDVSA-2015:052 ] tomcat
Mandriva Linux Security Advisory MDVSA-2015:052
http://www.mandriva.com/en/support/security/
Package : tomcat
Date : March 3, 2015
Affected: Business Server 1.0
Problem Description:
Updated tomcat packages fix security vulnerabilities:
Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a Transfer-Encoding: chunked header (CVE-2013-4286).
Apache Tomcat 7.x before 7.0.50 processes chunked transfer codi
Samba smbd ServerPasswordSet RPC Memory Corruption (CVE-2015-0240)
This protection will detect and block attempts to exploit this vulnerability.
AVG Launches Secure Sign-On for Service Providers and Small Businesses
AMSTERDAM and SAN FRANCISCO – March 3, 2015 – AVG Technologies N.V. (NYSE: AVG), the online security company for 197 million active users, today announced the immediate availability of AVG Business Secure Sign-On (SSO). Underpinned by technology from identity management leader, Centrify, AVG Business SSO works to provide AVG partners and business owners with a simple way to control company data on employees’ mobile devices and cloud applications.
“AVG Business SSO allows AVG partners to offer much needed help to those small business customers who are struggling with the issues of bring your own device (BYOD) and password management,” said Lee Frankham, director of Simpology, an AVG Business partner in the UK. “Now, we can roll out services that give our customers simple, secure management of their users’ mobile device data and applications in a matter of a few clicks.”
“Mass ownership of personal mobile devices, the adoption of popular consumer cloud services like Skype and Dropbox for business purposes and the impact of the Internet of Things have been the catalysts for true ‘business without walls’,” said Mike Foreman, General Manager, AVG Business. “Business in a fully connected environment puts smaller firms at risk of data breaches. AVG Business SSO for the first time makes it simple for businesses without big budgets or in-house IT staff to keep company confidential data safe, private and within their control, even while it is shared with employee-owned mobile devices and externally hosted cloud services.”
Key features of AVG Business SSO are:
- Centralized control of cloud and mobile apps/data for one-click authentication of end-user mobile devices – single secure sign-on with multi-factor authentication (MFA) for any device unifies identity and mobile device management to give simplified control of mobile data
- Affordable identity policy, verification and mobile device management service – including via Active Directory
- Efficient password management – eliminates risk from easy-to-remember, reused and/or improperly managed passwords, improves end user productivity by eliminating the need to remember multiple passwords and reduces volume of helpdesk calls resulting from forgotten passwords
- Large range of business applications – support for more than 2,500 of the most popular Cloud-based business apps including Office 365, Salesforce, Webex, Facebook, LinkedIn and many more helping IT providers monetize mobile and cloud management services.
###
About Centrify
Centrify provides unified identity management across cloud, mobile and data center environments that delivers single sign-on (SSO) for users and a simplified identity infrastructure for IT. Centrify’s unified identity management software and cloud-based Identity-as-a-Service (IDaaS) solutions leverage an organization’s existing identity infrastructure to enable single sign-on, multi-factor authentication, privileged identity management, auditing for compliance and enterprise mobility management. Centrify customers can typically reduce their total cost of identity management and compliance by more than 50 percent, while improving business agility and overall security. Centrify is used by more than 5,000 customers worldwide, including nearly half of the Fortune 50 and more than 60 Federal agencies. For more information, please visit http://www.centrify.com/.
About AVG Technologies
AVG is the online security company providing leading software and services to secure devices, data and people. Over 197 million active users, as of December 31, 2014, use AVG's products and services. AVG's Consumer portfolio includes internet security, performance optimization, and personal privacy and identity protection for mobile devices and desktops. The AVG Business portfolio, delivered by managed service providers, VARs and resellers, offers IT administration, control and reporting, integrated security, and mobile device management that simplify and protect businesses.
All trademarks are the property of their respective owners.
Media Contacts:
US
Holly Luka
Waggener Edstrom for AVG
+ 1 (415) 547 7054
UK
Paul Shlackman
PR Manager, SMB & Channel
+44 (0)7792 121510
Note to Editors:
AVG Business sells and markets a comprehensive, integrated set of cloud security and remote monitoring and management (RMM) software applications that are designed from the ground up to simplify the lives of IT providers, Managed Service Providers (MSPs) and their small-to-medium sized business customers.
The portfolio comprises AVG Business CloudCare, a cloud-based administration platform offering resellers a simple way to implement and manage services such as antivirus, content filtering, online backup and email security services for their customers; AVG Business Managed Workplace, an open eco-system Remote Monitoring & Management tool; and AVG Business Secure Sign-On, a cloud-based identity policy, verification and mobile device management service.
Supported by a worldwide network of more than 10,000 partners, AVG’s strong IT security heritage complements its proven strength as an RMM provider and partner to help smaller IT companies and MSPs transition and flourish as fully-fledged managed services businesses.
[ MDVSA-2015:051 ] sympa
Mandriva Linux Security Advisory MDVSA-2015:051
http://www.mandriva.com/en/support/security/
Package : sympa
Date : March 3, 2015
Affected: Business Server 1.0
Problem Description:
Updated sympa packages fix a security vulnerability:
A vulnerability has been discovered in the Sympa web interface that allows access to files on the server filesystem. It allows any file readable by the Sympa user, located on the server filesystem, to be sent to a list or a user via the Sympa web interface newsletter posting area (CVE-2015-1306).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1306
http://advisories.mageia.or
Symantec Web Gateway 5 restore.php Command Injection
This Metasploit module exploits a command injection vulnerability found in Symantec Web Gateway's setting restoration feature. The filename portion can be used to inject system commands into a syscall function and gain control in the context of the HTTP service. On Symantec Web Gateway 5.1.1 the vulnerability can be exploited by any kind of user; on version 5.2.1, the user must be an administrator.
DSA-3179 icedove – security update
Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client: multiple memory safety errors and implementation errors may lead to the execution of arbitrary code or information disclosure.
Mandriva Linux Security Advisory 2015-050
Mandriva Linux Security Advisory 2015-050 – It was reported that a crafted diff file can make patch consume excessive memory and later segfault. It was reported that the versions of the patch utility that support Git-style patches are vulnerable to a directory traversal flaw. This could allow an attacker to overwrite arbitrary files by applying a specially crafted patch, with the privileges of the user running patch. GNU patch before 2.7.4 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.
Fedora 22 Security Update: cups-filters-1.0.66-1.fc22
New upstream bug-fix release which fixes a security flaw in cups-browsed.
Fedora 22 Security Update: librsync-1.0.0-1.fc22,csync2-1.34-15.fc22,duplicity-0.6.25-3.fc22,rdiff-backup-1.2.8-14.fc22
Resolved Bugs
1126718 – librsync: rsync: checksum collisions leading to a denial of service [fedora-all]
1126712 – CVE-2014-8242 librsync: MD4 collision file corruption
Changes in librsync 1.0.0 (2015-01-23)
======================================
* SECURITY: CVE-2014-8242: librsync previously used a truncated MD4 "strong" checksum to match blocks. However, MD4 is not cryptographically strong. It's possible that an attacker who can control the contents of one part of a file could use it to control other regions of the file, if it's transferred using librsync/rdiff. For example this might occur in a database, mailbox, or VM image containing some attacker-controlled data. To mitigate this issue, signatures will by default be computed with a 256-bit BLAKE2 hash. Old versions of librsync will complain about a bad magic number when given these signature files. Backward compatibility can be obtained using the new `rdiff sig --hash=md4` option or through specifying the "signature magic" in the API, but this should not be used when either the old or new file contains untrusted data. Deltas generated from those signatures will also use BLAKE2 during generation, but produce output that can be read by old versions. See https://github.com/librsync/librsync/issues/5. Thanks to Michael Samuel for reporting this and offering an initial patch.
* Various build fixes, thanks Timothy Gu.
* Improved rdiff man page from Debian.
* Improved librsync.spec file for building RPMs.
* Fixed bug #1110812 "internal error: job made no progress" on large files.
* Moved hosting to https://github.com/librsync/librsync/
* Travis-CI.org integration test at https://travis-ci.org/librsync/librsync/
* Remove bundled copy of popt; it must be installed separately.
* You can set `$LIBTOOLIZE` before running `autogen.sh`, for example on OS X Homebrew where it is called `glibtoolize`.