Network Solutions Webmail suffers from cross site scripting, cross site request forgery, password reset, information disclosure and various other security vulnerabilities.
Monthly Archives: April 2015
Red Hat Security Advisory 2015-0795-01
Red Hat Security Advisory 2015-0795-01 – KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM, in environments managed by Red Hat Enterprise Linux OpenStack Platform. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host’s QEMU process address space with attacker-provided data. This issue was discovered by Paolo Bonzini of Red Hat.
Red Hat Security Advisory 2015-0797-01
Red Hat Security Advisory 2015-0797-01 – X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. A buffer over-read flaw was found in the way the X.Org server handled XkbGetGeometry requests. A malicious, authorized client could use this flaw to disclose portions of the X.Org server memory, or cause the X.Org server to crash using a specially crafted XkbGetGeometry request. This issue was discovered by Olivier Fourdan of Red Hat.
Ubuntu Security Notice USN-2566-1
Ubuntu Security Notice 2566-1 – Jann Horn discovered that dpkg incorrectly validated signatures when extracting local source packages. If a user or an automated system were tricked into unpacking a specially crafted source package, a remote attacker could bypass signature verification checks.
Turned Android auto-updates off? Manually update Anti-Theft to stay protected.
Remember to update Avast Anti-Theft if you don’t get automatic updates.
Notice: Coming updates will affect remote command capabilities in past versions of Avast Anti-Theft. Manually update Anti-Theft to stay protected.
Due to coming changes in push notifications, previous versions of Avast Anti-Theft will no longer be able to receive commands from your my.avast.com account. If your applications are automatically updated from Google Play, it’s not necessary to do anything – you can use Anti-Theft normally. However, if you have automatic updates switched off, please manually update Avast Anti-Theft to the latest version. This will allow you to remotely control your device from your Avast account. Commands sent via SMS will continue to work as usual, as well as any data sent to your Avast account.
How do I use Avast Anti-Theft to recover my lost Android device?
During set-up you were asked to provide one or two friends’ phone numbers. If you haven’t done that step, do so now. The Avast Anti-Theft installation and configuration FAQ shows the steps.
You can use the friend’s phone to receive an Avast Anti-Theft SMS notification in case your device is lost or stolen or to recover the Avast PIN in case you forget it.
Usually the first thing a thief does is change the SIM card. When Anti-Theft detects a SIM change, it will lock the phone and SMS all the details to the friends’ numbers you set up in the app.
As long as you have updated your app, you can track and control your device remotely using SMS commands from your friend’s phone or from your Avast account. All SMS commands begin with your password. For example, if you set 2222 as your password, the lock command would look like this: 2222 LOCK.
You can find all the SMS commands on the Avast Free Mobile Security page.
MDVA-2015:009: java-1.8.0-openjdk
A dependency problem was discovered with the MDVSA-2015:198 advisory that prevented some of the provided packages from being installed; this advisory solves this problem.
MDVSA-2015:203: batik
Updated batik packages fix security vulnerability:
Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption (CVE-2015-0250).
MDVSA-2015:202: ntp
Multiple vulnerabilities have been found and corrected in ntp:
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (CVE-2015-1798).
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (CVE-2015-1799).
The updated packages provide a solution for these security issues.
MDVSA-2015:201: arj
Multiple vulnerabilities have been found and corrected in arj:
Jakub Wilk discovered that arj follows symlinks created during unpacking of an arj archive. A remote attacker could use this flaw to perform a directory traversal attack if a user or automated system were tricked into processing a specially crafted arj archive (CVE-2015-0556).
Jakub Wilk discovered that arj does not sufficiently protect from directory traversal while unpacking an arj archive containing file paths with multiple leading slashes. A remote attacker could use this flaw to write to arbitrary files if a user or automated system were tricked into processing a specially crafted arj archive (CVE-2015-0557).
Jakub Wilk and Guillem Jover discovered a buffer overflow vulnerability in arj. A remote attacker could use this flaw to cause an application crash or, possibly, execute arbitrary code with the privileges of the user running arj (CVE-2015-2782).
The updated packages provide a solution for these security issues.
MDVSA-2015:200: mediawiki
Updated mediawiki packages fix security vulnerabilities:
In MediaWiki before 1.23.9, one could circumvent the SVG MIME blacklist for embedded resources. This allowed an attacker to embed JavaScript in the SVG (CVE-2015-2931).
In MediaWiki before 1.23.9, the SVG filter to prevent injecting JavaScript using animate elements was incorrect (CVE-2015-2932).
In MediaWiki before 1.23.9, a stored XSS vulnerability exists due to the way attributes were expanded in MediaWiki’s Html class, in combination with LanguageConverter substitutions (CVE-2015-2933).
In MediaWiki before 1.23.9, MediaWiki’s SVG filtering could be bypassed with entity encoding under the Zend interpreter. This could be used to inject JavaScript (CVE-2015-2934).
In MediaWiki before 1.23.9, one could bypass the style filtering for SVG files to load external resources. This could violate the anonymity of users viewing the SVG (CVE-2015-2935).
In MediaWiki before 1.23.9, MediaWiki versions using PBKDF2 for password hashing (not the default for 1.23) are vulnerable to DoS attacks using extremely long passwords (CVE-2015-2936).
In MediaWiki before 1.23.9, MediaWiki is vulnerable to Quadratic Blowup DoS attacks, under both HHVM and Zend PHP (CVE-2015-2937).
In MediaWiki before 1.23.9, the MediaWiki feature allowing a user to preview another user’s custom JavaScript could be abused for privilege escalation (CVE-2015-2938).
In MediaWiki before 1.23.9, function names were not sanitized in Lua error backtraces, which could lead to XSS (CVE-2015-2939).
In MediaWiki before 1.23.9, the CheckUser extension did not prevent CSRF attacks on the form allowing checkusers to look up sensitive information about other users. Since the use of CheckUser is logged, the CSRF could be abused to defame a trusted user or flood the logs with noise (CVE-2015-2940).
The mediawiki package has been updated to version 1.23.9, fixing these issues and other bugs.