Updated less package fixes security vulnerability:
Malformed UTF-8 data could have caused an out of bounds read
in the UTF-8 decoding routines, causing an invalid read access
(CVE-2014-9488).
Monthly Archives: April 2015
RHSA-2015:0797-1: Moderate: xorg-x11-server security update
Red Hat Enterprise Linux: Updated xorg-x11-server packages that fix one security issue are now
available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2015-0255
USN-2566-1: dpkg vulnerability
Ubuntu Security Notice USN-2566-1
9th April, 2015
dpkg vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
- Ubuntu 10.04 LTS
Summary
dpkg could be tricked into bypassing source package signature checks.
Software description
- dpkg
– Debian package management system
Details
Jann Horn discovered that dpkg incorrectly validated signatures when
extracting local source packages. If a user or an automated system were
tricked into unpacking a specially crafted source package, a remote
attacker could bypass signature verification checks.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 14.10:
-
libdpkg-perl
1.17.13ubuntu1.1
- Ubuntu 14.04 LTS:
-
libdpkg-perl
1.17.5ubuntu5.4
- Ubuntu 12.04 LTS:
-
libdpkg-perl
1.16.1.2ubuntu7.6
- Ubuntu 10.04 LTS:
-
dpkg-dev
1.15.5.6ubuntu4.10
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
Cybercrime Fighting Group Takes Down Beebone Botnet – The New York Times
Bitcoin Flaws Beckon Hackers – Info Security
It’s Time to Research New Ways to Fight Ddos Attacks – CSO
High-tech TV: How Realistic Is the Hacking in Prime-Time Shows? – Engadget
Hidden backdoor API to root privileges in Apple OS X
Posted by Jeffrey Walton on Apr 10
https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/
The Admin framework in Apple OS X contains a hidden backdoor API to
root privileges. It’s been there for several years (at least since
2011), I found it in October 2014 and it can be exploited to escalate
privileges to root from any user account in the system.
The intention was probably to serve the “System Preferences” app and
systemsetup…
Fusion Engage v1.0.5 (WordPress Plugin) Local File Disclosure
Posted by Why Know on Apr 10
Fusion Engage is a commercial wordpress plugin sold by internet marketer (and known scammer) Precious Ngwu to.. I’m
actually not sure. Something to do with video embedding.
Anyway, it has a LFD. Here’s the relevant code..
function fe_get_sv_html(){
global $wpdb, $video_db, $ann_db;
print(file_get_contents($_POST[‘video’]));
wp_die();…
CVE-2015-2247
Unspecified vulnerability in Boosted Boards skateboards allows physically proximate attackers to modify skateboard movement, cause human injury, or cause physical damage via vectors related to an “injection attack” that blocks and hijacks a Bluetooth signal.