Ubuntu Security Notice 2563-1 – Sun Baoliang discovered a use after free flaw in the Linux kernel’s SCTP (Stream Control Transmission Protocol) subsystem during INIT collisions. A remote attacker could exploit this flaw to cause a denial of service (system crash) or potentially escalate their privileges on the system. Marcelo Leitner discovered a flaw in the Linux kernel’s routing of packets to too many different dsts/too fast. A remote attacker can exploit this flaw to cause a denial of service (system crash). Various other issues were also addressed.
Monthly Archives: April 2015
Your identity has already been stolen, ‘Catch Me If You Can’ subject warns US citizens
The reformed conman that the 2002 film ‘Catch Me If You Can’ is based on has told The Times that anyone living in the US or UK has already had their identity stolen.
The post Your identity has already been stolen, ‘Catch Me If You Can’ subject warns US citizens appeared first on We Live Security.
AT&T Pays Record $25m Over Customer Data Theft
Police Take Down Beebone Botnet
Drug Pump's Security Flaw Lets Hackers Raise Dose Limits
France's TV5Monde Hit By ISIL Hackers
Does your company have a security threat on the payroll?
While security used to be an afterthought for many businesses, it’s now something that they realize cannot be ignored. Much of the focus is placed on keeping threats out, but too few companies focus on the threats that may already be internal. And we’re not talking about malware.
What we’re talking about are employees of the companies themselves. Here you have people who are paid to be a part of the company, and along with those jobs comes a high level of trust. The more exposure that these employees have to sensitive systems and data, the more that they’re trusted to deal with them in the proper way. Most of the time that trust is well founded because the employees have worked hard to advance their careers and gain that level of trust, but sometimes it can cause security problems.
There is a reason for which the BYOD policy should become a hot topic in the IT department of every company. Allowing employees to use their personal devices at work can cause incredible damage. Even so, there is also a less discussed threat for businesses to take into consideration.
Just think about what can happen if an employee suddenly becomes disgruntled. In certain situations, someone who used to be a trustworthy employee can suddenly become a security threat to the company.
It’s not hard to see how an employee with access could start to steal data, publicize confidential information, or infect the internal network in some other way. While outside threats can be monitored, detected, and acted upon, many internal threats can be invisible until it’s too late.
With that in mind, companies need to start paying more attention to what’s going on internally. While they shouldn’t view all of their employees as criminals, they should keep their eyes open for signs of an employee who might be tempted to cause some problems.
The post Does your company have a security threat on the payroll? appeared first on Avira Blog.
Fedora EPEL 6 Security Update: perl-Test-Signature-1.11-1.el6,perl-Module-Signature-0.78-1.el6
Resolved Bugs
965126 – License metadata do not reflect cpansign license
1209911 – perl-Module-Signature: unsigned files interpreted as signed in some circumstances
1209915 – perl-Module-Signature: arbitrary code execution during test phase
1209917 – perl-Module-Signature: arbitrary code execution when verifying module signatures
1209918 – perl-Module-Signature: arbitrary modules loading in some circumstances
1209922 – perl-Module-Signature: various flaws [epel-all]<br
This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a “skip” parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.
Security issues:
* Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
* When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute
automatically during “make test”.
* Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.
* Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious
module so that they would load from the ‘.’ path in @INC.
Fedora EPEL 5 Security Update: perl-Test-Signature-1.11-1.el5,perl-Module-Signature-0.78-1.el5
Resolved Bugs
965126 – License metadata do not reflect cpansign license
1209911 – perl-Module-Signature: unsigned files interpreted as signed in some circumstances
1209915 – perl-Module-Signature: arbitrary code execution during test phase
1209917 – perl-Module-Signature: arbitrary code execution when verifying module signatures
1209918 – perl-Module-Signature: arbitrary modules loading in some circumstances
1209922 – perl-Module-Signature: various flaws [epel-all]<br
This update addresses various security issues in perl-Module-Signature as described below. The default behavior is also changed so as to ignore any MANIFEST.SKIP files unless a “skip” parameter is specified. An updated version of perl-Test-Signature that accounts for the changed default behavior is included in this update.
Security issues:
* Module::Signature before version 0.75 could be tricked into interpreting the unsigned portion of a SIGNATURE file as the signed portion due to faulty parsing of the PGP signature boundaries.
* When verifying the contents of a CPAN module, Module::Signature before version 0.75 ignored some files in the extracted tarball that were not listed in the signature file. This included some files in the t/ directory that would execute
automatically during “make test”.
* Module::Signature before version 0.75 used two argument open() calls to read the files when generating checksums from the signed manifest. This allowed embedding arbitrary shell commands into the SIGNATURE file that would execute during the signature verification process.
* Module::Signature before version 0.75 has been loading several modules at runtime inside the extracted module directory. Modules like Text::Diff are not guaranteed to be available on all platforms and could be added to a malicious
module so that they would load from the ‘.’ path in @INC.
Google pulls Chrome screenshot extension, after it leaks personal data
A Chrome extension designed for taking and annotating screenshots has been found to be leaking sensitive data from its 1.2 million users.
The post Google pulls Chrome screenshot extension, after it leaks personal data appeared first on We Live Security.
