Debian Linux Security Advisory 3057-2 – The update for libxml2 issued as DSA-3057-1 caused regressions due to an incomplete patch to address CVE-2014-3660. Updated packages are available to address this problem.
Monthly Archives: April 2015
Ubuntu Security Notice USN-2558-1
Ubuntu Security Notice 2558-1 – It was discovered that Mailman incorrectly handled special characters in list names. A local attacker could use this issue to perform a path traversal attack and execute arbitrary code as the Mailman user.
Is Hotel Wi-Fi Safe?
Recently, a new authentication vulnerability was identified in the firmware of routers that are used in hotels around the world.
This means that new files can be written to the routers and then potentially all connected machines (meaning hotel guests) could become infected.
Public Wi-Fi is not a new risk as these networks are unencrypted and send all your data in clear text, unless of course the web site you are visiting offers encryption.
Why does it matter that your data is unencrypted? Imagine all your regular post arriving at home written on postcards so that anyone in the delivery chain could read them. It would be a huge invasion of your privacy and unacceptable.
The risk of similar but you just can’t see that it was all sent for others to read, should they be so inclined.
Stay safe while using public Wi-Fi
- When using public Wi-Fi in café’s, airports, hotels or even when visiting a place of work that has guest Wi-Fi you should always be cautious on which services you use while connected.
- Where possible use a virtual private network (VPN). This will encrypt the data being send over the public Wi-Fi network that you are connected to, or put another way it will put your mail back in envelopes.
- Many scammers set up fake Wi-Fi networks to conduct what is known as a man in the middle attack. If you are in a hotel or airport, make sure you are using the legitimate free Wi-Fi service.
For more tips on keeping your data safe while using public Wi-Fi, check out the infographic below.
Reflected Cross-Site Scripting vulnerability in asdoc generated documentation
Posted by Securify B.V. on Apr 07
————————————————————————
Reflected Cross-Site Scripting vulnerability in asdoc generated
documentation
————————————————————————
Radjnies Bhansingh, March 2014
————————————————————————
Abstract
————————————————————————
A reflected Cross-Site scripting…
Will humans soon be banned from driving?
A driverless car recently made the journey from the Golden Gate Bridge in California and drove cross-country to New York City. The voyage was the longest autonomous drive attempt in the U.S., and has put driverless vehicles in the news again.
The successful journey brought to mind a recent prediction from Elon Musk, the founder of electric car manufacturer Tesla:
“[Legislators] may outlaw driving cars because it’s too dangerous… You can’t have a person driving a two-ton death machine”.
While at first this might seem radical, I feel it’s a potentially realistic image of the future.
With Tesla, Google, Apple, and most major automakers working on self-driving cars, it’s a safe bet they will be commonplace in the next decade.
For his part, Musk drew a relationship with elevators: When elevators first came about, each had an elevator operator. But as people became more used to the technology, and elevators became more safe and efficient, the operators went away.
Certainly, there is a lot to consider with the day of the self-driving cars coming. At the Nvidia conference, which debuted the firm’s computer platform for driverless cars, security issues with autonomous cars were also highlighted.
As Musk noted, there are some basic security concerns to deal with to make sure that people won’t be able to hack into vehicles.
“We’ve put a lot of effort into that, and we’ve had third parties try to hack it,” Musk said. He also said the threat of hackers taking over cars becomes more significant if the steering wheel and brake pedal disappear. Until then, he says drivers can override any potential problems.
As we’ve reported previously, car hacking is already happening today with automated, smart devices including car locks. Imagine when the entire car is vulnerable?
According to a recent congressional inquiry by Senator Ed Markey, there is a widespread absence of security and privacy protection being taken into consideration as automakers race to embrace the technology without considering the implications.
Clearly, the automotive and cybersecurity industries need to monitor autonomous technology very carefully, and adapt where needed.
Put simply, cars are another piece…a big piece… of the entire landscape of the Internet of Things, and if we are going to leave the driving to technology, we must make sure that it’s safe and secure.
MDVSA-2015:196: cups-filters
Updated cups-filters package fixes security vulnerability:
cups-browsed in cups-filters before 1.0.66 contained a bug in the
remove_bad_chars() function, where it failed to reliably filter
out illegal characters if there were two or more subsequent illegal
characters, allowing execution of arbitrary commands with the rights
of the lp user, using forged print service announcements on DNS-SD
servers (CVE-2015-2265).
MDVSA-2015:195: python-django
A vulnerability has been discovered and corrected in python-django:
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x,
1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does
not properly validate URLs, which allows remote attackers to conduct
cross-site scripting (XSS) attacks via a control character in a URL,
as demonstrated by a x08javascript: URL (CVE-2015-2317).
The updated packages provides a solution for this security issue.
MDVSA-2015:193: libtasn1
Updated libtasn1 packages fix security vulnerability:
The libtasn1 library before version 4.4 is vulnerable to a two-byte
stack overflow in asn1_der_decoding (CVE-2015-2806).
RHSA-2015:0788-1: Moderate: novnc security update
Red Hat Enterprise Linux: An updated novnc package that fixes one security issue is now available for
Red Hat Enterprise Linux OpenStack Platform 6.0.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
CVE-2013-7436
RHSA-2015:0783-1: Important: kernel security and bug fix update
Red Hat Enterprise Linux: Updated kernel packages that fix two security issues and two bugs are now
available for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2014-8159, CVE-2014-8867