This is a maintenance and bugfix release that upgrades NSS to the
latest 3.18 version and NSPR to the latest 4.10.8 version which
resolves various upstream bugs.
Additionally, the rootcerts package has been updated to the
latest version as of 2015-03-26, which adds, removes, and distrusts
several certificates.
Red Hat Enterprise Linux: Updated docker packages that fix one security issue are now available for
Red Hat Enterprise Linux 7 Extras.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2015-1843
Versions of the JBoss Seam 2 framework prior to 2.2.1CR2 fail to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the application server. This Metasploit module leverages RCE to upload and execute a meterpreter payload. Versions of the JBoss AS admin-console are known to be vulnerable to this exploit, without requiring authentication. Tested against JBoss AS 5 and 6, running on Linux with JDKs 6 and 7. This Metasploit module provides a more efficient method of exploitation – it does not loop to find desired Java classes and methods. NOTE: the check for upload success is not 100% accurate. NOTE 2: The module uploads the meterpreter JAR and a JSP to launch it.
Mandriva Linux Security Advisory 2015-192 – Multiple vulnerabilities have been discovered and corrected in subversion. Subversion HTTP servers with FSFS repositories are vulnerable to remotely triggerable excessive memory use with certain REPORT requests. Subversion mod_dav_svn and svnserve are vulnerable to a remotely triggerable assertion DoS vulnerability for certain requests with dynamically evaluated revision numbers. Subversion HTTP servers allow spoofing of svn:author property values for new revisions. The updated packages have been upgraded to the 1.7.20 and 1.8.13 versions, where these security flaws have been fixed.
Debian Linux Security Advisory 3212-1 – Multiple security issues have been found in Icedove, Debian’s version of the Mozilla Thunderbird mail client: use-after-frees and other implementation errors may lead to the execution of arbitrary code, the bypass of security restrictions or denial of service.
HP Security Bulletin HPSBST03195 1 – Potential security vulnerabilities have been identified with HP 3PAR Service Processor (SP) running OpenSSL and Bash. The OpenSSL vulnerability known as “Heartbleed” could be exploited remotely, resulting in disclosure of information. The SSLv3 vulnerability known as “Padding Oracle on Downgraded Legacy Encryption”, also known as “Poodle”, could be exploited remotely, resulting in disclosure of information. The Bash shell vulnerability known as “Shellshock” could be exploited remotely, resulting in execution of code. Revision 1 of this advisory.
HP Security Bulletin HPSBHF03300 1 – Potential security vulnerabilities have been identified with HP Network Products running OpenSSL. The SSLv3 vulnerability known as “Padding Oracle on Downgraded Legacy Encryption”, also known as “POODLE”, could be exploited remotely, resulting in disclosure of information. Other vulnerabilities could be remotely exploited, resulting in denial of service (DoS) and unauthorized access. Revision 1 of this advisory.
Earlier this week, a list of the 25 worst sports-related passwords was released by SplashData; it includes a whole raft of easily guessable passwords, the most common being “baseball” and “football”.
In fact, baseball and football are so common that they also appeared on the list of overall worst passwords published earlier in 2015.
It goes without saying that if you see your password on this list, it really is time to change it. A weak password makes it easy for attackers or scammers to gain access to your accounts and the data stored within them.
How to create a strong password:
Creating a strong password is much easier than winning the World Series, and in a few simple steps you can have a password that helps keep your data secure while also being easy to remember.
For tips on what to avoid when getting a new password, be sure to check out this video from AVG Security Expert Michael McKinnon.