Re: WordPress 4.2 stored XSS

Posted by C0r3dump3d on Apr 28

Curiously we had the same problem when we tried to communicate to
WordPress the vulnerability CVE-2014-9034
(https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034). We
tried, repeatedly, to contact WP through HackerOne and email, but they did
not respond. Only through the intervention of the CERT/CC, and last
about six months they showed the necessary interest.

Andres.

On 27/04/15 at 23:33, Winni Neessen wrote:

Red Hat Security Advisory 2015-0891-01

Red Hat Security Advisory 2015-0891-01 – KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM, in environments managed by Red Hat Enterprise Linux OpenStack Platform. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host’s QEMU process address space with attacker-provided data. This issue was found by Paolo Bonzini of Red Hat.

Fedora EPEL 7 Security Update: proftpd-1.3.5-5.el7

Resolved Bugs
1212386 – CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy
1212389 – CVE-2015-3306 proftpd: unauthenticated copying of files via SITE CPFR/CPTO allowed by mod_copy [epel-all]
Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module’s SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by unauthenticated clients.
Upstream report: http://bugs.proftpd.org/show_bug.cgi?id=4169
Note that mod_copy is not loaded/enabled by default in the EPEL-7 package.

Red Hat Security Advisory 2015-0888-01

Red Hat Security Advisory 2015-0888-01 – Red Hat Enterprise Virtualization Manager 3.5.1 is now available. It was discovered that the permissions to allow or deny snapshot creation were ignored during live storage migration of a VM’s disk between storage domains. An attacker able to live migrate a disk between storage domains could use this flaw to cause a denial of service. It was discovered that a directory shared between the ovirt-engine-dwhd service and a plug-in used during the service’s startup had incorrect permissions. A local user could use this flaw to access files in this directory, which could potentially contain sensitive information.

Ubuntu Security Notice USN-2581-1

Ubuntu Security Notice 2581-1 – Tavis Ormandy discovered that NetworkManager incorrectly filtered paths when requested to read modem device contexts. A local attacker could possibly use this issue to bypass privileges and manipulate modem device configuration or read arbitrary files.

Banned From the Internet: The Life of an Ex-Hacker

Higinio Ochoa, a former hacker who went by the name “wOrmer” when online, talks about it on Reply All. He recounts how he got the ultimate punishment for his crime: “I’m not to touch any computer, smartphone or device that has internet connectivity. That would be against my rules.”

Just imagine how hard it would be not to be allowed to use the internet. It’s everywhere nowadays – you shop online, you chat with your friends and family online, you sometimes even have a job that requires you to be online all the time!

Ochoa is a programmer, which means he still works with computers. Not being allowed on the internet makes this job pretty weird though: he codes from his home in Austin, but in order to get his work to his boss, he has to actually print and mail it because he is – of course – not allowed to use an email program.

Find out more about how Ochoa lives without the net in the digital age in this article on Digg or listen to the Reply All podcast over here. He also talks about what he did to get arrested and his first computer experience.

The post Banned From the Internet: The Life of an Ex-Hacker appeared first on Avira Blog.

CVE-2015-1774

The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.