ProjectSend version r561 suffers from cross site request forgery, cross site scripting, and remote shell upload vulnerabilities.
Monthly Archives: April 2015
WordPress Exquisite Ultimate Newspaper 1.3.3 Cross Site Scripting
WordPress Exquisite Ultimate Newspaper theme version 1.3.3 suffers from a cross site scripting vulnerability.
Bugtraq: [ MDVSA-2015:211 ] glusterfs
[ MDVSA-2015:211 ] glusterfs
Bugtraq: Open-Xchange Security Advisory 2015-04-27
Open-Xchange Security Advisory 2015-04-27
Bugtraq: [ MDVSA-2015:212 ] java-1.7.0-openjdk
[ MDVSA-2015:212 ] java-1.7.0-openjdk
Bugtraq: [CORE-2015-0008] – InFocus IN3128HD Projector Multiple Vulnerabilities
[CORE-2015-0008] – InFocus IN3128HD Projector Multiple Vulnerabilities
WordPress Releases Security Update
Original release date: April 27, 2015
WordPress 4.2 and prior versions contain critical cross-site scripting vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected website.
Users and administrators are encouraged to review the WordPress Security Release and upgrade to WordPress 4.2.1.
This product is provided subject to this Notification and this Privacy & Use policy.
MDVSA-2015:212: java-1.7.0-openjdk
Updated java-1.7.0 packages fix security vulnerabilities:
An off-by-one flaw, leading to a buffer overflow, was found in the
font parsing code in the 2D component in OpenJDK. A specially crafted
font file could possibly cause the Java Virtual Machine to execute
arbitrary code, allowing an untrusted Java application or applet to
bypass Java sandbox restrictions (CVE-2015-0469).
A flaw was found in the way the Hotspot component in OpenJDK
handled phantom references. An untrusted Java application or applet
could use this flaw to corrupt the Java Virtual Machine memory and,
possibly, execute arbitrary code, bypassing Java sandbox restrictions
(CVE-2015-0460).
A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE
to raise an exception, possibly causing an application using JSSE to
exit unexpectedly (CVE-2015-0488).
A flaw was discovered in the Beans component in OpenJDK. An untrusted
Java application or applet could use this flaw to bypass certain Java
sandbox restrictions (CVE-2015-0477).
A directory traversal flaw was found in the way the jar tool extracted
JAR archive files. A specially crafted JAR archive could cause jar
to overwrite arbitrary files writable by the user running jar when
the archive was extracted (CVE-2005-1080, CVE-2015-0480).
It was found that the RSA implementation in the JCE component in
OpenJDK did not follow recommended practices for implementing RSA
signatures (CVE-2015-0478).
MDVSA-2015:211: glusterfs
Updated glusterfs packages fix security vulnerability:
glusterfs was vulnerable to a fragment header infinite loop denial
of service attack (CVE-2014-3619).
Also, the glusterfsd SysV init script was failing to properly start
the service. This was fixed by replacing it with systemd unit files
for the service that work properly (mga#14049).
MDVSA-2015:210: qemu
Updated qemu packages fix security vulnerabilities:
A denial of service flaw was found in the way QEMU handled malformed
Physical Region Descriptor Table (PRDT) data sent to the host’s IDE
and/or AHCI controller emulation. A privileged guest user could use
this flaw to crash the system (rhbz#1204919).
It was found that the QEMU’s websocket frame decoder processed incoming
frames without limiting resources used to process the header and the
payload. An attacker able to access a guest’s VNC console could use
this flaw to trigger a denial of service on the host by exhausting
all available memory and CPU (CVE-2015-1779).