Fedora 22 Security Update: dpkg-1.16.16-5.fc22

Resolved Bugs
1215287 – [Patch] Make dpkg-perl an arch-specific package
1210748 – CVE-2015-0840 dpkg: source package integrity verification bypass
1162166 – CVE-2014-8625 dpkg: format string vulnerability
1210749 – CVE-2015-0840 dpkg: source package integrity verification bypass [fedora-all]
1162168 – CVE-2014-8625 dpkg: format string vulnerability [fedora-all]
Fix build for all versions, previous try wasn’t correct and back with dpkg-perl-libexecdir.patch
Revert location of dpkg/parsechangelog. Security fix for CVE-2014-8625 and Security fix for CVE-2015-0840

WordPress 4.2 stored XSS

Posted by Jouko Pynnonen on Apr 26

*Overview*
Current versions of WordPress are vulnerable to a stored XSS. An
unauthenticated attacker can inject JavaScript in WordPress comments. The
script is triggered when the comment is viewed.

If triggered by a logged-in administrator, under default settings the
attacker can leverage the vulnerability to execute arbitrary code on the
server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s…

#WorldPenguinDay or this cant be right, can it?

Posted by PIN on Apr 26

TL;DR version:

/* really? can other people confirm this behavior pls?
*
* if the guess is off for you, by how many, and can you please
* indicate what compiler version and flags you used?
*
* ive tried with gcc 4.9.2 and 4.8.3 only on kernel 4.0.0 and glibc 2.20
* i suspect its going to be an issue with the loader and kernel and
sys_mmap.
*
* gcc -m64 -s -fpic -pie -o mmap mmap.c
*/

#include <stdio.h>
#include <stdlib.h>…

Surveillance system used for censorship in Europe – Censorship attack combines packet injection and Heartbleed

Posted by Doug on Apr 26

Published here to resist censorship.

Surveillance system used for censorship in Europe

Censorship attack combines packet injection and Heartbleed

We all know there is censorship online. It happens in China. It happens
to “terrorists”. But we don’t believe it will happen to us.

As Eben Moglen[1] and Kaspersky[2] have pointed out, companies developing
crypto are prime targets no matter where they are. So you don’t have
to…

Fedora EPEL 7 Security Update: dpkg-1.16.16-5.el7

Resolved Bugs
1149590 – Build dpkg for EPEL7
1092212 – CVE-2014-0471 dpkg: path traversal when unpacking a source package [epel-all]
1103026 – CVE-2014-3864 CVE-2014-3865 dpkg: multiple directory traversal flaws in dpkg-source
1162166 – CVE-2014-8625 dpkg: format string vulnerability
1210748 – CVE-2015-0840 dpkg: source package integrity verification bypass
1092210 – CVE-2014-0471 dpkg: path traversal when unpacking a source package
1103028 – CVE-2014-3865 CVE-2014-3864 dpkg: multiple directory traversal flaws in dpkg-source [epel-all]
1162169 – CVE-2014-8625 dpkg: format string vulnerability [epel-all]
1210750 – CVE-2015-0840 dpkg: source package integrity verification bypass [epel-all]
Fix build for all versions, previous try wasn’t correct and back with dpkg-perl-libexecdir.patch
Security update to 1.16.16

Fedora EPEL 6 Security Update: dpkg-1.16.16-5.el6

Resolved Bugs
1092212 – CVE-2014-0471 dpkg: path traversal when unpacking a source package [epel-all]
1162166 – CVE-2014-8625 dpkg: format string vulnerability
1092210 – CVE-2014-0471 dpkg: path traversal when unpacking a source package
1162169 – CVE-2014-8625 dpkg: format string vulnerability [epel-all]
1103026 – CVE-2014-3864 CVE-2014-3865 dpkg: multiple directory traversal flaws in dpkg-source
1210748 – CVE-2015-0840 dpkg: source package integrity verification bypass
1103028 – CVE-2014-3865 CVE-2014-3864 dpkg: multiple directory traversal flaws in dpkg-source [epel-all]
1210750 – CVE-2015-0840 dpkg: source package integrity verification bypass [epel-all]
Fix build for all versions, previous try wasn’t correct and back with dpkg-perl-libexecdir.patch
Security update to 1.16.16