Monthly Archives: May 2015
Securing Smart Cities: Leading Security Experts Join Forces to Make Modern Cities Safer
Securing Smart Cities: Leading Security Experts Join Forces to Make Modern Cities Safer
Fedora EPEL 6 Security Update: php-ZendFramework-1.12.13-1.el6
Resolved Bugs
1223763 – CVE-2015-3154 php-ZendFramework: php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability [epel-all]
1215712 – CVE-2015-3154 php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability<br
**Zend Framework 1.12.13**
* 567: Cast int and float to string when creating headers
**Zend Framework 1.12.12**
* 493: PHPUnit not being installed
* 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
* 513: Save time and space when cloning PHPUnit
* 515: !IE conditional comments bug
* 516: Zend_Locale does not honor parentLocale configuration
* 518: Run travis build also on PHP 7 builds
* 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress
* 536: Zend_Measure_Number convert some decimal numbers to roman with space char
* 537: Extend view renderer controller fix (#440)
* 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
* 541: Fixed errors in tests on PHP7
* 542: Correctly reset the sub-path when processing routes
* 545: Fixed path delimeters being stripped by chain routes affecting later routes
* 546: TravisCI: Skip memcache(d) on PHP 5.2
* 547: Session Validators throw ‘general’ Session Exception during Session start
* 550: Notice “Undefined index: browser_version”
* 557: doc: Zend Framework Dependencies table unreadable
* 559: Fixes a typo in Zend_Validate messages for SK
* 561: Zend_Date not expected year
* 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation
**Security**
* **ZF2015-04**: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.
Fedora EPEL 7 Security Update: ntfs-3g-2015.3.14-2.el7
Fedora EPEL 7 Security Update: ipsec-tools-0.8.2-1.el7
Resolved Bugs
1154906 – Please upgrade to ipsec-tools-0.8.2 to fix port 4500 vs 500 isakmp initiator issue
952413 – Enhancement request: Include support for Calling-Station-Id attribute for xauth RADIUS requests – PATCH
1223419 – CVE-2015-4047 ipsec-tools: NULL pointer dereference in racoon/gssapi.c
1223421 – ipsec-tools: NULL pointer dereference in racoon/gssapi.c [epel-7]<br
Upgraded to 0.8.2, fix for CVE-2015-4047, support for Calling-Station-Id
Fedora EPEL 7 Security Update: php-ZendFramework-1.12.13-1.el7
Resolved Bugs
1223763 – CVE-2015-3154 php-ZendFramework: php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability [epel-all]
1215712 – CVE-2015-3154 php-ZendFramework2: ZF2015-04: Potential header and mail injection vulnerability<br
**Zend Framework 1.12.13**
* 567: Cast int and float to string when creating headers
**Zend Framework 1.12.12**
* 493: PHPUnit not being installed
* 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
* 513: Save time and space when cloning PHPUnit
* 515: !IE conditional comments bug
* 516: Zend_Locale does not honor parentLocale configuration
* 518: Run travis build also on PHP 7 builds
* 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress
* 536: Zend_Measure_Number convert some decimal numbers to roman with space char
* 537: Extend view renderer controller fix (#440)
* 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
* 541: Fixed errors in tests on PHP7
* 542: Correctly reset the sub-path when processing routes
* 545: Fixed path delimeters being stripped by chain routes affecting later routes
* 546: TravisCI: Skip memcache(d) on PHP 5.2
* 547: Session Validators throw ‘general’ Session Exception during Session start
* 550: Notice “Undefined index: browser_version”
* 557: doc: Zend Framework Dependencies table unreadable
* 559: Fixes a typo in Zend_Validate messages for SK
* 561: Zend_Date not expected year
* 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation
**Security**
* **ZF2015-04**: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.
Fedora EPEL 6 Security Update: ntfs-3g-2015.3.14-2.el6
Is your “secret answer†hard to guess?
When it comes to recovering our account details, we are all familiar with questions such as “what is the name of your favorite sports team” or “what city were you born in”. Know the answer to this question and you’re well on your way to resetting a password and getting back into your account.
However, Google has just released a paper documenting its findings after analyzing the strength of hundreds of millions of secret questions and answers.
The findings led the search giant to conclude that “secret questions are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.”
The most obvious example of a weak secret question in action was the answer to “what is your favorite food”, giving hackers a 19.7% chance of cracking it in a single guess among English-speaking users.
On the other hand, just as with passwords, secure answers to secret questions are often very difficult to remember. One example of a strong secret answer was “what is your frequent flyer number” but that only had a recall rate of 22%.
So if easy to remember answers are too simple and secure answers are too difficult to remember, what should we do?
The most important recommendation that Google provided to adding extra security to the account recovery process was to add an SMS or secondary email address. Just like adding two-factor authentication for a password, including one of these two extra steps will help dramatically reduce the risk that an attacker could maliciously recover your account details.
For more information on Google’s report check out the infographic below:
Where is my phone? Avast Anti-Theft knows.
Giri got his stolen phone back because of Avast Anti-Theft
A stranger broke into Giri C’s house last September. The thief looked through Giri’s belongings for something of value. He found a MotoE Phone and grabbed it. Mobile phones are an easy target because the thief can just slip in a new SIM card and resell the phone on the black market.
What this thief didn’t know was that Giri had installed Avast Anti-Theft protection. Avast Anti-Theft allows you to set up your desktop account or use a friend’s phone to remotely locate your device, lock it, activate the remote siren, or wipe its data clean.
When the SIM card is changed without the right permissions, Anti-Theft recognizes it and notifies you of the new number and geo-location so you can maintain contact with your phone. You can also activate a loud, customizable siren, which screams at maximum volume if the thief tries to silence it.
Giri reported the robbery to the local Bangalore police, and after a few days he received a call saying that someone had turned the phone into the station.
”When I received the phone from the police,” Giri told us, “the phone was giving the SIREN sound that my mobile is stolen due to the settings I have configured. I understand that the person who had stolen it might have tried replacing the SIM but he was not able to do it as it has locked the phone and the weird sound frightened him.”
The siren continuously and loudly says the following, by default, when activated: “This device has been lost or stolen!”. In the advanced settings of Avast Mobile Security you can customize what message the siren will sound, if you do not want to use the pre-set message. You can do this under “Select Sound File” or “Record Siren Sound”.
“I feel I recovered my stolen mobile only because of AVAST,” said Giri. “I thank your company for such a wonderful and useful product.”
Giri added a tip for other Android phone owners:
“More than using just anti-virus, it’s better to use software with proper tracking available which will be useful to avoid misuse of the phone, as similar features are not available in Android.”
Avast Anti-Theft is available on Google Play, where it can be downloaded for free.
Share your story with Avast
Have you experienced an attack or breach of your home network? Had your phone lost and/or stolen? We’d like to hear from you about your experience and how Avast saved the day — write to us with your story at [email protected]. If we post it on our blog, then we will send you an Avast goodie box. 