MS15-062 – Important: Vulnerability in Active Directory Federation Services Could Allow Elevation of Privilege (3062577) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (June 9, 2015): Bulletin published.
Summary: This security update resolves a vulnerability in Microsoft Active Directory Federation Services (AD FS). The vulnerability could allow elevation of privilege if an attacker submits a specially crafted URL to a target site that, due to the vulnerability, fails to properly sanitize script embedded in the URL. Once an attacker has successfully submitted specially crafted script to a target site, any webpage on that site that contains the specially crafted script is a potential vector for cross-site scripting attacks.

MS15-061 – Important: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057839) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (June 9, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS15-064 – Important: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3062157) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (June 9, 2015): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an instant messenger or email message that takes them to the attacker’s website, and then convince them to click the specially crafted URL.

AVG Signs Mobile Security Partnership with ZTE

AMSTERDAM – June 9, 2015 – AVG® Technologies N.V. (NYSE: AVG), the online security company™ for more than 200 million monthly active users, announced today a new global partnership with leading telecommunications equipment, networks and mobile devices company, ZTE, to become a provider of mobile security across its range of devices. From May 2015, ZTE smartphones and tablets come pre-installed with AVG’s flagship AVG AntiVirus PRO for Android™ app, giving ZTE customers the peace of mind that they have protection on their mobile devices.

“For many of us, our smartphones have become the primary device that we spend most time with, but ensuring mobile security can sometimes be an afterthought,” said Ms. Wang Xuemei, Business Manager at ZTE. “Our customers will be able to rely on our partnership with AVG to help take the worry out of connecting to their favorite websites, apps and using online services through their ZTE smartphones and tablets. We are committed to mobile security and strive to provide the best mobile experience possible to all of our users.”

Under the terms of the partnership, ZTE customers will receive a free, 60-day trial of the AVG AntiVirus PRO for Android™ app. After the trial, they can either choose to keep the enhanced features by purchasing the annual subscription or retain AVG AntiVirus FREE for Android™, which still ensures their smartphone or tablet will have core protection.

“There’s huge momentum in the adoption of mobile services in key emerging markets. The flipside of this growth is that it attracts attention – for example, we recently identified a new vulnerability in a popular app that could easily be exploited by hackers to become malicious,” said David Ferguson, Senior Vice President, Revenue & Business Operations, AVG Technologies. “As we focus on helping to secure people, devices, and data across the globe, this partnership will ensure that new and existing mobile users have peace of mind by being protected from the outset, whether simply enjoying their favorite games or using useful online tools for banking or shopping.”

USN-2628-1: strongSwan vulnerability

Ubuntu Security Notice USN-2628-1

8th June, 2015

strongswan vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

strongSwan could be made to expose sensitive information over the network.

Software description

  • strongswan – IPsec VPN solution

Details

Alexander E. Patrakov discovered that strongSwan incorrectly handled
certain IKEv2 setups. A malicious server could possibly use this issue to
obtain user credentials.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  strongswan-ike 5.1.2-0ubuntu5.2
Ubuntu 14.10:
  strongswan-ike 5.1.2-0ubuntu3.3
Ubuntu 14.04 LTS:
  strongswan-ike 5.1.2-0ubuntu2.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-4171