Drupal has released updates to address multiple vulnerabilities. Exploitation of one of these vulnerabilities could allow a remote attacker to gain access to a system account, including an administrator’s.
Available updates include:
• Drupal core 6.36 for 6.x users
• Drupal core 7.38 for 7.x users
US-CERT encourages users and administrators to review Drupal’s Security Advisory and apply the necessary updates.
SQL injection vulnerability in the EQ Event Calendar component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to eqfullevent. (CVSS: 7.5) (Last update: 2015-06-19)
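The bug class behind that entry, as an added example that is not the EQ Event Calendar's code: a request parameter named id is concatenated into the query text, so whatever the client sends becomes SQL, beside the hardened form that validates the type and binds the value. The table, rows and the two handler names are constructed for illustration; only the shape of the mistake is taken from the advisory.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for an event table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO events VALUES (?, ?, ?)",
        [
            (1, "Public meetup", 1),
            (2, "Internal board meeting", 0),   # unpublished: must never be listed
            (3, "Open house", 1),
        ],
    )
    return conn


def fullevent_vulnerable(conn, id_param):
    """Vulnerable pattern: the raw request parameter is spliced into the SQL text.
    Whatever the attacker puts in ?id= is parsed as SQL, not as a number."""
    sql = "SELECT id, title FROM events WHERE published = 1 AND id = " + id_param
    return conn.execute(sql).fetchall()


def fullevent_fixed(conn, id_param):
    """Hardened form: reject anything that is not an integer, then bind the value.
    The driver sends it as data, so it can never change the statement's structure."""
    try:
        event_id = int(id_param)
    except (TypeError, ValueError):
        return []
    sql = "SELECT id, title FROM events WHERE published = 1 AND id = ?"
    return conn.execute(sql, (event_id,)).fetchall()


def demo():
    """Run both handlers against a benign id and two constructed attack payloads."""
    conn = build_db()
    # AND binds tighter than OR, so this becomes (published=1 AND id=0) OR 1=1
    # and the unpublished row leaks.
    tautology = "0 OR 1=1"
    # A compound query: attacker-chosen rows are appended to the result set.
    # (sqlite3's execute() refuses stacked statements, so UNION is the
    # portable way to show arbitrary SQL here.)
    union = "0 UNION SELECT 0, 'attacker controlled'"
    return {
        "benign": fullevent_vulnerable(conn, "1"),
        "tautology_vuln": fullevent_vulnerable(conn, tautology),
        "union_vuln": fullevent_vulnerable(conn, union),
        "tautology_fixed": fullevent_fixed(conn, tautology),
        "union_fixed": fullevent_fixed(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The fixed handler returns nothing for the attack inputs rather than a 400 error only to keep the example short; in a real component, rejecting a non-numeric id with an error is the better behaviour, and the type check is a convenience, not the defence: the bound parameter is what stops the injection.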
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, information leaks or data corruption.
HP Security Bulletin HPSBGN03350 – A potential security vulnerability has been identified with HP SiteScope. The vulnerability could be exploited remotely to allow disclosure of information. Note: This is the TLS vulnerability known as the RC4 cipher "Bar Mitzvah" vulnerability. Revision 1 of this advisory.
HP Security Bulletin HPSBGN03338 – A potential security vulnerability has been identified with HP Service Manager running SSLv3. The vulnerability could be exploited remotely to allow disclosure of information. Note: This is the RC4 cipher "Bar Mitzvah" vulnerability. The weakness is in the RC4 stream cipher itself, so it affects any SSL/TLS version that negotiates an RC4 suite; the remediation is to disable RC4 cipher suites (and SSLv3) rather than only raising the protocol version. Revision 1 of this advisory.
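For both HP bulletins the practical check is the same: does the endpoint still offer RC4 or SSLv3? The following is an added example, not HP's fix or configuration: a small audit helper that flags RC4 suites in a list of cipher names (the sample list is constructed to look like a scanner's output for an unpatched host), plus a client-side ssl.SSLContext built to the assumed policy "TLS 1.2 or newer, no RC4", verified by reading back the suites the context can actually negotiate. It needs Python 3.7+ with OpenSSL 1.1 or later for minimum_version.

```python
import ssl


def weak_suites(cipher_names):
    """Return the RC4 suites from an iterable of OpenSSL-style cipher names."""
    return [name for name in cipher_names if "RC4" in name.upper()]


def hardened_client_context():
    """Client context under the assumed policy: TLS >= 1.2, AEAD suites only,
    RC4/MD5/3DES explicitly excluded. create_default_context() already sets
    OP_NO_SSLv2 and OP_NO_SSLv3; the cipher string removes RC4 regardless of
    how the linked OpenSSL was built."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5:!3DES"
    )
    return ctx


def context_rc4_suites(ctx):
    """RC4 suites this context could still negotiate, read back from OpenSSL."""
    return weak_suites(c["name"] for c in ctx.get_ciphers())


def context_is_hardened(ctx):
    """True only if SSLv3 is disabled, TLS 1.2 is the floor and no RC4 remains."""
    no_sslv3 = bool(ctx.options & ssl.OP_NO_SSLv3)
    floor_ok = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    return no_sslv3 and floor_ok and not context_rc4_suites(ctx)


# Constructed sample: the kind of suite list a scanner reports for a host that
# still serves RC4 (not output from a real HP SiteScope or Service Manager).
SAMPLE_SCAN = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "RC4-SHA",
    "ECDHE-RSA-RC4-SHA",
    "AES256-SHA",
]


if __name__ == "__main__":
    print("RC4 suites in sample scan:", weak_suites(SAMPLE_SCAN))
    ctx = hardened_client_context()
    print("hardened context RC4 suites:", context_rc4_suites(ctx))
    print("hardened:", context_is_hardened(ctx))
```

Reading the negotiable suites back with get_ciphers() is the part worth keeping: a cipher string that merely omits RC4 can still admit it through an alias, whereas an explicit "!RC4" plus a post-check catches that.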
Red Hat Security Advisory 2015-1123-01 – CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. A string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle the ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded, which in turn allows the attacker to run arbitrary code in the CUPS server. A cross-site scripting flaw was found in the CUPS web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.