Monthly Archives: July 2015
Patched Apple QuickTime Vulnerability Details Disclosed
Researchers at Cisco Talos released details on a use-after-free vulnerability in Apple QuickTime that could lead to remote code execution.
Fedora EPEL 6 Security Update: python-pip-7.1.0-1.el6
Resolved Bugs
1066692 – CVE-2013-5123 python-pip: insecure software download with mirroring support
1160136 – CVE-2013-5123 python-pip: insecure software download with mirroring support [epel-all]
1224999 – CVE-2013-7440 python: wildcard matching rules do not follow RFC 6125
1230954 – CVE-2013-7440 python-pip: python: wildcard matching rules do not follow RFC 6125 [epel-all]
Newest version of pip, which fixes a bunch of security issues and brings new features.
Fedora EPEL 7 Security Update: python-pip-7.1.0-1.el7
Resolved Bugs
1066692 – CVE-2013-5123 python-pip: insecure software download with mirroring support
1160136 – CVE-2013-5123 python-pip: insecure software download with mirroring support [epel-all]
1224999 – CVE-2013-7440 python: wildcard matching rules do not follow RFC 6125
1230954 – CVE-2013-7440 python-pip: python: wildcard matching rules do not follow RFC 6125 [epel-all]
Newest version of pip, which fixes a bunch of security issues and brings new features.
Fedora EPEL 6 Security Update: drupal7-feeds-2.0-0.12.alpha9.el6
Resolved Bugs
1232973 – drupal7-feeds-2.0-alpha9 is available
955516 – drupal7-feeds-2.0-alpha8 is available
– Update to 2.0-alpha9
– Release notes can be found at https://www.drupal.org/node/2507273
Fix slight problem with versioning
Update to upstream alpha8 release for bug fixes, see http://drupal.org/node/1978108 for list of fixed bugs
Eastern England councils in slew of data breach errors
A series of more than 160 data breaches have struck local authorities in Norfolk, Suffolk and Cambridgeshire over the past year, according to new reports.
The post Eastern England councils in slew of data breach errors appeared first on We Live Security.
Americans face Digital Amnesia as connected devices are increasingly trusted to recall memories
Frontend login Session Fixation
Component Type: TYPO3 CMS
Release Date: July 1, 2015
Vulnerable subcomponent: Frontend Logon
Vulnerability Type: Session Fixation
Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0
Severity: Low
Suggested CVSS v2.0: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE: not assigned yet
Problem Description: It has been discovered that TYPO3 is susceptible to session fixation. If a user authenticates while anonymous session data is present, the session id is not changed. This makes it possible for attackers to generate a valid session id, trick users into using this session id (e.g. by leveraging a different Cross-Site Scripting vulnerability) and then possibly gain access to an authenticated session.
Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.
Credits: Thanks to Helmut Hummel who discovered and reported the issue.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note: All security related code changes are tagged so that you can easily look them up on our review system.
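The mechanism behind the advisory above, and the fix it implies, shown as an added example (constructed here, not TYPO3 code). The in-memory `SessionStore` is a stand-in for a real session backend; `login_fixated` keeps the pre-login id, as the vulnerable versions did, while `login_regenerating` moves the session to a fresh id and invalidates the old one, which is what PHP's `session_regenerate_id(true)` does. `fixation_check` is a small test a defender can run against either implementation: it plants anonymous data in a session whose id is "known" before login and reports whether that id still resolves to an authenticated session afterwards.

```python
"""Session fixation: regenerate the session id when privilege changes.

Constructed example with an in-memory session store; not TYPO3 code.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    data: dict = field(default_factory=dict)
    user: Optional[str] = None


class SessionStore:
    """Minimal in-memory session store keyed by an opaque session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def start(self) -> str:
        """Create an anonymous session and return its id (the cookie value)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login_fixated(self, sid: str, user: str) -> str:
        """Vulnerable pattern: authenticate in place, keeping the pre-login id.

        Whoever knew the id before login now holds an authenticated session.
        """
        sess = self._sessions[sid]
        sess.user = user
        return sid

    def login_regenerating(self, sid: str, user: str) -> str:
        """Fixed pattern: on authentication, move the session to a fresh id
        and drop the old one, so a pre-login id is worthless afterwards
        (the equivalent of PHP's session_regenerate_id(true)).
        """
        old = self._sessions.pop(sid)  # invalidate the old id
        new_sid = secrets.token_urlsafe(32)
        # Carry the anonymous session data over so the user keeps their state.
        self._sessions[new_sid] = Session(data=dict(old.data), user=user)
        return new_sid


def fixation_check(login_method_name: str) -> dict:
    """Exercise one login implementation and report whether it is fixation-prone.

    Returns a dict with:
      id_changed            - login handed back a different session id
      old_id_authenticated  - the pre-login id still maps to an authenticated session
      data_preserved        - anonymous session data survived the login
    """
    store = SessionStore()
    known_sid = store.start()  # an id that could be known before login
    store.get(known_sid).data["cart"] = ["item-1"]  # anonymous data is present
    new_sid = getattr(store, login_method_name)(known_sid, "alice")
    leftover = store.get(known_sid)
    return {
        "id_changed": new_sid != known_sid,
        "old_id_authenticated": leftover is not None and leftover.user == "alice",
        "data_preserved": store.get(new_sid).data.get("cart") == ["item-1"],
    }


if __name__ == "__main__":
    for name in ("login_fixated", "login_regenerating"):
        print(name, fixation_check(name))
```

The property worth testing in any session layer is the second flag: after a successful login, the id the browser presented before authentication must no longer resolve to a session at all, while the user's pre-login state (here the "cart") follows them to the new id.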
Cross-Site Scripting in 3rd party library Flowplayer
Component Type: TYPO3 CMS
Release Date: July 1, 2015
Vulnerable subcomponent: Backend
Vulnerability Type: Cross-Site Scripting
Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
CVE: not assigned yet
Problem Description: It has been discovered that the version of the third-party Flash player Flowplayer that ships with TYPO3 is vulnerable to Cross-Site Scripting. No authentication is required to exploit this vulnerability.
Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.
Credits: Thanks to Wouter van Dongen who discovered and reported the issue.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note: All security related code changes are tagged so that you can easily look them up on our review system.
Information Disclosure possibility exploitable by Editors
Component Type: TYPO3 CMS
Release Date: July 1, 2015
Vulnerable subcomponent: Backend
Vulnerability Type: Information Disclosure
Affected Versions: Versions 6.2.0 to 6.2.13, 7.0.0 to 7.3.0
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:OF/RC:C
CVE: not assigned yet
Problem Description: It has been discovered that editors with access to the file list module could list all files and folders in the root directory of a TYPO3 installation. Modification of files or listing further nested directories was not possible.
Solution: Update to TYPO3 versions 6.2.14 or 7.3.1 that fix the problem described.
Credits: Thanks to Helmut Hummel who discovered and reported the issue.
General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.
General Note: All security related code changes are tagged so that you can easily look them up on our review system.