Cross-site scripting (XSS) vulnerability in CloudBees Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812.
Monthly Archives: October 2015
CVE-2015-1814
The API token-issuing service in CloudBees Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a “forced API token change” involving anonymous users.
CVE-2015-5742
VeeamVixProxy in Veeam Backup & Replication (B&R) before 8.0 update 3 stores local administrator credentials in log files with world-readable permissions, which allows local users to obtain sensitive information by reading the files.
CVE-2015-7377
Cross-site scripting (XSS) vulnerability in pie-register/pie-register.php in the Pie Register plugin before 2.0.19 for WordPress allows remote attackers to inject arbitrary web script or HTML via the invitaion_code parameter in a pie-register page to the default URI.
CVE-2015-7682
Multiple SQL injection vulnerabilities in pie-register/pie-register.php in the Pie Register plugin before 2.0.19 for WordPress allow remote administrators to execute arbitrary SQL commands via the (1) select_invitaion_code_bulk_option or (2) invi_del_id parameter in the pie-invitation-codes page to wp-admin/admin.php.
CVE-2015-7683
Absolute path traversal vulnerability in Font.php in the Font plugin before 7.5.1 for WordPress allows remote administrators to read arbitrary files via a full pathname in the url parameter to AjaxProxy.php.
CVE-2015-7856
OpenNMS has a default password of rtc for the rtc account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.
Update for centos-release-openstack
The CentOS Cloud SIG ( https://wiki.centos.org/SpecialInterestGroup/Cloud ) is releasing a new OpenStack metadata package called centos-release-openstack-kilo that replaces centos-release-openstack.

Metadata packages in CentOS are used to set up the repositories used by the package manager ( yum ) and the signing keys used to validate content installed from the corresponding repositories. The present metadata package, called centos-release-openstack, does not allow us to have multiple OpenStack versions available to users without adding many layers of complexity to the install and update process.

This new OpenStack metadata package ( centos-release-openstack-kilo ) effectively sets up the mechanics required for us to deliver OpenStack Liberty as an alternative to users who might prefer the newer codebase, once it's available. However, we would like to still support the users who have a Kilo install at the moment, and would like to run that as long as updates are available for Kilo itself. The Kilo to Liberty update process will require administrative actions; for details see "Upgrade Notes" in the upstream release notes: https://wiki.openstack.org/wiki/ReleaseNotes/Liberty

The metadata rpm for OpenStack Liberty will be called centos-release-openstack-liberty, and users will be able to install it once released. For more information on our progress with that effort, please join the Cloud SIG meetings that are held weekly on #centos-devel on irc.freenode.net, or join us on the centos-devel mailing list ( https://lists.centos.org/ ).

The updated metadata package, centos-release-openstack-kilo, is now available on all CentOS mirrors, and can be installed by running either 'yum update centos-release-openstack' or 'yum install centos-release-openstack-kilo'.

-- 
Karanbir Singh, Project Lead, The CentOS Project
+44-207-0999389 | http://www.centos.org/ | twitter.com/CentOS
GnuPG Key : http://www.karan.org/publickey.asc
Adobe Releases Security Updates for Flash Player
Original release date: October 16, 2015
Adobe has released security updates to address multiple vulnerabilities in Flash Player. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.
Users and administrators are encouraged to review Adobe Security Bulletin APSB15-27 and apply the necessary updates.
Apple Patches Productivity Software; Mozilla Updates Firefox with Security Fix
Apple and Mozilla on Thursday released patches, addressing vulnerabilities that put private user data at risk.