The Web Server component in TIBCO LogLogic Unity before 1.1.1 allows remote authenticated users to gain privileges, and consequently obtain sensitive information, via an HTTP request.
Monthly Archives: November 2015
CESA-2015:2078 Moderate CentOS 7 postgresql Security Update
CentOS Errata and Security Advisory 2015:2078 Moderate
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-2078.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
x86_64:
dac984ae0f6ec9bbb3fbf89ab18387c911ecd381d0d42502212090583a255fb0 postgresql-9.2.14-1.el7_1.i686.rpm
48c8a0de83c28f79cc1a85f1b6572560860563610721ee7700d7ada688d25b4e postgresql-9.2.14-1.el7_1.x86_64.rpm
da0f25e0fa38d0fc93d6b3817797b67ed1f5130e49c91477b19f27bde73770f7 postgresql-contrib-9.2.14-1.el7_1.x86_64.rpm
4ff2972830681f8b3878fb465c3b0eb93e315645eb5f8d32d19f04b983f563a6 postgresql-devel-9.2.14-1.el7_1.i686.rpm
eae197326a7ae78b9f633c718d0e7eb48f5ac3520fe5ff787ab07dfb9a23ab79 postgresql-devel-9.2.14-1.el7_1.x86_64.rpm
efd8026ec5026a22471688e0c19b2a53657c8d9a3333770829dbc12234c46e1c postgresql-docs-9.2.14-1.el7_1.x86_64.rpm
3897ca7ab0e9ed9df4c81c3e15da0ba069b74bd59c2e9743755e3654d8b3b712 postgresql-libs-9.2.14-1.el7_1.i686.rpm
4a409cfde77bc7b14f18a152e896ad3290aef94355a8c9ee993e9075b05160e9 postgresql-libs-9.2.14-1.el7_1.x86_64.rpm
89f5050225e4bc4ca162822ed0bdd16a0cf34f0b70fd0b2b3422a5850d37556d postgresql-plperl-9.2.14-1.el7_1.x86_64.rpm
35868c84234ab8afe3fdc05b181463f2161e2785fe0f55d21ec5368eb556c7a6 postgresql-plpython-9.2.14-1.el7_1.x86_64.rpm
2598a7f5e6b3d9fa1354fd373c039d7eec38e980b60af005a0051096d5e845a6 postgresql-pltcl-9.2.14-1.el7_1.x86_64.rpm
bd457b9b0838e97e8dc54e8d730ac75da3ab297623bebaae23ec249c9da32fb2 postgresql-server-9.2.14-1.el7_1.x86_64.rpm
59674923b6e61253f8442a75ad7b1b671af6d8f3d02fac54ee9d93402c357f0a postgresql-test-9.2.14-1.el7_1.x86_64.rpm
7e81ff716e88e95e0157c53a02d2050c4858cce6d8fd22ace50287f18c481789 postgresql-upgrade-9.2.14-1.el7_1.x86_64.rpm
Source:
7e684cc6556afa15a60582354c7a110461946416b70332fe09bbb499bd6f0aec postgresql-9.2.14-1.el7_1.src.rpm
CESA-2015:2086 Important CentOS 7 java-1.6.0-openjdk Security Update
CentOS Errata and Security Advisory 2015:2086 Important
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-2086.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
x86_64:
dbde32b3ea0f1870bd997de2978ae16c39b5702982e26641b1361e525d836a2a java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
8c10f117b441e78024068c7d8aebdbe23ed46a772e739c2ec6c8fc5a9bd19300 java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
b9cc50e5cc098bd8cdec6d2c57ed9957b84b17140b20c4dff86116a321fb5743 java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
d7555996e4355cfd7f42227a7dcbc82760cb92dd0387c0e8943a62d58a96a85c java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
242c990b1fb3bbbec7ae853077c9785752d1a11364241070004ed245a84fd564 java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm
Source:
5ca8bb4d945891ee068baac317351d7a571cf7dbf8e28f94fb1b2e2679580aeb java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.src.rpm
Encrypt – Moderately Critical – Weak Encryption – SA-CONTRIB-2015-166
- Advisory ID: DRUPAL-SA-CONTRIB-2015-166
- Project: Encrypt (third-party module)
- Version: 7.x
- Date: 2015-November-18
- Security risk: 11/25 (Moderately Critical) AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Default
- Vulnerability: Weak Encryption
Description
This module enables you to encrypt data within Drupal using a user-configurable encryption method and key provider.
The module did not sufficiently validate configurations and API usage, resulting in multiple potential weaknesses depending on how the module is used. The default encryption method could theoretically leak the key to an attacker who knows the plaintext of an encrypted value. This vulnerability is mitigated by the fact that an attacker would need access to the encrypted data, which is generally not possible without a breach of the database.
The default key provider uses the Drupal private key, so that key could potentially be leaked, which puts other elements of the site at risk. This vulnerability is mitigated by the fact that the Drupal private key can only be leaked when the default encryption method and the default key provider are used together. Users of the module are likely to employ a key of their own creation rather than the Drupal private key.
Another encryption method included with the module uses a cipher that can leak structural information about the plaintext. This vulnerability is mitigated by the fact that it only affects encryption of large quantities of data, such as files; data of shorter lengths would not be affected.
The default key created by the module is generated from an MD5 hash, which is not as strong as using truly random bytes.
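To make the three weaknesses above concrete, the following Python is an added illustration and not the Encrypt module's code. The advisory does not name the ciphers involved, so it assumes stand-ins: a repeating-key XOR cipher for the default method (one known plaintext recovers the key), a mode that transforms each 16-byte block independently, built on HMAC-SHA256, for the method that leaks plaintext structure, and an MD5 hex digest compared with CSPRNG bytes for the generated key. Every key and plaintext is a constructed sample value.

```python
"""Stand-in constructions illustrating the Drupal Encrypt advisory (added
example; not the module's algorithms, which the advisory does not name)."""
import hashlib
import hmac
import math
import os

# 1. Known-plaintext key recovery. Assumption: each plaintext byte is combined
#    with key[i % len(key)]. One known plaintext at least as long as the key
#    yields the key byte-for-byte. With addition mod 256 instead of XOR the
#    attack is the same: key[i] = (ct[i] - pt[i]) % 256.
def repeating_key_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the same key is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(known_plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """Recover a repeating key from a single known plaintext/ciphertext pair."""
    if min(len(known_plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(ciphertext[i] ^ known_plaintext[i] for i in range(key_len))

# 2. Structural leakage. The keyed block transform (HMAC-SHA256 truncated to
#    one block) is one-way, which is fine here: the point is that equal
#    plaintext blocks give equal ciphertext blocks when blocks are independent.
BLOCK = 16

def _block_transform(key: bytes, block: bytes) -> bytes:
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_like(key: bytes, plaintext: bytes) -> bytes:
    """Blocks transformed independently: repeated plaintext stays visible."""
    data = _pkcs7_pad(plaintext)
    return b"".join(_block_transform(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_like(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Each block is XORed with the previous output before the transform, so
    repeated plaintext blocks no longer repeat. Returns iv || ciphertext."""
    data = _pkcs7_pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        chained = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = _block_transform(key, chained)
        out.append(prev)
    return iv + b"".join(out)

def duplicate_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks repeat an earlier block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))

# 3. Key generation. An MD5 hex digest is 32 hex characters, so at most 128
#    bits of entropy (and only if the hashed input had that much); 32 bytes
#    from the OS CSPRNG can carry 256.
def md5_derived_key(seed: bytes) -> str:
    return hashlib.md5(seed).hexdigest()

def random_key(nbytes: int = 32) -> bytes:
    return os.urandom(nbytes)

def max_entropy_bits(key) -> float:
    """Upper bound on a key's entropy from its length and alphabet."""
    if isinstance(key, str):
        alphabet = 16 if all(c in "0123456789abcdef" for c in key) else 256
        return len(key) * math.log2(alphabet)
    return len(key) * 8.0

if __name__ == "__main__":
    key = b"s3cr3tkey"                 # constructed sample key
    known = b"user@example.com"        # constructed known plaintext
    print("recovered key:", recover_key(known, repeating_key_xor(key, known), len(key)))
    k = os.urandom(16)
    print("ECB-like duplicate blocks:", duplicate_blocks(ecb_like(k, b"A" * 64)))
    print("CBC-like duplicate blocks:",
          duplicate_blocks(cbc_like(k, os.urandom(16), b"A" * 64)[BLOCK:]))
    print("md5-hex key bits <=", max_entropy_bits(md5_derived_key(b"seed")),
          "| random key bits <=", max_entropy_bits(random_key()))
```

The key-recovery function needs just one known plaintext at least as long as the key, which is why the advisory's mitigation rests entirely on the attacker not having the ciphertext. The duplicate-block count is the same signal to look for in any ciphertext produced by a block-independent mode; chaining removes it, and a proper authenticated mode (for example AES-GCM, which this stand-in does not implement) is what a fixed configuration should use.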
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Encrypt 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Encrypt module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Encrypt module for Drupal 7.x, upgrade to Encrypt 7.x-2.2
Once installed, review your settings and change them to use a key provider and encryption method that are not deprecated. If data was encrypted with a deprecated key provider or encryption method, you should also re-encrypt all of that data.
Also see the Encrypt project page.
Reported by
- Heine Deelstra of the Drupal Security Team
Fixed by
- Rick Hawkins the module maintainer
- Greg Knaddison of the Drupal Security Team
- Heine Deelstra of the Drupal Security Team
- Chad DeGroot
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
CESA-2015:2086 Important CentOS 5 java-1.6.0-openjdk Security Update
CentOS Errata and Security Advisory 2015:2086 Important
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-2086.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
i386:
aa99f34b3c368695046b073a2065735f41b443f5014998662141472784808fc8 java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11.i386.rpm
22a5e9945db46cbc09e28e944037f97e08ada786a29633fc0749c473bf27a75e java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11.i386.rpm
1c74dc66b90779a55849b0f2857c99ed7c44d0e4071bfd0afec944d85df32e2b java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11.i386.rpm
6fdbd6c9f8cf75a2e59755291275d4dd649ae80a723389495e5174eab93cdf20 java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11.i386.rpm
9cb01c62fa3a3c13e33a88fe3e121d9e0509a3fe1aadf1b13a45067046eecf4e java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11.i386.rpm
x86_64:
647faf2b65173da2df9cb57b1fc4c55605474eb675b8695551d6ea51f695213c java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
1e99cb89adbd0b8331adbef47eab6911df5fb042481c004dc9e55978c828acf0 java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
df9c09dc2debaf5315d92f63a2516ba59f1b1a21cf9b8c1817beaa3b76f2f700 java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
e85105b2fe6f41629828fcae5f78bc62bd3b4d4b3e41a27f06c333799c3e74cf java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
3a46d303cfaff3b86d43d157a039181542895f45d109c77bd0f81540f69a75e0 java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el5_11.x86_64.rpm
Source:
02ad1a69ec9a3b1832ec47ff1c4f13fcb54d45f55bf5d9907b6a582888b71bb8 java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el5_11.src.rpm
Carnegie Mellon Says It Was Subpoenaed-And Not Paid-For Research On Breaking Tor
Carnegie Mellon University implied in a statement that it received a subpoena requesting its research on breaking Tor hidden services, and also implied it was not paid $1 million for the work as alleged by the Tor Project.
CESA-2015:2086 Important CentOS 6 java-1.6.0-openjdk Security Update
CentOS Errata and Security Advisory 2015:2086 Important
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-2086.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
i386:
e8af0bccd304323e1aa843eb766e70c14e41f10d37f36a10a119a2e5a0a29d99 java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.i686.rpm
1d5d0435df46b38dd76625bf74d399130fc880d253cce65cc56af02ae95369f6 java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7.i686.rpm
a1fb61dd21d3c39e76dd4b586616a0eb9f0e7385f4ffc0646b64caab8e39e023 java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7.i686.rpm
e6ef8834495a00342c6795c6350e481121ec1679a11faf111974a8e1cfb513e9 java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7.i686.rpm
8746d8d277b92216022f72bde731eb208376ef80189ff9b537b39818af6191a4 java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7.i686.rpm
x86_64:
5aa22726ce93be62ff0833e0ff0a2258dd44b36968f9787c106ce7abac9de92b java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
5fa7345e069a5d00c0257e1559ec8fe97a2f828306d5538a22c773f800c07181 java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
ed681b21bbcb93543dffc3f82ed8bd93226ad1cdd640d4300c3656630664bce6 java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
c83158d7a0c733b44279ccb95a66a87c137441e1a47c55be94d057e667289a23 java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
a248aefa9bc1c02541ff465f6eb6f98a32072b6fef348adcdf924fd051d06151 java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el6_7.x86_64.rpm
Source:
5d935ad8df489bd9c6dcf51e5fa0cdb2eda17face6eccce30cccf8fbfd0312f3 java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el6_7.src.rpm
CESA-2015:2081 Moderate CentOS 6 postgresql Security Update
CentOS Errata and Security Advisory 2015:2081 Moderate
Upstream details at: https://rhn.redhat.com/errata/RHSA-2015-2081.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
i386:
0e97fe4a73fd3e52d253aa01a78d4a2c75e57415e62a2468dc8639352016e817 postgresql-8.4.20-4.el6_7.i686.rpm
54877c2fedcbdd30cc66941d449dc70077fc886fcac53e3d589e764452171354 postgresql-contrib-8.4.20-4.el6_7.i686.rpm
23992e58740882150065ac43e544b4f8aa53a942b9393e354faa7bf20411b4b4 postgresql-devel-8.4.20-4.el6_7.i686.rpm
a4fc45d81815c93da5d5a3948eaba1f598937a0e6b80a7ced9de1958daa66158 postgresql-docs-8.4.20-4.el6_7.i686.rpm
217f335cc844426b53558859ae65f7e45b96e02ea2e3b267288f9404bbba9fd4 postgresql-libs-8.4.20-4.el6_7.i686.rpm
6e7534efb6c9eb1db98ec1e1e581a351cee2733f7d641decb390f6f60d448099 postgresql-plperl-8.4.20-4.el6_7.i686.rpm
cc50decba345bf784b9821edb1c8f1921a708a4d9440f444ece54383c2bf005b postgresql-plpython-8.4.20-4.el6_7.i686.rpm
b1d88b3f571a551d5438f3f397ecf79a1bbf45df822019160db4f22776e6a91e postgresql-pltcl-8.4.20-4.el6_7.i686.rpm
65e5d758024188f6ba096bc1c96754f45d6ce98944beddb9ecfa087dad9bf55f postgresql-server-8.4.20-4.el6_7.i686.rpm
9b4ddd7a4cf4ff7c24e91be92fa8062092e19672f3fb939817abd7d770eb9baa postgresql-test-8.4.20-4.el6_7.i686.rpm
x86_64:
0e97fe4a73fd3e52d253aa01a78d4a2c75e57415e62a2468dc8639352016e817 postgresql-8.4.20-4.el6_7.i686.rpm
2cf6ecc14534ef1bb553da2743b1a2b7679ad6e076dd2301d241833c8288e02c postgresql-8.4.20-4.el6_7.x86_64.rpm
0cebe83b0f5f91d5055eec015539904d9d6c5c6e4a41848f0f39ddfebf54a082 postgresql-contrib-8.4.20-4.el6_7.x86_64.rpm
23992e58740882150065ac43e544b4f8aa53a942b9393e354faa7bf20411b4b4 postgresql-devel-8.4.20-4.el6_7.i686.rpm
f02d225b9769f8a69c9a38bdc360e92b96d37b37db2c372ca020d597dea19dae postgresql-devel-8.4.20-4.el6_7.x86_64.rpm
b001349770fb86984191de0d8a90d30d41dab95ca1467d8e31ef067cefd050b8 postgresql-docs-8.4.20-4.el6_7.x86_64.rpm
217f335cc844426b53558859ae65f7e45b96e02ea2e3b267288f9404bbba9fd4 postgresql-libs-8.4.20-4.el6_7.i686.rpm
252e3df351f8007191831d1c40b13e868811672d11c40a81fac17e3d213be926 postgresql-libs-8.4.20-4.el6_7.x86_64.rpm
54c0316956e115eb0c41c445a211675cff32f2628575765b368de7a735119350 postgresql-plperl-8.4.20-4.el6_7.x86_64.rpm
60e79f2a2d21dd3d8d8e1714ca063ecd5a2a302db824f9a735006c700bc351e7 postgresql-plpython-8.4.20-4.el6_7.x86_64.rpm
ba395b85bb86749ddb58b1e43509412c684d0b18c7fe41052874073dafc926de postgresql-pltcl-8.4.20-4.el6_7.x86_64.rpm
d189c260a6280f771eeed522750d4f7928fad095293fdd287f29b4dd2e8f6871 postgresql-server-8.4.20-4.el6_7.x86_64.rpm
77309a9e212b2f424990eae82510308ea036d9a40040162068be8b4f0a66a597 postgresql-test-8.4.20-4.el6_7.x86_64.rpm
Source:
b0eb57695234f5cc6f2ab2df3eef661726f065926a303cfa0278cc003ab24ed2 postgresql-8.4.20-4.el6_7.src.rpm
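The CESA posts on this page publish their file lists as one flattened run of "( sha256sum Filename )" sections. The following Python is an added example, not CentOS tooling: it parses that layout into (section, digest, filename) entries and checks downloaded RPMs against it. The parser assumes the shape seen above (sections labelled i386:, x86_64: or Source:, each a run of 64-hex-digit digest and .rpm name pairs); the SAMPLE_LISTING is quoted from the CESA-2015:2086 CentOS 7 post above, while the package names and file contents in demo() are constructed and hypothetical.

```python
"""Parse a flattened CentOS advisory checksum listing and verify local RPMs
(added example; not CentOS's own tooling)."""
import hashlib
import os
import re
import tempfile

# Quoted from the CESA-2015:2086 CentOS 7 post on this page.
SAMPLE_LISTING = (
    "The following updated files have been uploaded and are currently syncing "
    "to the mirrors: ( sha256sum Filename ) x86_64: "
    "dbde32b3ea0f1870bd997de2978ae16c39b5702982e26641b1361e525d836a2a "
    "java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm "
    "8c10f117b441e78024068c7d8aebdbe23ed46a772e739c2ec6c8fc5a9bd19300 "
    "java-1.6.0-openjdk-demo-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm "
    "b9cc50e5cc098bd8cdec6d2c57ed9957b84b17140b20c4dff86116a321fb5743 "
    "java-1.6.0-openjdk-devel-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm "
    "d7555996e4355cfd7f42227a7dcbc82760cb92dd0387c0e8943a62d58a96a85c "
    "java-1.6.0-openjdk-javadoc-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm "
    "242c990b1fb3bbbec7ae853077c9785752d1a11364241070004ed245a84fd564 "
    "java-1.6.0-openjdk-src-1.6.0.37-1.13.9.4.el7_1.x86_64.rpm Source: "
    "5ca8bb4d945891ee068baac317351d7a571cf7dbf8e28f94fb1b2e2679580aeb "
    "java-1.6.0-openjdk-1.6.0.37-1.13.9.4.el7_1.src.rpm"
)

_SECTION_RE = re.compile(r"\b(i386|x86_64|Source):")
_ENTRY_RE = re.compile(r"\b([0-9a-f]{64})\s+(\S+\.rpm)\b")

def parse_listing(text):
    """Return (section, sha256, filename) triples in listing order."""
    parts = _SECTION_RE.split(text)  # [preamble, label, body, label, body, ...]
    entries = []
    for label, body in zip(parts[1::2], parts[2::2]):
        for digest, name in _ENTRY_RE.findall(body):
            entries.append((label, digest, name))
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_directory(listing_text, directory, sections=("x86_64",)):
    """Compare every listed file in the chosen sections with the copy in
    `directory`. Returns {filename: "ok" | "MISMATCH" | "missing"}; files the
    listing does not mention are ignored."""
    results = {}
    for section, expected, name in parse_listing(listing_text):
        if section not in sections:
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    """Run against constructed files with hypothetical package names: one
    intact download, one altered, one never fetched."""
    good = b"constructed payload standing in for a real RPM\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "pkg-1.0-1.el7.x86_64.rpm"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "pkg-devel-1.0-1.el7.x86_64.rpm"), "wb") as f:
            f.write(b"tampered or truncated download\n")
        listing = (
            "( sha256sum Filename ) x86_64: "
            + hashlib.sha256(good).hexdigest() + " pkg-1.0-1.el7.x86_64.rpm "
            + "0" * 64 + " pkg-devel-1.0-1.el7.x86_64.rpm "
            + "1" * 64 + " pkg-libs-1.0-1.el7.x86_64.rpm "
            + "Source: " + "2" * 64 + " pkg-1.0-1.el7.src.rpm"
        )
        return parse_listing(listing), verify_directory(listing, d)

if __name__ == "__main__":
    for entry in parse_listing(SAMPLE_LISTING):
        print(*entry)
    print(demo()[1])
```

A matching digest only proves the file equals what the mirror listing describes; authenticity still comes from the package signature, which `rpm --checksig <file>.rpm` verifies against the imported CentOS GPG key. Any MISMATCH should be treated as a bad download (or a stale mirror) and refetched rather than installed.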
Bugtraq: WordPress Users Ultra Plugin [Unrestricted File Upload]
Bugtraq: [security bulletin] HPSBGN03521 rev.1 – HP Operations Orchestration Central, Cross-Site Request Forgery (CSRF)