Monthly Archives: March 2016
Google Buffs Up Its Encryption Credentials With New Transparency Report
More than a Billion Snapdragon-based Android Phones Vulnerable to Hacking
More than a billion Android devices are at risk from a severe vulnerability in Qualcomm's Snapdragon chips that could be exploited by any malicious application to gain root access on the device.
Security experts at Trend Micro are warning Android users of some severe programming blunders in Qualcomm's kernel-level Snapdragon code that, if exploited, can be used by attackers for gaining root
Fast Autocomplete – Moderately Critical – DoS vulnerability – SA-CONTRIB-2016-016
- Advisory ID: DRUPAL-SA-CONTRIB-2016-016
- Project: Fast Autocomplete (third-party module)
- Version: 7.x
- Date: 2016-March-16
- Security risk: 12/25 (Moderately Critical) AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All
- Vulnerability: Denial of Service
Description
This module enables you to show IMDB-like suggestions when entering terms into an input field, using JSON files to "cache" suggestions so that the autocomplete is very fast.
The module does not sufficiently validate the incoming language parameter in the request path when one of its JSON files is requested. Any value supplied in that path segment results in a new folder being created in the public files directory where the module stores its JSON files. An attacker can exploit this to perform a denial-of-service attack by sending requests with many distinct language values, depleting the available inodes on the web server.
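The following is an added example, not code from the Fast Autocomplete module. It shows the class of bug the advisory describes: a request-path language segment used directly as a directory name under the public files directory, next to a hardened version that checks the value against an allowlist of enabled langcodes before it can touch the filesystem. The `fac_*` function names are hypothetical, and the enabled-langcode list is a constructed sample; in a Drupal 7 site the live list would come from `array_keys(language_list())`.

```php
<?php
// Added example (not the module's own code). Demonstrates unvalidated vs.
// allowlisted use of a request-path language segment as a path component.

// Constructed sample: langcodes the site has enabled. In Drupal 7 this would
// be array_keys(language_list()); hard-coded here so the file runs stand-alone.
$enabled_langcodes = array('en', 'nl', 'pt-br');

// Vulnerable pattern: whatever arrives in the path names a directory.
// Requests for 'x1', 'x2', 'x3', ... each create a fresh directory, so an
// attacker can exhaust inodes in the public files directory.
function fac_cache_dir_unsafe($base, $langcode) {
  return $base . '/' . $langcode;
}

// Hardened: the value must look like a langcode AND be one the site has
// enabled. Anything else is rejected before it is used as a path component.
function fac_validate_langcode($langcode, array $enabled) {
  if (!is_string($langcode)) {
    return FALSE;
  }
  // Shape check: 2-3 lowercase letters, optional region subtag (e.g. pt-br).
  if (!preg_match('/^[a-z]{2,3}(-[a-z0-9]{2,8})?$/', $langcode)) {
    return FALSE;
  }
  // Allowlist check, strict comparison so '0' or similar cannot slip through.
  return in_array($langcode, $enabled, TRUE);
}

// Returns the cache directory for a valid langcode, or NULL when the request
// should get a 404 and no directory may be created.
function fac_cache_dir_safe($base, $langcode, array $enabled) {
  if (!fac_validate_langcode($langcode, $enabled)) {
    return NULL;
  }
  return $base . '/' . $langcode;
}

// Constructed requests: legitimate langcodes plus the kind of values an
// attacker would send to create directories or escape the cache root.
$base = 'public://fac';
$requests = array(
  'en', 'nl', 'pt-br',          // enabled: served
  'EN', 'xx',                   // wrong case / not enabled: rejected
  '../../tmp', 'en' . chr(0),   // traversal / NUL byte: rejected by shape check
  str_repeat('a', 300),         // junk used for inode exhaustion: rejected
);
foreach ($requests as $req) {
  $dir = fac_cache_dir_safe($base, $req, $enabled_langcodes);
  printf("%-22s -> %s\n", json_encode($req),
         $dir === NULL ? 'rejected (404, no mkdir)' : $dir);
}
```

The allowlist is the important part: a shape check alone would still let an attacker create one directory per two-letter combination. The hardened handler should also only ever create directories for enabled langcodes during cache generation, never on demand from an incoming request.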
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Fast Autocomplete 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Fast Autocomplete module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Fast Autocomplete module for Drupal 7.x, upgrade to Fast Autocomplete 7.x-1.2
While version 7.x-1.1 is not vulnerable, it contains a major bug affecting functionality. Also see the Fast Autocomplete project page.
Reported by
Fixed by
- Harold Aling providing the patch
- Martijn van Wensen providing the patch
- Baris Wanschers reviewing/refining the patch
- Martijn Vermeulen the module maintainer
Coordinated by
- Pere Orga of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
CESA-2016:0459 Important CentOS 7 bind Security Update
CentOS Errata and Security Advisory 2016:0459 Important
Upstream details at: https://rhn.redhat.com/errata/RHSA-2016-0459.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
x86_64:
137b51b4db465e884e85a02862bb4324cb2c09e36645833526af773f66400111 bind-9.9.4-29.el7_2.3.x86_64.rpm
ad11b0805dc4914a6a1f941bbe7e7df05ca38ac8be38b352b4eb0bcfb1fa97ee bind-chroot-9.9.4-29.el7_2.3.x86_64.rpm
f3ab05dd382137f5d2734f8a8da29ea548487ad7a2b785c1c132522ae5f93de1 bind-devel-9.9.4-29.el7_2.3.i686.rpm
78face375361ca7d3329e5e54b518b052e92c8952f2212eed89abd161b875286 bind-devel-9.9.4-29.el7_2.3.x86_64.rpm
0c4961ac609e396387eec4168854ff1b32935f4155419b5c7d724951df348d9f bind-libs-9.9.4-29.el7_2.3.i686.rpm
babf3ef8173c0a14f80274a882f76f70bef8864ee7409fc5d267b2a02e135e2f bind-libs-9.9.4-29.el7_2.3.x86_64.rpm
de3477a4ccc3c55f89b7b9cb3c493ffd9edfde9a57329f7a9f07439d012e45fe bind-libs-lite-9.9.4-29.el7_2.3.i686.rpm
0df8e93382797ca9e1be51309f0cd8fc4eb0c5f46f415927275a24b8fe1a834b bind-libs-lite-9.9.4-29.el7_2.3.x86_64.rpm
f6601959c359db93b8a6a69759c22bb08797a392760ec27b8296d2bb739dba9f bind-license-9.9.4-29.el7_2.3.noarch.rpm
131a34fcc6265a0e5a31afeec0bdb8e589c3fdc1a965a1746d61234ffbea232e bind-lite-devel-9.9.4-29.el7_2.3.i686.rpm
fcdb776b789de02025e3484657327b4800a92e8707264d93a61bb57e4a1ad6d2 bind-lite-devel-9.9.4-29.el7_2.3.x86_64.rpm
d249990bdae9e1ca118b9e5f2cfa44b18fc8e70446cbf9f0c94ea827c36fd64e bind-pkcs11-9.9.4-29.el7_2.3.x86_64.rpm
7faa189d77dae6452816d7730ce80a4670011f1cab65890bdea5fd728162d8d4 bind-pkcs11-devel-9.9.4-29.el7_2.3.i686.rpm
1a384cf1fb2d08d5afc1a83243dc1f692d3036f37923df5511d312dab61d7d58 bind-pkcs11-devel-9.9.4-29.el7_2.3.x86_64.rpm
cb8b648e67093a13ff8f5136123075d00ba84f1cb15dcdb54f29d92b423c344b bind-pkcs11-libs-9.9.4-29.el7_2.3.i686.rpm
58e866f4d01d36e90a80a70d75ef66d782a529276b134741d6619c6e217db2b9 bind-pkcs11-libs-9.9.4-29.el7_2.3.x86_64.rpm
cc37699c9587edb1eed3f908abfb2cfbf3217c6885f5e86ed2361dbe278afabd bind-pkcs11-utils-9.9.4-29.el7_2.3.x86_64.rpm
3f578514afca458d225f8ae3c19b8a0c3c7658f94919eb45dd5835f5006652b4 bind-sdb-9.9.4-29.el7_2.3.x86_64.rpm
24591c4bad24906f632dabe0de509a6b87a8ffe5ae16d31072013655abe66b0e bind-sdb-chroot-9.9.4-29.el7_2.3.x86_64.rpm
9feb2f7fb778730f694343c030856a3585dfbe3d4bca300f6b4cd1ab53eefc1c bind-utils-9.9.4-29.el7_2.3.x86_64.rpm
Source:
eaff3e7cf4061acb9a123eb83c72b538ae94f6efd18dfa73beb77d8a81864179 bind-9.9.4-29.el7_2.3.src.rpm
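The advisory publishes one "sha256sum Filename" pair per package so that an administrator can confirm that what a mirror delivered is what CentOS uploaded. The script below is an added example, not part of the advisory or of CentOS tooling: it reads a manifest in exactly that layout and checks each file in a download directory against its listed digest. The function names are hypothetical, and the manifest and directory paths in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not CentOS tooling): verify downloaded RPMs against the
# "<sha256> <filename>" pairs listed in a CESA advisory before installing.

# Print the SHA-256 hex digest of a file; sha256sum on Linux, shasum elsewhere.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_one <expected-hex> <path>: 0 on match, 1 on mismatch or missing file.
verify_one() {
  expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  if [ ! -f "$2" ]; then
    echo "MISSING  $2" >&2
    return 1
  fi
  actual=$(sha256_of "$2")
  if [ "$actual" = "$expected" ]; then
    echo "OK       $2"
    return 0
  fi
  echo "MISMATCH $2 (got $actual, expected $expected)" >&2
  return 1
}

# verify_manifest <manifest> <dir>: one "<sha256> <filename>" per line, the
# same layout the advisory uses; blank lines and '#' comments are skipped.
# Exit status is the number of files that failed (0 means all matched).
verify_manifest() {
  fails=0
  while read -r sum name; do
    [ -n "$sum" ] || continue
    case "$sum" in '#'*) continue ;; esac
    verify_one "$sum" "$2/$name" || fails=$((fails + 1))
  done < "$1"
  return "$fails"
}

# Usage: sh verify-rpms.sh CESA-2016-0459.sums /path/to/downloaded/rpms
if [ $# -eq 2 ]; then
  verify_manifest "$1" "$2"
  exit $?
fi
```

A digest match proves the download is the file the advisory describes; it does not prove who built it. Run `rpm -K` (equivalently `rpm --checksig`) on the packages as well so the CentOS signing key is checked, and install through yum with `gpgcheck=1` enabled rather than with a bare `rpm -i`.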
Bugtraq: [slackware-security] git (SSA:2016-075-01)
Bugtraq: [slackware-security] seamonkey (SSA:2016-075-02)
Bugtraq: Reflected Cross-Site Scripting (XSS) Vulnerability in Litecart CMS
Bugtraq: [SECURITY] [DSA 3518-1] spip security update
Russia Rejects Google's Appeal and Orders It to Stop Pre-Installing Its Own Android Apps
Google has lost an anti-monopoly appeal in Russia against a ruling related to its Android mobile OS.
The Moscow Arbitration Court on Monday ruled that Google had abused its dominant position, using its free, open-source mobile platform Android to force its own apps and services, such as YouTube and Google Maps, on users and thereby reducing competition.
The
