Posted by Asterisk Security Team on Apr 14
Asterisk Project Security Advisory – AST-2016-005
Product Asterisk
Summary TCP denial of service in PJProject
Nature of Advisory Crash/Denial of Service
Susceptibility Remote Unauthenticated Sessions
Severity Critical…
The Zero Day Initiative has publicly disclosed a pair of serious vulnerabilities in Apple QuickTime for Windows that will not be patched because Apple is deprecating the product.
Original release date: April 14, 2016
Microsoft Windows with Apple QuickTime installed
According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1]
All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1]
The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] [3]
Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.
Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime page. [4]
This product is provided subject to this Notification and this Privacy & Use policy.
The April 18th tax deadline is quickly approaching in the United States, and the Internal Revenue Service (IRS) is warning people that scammers are stepping up their game by impersonating IRS workers with fake phone calls and phishing emails.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0004
Synopsis: VMware product updates address a critical security issue in
the VMware Client Integration Plugin
Issue date: 2016-04-14
Updated on: 2016-04-14 (Initial Advisory)
CVE number: CVE-2016-2076
1. Summary
VMware vCenter Server, vCloud Director (vCD), vRealize Automation
(vRA) Identity Appliance, and the Client Integration Plugin (CIP)
updates address a critical security issue.
2. Relevant Releases
vCenter Server 6.0
vCenter Server 5.5 U3a, U3b, U3c
vCloud Director 5.5.5
vRealize Automation Identity Appliance 6.2.4
3. Problem Description
a. Critical VMware Client Integration Plugin incorrect session
handling
The VMware Client Integration Plugin does not handle session content
in a safe way. This may allow for a Man in the Middle attack or Web
session hijacking in case the user of the vSphere Web Client visits
a malicious Web site.
The vulnerability is present in versions of CIP that shipped with:
- vCenter Server 6.0 (any 6.0 version up to 6.0 U2)
- vCenter Server 5.5 U3a, U3b, U3c
- vCloud Director 5.5.5
- vRealize Automation Identity Appliance 6.2.4
In order to remediate the issue, both the server side (i.e. vCenter
Server, vCloud Director, and vRealize Automation Identity Appliance)
and the client side (i.e. CIP of the vSphere Web Client) will need
to be updated.
The steps to remediate the issue are as follows:
A) Install an updated version of:
- vCenter Server,
- vCloud Director,
- vRealize Automation Identity Appliance,
B) Subsequently update the Client Integration Plugin on the system
from which the vSphere Web Client is used.
Updating the plugin on vSphere and vRA Identity Appliance is
explained in VMware Knowledge Base article 2145066.
Updating the plugin on vCloud Director is initiated by a prompt
when connecting the vSphere Web Client to the updated version of
vCloud Director.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2076 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
====================== ============= ======= =============
vCenter Server 6.0 any 6.0 U2 *
vCenter Server 5.5 U3a - U3c any 5.5 U3d *
vCenter Server 5.1 any not affected
vCenter Server 5.0 any not affected
vCloud Director 8.0.x Windows not affected **
vCloud Director 5.6.x Windows not affected
vCloud Director 5.5.5 Windows 5.5.6 *
vRA Identity Appliance 7.x Linux not affected
vRA Identity Appliance 6.2.4 Linux 6.2.4.1 *
Client Integration see text Windows, see item B above
Plugin above Mac OS
* After installing the updated version, the Client Integration Plugin
will need to be updated on all systems from which the vSphere Web
Client is used to connect to vCenter Server, vCloud Director and
vRealize Automation Identity Manager.
** vCloud Director 8.0.0 did not ship with a vulnerable CIP version,
and vCloud Director 8.0.1 shipped with the updated version of the
CIP.
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
vCenter Server
--------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
http://pubs.vmware.com/Release_Notes/en/vsphere/55/vsphere-vcenter-server-5
5u3d-release-notes.html
vCloud Director
---------------
Downloads and Documentation:
https://www.vmware.com/go/download/vcloud-director
http://pubs.vmware.com/Release_Notes/en/vcd/556/rel_notes_vcloud_director_5
56.html
VMware vRealize Automation 6.2.4.1
----------------------------------
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_manage
ment/vmware_vrealize_automation/6_2
(select "Go to Downloads" and scroll down to "Security Update")
http://pubs.vmware.com/Release_Notes/en/vra/vrealize-automation-624-release
- -notes.html
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2076
VMware Knowledge Base article 2145066
kb.vmware.com/kb/2145066
- ------------------------------------------------------------------------
6. Change log
2016-04-14 VMSA-2016-0004
Initial security advisory in conjunction with the release of VMware
vSphere 5.5 U3d and vCloud Director 5.5.6 on 2016-04-14.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFXD+2rDEcm8Vbi9kMRAkavAJ9Jh0+7d46fu6t24ZTbfi+gZqNhNACfbiip
CTomNkThpHn4T6WPTz8LAuw=
=DZIG
-----END PGP SIGNATURE-----
Microsoft is suing the Department of Justice (DoJ) to protest the gag order that prevents technology companies from telling their customers when their cloud data is handed over to authorities.
In layman’s terms, the Electronic Communications Privacy Act (ECPA) allows the government to issue gag orders saying that the people or companies involved in a legal case cannot talk about the case or
[SECURITY] [DSA 3548-1] samba security update
[SECURITY] [DSA 3548-2] samba regression update
Django CMS v3.2.3 – Filter Bypass & Persistent Vulnerability
Mybb Cms (private.php Page) Denial Of Service Vulnerability