CentOS Errata and Security Advisory 2016:1138 Moderate
Upstream details at: https://rhn.redhat.com/errata/RHSA-2016-1138.html
The following updated files have been uploaded and are currently syncing to the mirrors: (sha256sum Filename)
i386:
e47c5002da71e2ae26beb75c5606d5014c2d9bd6c9e2372ab770a73af0194567 squid-3.1.23-16.el6_8.4.i686.rpm
x86_64:
d4a0380af389fc303e5db2764893651d0f8f320e22af7e240346e99379213a01 squid-3.1.23-16.el6_8.4.x86_64.rpm
Source:
17e493babcd6f109e5feb8087ebbc60e5d4c938cb8a071343e134204cedb4079 squid-3.1.23-16.el6_8.4.src.rpm
Monthly Archives: May 2016
Information Disclosure in "MMC directmail subscription" (mmc_directmail_subscription)
Release Date: May 31, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 0.9.6 and below
Vulnerability Type: Information Disclosure
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C
Problem Description: The extension discloses personal data of newsletter subscribers. Such data might be cached and indexed by search engines.
Solution: An updated version 0.9.7 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/mmc_directmail_subscription/0.9.7/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Loek Hilgersom who discovered the vulnerability.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Multiple vulnerabilities in extension "http:BL Blocking" (mh_httpbl)
Release Date: May 31, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: 1.1.7 and below
Vulnerability Type: SQL injection, Cross-Site Scripting
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:P/E:F/RL:O/RC:C
Problem Description: Failing to properly escape user input, the extension is susceptible to SQL Injection and Cross-Site Scripting. The SQL Injection vulnerability is exploitable only by users who have access to the backend module.
Solution: An updated version 1.1.8 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/mh_httpbl/1.1.8/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Thanks to Wouter van Dongen who discovered and reported the vulnerability.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
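The defect class named in this bulletin, user input pasted into a query and echoed back into HTML without output encoding, is shown below beside its hardened form. This is an added, generic illustration written for this page; it is not code from the mh_httpbl extension or from TYPO3, and the table, rows and the probe input are constructed. The fix does not depend on who can reach the backend module: bound parameters and context-aware escaping are what make the module safe.

```python
import html
import sqlite3

# Constructed table standing in for a backend module's list/filter query.
_SCHEMA = """
CREATE TABLE log (uid INTEGER PRIMARY KEY, ip TEXT, note TEXT);
INSERT INTO log (ip, note) VALUES
  ('198.51.100.7', 'blocked'),
  ('203.0.113.9', 'allowed'),
  ('192.0.2.44', 'blocked');
"""


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def unescaped_lookup(ip: str) -> list:
    """Vulnerable form: the filter value is interpolated into the SQL text,
    so the database cannot tell where the value ends and the query resumes."""
    conn = _db()
    return conn.execute(f"SELECT ip, note FROM log WHERE ip = '{ip}'").fetchall()


def parameterised_lookup(ip: str) -> list:
    """Hardened form: the value is bound by the driver and can only ever be
    compared against the ip column, whatever characters it contains."""
    conn = _db()
    return conn.execute("SELECT ip, note FROM log WHERE ip = ?", (ip,)).fetchall()


def render_cell(value: str) -> str:
    """Output encoding for an HTML element context before the value is
    written back into the module's page (the XSS half of the bulletin)."""
    return html.escape(value, quote=True)


def demo() -> dict:
    """Run both query forms on the same constructed input and report what
    each returns; the vulnerable form matches every row, the bound form none."""
    probe = "x' OR '1'='1"  # constructed input: data that is not an address
    return {
        "unescaped_rows": len(unescaped_lookup(probe)),
        "parameterised_rows": len(parameterised_lookup(probe)),
        "escaped_markup": render_cell("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point to take from the two row counts is that escaping the input string by hand is the fragile option; binding parameters removes the problem structurally, and the HTML encoding must be applied at output time in the context the value lands in, not at input time.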
Non-Persistent Cross-Site Scripting in extension "Static Methods since 2007" (div2007)
Release Date: May 31, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 1.6.8 and below
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C
Problem Description: Because the extension div2007 ships its own version of the class GeneralUtility, it is susceptible to Non-Persistent Cross-Site Scripting. Further information can be found in the TYPO3-CORE-SA-2015-009 advisory.
Solution: An updated version 1.6.9 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/div2007/1.6.9/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Stephan Großberndt who discovered and reported the vulnerability.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Information Disclosure in extension "Questionnaire" (ke_questionnaire)
Release Date: May 31, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 2.5.8 and below
Vulnerability Type: Information Disclosure
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:W/RL:W/RC:C
CVE: CVE-2014-3758
Problem Description: Files containing the answered questionnaires are stored in the "typo3temp" directory within the TYPO3 installation. Because the extension uses predictable names for the questionnaire answer files, it is easy to guess those file names and download the answers.
Solution: An updated version 3.0.14 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/ke_questionnaire/3.0.14/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Patrick Hof and Henri Salo who reported the vulnerability.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
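The two properties the bulletin above turns on are where the answer files live and how their names are chosen. The following added example (written for this page, not code from the ke_questionnaire extension or from TYPO3) shows a store that keeps such files outside the web root, names them from a CSPRNG so one name reveals nothing about the others, and serves them only through a strict allowlist and a path-confinement check. The directory, naming pattern and sample content are constructed.

```python
import os
import re
import secrets
import tempfile

# Constructed allowlist: the only file names the download path will ever
# serve. secrets.token_urlsafe(32) yields 43 url-safe base64 characters, so
# a valid name carries 256 bits of entropy and cannot be derived from any
# other name or from a record id.
_NAME_RE = re.compile(r"^answers_[A-Za-z0-9_-]{43}\.csv$")


def unguessable_name() -> str:
    """Build a file name from random bytes rather than from a counter or a
    database uid (the predictable scheme the bulletin describes)."""
    return f"answers_{secrets.token_urlsafe(32)}.csv"


def name_is_acceptable(name: str) -> bool:
    """Allowlist check: rejects sequential names and any path component."""
    return _NAME_RE.fullmatch(name) is not None


class AnswerStore:
    """Keeps answer files in a directory the web server does not publish and
    hands them out only through a validated, path-confined lookup."""

    def __init__(self, base_dir: str):
        # realpath once, so the confinement check below compares like with like
        self.base_dir = os.path.realpath(base_dir)

    def save(self, content: bytes) -> str:
        name = unguessable_name()
        # O_EXCL: never overwrite an existing file, even on a name collision.
        fd = os.open(
            os.path.join(self.base_dir, name),
            os.O_WRONLY | os.O_CREAT | os.O_EXCL,
            0o600,
        )
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        return name

    def read_for_download(self, name: str) -> bytes:
        if not name_is_acceptable(name):
            raise PermissionError("rejected file name")
        path = os.path.realpath(os.path.join(self.base_dir, name))
        # Second line of defence: the resolved path must stay inside base_dir.
        if os.path.dirname(path) != self.base_dir:
            raise PermissionError("path escapes the answer directory")
        with open(path, "rb") as f:
            return f.read()


def demo() -> dict:
    """Exercise the store with constructed data and report each check."""
    sample = b"question;answer\nq1;yes\n"  # constructed answer file content
    with tempfile.TemporaryDirectory() as tmp:
        store = AnswerStore(tmp)
        name = store.save(sample)
        return {
            "generated_name_accepted": name_is_acceptable(name),
            "sequential_name_rejected": not name_is_acceptable("answers_1.csv"),
            "traversal_rejected": not name_is_acceptable("../../index.php"),
            "roundtrip_ok": store.read_for_download(name) == sample,
            "two_names_differ": unguessable_name() != unguessable_name(),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

A random name on its own only raises the cost of guessing; the part that actually closes the disclosure is that the files are not reachable by URL at all, and that the handler which does serve them validates the requested name before touching the file system.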
SQL Injection in extension "Browser – TYPO3 without PHP" (browser)
Release Date: May 31, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 7.4.8 and below
Vulnerability Type: SQL Injection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:O/RC:C
Problem Description: The extension fails to properly sanitize user input and is vulnerable to SQL Injection. This vulnerability is only exploitable if the Development Reporting System (DRS) is enabled and any filter is used. DRS is disabled by default.
Solution: An updated version 7.5.0 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/browser/7.5.0/t3x/. Users of the extension are advised to update the extension as soon as possible.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.