Security fix for CVE-2016-8864
Monthly Archives: November 2016
bind99-9.9.9-2.P4.fc23
Security fix for CVE-2016-8864
Google to Red Flag ‘Repeat Offender’ Websites
Google’s Safe Browsing program expands to include “Repeat Offender” websites in blacklisting program.
bind-9.10.4-2.P4.fc23
Security fix for CVE-2016-8864
bind-9.10.4-2.P4.fc25
Security fix for CVE-2016-8864
Views Send – Moderately Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2016-061
- Advisory ID: DRUPAL-SA-CONTRIB-2016-061
- Project: Views Send (third-party module)
- Version: 7.x
- Date: 2016-November-09
- Security risk: 13/25 ( Moderately Critical) AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting
Description
The Views Send module enables you to send mail to multiple users from a View.
The module doesn’t sufficiently filter potential user-supplied data when previewing the e-mail which can lead to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “mass mailing with views_send”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Views Send 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Views Send module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Views Send module for Drupal 7.x, upgrade to Views Send 7.x-1.3
Also see the Views Send project page.
Reported by
Fixed by
- Hans Fredrik Nordhaug the module maintainer
Coordinated by
- David Snopek of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
Drupal version:
bind-9.10.4-2.P4.fc24
Security fix for CVE-2016-8864
Microsoft Patches Windows Zero-Day Flaw Disclosed by Google
Microsoft was very upset with Google last week when its Threat Analysis Group publically disclosed a critical Windows kernel vulnerability (CVE-2016-7255) that had yet to be patched.
The company criticized Google’s move, claiming that the disclosure of the vulnerability, which was being exploited in the wild, put its customers “at potential risk.”
<!– adsense –>
The vulnerability affects
PCMan FTP Server 2.0.7 LIST Buffer Overflow
PCMan FTP server version 2.0.7 LIST command buffer overflow exploit.
VBScript RegExpComp::PnodeParse out-of-bounds read details (MSIE 8-11, IIS, CScript.exe/WScript.exe)
Posted by Berend-Jan Wever on Nov 09
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I’ve not released before. This is the sixth
entry in that series.
The below information is available in more detail on my blog at
http://blog.skylined.nl/20161108001.html. There you can find a repro
that triggered this issue in addition to the information below.
Follow me on http://twitter.com/berendjanwever for daily browser bugs.
VBScript…