Permissions by Term — Critical – Multiple vulnerabilities – SA-CONTRIB-2017-001

Description

The Permissions by Term module extends Drupal functionality by restricting access to single nodes via taxonomy terms. Taxonomy terms are part of the Drupal core functionality. Taxonomy term permissions can be coupled to specific user accounts and/or user roles.

Enabling the module unintentionally gives anonymous users access to all unpublished nodes.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Permissions by Term 8.x-1.x versions prior to 8.x-1.11.

Drupal core is not affected. If you do not use the contributed Permissions by Term module, there is nothing you need to do.

Solution

If you use the Permissions by Term module for Drupal 8.x, upgrade to Permissions by Term 8.x-1.11.

Also see the Permissions by Term project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

RHSA-2017:0014-1: Moderate: ghostscript security update

Red Hat Enterprise Linux: An update for ghostscript is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2013-5653, CVE-2016-7977, CVE-2016-7979, CVE-2016-8602

RHSA-2017:0013-1: Moderate: ghostscript security update

Red Hat Enterprise Linux: An update for ghostscript is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

CVE-2013-5653, CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2016-8602

USN-3163-1: NSS vulnerabilities

Ubuntu Security Notice USN-3163-1

4th January, 2017

nss vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 16.10
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in NSS.

Software description

  • nss
    – Network Security Service library

Details

It was discovered that NSS incorrectly handled certain invalid
Diffie-Hellman keys. A remote attacker could possibly use this flaw to
cause NSS to crash, resulting in a denial of service. This issue only
applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-5285)

Hubert Kario discovered that NSS incorrectly handled Diffie-Hellman client
key exchanges. A remote attacker could possibly use this flaw to perform a
small subgroup confinement attack and recover private keys. This issue only
applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2016-8635)
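A standard defence against small subgroup confinement is to validate the peer's Diffie-Hellman public value before using it. The following is an added example, not NSS code and not part of the Ubuntu notice; the toy group (p = 43, q = 7, g = 4) and all function names are constructed for illustration.

```python
# Added example: Diffie-Hellman public value validation (not NSS source code).
# Toy parameters, constructed for illustration only: p = 43, p - 1 = 2 * 3 * 7,
# and g = 4 generates the subgroup of prime order q = 7.
P, Q, G = 43, 7, 4


def validate_dh_public(y, p=P, q=Q):
    """Return (ok, reason) for a peer's DH public value y."""
    # Range check: rejects 0, 1 and p-1, whose powers are trivially predictable.
    if not isinstance(y, int) or not 2 <= y <= p - 2:
        return False, "out of range [2, p-2]"
    # Subgroup check: y must lie in the order-q subgroup generated by g.
    # Without it, a value of small order (here 6, order 3) passes the range check.
    if pow(y, q, p) != 1:
        return False, "not in the order-q subgroup"
    return True, "ok"


def reachable_secrets(y, p=P, q=Q):
    """All values y^x mod p can take for private exponents x in [1, q-1]."""
    return {pow(y, x, p) for x in range(1, q)}


def agree(private_x, peer_y, p=P, q=Q):
    """Compute the shared secret only after the peer value passes validation."""
    ok, reason = validate_dh_public(peer_y, p, q)
    if not ok:
        raise ValueError(f"rejecting peer public value: {reason}")
    return pow(peer_y, private_x, p)


if __name__ == "__main__":
    honest = pow(G, 3, P)  # well-formed public value for private exponent 3
    for y in (honest, 1, P - 1, 6):
        ok, reason = validate_dh_public(y)
        # A small-order value confines the shared secret to a handful of
        # candidates, which is what leaks information about the private key.
        print(f"y={y:2d} valid={ok!s:5} ({reason}); "
              f"possible secrets: {len(reachable_secrets(y))}")
```

With a safe prime (p = 2q + 1) the range check alone removes every small-order element; the explicit subgroup check matters for groups like the one above, where p - 1 has additional small factors.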

Franziskus Kiefer discovered that NSS incorrectly mitigated certain timing
side-channel attacks. A remote attacker could possibly use this flaw to
recover private keys. (CVE-2016-9074)

This update refreshes the NSS package to version 3.26.2 which includes
the latest CA certificate bundle.

Update instructions

The problem can be corrected by updating your system to the following
package version:

  • Ubuntu 16.10: libnss3 2:3.26.2-0ubuntu0.16.10.1
  • Ubuntu 16.04 LTS: libnss3 2:3.26.2-0ubuntu0.16.04.2
  • Ubuntu 14.04 LTS: libnss3 2:3.26.2-0ubuntu0.14.04.3
  • Ubuntu 12.04 LTS: libnss3 2:3.26.2-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References

CVE-2016-5285, CVE-2016-8635, CVE-2016-9074

Atlassian Confluence 5.9.12 Cross Site Scripting

Tempest Security Intelligence Advisory ADV-3/2016 – Atlassian Confluence version 5.9.12 is vulnerable to persistent cross-site scripting because it fails to securely validate user-controlled data, making it possible for an attacker to supply crafted input in order to harm users. The bug occurs on pages carrying attached files: although the attached file name parameter is correctly sanitized upon submission, an attacker can later edit the attached file name property and supply crafted data (i.e., HTML tags and script code) without any security checks being applied, resulting in an exploitable persistent cross-site scripting injection.

Red Hat Security Advisory 2017-0013-01

Red Hat Security Advisory 2017-0013-01 – The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: It was found that the ghostscript functions getenv, filenameforall and .libfile did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted PostScript document could read environment variables, list directories and retrieve file contents, respectively, from the target.

Red Hat Security Advisory 2017-0014-01

Red Hat Security Advisory 2017-0014-01 – The Ghostscript suite contains utilities for rendering PostScript and PDF documents. Ghostscript translates PostScript code to common bitmap formats so that the code can be displayed or printed. Security Fix: It was found that the ghostscript functions getenv, filenameforall and .libfile did not honor the -dSAFER option, usually used when processing untrusted documents, leading to information disclosure. A specially crafted PostScript document could read environment variables, list directories and retrieve file contents, respectively, from the target.

Ubuntu Security Notice USN-3163-1

Ubuntu Security Notice 3163-1 – It was discovered that NSS incorrectly handled certain invalid Diffie-Hellman keys. A remote attacker could possibly use this flaw to cause NSS to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Hubert Kario discovered that NSS incorrectly handled Diffie-Hellman client key exchanges. A remote attacker could possibly use this flaw to perform a small subgroup confinement attack and recover private keys. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Various other issues were also addressed.