Severity Rating: Critical
Revision Note: V1.1 (February 28, 2014): Bulletin revised to announce a detection change in the 2900986 update for Windows 8.1 for 32-bit Systems, Windows 8.1 for x64-based Systems, Windows RT 8.1, and Windows Server 2012 R2. This is a detection change only. There were no changes to the update files. Customers who have already successfully updated their systems do not need to take any action.
Summary: This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. The vulnerability could allow remote code execution if a user views a specially crafted webpage with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CVE-2014-1912
Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string. (CVSS:7.5) (Last Update:2014-05-10)
CVE-2014-1878
Stack-based buffer overflow in the cmd_submitf function in cgi/cmd.c in Nagios Core, possibly 4.0.3rc1 and earlier, and Icinga before 1.8.6, 1.9 before 1.9.5, and 1.10 before 1.10.3 allows remote attackers to cause a denial of service (segmentation fault) via a long message to cmd.cgi. (CVSS:5.0) (Last Update:2014-02-28)
CVE-2014-0058 (jboss_enterprise_application_platform)
The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by reading the log files.
WatchGuard Technologies Launches Industry's First Enterprise-Level Unified Threat Management Security Solution Designed for Home and Small Offices
WatchGuard Technologies' Vice President of Sales Named One of CRN's 50 Most Influential Channel Chiefs
[BSA-093] Security Update for gnutls28
Andreas Metzler uploaded new packages for gnutls28 which fixed the following security problems:

CVE-2014-1959 / DSA 2866-1 / GNUTLS-SA-2014-1: Suman Jana reported that GnuTLS, deviating from the documented behavior, considers a version 1 intermediate certificate as a CA certificate by default.

For the testing distribution (jessie) and the unstable distribution (sid), this problem has been fixed in gnutls26/2.12.23-12 and gnutls28/3.2.11-1. For the stable distribution this problem has been fixed in gnutls26/2.12.20-8.
[BSA-092] Security Update for pidgin
intrigeri uploaded new packages for pidgin which fixed the following security problems:

CVE-2013-6477: Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future.

CVE-2013-6478: Pidgin could be crashed through overly wide tooltip windows.

CVE-2013-6479: Jacob Appelbaum discovered that a malicious server or a "man in the middle" could send a malformed HTTP header resulting in denial of service.

CVE-2013-6481: Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages.

CVE-2013-6482: Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages.

CVE-2013-6483: Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages.

CVE-2013-6484: It was discovered that incorrect error handling when reading the response from a STUN server
CVE-2014-0322 (internet_explorer)
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.