Could a Hollywood hack come true? Will there be a U.S. Healthcare.gov data breach? Should you expect CryptoLocker clones?
WatchGuard Technologies' Top 8 Security Predictions for 2014
All posts by 007admin
CVE-2013-7127 (mac_os_x, safari)
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file.
CVE-2013-3140 (internet_explorer)
Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted CMarkup object, aka “Internet Explorer Use After Free Vulnerability.”
CVE-2013-5045 (internet_explorer)
Microsoft Internet Explorer 10 and 11 allows local users to bypass the Protected Mode protection mechanism, and consequently gain privileges, by leveraging the ability to execute sandboxed code, aka “Internet Explorer Elevation of Privilege Vulnerability.”
WatchGuard Technologies Named 'Best Next Gen Firewall Vendor'
Strong channel commitment in the Middle East Region drives award recognition
CVE-2013-7020 (debian_linux, ffmpeg)
The read_header function in libavcodec/ffv1dec.c in FFmpeg before 2.1 does not properly enforce certain bit-count and colorspace constraints, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted FFV1 data.
CVE-2013-6410 (debian_linux, nbd, ubuntu_linux)
nbd-server in Network Block Device (nbd) before 3.5 does not properly check IP addresses, which might allow remote attackers to bypass intended access restrictions via an IP address that has a partial match in the authfile configuration file.
UPDATED VMSA-2013-0007.1 VMware ESX third partyupdate for Service Console package sudo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2013-0007.1
Synopsis: VMware ESX third party update for Service Console package sudo
Issue date: 2013-05-30
Updated on: 2013-12-05
CVE number: CVE-2012-2337, CVE-2012-3440
- - -----------------------------------------------------------------------
1. Summary
VMware ESX third party update for Service Console package sudo
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201305001
3. Problem Description
a. Service Console update for sudo
The service console package sudo is updated to version
1.7.2p1-14.el5_8.3
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2337 and CVE-2012-3440 to the issues
addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMwareProductRunningReplace with/
ProductVersiononApply Patch
============================================
ESXianyESXinot affected
ESX4.1ESXESX410-201312401-SG
ESX4.0ESXESX400-201305402-SG
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi and ESX
--------------------------
http://www.vmware.com/patchmgr/download.portal
ESX 4.1
-------
File: ESX410-201312001.zip
Build: 1368001
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG
ESX 4.0
-------
File: ESX400-201305001.zip
Build: 1070634
md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
https://kb.vmware.com/kb/2044240
ESX400-201305001 contains ESX400-201305402-SG
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3440
- - -----------------------------------------------------------------------
6. Change log
2013-05-30 VMSA-2013-0007
Initial security advisory in conjunction with the release of ESX 4.0
patches on 2013-05-30.
2013-12-05 VMSA-2013-0007.1
Security advisory update in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- - -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUgMACgkQDEcm8Vbi9kOk1QCfSIni5b2S0/kH5GOrBijlsGIq
HgoAoJqxCyke7a/OO3aGzBXZaZLZeLa4
=8fBO
-----END PGP SIGNATURE-----
UPDATED VMSA-2013-0007.1 VMware ESX third partyupdate for Service Console package sudo
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2013-0007.1
Synopsis: VMware ESX third party update for Service Console package sudo
Issue date: 2013-05-30
Updated on: 2013-12-05
CVE number: CVE-2012-2337, CVE-2012-3440
- - -----------------------------------------------------------------------
1. Summary
VMware ESX third party update for Service Console package sudo
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
VMware ESX 4.0 without patch ESX400-201305001
3. Problem Description
a. Service Console update for sudo
The service console package sudo is updated to version
1.7.2p1-14.el5_8.3
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-2337 and CVE-2012-3440 to the issues
addressed in this update.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMwareProductRunningReplace with/
ProductVersiononApply Patch
============================================
ESXianyESXinot affected
ESX4.1ESXESX410-201312401-SG
ESX4.0ESXESX400-201305402-SG
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
ESXi and ESX
--------------------------
http://www.vmware.com/patchmgr/download.portal
ESX 4.1
-------
File: ESX410-201312001.zip
Build: 1368001
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG
ESX 4.0
-------
File: ESX400-201305001.zip
Build: 1070634
md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
https://kb.vmware.com/kb/2044240
ESX400-201305001 contains ESX400-201305402-SG
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2337
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3440
- - -----------------------------------------------------------------------
6. Change log
2013-05-30 VMSA-2013-0007
Initial security advisory in conjunction with the release of ESX 4.0
patches on 2013-05-30.
2013-12-05 VMSA-2013-0007.1
Security advisory update in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- - -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUgMACgkQDEcm8Vbi9kOk1QCfSIni5b2S0/kH5GOrBijlsGIq
HgoAoJqxCyke7a/OO3aGzBXZaZLZeLa4
=8fBO
-----END PGP SIGNATURE-----
NEW VMSA-2013-0015 VMware ESX updates to thirdparty libraries
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VMware Security Advisory
Advisory ID: VMSA-2013-0015
Synopsis: VMware ESX updates to third party libraries
Issue date: 2013-12-05
Updated on: 2013-12-05 (initial release)
CVE numbers: --- kernel (service console) ---
CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164,
CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237,
CVE-2013-2232
--- nss and nspr (service console) ---
CVE-2013-0791, CVE-2013-1620
- -------------------------------------------------------------------------
1. Summary
VMware has updated several third party libraries in ESX that address
multiple security vulnerabilities.
2. Relevant releases
VMware ESX 4.1 without patch ESX410-201312001
3. Problem Description
a. Update to ESX service console kernel
The ESX service console kernel is updated to resolve multiple
security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147,
CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234,
CVE-2013-2237, CVE-2013-2232 to these issues.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312401-SG
ESX 4.0 ESX patch pending
b. Update to ESX service console NSPR and NSS
This patch updates the ESX service console Netscape Portable
Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve
multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2013-0791 and CVE-2013-1620 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============== ======== ======= =================
ESXi any ESXi not applicable
ESX 4.1 ESX ESX410-201312403-SG
ESX 4.0 ESX patch pending
4. Solution
Please review the patch/release notes for your product and
version and verify the checksum of your downloaded file.
ESX 4.1
-------
File: ESX410-201312001.zip
md5sum: c35763a84db169dd0285442d4129cc18
sha1sum: ee8e1b8d2d383422ff0dde04749c5d89e77d8e40
http://kb.vmware.com/kb/2061209
ESX410-201312001 contains ESX410-201312401-SG and ESX410-201312403-SG.
5. References
--- kernel (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2232
--- NSPR and NSS (service console) ---
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620
- -------------------------------------------------------------------------
6. Change log
2013-12-05 VMSA-2013-0015
Initial security advisory in conjunction with the release of ESX 4.1
patches on 2013-12-05.
- -------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2013 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlKhUEEACgkQDEcm8Vbi9kMhDACfV3FNa6tlAK39I+nriVr462NJ
TtwAnRcl4PAICCPknirkUT804VlueHwZ
=cimI
-----END PGP SIGNATURE-----