Category Archives: Full Disclosure

AST-2016-007: UPDATE

Posted by Asterisk Security Team on Oct 25

On September 8, the Asterisk development team released the AST-2016-007
security advisory. The security advisory involved an RTP resource
exhaustion that could be targeted due to a flaw in the “allowoverlap”
option of chan_sip. Due to new information presented to us by Walter
Doekes, we have made the following updates to the advisory.

In the “Description” section, the following text has been added:

UPDATE (20 October,…

daloRADIUS 0.9-9 – Multiple vulnerabilities leading to arbitrary shell execution

Posted by fwagglechop on Oct 24

I know ancient PHP apps is kinda cheating, but there are people running this…

Abstract
--------

“daloRADIUS is an advanced RADIUS web management application aimed at
managing hotspots and general-purpose ISP deployments. It features
user management, graphical reporting, accounting, a billing engine and
integrates with GoogleMaps for geo-locating.”[1]

While auditing this software for a business we found multiple
potential security…

APPLE-SA-2016-10-24-5 watchOS 3.1

Posted by Apple Product Security on Oct 24

APPLE-SA-2016-10-24-5 watchOS 3.1

watchOS 3.1 is now available and addresses the following:

CoreGraphics
Available for: All Apple Watch models
Impact: Viewing a maliciously crafted JPEG file may lead to arbitrary
code execution
Description: A memory corruption issue was addressed through improved
memory handling.
CVE-2016-4673: Marco Grassi (@marcograss) of KeenLab (@keen_lab),
Tencent

FontParser
Available for: All Apple Watch models
Impact:…

APPLE-SA-2016-10-24-4 tvOS 10.0.1

Posted by Apple Product Security on Oct 24

APPLE-SA-2016-10-24-4 tvOS 10.0.1

tvOS 10.0.1 is now available and addresses the following:

CFNetwork Proxies
Available for: Apple TV (4th generation)
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: A phishing issue existed in the handling of proxy
credentials. This issue was addressed by removing unsolicited proxy
password authentication prompts.
CVE-2016-7579: Jerry Decime…

APPLE-SA-2016-10-24-3 Safari 10.0.1

Posted by Apple Product Security on Oct 24

APPLE-SA-2016-10-24-3 Safari 10.0.1

Safari 10.0.1 is now available and addresses the following:

WebKit
Available for: OS X Yosemite v10.10.5, OS X El Capitan v10.11.6,
and macOS Sierra 10.12
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed
through improved memory handling.
CVE-2016-4666: Apple

WebKit
Available for: OS X Yosemite v10.10.5, OS X…

APPLE-SA-2016-10-24-2 macOS Sierra 10.12.1

Posted by Apple Product Security on Oct 24

APPLE-SA-2016-10-24-2 macOS Sierra 10.12.1

macOS Sierra 10.12.1 is now available and addresses the following:

AppleGraphicsControl
Available for: OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed through improved
lock state checking.
CVE-2016-4662: Apple

AppleSMC
Available for: macOS Sierra 10.12
Impact: A…

APPLE-SA-2016-10-24-1 iOS 10.1

Posted by Apple Product Security on Oct 24

APPLE-SA-2016-10-24-1 iOS 10.1

iOS 10.1 is now available and addresses the following:

CFNetwork Proxies
Available for: iPhone 5 and later, iPad 4th generation and later,
iPod touch 6th generation and later
Impact: An attacker in a privileged network position may be able to
leak sensitive user information
Description: A phishing issue existed in the handling of proxy
credentials. This issue was addressed by removing unsolicited proxy
password…

Apple macOS 10.12.1/iOS 10 SecureTransport SSL handshake OCSP MiTM and DoS

Posted by [CXSEC] on Oct 24

Apple macOS 10.12.1/iOS 10 SecureTransport SSL handshake OCSP MiTM and DoS
Credit: Maksymilian Arciemowicz (https://cxsecurity.com/)
URL: https://cxsecurity.com/issue/WLB-2016100213

--- 0. Description ---

The latest macOS and iOS have a weak OCSP validation process which allows
an attacker to send OCSP requests (up to 200k) in the name of the victim
during a MiTM attack.

--- 1. MiTM and handshake OCSP verification ---
Apple’s SecureTransport trusts and…

Security Vulnerability : Cisco web site CSRF in change password lead to full account take over

Posted by mohamed sayed on Oct 24

Dear Team,

Hope this email finds you well. Please be informed that I found a major
security vulnerability in the main Cisco web site https://www.cisco.com/

*Introduction*

The vulnerability allows a remote hacker to force the victim's browser to send
a password reset for their account, and then the hacker will be able to take
ownership of this account.
----------------------

*Description and Steps To Reproduce the Issue*

1-Go to Main Cisco…