Multiple cross-site request forgery (CSRF) vulnerabilities in the GD Star Rating plugin 19.22 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct (1) SQL injection attacks via the s parameter in the gd-star-rating-stats page to wp-admin/admin.php or (2) cross-site scripting (XSS) attacks via unspecified vectors.
CVE-2014-2839
SQL injection vulnerability in the GD Star Rating plugin 19.22 for WordPress allows remote administrators to execute arbitrary SQL commands via the s parameter in the gd-star-rating-stats page to wp-admin/admin.php.
CVE-2014-6268
The evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors involving an uninitialized FIFO-based event channel control block when (1) binding or (2) moving an event to a different VCPU.
CEBA-2015:0026 CentOS 5 openssl BugFix Update
CentOS Errata and Bugfix Advisory 2015:0026. Upstream details at: https://rhn.redhat.com/errata/RHBA-2015-0026.html. The following updated files have been uploaded and are currently syncing to the mirrors (i386, x86_64 and source packages, listed with their sha256sums).
Certificate Transparency Moves Forward With First Independent Log
The Certificate Transparency scheme proposed by Google engineers has taken a couple of significant steps forward recently, with the approval of the first independent certificate log and the passing of a deadline for all extended validation certificates to be CT-compliant or lose the green indicator in Google Chrome. On Jan. 1, a CT log operated by […]
[ MDVA-2015:002 ] mariadb
Mandriva Linux Advisory MDVA-2015:002
http://www.mandriva.com/en/support/security/
Package: mariadb
Date: January 12, 2015
Affected: Business Server 1.0
Problem Description: This is a maintenance and bugfix release that upgrades MariaDB to the latest 5.5.41 version, which resolves various upstream bugs.
References: https://mariadb.com/kb/en/mariadb-5541-changelog/
Updated Packages: Mandriva Business Server 1/X86_64:
cb4243c231be6a9e3e75ec7203acfe74 mbs1/x86_64/lib64mariadb18-5.5.41-1.mbs1.x86_64.rpm
6f80a336dc7b0a4f60a64e6d977eaca0 mbs1/x86_64
Obama calls for 30 day data breach notification and greater student privacy
President Barack Obama is today to propose legislation that would ensure companies inform customers of any leaks within 30 days of a data breach, reports Physorg.
The post Obama calls for 30 day data breach notification and greater student privacy appeared first on We Live Security.
Update on Red Hat Enterprise Linux 6 and FIPS 140 validations
Red Hat achieved its latest successful FIPS 140 validation back in April 2013. Since then, a lot has happened. There have been well publicized attacks on cryptographic protocols, weaknesses in implementations, and changing government requirements. With all of these issues in play, we want to explain what we are doing about it.
One of the big changes was that we enabled support for Elliptic Curve Cryptography (ECC) and Elliptic Curve Diffie-Hellman (ECDH) in Red Hat Enterprise Linux to meet the National Institute of Standards and Technology’s (NIST’s) “Suite B” requirements taking effect this year. Because we added new ciphers, we knew we needed to re-certify. Re-certification brings many advantages to our government customers: they benefit from the new validation while maintaining coverage from our last FIPS 140 validation effort. Another advantage of re-certification is that the packages under evaluation have picked up fixes for BEAST, Lucky 13, Heartbleed, POODLE, and some lesser-known vulnerabilities around certificate validation. It should be noted that these attacks target higher-level protocols, not the crypto primitives that a FIPS validation covers. But knowing the fixes are in the packages under evaluation should give customers additional peace of mind.
The Red Hat Enterprise Linux 6 re-certification is now under way. It includes reworked packages to meet all the updated requirements that NIST has put forth taking effect Jan. 1, 2014, such as a new Deterministic Random Bit Generator (DRBG) as specified in SP 800-90A; an updated RSA key generation technique as specified in FIPS 186-4; and updated key sizes and algorithms as specified in SP 800-131A.
Progress on the certification is moving along – we’ve completed review and preliminary testing and are now applying for Cryptographic Algorithm Validation System (CAVS) certificates. After that, we’ll submit validation paperwork to NIST. All modules being re-certified are currently listed on NIST’s Modules in Process page, except Volume Encryption (dm-crypt). Its re-certification is taking a different route because the change is so minor that it does not need CAVS testing. We are expecting the certifications to be completed early this year.
The arrival of toy drones
Drones have landed – as one of the hottest gifts over this past holiday season and one of the biggest hits at the 2015 Consumer Electronics Show this past week.
Unmanned aircraft systems (UAS), as they are also known, are like model airplanes on steroids. They can hover, fly and often come equipped with cameras. You, or anyone else, can own one for under $100.
The cheap availability and growing capabilities of drones means that there are privacy and safety issues at stake.
We’ve already seen drones experience near misses with aircraft at major airports while unmanned flying cameras are an obvious threat to privacy.
It’s clear that drones are going to be around for a while and that legislation is needed to set reasonable and responsible limitations for recreational drone use.
However, regulation is still very much up in the air, if you’ll pardon the pun.
Who is taking action on drones?
The U.S. Federal Aviation Administration has issued a list of do’s and don’ts for safely flying model aircraft for recreational use. These mostly focus on keeping them away from manned aircraft and airports, and within the operator’s line of sight.
The National Park Service has banned drones from all National Parks, worried that the noise and proximity to wildlife would disturb nesting, migratory, and reproductive habits. The NPS also noted that visitor safety was an issue.
Drone industry officials announced that they are teaming up with the government and model aircraft hobbyists to launch a safety campaign, which includes a website (www.knowbeforeyoufly.com) that includes safety tips and FAA regulations.
In the U.K., the Civilian Air Authority has already set protocols, mostly concerning flying over congested areas and controlled airspace, and the European Aviation Safety Agency is developing EU-wide safety standards which reportedly will be as high as those for manned aircraft.
Commercial use of drones has become a thorny subject and there is pending legislation in U.S. Congress that might even require commercial drone operators to have pilot licenses.
With all this legislation in the works, it’s clear there’s a lot more to this year’s hot toy story than first meets the eye. And you can bet there’s going to be a lot more to come…
CEBA-2015:0029 CentOS 7 httpd BugFix Update
CentOS Errata and Bugfix Advisory 2015:0029. Upstream details at: https://rhn.redhat.com/errata/RHBA-2015-0029.html. The following updated files have been uploaded and are currently syncing to the mirrors (x86_64, noarch and source packages, listed with their sha256sums).