SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header. (CVSS:5.0) (Last Update:2013-10-30)
CVE-2012-1150
Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. (CVSS:5.0) (Last Update:2013-10-30)
CVE-2012-3458
Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors. (CVSS:4.3) (Last Update:2012-09-17)
WatchGuard's Formula for 18 Percent Year-Over-Year Growth: Enterprise-Grade Manageability
Q2 Demand Rose for WatchGuard XTM Products for Mid-sized and Large Businesses as Security Professionals Sought Greater Control and Manageability
CVE-2012-4891 (firewall_analyzer)
Cross-site scripting (XSS) vulnerability in fw/index2.do in ManageEngine Firewall Analyzer 7.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter, a different vector than CVE-2012-4889. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
CVE-2012-1151
Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function. (CVSS:5.0) (Last Update:2013-04-04)
WordPress 3.4.2 Maintenance and Security Release
WordPress 3.4.2, now available for download, is a maintenance and security release for all previous versions.
After nearly 15 million downloads since 3.4 was released not three months ago, we’ve identified and fixed a number of nagging bugs, including:
- Fix some issues with older browsers in the administration area.
- Fix an issue where a theme may not preview correctly, or its screenshot may not be displayed.
- Improve plugin compatibility with the visual editor.
- Address pagination problems with some category permalink structures.
- Avoid errors with both oEmbed providers and trackbacks.
- Prevent improperly sized header images from being uploaded.
Version 3.4.2 also fixes a few security issues and contains some security hardening. The vulnerabilities included potential privilege escalation and a bug that affects multisite installs with untrusted users. These issues were discovered and fixed by the WordPress security team.
Download 3.4.2 now or visit Dashboard → Updates in your site admin to update now.
Fixes for some bugs
Back to work on 3.5
It’s time to update
CVE-2012-3509 (binutils, debian_linux, libiberty, ubuntu_linux)
Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the “addition of CHUNK_HEADER_SIZE to the length,” which triggers a heap-based buffer overflow.
CVE-2012-1612
Cross-site scripting (XSS) vulnerability in the update manager in Joomla! 2.5.x before 2.5.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. (CVSS:4.3) (Last Update:2012-09-07)
CVE-2012-1611
Joomla! 2.5.x before 2.5.4 does not properly check permissions, which allows attackers to obtain sensitive “administrative back end” information via unknown attack vectors. NOTE: this might be a duplicate of CVE-2012-1599. (CVSS:5.0) (Last Update:2013-10-03)