-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dominic Hargreaves uploaded new packages for request-tracker4 which fixed the following security problems: CVE-2011-2082 The vulnerable-passwords scripts introduced for CVE-2011-0009 failed to correct the password hashes of disabled users. CVE-2011-2083 Several cross-site scripting issues have been discovered. CVE-2011-2084 Password hashes could be disclosed by privileged users. CVE-2011-2085 Several cross-site request forgery vulnerabilities have been found. If this update breaks your setup, you can restore the old behaviour by setting $RestrictReferrer to 0. CVE-2011-4458 The code to support variable envelope return paths allowed the execution of arbitrary code. CVE-2011-4459 Disabled groups were not fully accounted as disabled. CVE-2011-4460 SQL injection vulnerability, only exploitable by privileged users. For the squeeze-backports distribution the problems have been fixed in version 4.0.5-3~bpo60+1. -----BEG
WatchGuard Earns Common Criteria EAL 4+ Certification for Latest Multifunction Firewalls and Content Security Solutions
Latest WatchGuard XTM and XCS Products Certified for Demanding Enterprise and Government Environments
WatchGuard Continues Pattern of Strong Growth
Q1 Breaks Record and Continues Pace of Double Digit Growth; Sees Increasing Demand for High End Security Products
WatchGuard Receives Information Technology Industry's "2012 World's Best" Award for Security Hardware
WatchGuard XTM 8 Series Honored by Network Products Guide at Interop
WatchGuard Goes Virtual with Security
Entire Portfolio of Award Winning Content and Network Security Products Now Being Offered As Virtualized Solutions
SA-CORE-2012-002 – Drupal core multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CORE-2012-002
- Project: Drupal core
- Version: 7.x
- Date: 2012-May-2
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Denial of Service, Access bypass, Unvalidated form redirect
Description
Denial of Service
CVE: CVE-2012-1588
Drupal core’s text filtering system provides several features including removing inappropriate HTML tags and automatically linking content that appears to be a link. A pattern in Drupal’s text matching was found to be inefficient with certain specially crafted strings. This vulnerability is mitigated by the fact that users must have the ability to post content sent to the filter system such as a role with the “post comments” or “Forum topic: Create new content” permission.
Unvalidated form redirect
CVE: CVE-2012-1589
Drupal core’s Form API allows users to set a destination, but failed to validate that the URL was internal to the site. This weakness could be abused to redirect the login to a remote site with a malicious script that harvests the login credentials and redirects to the live site. This vulnerability is mitigated only by the end user’s ability to recognize a URL with malicious query parameters to avoid the social engineering required to exploit the problem.
Access bypass – forum listing
CVE: CVE-2012-1590
Drupal core’s forum lists fail to check user access to nodes when displaying them in the forum overview page. If an unpublished node was the most recently updated in a forum then users who should not have access to unpublished forum posts were still be able to see meta-data about the forum post such as the post title.
Access bypass – private images
CVE: CVE-2012-1591
Drupal core provides the ability to have private files, including images, and Image Styles which create derivative images from an original image that may differ, for example, in size or saturation. Drupal core failed to properly terminate the page request for cached image styles allowing users to access image derivatives for images they should not be able to view. Furthermore, Drupal didn’t set the right headers to prevent image styles from being cached in the browser.
Access bypass – content administration
CVE: CVE-2012-2153
Drupal core provides the ability to list nodes on a site at admin/content. Drupal core failed to confirm a user viewing that page had access to each node in the list. This vulnerability only concerns sites running a contributed node access module and is mitigated by the fact that users must have a role with the “Access the content overview page” permission. Unpublished nodes were not displayed to users who only had the “Access the content overview page” permission.
Versions affected
- Drupal core 7.x versions prior to 7.13.
Solution
Install the latest version:
- If you use Drupal 7.x, upgrade to Drupal core 7.13
Also see the Drupal core project page.
Reported by
- The Denial of Service vulnerability was reported by Jay Wineinger and Lin Clark.
- The unvalidated form redirect vulnerability was reported by Károly Négyesi of the Drupal Security Team and Katsuhiko Nakanishi.
- The access bypass in forum listing vulnerability was reported by Glen W.
- The access bypass for private images vulnerability was reported by frega, Andreas Gonell, Jeremy Meier and Xenza.
- The access bypass for the content administration vulnerability was reported by Jennifer Hodgdon.
Fixed by
- The Denial of Service was fixed by Károly Négyesi of the Drupal Security Team.
- The unvalidated form redirect was fixed by Wolfgang Ziegler and Stéphane Corlosquet of the Drupal Security Team.
- The access bypass in forum listing was fixed by Michael Hess of the Drupal Security Team, Ben Jeavons of the Drupal Security Team and xjm.
- The Access bypass for private images was fixed by Károly Négyesi of the Drupal Security Team, Damien Tournoud of the Drupal Security Team, Greg Knaddison of the Drupal Security Team, Stéphane Corlosquet of the Drupal Security Team, Xenza and frega.
- The Access bypass for content administration was fixed by Jennifer Hodgdon.
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Drupal version:
Oracle Security Alert for CVE-2012-1675
[BSA-069] Security Update for NGINX
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi.
I uploaded new packages for nginx which fixed the following security
problems:
CVE-2012-2089 - nginx -- arbitrary code execution in mp4
pseudo-streaming module
A flaw was reported in the nginx standard mp4 pseudo-streaming module. A
specially-crafted mp4 file could allow for the overwriting of memory
locations in a worker process if ngx_http_mp4_module were used. This
could potentially result in arbitrary code execution with the privileges
of the unprivileged nginx user.
This has been corrected in upstream 1.0.15 and 1.1.9 versions, and only
affected versions newer than 1.1.3 and 1.0.7 when built with the
ngx_http_mp4_module and had the "mp4" directive set in the configuration
file.
For the squeeze-backports distribution the problems have been fixed in
version
1.1.19-1~bpo60+1
For wheezy (testing) and sid (unstable) this was fixed in version
1.1.19-1
Squeeze (stable) is not vulnerable to this security issue.
Thanks.
- --
Cyril "Davromani
WordPress 3.3.2 (and WordPress 3.4 Beta 3)
WordPress 3.3.2 is available now and is a security update for all previous versions.
Three external libraries included in WordPress received security updates:
- Plupload (version 1.5.4), which WordPress uses for uploading media.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
Thanks to Neal Poole and Nathan Partlan for responsibly disclosing the bugs in Plupload and SWFUpload, and Szymon Gruszecki for a separate bug in SWFUpload.
WordPress 3.3.2 also addresses:
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
- Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.
These issues were fixed by the WordPress core security team. Five other bugs were also fixed in version 3.3.2. Consult the change log for more details.
Download WordPress 3.3.2 or update now from the Dashboard → Updates menu in your site’s admin area.
WordPress 3.4 Beta 3 also available
Our development of WordPress 3.4 development continues. Today we are proud to release Beta 3 for testing. Nearly 90 changes have been made since Beta 2, released 9 days ago. (We are aiming for a beta every week.)
This is still beta software, so we don’t recommend that you use it on production sites. But if you’re a plugin developer, a theme developer, or a site administrator, you should be running this on your test environments and reporting any bugs you find. (See the known issues here.) If you’re a WordPress user who wants to open your presents early, take advantage of WordPress’s famous 5-minute install and spin up a secondary test site. Let us know what you think!
Version 3.4 Beta 3 includes all of the fixes included in version 3.3.2. Download WordPress 3.4 Beta 3 or use the WordPress Beta Tester plugin.