-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi. I uploaded new packages for nginx which fixed the following security problems: CVE-2012-2089 - nginx -- arbitrary code execution in mp4 pseudo-streaming module A flaw was reported in the nginx standard mp4 pseudo-streaming module. A specially-crafted mp4 file could allow for the overwriting of memory locations in a worker process if ngx_http_mp4_module were used. This could potentially result in arbitrary code execution with the privileges of the unprivileged nginx user. This has been corrected in upstream 1.0.15 and 1.1.9 versions, and only affected versions newer than 1.1.3 and 1.0.7 when built with the ngx_http_mp4_module and had the "mp4" directive set in the configuration file. For the squeeze-backports distribution the problems have been fixed in version 1.1.19-1~bpo60+1 For wheezy (testing) and sid (unstable) this was fixed in version 1.1.19-1 Squeeze (stable) is not vulnerable to this security issue. Thanks. - -- Cyril "Davromani
WordPress 3.3.2 is available now and is a security update for all previous versions.
Three external libraries included in WordPress received security updates:
- Plupload (version 1.5.4), which WordPress uses for uploading media.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
WordPress 3.3.2 also addresses:
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
- Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.
These issues were fixed by the WordPress core security team. Five other bugs were also fixed in version 3.3.2. Consult the change log for more details.
Download WordPress 3.3.2Â or update now from the Dashboard â Updates menu in your site’s admin area.
WordPress 3.4 Beta 3 also available
Our development of WordPress 3.4 development continues. Today we are proud to release Beta 3 for testing. Nearly 90 changes have been made since Beta 2, released 9 days ago. (We are aiming for a beta every week.)
This is still beta software, so we don’t recommend that you use it on production sites. But if you’re a plugin developer, a theme developer, or a site administrator, you should be running this on your test environments and reporting any bugs you find. (See the known issues here.) If you’re a WordPress user who wants to open your presents early, take advantage of WordPress’s famous 5-minute install and spin up a secondary test site. Let us know what you think!
envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl. (CVSS:6.9) (Last Update:2013-09-17)
Apache HTTP Server 2.4.2 Released The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.4.2 of the Apache HTTP Server ("Apache"). This version of Apache is our 2nd GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is recommended over all previous releases. This version of Apache is principally a security and bug fix release, including the following security fix: *) SECURITY: CVE-2012-0883 (cve.mitre.org) envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory to be searched for DSOs. Apache HTTP Server 2.4.2 is available for download from: http://httpd.apache.org/download.cgi Apache 2.4 offers numerous enhancements, improvements, and performance boosts over the 2.2 codebase. For an overview of new features introduced since 2.4 please see: http://httpd.apache.org/docs/trunk/new_features_2_4.html Please see the CHANGES_2.4 file, linked from the download page, for a full list of changes. A condensed list, CHANGES_2.4.2 includes only those changes introduced since the prior 2.4 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available: http://httpd.apache.org/security/vulnerabilities_24.html This release requires the Apache Portable Runtime (APR) version 1.4.x and APR-Util version 1.4.x. The APR libraries must be upgraded for all features of httpd to operate correctly. This release builds on and extends the Apache 2.2 API. Modules written for Apache 2.2 will need to be recompiled in order to run with Apache 2.4, and require minimal or no source code changes. http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING When upgrading or installing this version of Apache, please bear in mind that if you intend to use Apache with one of the threaded MPMs (other than the Prefork MPM), you must ensure that any modules you will be using (and the libraries they depend on) are thread-safe. NOTE to Windows users: AcceptFilter None has replaced Win32DisableAcceptEx and the feature appears to have interoperability issues with mod_ssl. Apache 2.4.2 may not yet be suitable for all Windows servers. There is not yet a Windows binary distribution of httpd 2.4, but this is expected to be remedied soon as various dependencies graduate from beta to GA.
2012å¹´5æ19-21æ¥å¨æ¡æä¸¾åçä¸åå ¨å½ï¼å«æ¸¯æ¾³å°ï¼ç¬¬ä¸å±ååæåæ¨æ»è£æºæ §ï¼EMBAï¼Courseé«çº§ç ä¿®çï¼åæ¨ééååºéè¯·ï¼ç´æ¥ç¹å»é¾æ¥http://www.zhkzwhyj.com/yjy/html/?85.htmlæç»å½âä¸åååæåç ç©¶ä¼âå®ç½:http://www.zhkzwhyj.comæ¥çè¯¦æ ãç¥æ¨åç¥¥å®åº·ï¼ä¸äºå¦æï¼
I uploaded new packages for samba which fixed the following security problem: CVE-2012-1182 PIDL based autogenerated code allows overwriting beyond of allocated array. For the squeeze-backports distribution the problems have been fixed in version 2:3.6.4-1~bpo60+1.
The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors. (CVSS:6.5) (Last Update:2012-12-05)