Drupal Core versions 7.32 and below remote SQL injection exploit. Written in Python.
Monthly Archives: October 2014
Drupal Core 7.32 SQL Injection
Drupal Core versions 7.32 and below remote SQL injection exploit. Written in PHP.
Denial of Service vulnerability in extension Calendar Base (cal)
Release Date: October 17, 2014
Bulletin Update: October 18, 2014 (added CVE)
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: all versions of 0.x.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x; 1.5.8 and below of 1.5.x; 1.6.0
Vulnerability Type: Denial of Service
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVE: CVE-2014-8325
Problem Description: User input is passed to PHP’s PCRE library without validating it beforehand. Depending on user input this may consume a tremendous amount of system resources.
Solution: Updated versions 1.5.9 (for TYPO3 CMS 4.5.5 – 6.0.99) and 1.6.1 (for TYPO3 CMS 6.1.0 – 6.2.99) are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/cal/1.6.1/t3x/ and http://typo3.org/extensions/repository/download/cal/1.5.9/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Daniel Hahler and Bernd Schuhmacher who discovered and reported the issue.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Fedora 20 Security Update: java-1.8.0-openjdk-1.8.0.25-0.b18.fc20
Updated to security update u25.
The security bugs fixed are the same as those listed for IcedTea 2.5.3 at http://blog.fuseyism.com/index.php/2014/10/15/security-icedtea-2-5-3-for-openjdk-7-released/
Fedora 20 Security Update: devscripts-2.14.10-1.fc20
Resolved Bugs
1059947 – CVE-2014-1833 devscripts: directory traversal flaw in uupdate
1059948 – devscripts: directory traversal flaw in uupdate [fedora-20]
Update to version 2.14.10, see http://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.14.10_changelog for details.
Update to version 2.14.9, see http://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.14.9_changelog for details.
Update to version 2.14.8, see http://metadata.ftp-master.debian.org/changelogs//main/d/devscripts/devscripts_2.14.8_changelog for details. Fixes CVE-2014-1833.
Fedora 20 Security Update: openssl-1.0.1e-40.fc20
Resolved Bugs
1152850 – CVE-2014-3566 openssl: Padding Oracle On Downgraded Legacy Encryption attack [fedora-all]
Update fixing three moderate security issues.
Fedora 19 Security Update: rubygem-httpclient-2.4.0-2.fc19
Updated to 2.4.0, which stops hard-coding SSLv3 and allows SSL/TLS version negotiation.
Fedora 19 Security Update: thunderbird-31.2.0-1.fc19
For list of changes see: https://www.mozilla.org/en-US/thunderbird/31.2.0/releasenotes/
For release notes and fixed issues see here: https://www.mozilla.org/en-US/thunderbird/31.1.1/releasenotes/
Fedora 20 Security Update: kernel-3.16.6-200.fc20
Resolved Bugs
1151108 – CVE-2014-7975 Kernel: fs: umount denial of service
1152025 – CVE-2014-7975 Kernel: fs: umount denial of service [fedora-all]
1151095 – CVE-2014-7970 Kernel: fs: VFS denial of service
1151484 – CVE-2014-7970 Kernel: fs: VFS denial of service [fedora-all]
1149414 – bcache Oops at bch_btree_node_read_done+0x4c/0x450 [bcache]
1149509 – [PATCH] Apply quirk for elan touchscreens
The 3.16.6 stable update contains a number of important fixes across the tree.