SEC Consult SA-20141029-1 :: Persistent cross site scripting in Confluence RefinedWiki Original Theme

Posted by SEC Consult Vulnerability Lab on Oct 29

SEC Consult Vulnerability Lab Security Advisory < 20141029-1 >
=======================================================================
title: Persistent cross site scripting
product: Confluence RefinedWiki Original Theme
vulnerable version: 3.x – 4.0.x
fixed version: 4.0.12
impact: high
homepage: http://www.refinedwiki.com/
found: 2014-08-07
by: Manuel…

SEC Consult SA-20141029-0 :: Multiple critical vulnerabilities in Vizensoft Admin Panel

Posted by SEC Consult Vulnerability Lab on Oct 29

SEC Consult Vulnerability Lab Security Advisory < 20141029-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Vizensoft Admin Panel
vulnerable version: 2014
fixed version: –
impact: critical
homepage: http://www.vizensoft.com
found: 2014-07-10
by: A. Antukh, A. Baranov…

Cyberespionage: ‘This Isn’t a Problem That Can Be Solved’

WASHINGTON–Gentlemen may not read each other’s mail, as Henry Stimson famously said so long ago, but in today’s world they certainly steal it and there’s precious little in the way of gentlemanly conduct happening in the realm of cyberespionage. It’s every man—or country—for himself in this environment, and that free-for-all is creating unforeseen consequences for […]

Mandriva Linux Security Advisory 2014-212

Mandriva Linux Security Advisory 2014-212 – Wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP. The default settings in wget have been changed such that wget no longer creates local symbolic links, but rather traverses them and retrieves the pointed-to file in such a retrieval. The old behaviour can be attained by passing the --retr-symlinks=no option to the wget command.
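The symlink attack the advisory describes hinges on ordering: a malicious FTP listing first presents a symlink, the client recreates it locally, and a later file in the same listing is then written "through" the link into whatever directory it points at. The following is an added illustration, not wget's code and not the Mandriva patch: a tiny mirror routine in the pre-fix shape next to one that never creates local symlinks and additionally checks that every resolved write path stays under the download root. The listing, the `docs` link name and the `.bashrc` target are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def attacker_listing(target_dir):
    """Constructed stand-in for a malicious FTP directory listing (not a real
    capture): a symlink whose target is a directory the attacker wants to write
    into, followed by a file whose path passes through that symlink."""
    return [
        ("symlink", "docs", target_dir),
        ("file", os.path.join("docs", ".bashrc"), b"echo pwned\n"),
    ]


def mirror_vulnerable(base, listing):
    """Pre-fix shape: recreate remote symlinks locally and write later files
    without checking where the path actually resolves."""
    for kind, name, payload in listing:
        dest = os.path.join(base, name)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        if kind == "symlink":
            os.symlink(payload, dest)
        else:
            with open(dest, "wb") as f:
                f.write(payload)


def mirror_hardened(base, listing):
    """Hardened shape (modelled here, not wget's implementation): never create
    a local symlink, and refuse any write whose resolved destination leaves
    the download root. Returns the entry names that were skipped."""
    root = os.path.realpath(base)
    skipped = []
    for kind, name, payload in listing:
        if kind == "symlink":
            skipped.append(name)
            continue
        resolved = os.path.realpath(os.path.join(base, name))
        # Containment check after symlink/.. resolution, not on the raw string.
        if os.path.commonpath([root, resolved]) != root:
            skipped.append(name)
            continue
        os.makedirs(os.path.dirname(resolved), exist_ok=True)
        with open(resolved, "wb") as f:
            f.write(payload)
    return skipped


def run_demo():
    """Run both mirrors against the constructed listing, each into fresh temp
    directories, and report whether the attacker's target was written."""
    results = {}
    for label, mirror in (("vulnerable", mirror_vulnerable),
                          ("hardened", mirror_hardened)):
        victim = tempfile.mkdtemp(prefix="victim-home-")
        base = tempfile.mkdtemp(prefix="wget-mirror-")
        try:
            skipped = mirror(base, attacker_listing(victim)) or []
            link = os.path.join(base, "docs")
            results[label] = {
                "victim_written": os.path.isfile(os.path.join(victim, ".bashrc")),
                "local_link_created": os.path.islink(link),
                "file_inside_base": os.path.isfile(os.path.join(link, ".bashrc"))
                                    and not os.path.islink(link),
                "skipped": list(skipped),
            }
        finally:
            shutil.rmtree(base)
            shutil.rmtree(victim)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

The hardened version keeps the file `docs/.bashrc` by materialising `docs` as a real directory, which is the same end state the advisory describes for the new default (traverse the link, fetch the pointed-to content, create no local link). The `commonpath` check on the resolved path is the extra guard that also catches `../` components in remote names.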

[ MDVSA-2014:212 ] wget

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:212
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wget
 Date    : October 29, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wget package fixes security vulnerability:
 
 Wget was susceptible to a symlink attack which could create arbitrary
 files, directories or symbolic links and set their permissions when
 retrieving a directory recursively through FTP (CVE-2014-4877).
 
 The default settings in wget have been changed such that wget no longer
 creates local symbolic links, but rather traverses them and retrieves
 the pointed-to file in such a retrieval. The old behaviour can be
 attained by passing the --retr-symlinks=no option to the wget co

[ MDVSA-2014:211 ] wpa_supplicant

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:211
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wpa_supplicant
 Date    : October 29, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wpa_supplicant packages fix security vulnerability:
 
 A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
 for executing action scripts. An unsanitized string received from a
 remote device can be passed to a system() call resulting in arbitrary
 command execution under the privileges of the wpa_cli/hostapd_cli
 process (which may be root in common use cases) (CVE-2014-3686).
 
 Using the wpa_supplicant package, systems are exposed to the
 vulnerability if operating as a WPS registrar.
 ______
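The root cause in the wpa_cli/hostapd_cli item is the classic one: text that originated on a remote device is formatted into a command line and handed to system(), so shell metacharacters in it become commands. As an added example, not code from wpa_supplicant or from the Mandriva fix, the block below shows that vulnerable shape beside the argv-based alternative, in which the event string reaches the action script as a single literal argument no matter what it contains. The action script, the interface name `wlan0` and the event text with the embedded backtick payload are constructed for the demonstration; the real event format is not reproduced here.

```python
import os
import shutil
import subprocess
import tempfile

# Characters a POSIX shell treats specially. Any of these in data that is
# spliced into a command string is a command-injection primitive.
SHELL_METACHARS = set(";|&$`()<>\\\"'*?[]{}~\n")


def build_action_cmd_unsafe(script, ifname, event):
    """The vulnerable shape: remote-supplied event text is formatted straight
    into a command line that would then go to system(3). Returned as a string
    instead of executed so the injected payload can be inspected safely."""
    return f"{script} {ifname} {event}"


def shell_metachars_in(text):
    """Which shell-special characters a string carries (detection aid)."""
    return sorted(set(text) & SHELL_METACHARS)


def run_action_script_safe(script, ifname, event, env=None):
    """Hardened shape: argv array and no shell, so nothing ever re-parses the
    event text. Returns the script's exit status."""
    return subprocess.run([script, ifname, event], env=env, timeout=10).returncode


def demo():
    """Write a constructed action script that logs its argv, run it through the
    safe path with a constructed malicious event, and report what it saw."""
    workdir = tempfile.mkdtemp(prefix="wpa-action-")
    script = os.path.join(workdir, "action.sh")
    log = os.path.join(workdir, "argv.log")
    marker = os.path.join(workdir, "pwned")
    # Constructed event text: a plausible-looking status line with a shell
    # command substitution appended by the "remote device".
    event = ("CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed "
             f"`touch {marker}`")
    with open(script, "w") as f:
        # Quoted "$2" keeps the backticks literal inside the script as well.
        f.write('#!/bin/sh\nprintf "%s\\n" "$#" "$1" "$2" > "$ACTION_LOG"\n')
    os.chmod(script, 0o700)
    try:
        rc = run_action_script_safe(script, "wlan0", event,
                                    env=dict(os.environ, ACTION_LOG=log))
        with open(log) as f:
            seen = f.read().splitlines()
        return {
            "event": event,
            "unsafe_cmd": build_action_cmd_unsafe(script, "wlan0", event),
            "metachars": shell_metachars_in(event),
            "returncode": rc,
            "argv": seen,
            "payload_ran": os.path.exists(marker),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the argv form the script receives exactly two arguments and the marker file is never created; with `build_action_cmd_unsafe` the same text, once passed to a shell, would run the backticked command. Validation of the event text against a whitelist is a useful second layer, but the primary fix is to stop routing data through a shell at all.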

Red Hat Security Advisory 2014-1728-01

Red Hat Security Advisory 2014-1728-01 – Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. All users of Red Hat JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

Red Hat Security Advisory 2014-1727-01

Red Hat Security Advisory 2014-1727-01 – Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service. All users of Red Hat JBoss Enterprise Web Platform 5.2.0 as provided from the Red Hat Customer Portal are advised to apply this update. The JBoss server process must be restarted for this update to take effect.
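Both Red Hat advisories above describe the same weakness: a DTD reaching the XML parser during Transform processing lets a remote document declare entities that expand to far more data than was sent, until memory runs out. The block below is an added illustration of that class of issue and of the parser-level fix, written in Python against the standard expat binding; it is not Apache Santuario's code, not the Red Hat patch, and does not model Santuario's "secure validation" switch. The two documents (a benign XMLDSig-shaped one and a small entity-expansion DTD) are constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed inputs, not taken from the advisories.
BENIGN = (b'<?xml version="1.0"?>\n'
          b'<Signature><SignedInfo><Reference><Transform/></Reference>'
          b'</SignedInfo></Signature>')

# Four levels of nested entities: about 200 bytes on the wire, 10,000
# characters once expanded. Real payloads add levels until memory is gone.
BOMB = (b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE x [\n'
        b'  <!ENTITY a "xxxxxxxxxx">\n'
        b'  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
        b'  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
        b'  <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">\n'
        b']>\n'
        b'<x>&d;</x>')


class DtdRejected(Exception):
    pass


def parse_no_dtd(data):
    """Parse with expat but abort as soon as a DOCTYPE appears, before any
    entity declaration is read, let alone expanded. Returns element names."""
    parser = expat.ParserCreate()
    names = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def accepts(data):
    """True if the document parses under the no-DTD policy."""
    try:
        parse_no_dtd(data)
        return True
    except DtdRejected:
        return False


def expanded_size(data):
    """What an unrestricted parser materialises: total character data after
    entity expansion. Used only to show the amplification."""
    parser = expat.ParserCreate()
    total = [0]

    def on_chars(text):
        total[0] += len(text)

    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return total[0]


if __name__ == "__main__":
    print("benign elements:", parse_no_dtd(BENIGN))
    print("bomb accepted:", accepts(BOMB))
    print("bomb bytes -> expanded chars:", len(BOMB), "->", expanded_size(BOMB))
```

The point for a signature or transform pipeline is the same whatever the parser: the DTD must be refused before expansion starts, because by the time the expanded text is counted the allocation has already happened. A size limit on the input alone does not help, since the amplification is what makes the attack cheap for the sender.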