Debian Linux Security Advisory 3040-1 – Rainer Gerhards, the rsyslog project leader, reported a vulnerability in Rsyslog, a system for log processing. An attacker who can send malformed messages to a server that accepts log data from untrusted sources can use it to trigger a denial of service.
Monthly Archives: October 2014
HP Security Bulletin HPSBMU03112
HP Security Bulletin HPSBMU03112 – Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) on Linux and Windows. The vulnerabilities could be exploited remotely resulting in Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF), unauthorized disclosure of information, Denial of Service (DoS), and Clickjacking. Revision 1 of this advisory.
HP Security Bulletin HPSBST02958
HP Security Bulletin HPSBST02958 – A potential security vulnerability has been identified with the HP MPIO Device Specific Module Manager. The vulnerability could be exploited locally to allow the execution of arbitrary code with privilege elevation. Revision 1 of this advisory.
Textpattern 4.5.5 Cross Site Scripting
Textpattern version 4.5.5 suffers from a cross site scripting vulnerability.
Joomla Re-Issues Security Update After Patches Glitch
A security update for the Joomla content management system was pulled and re-issued after problems with the first set of patches for a remote file inclusion and denial of service vulnerability were discovered.
VMware Begins to Patch Bash Issues Across Product Line
VMware issued a progress report on fixes for four different types of products as they relate to the Bash vulnerability.
Honeywell Falcon Administrative Bypass
Honeywell Falcon suffers from a vulnerability that allows anyone to login as the administrator without prior knowledge of any username or password.
WordPress Photo Gallery 1.1.30 Cross Site Scripting
WordPress Photo Gallery plugin version 1.1.30 suffers from a cross site scripting vulnerability.
[ MDVSA-2014:193 ] xerces-j2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:193
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : xerces-j2
 Date    : October 1, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 A resource consumption issue was found in the way Xerces-J handled XML
 declarations. A remote attacker could use an XML document with a
 specially crafted declaration using a long pseudo-attribute name that,
 when parsed by an application using Xerces-J, would cause that
 application to use an excessive amount of CPU (CVE-2013-4002).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
 https://rhn.redhat.com/errata/RHSA-2014-1319.
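The advisory names the attack vector (an over-long pseudo-attribute name inside the `<?xml ... ?>` declaration) but not what a front-end can do about it while the package is still being rolled out. The following is an added example, not part of the Mandriva advisory and not the Xerces-J fix: a pre-screen that a hypothetical ingestion gateway could run on untrusted XML before handing it to a Xerces-J-based application. It bounds the work spent on the declaration up front (a hard byte limit on the declaration, a hard length limit on each pseudo-attribute name) and only then checks that the names are the three the XML specification allows. The limits `MAX_DECL_LEN` and `MAX_PSEUDO_ATTR_NAME` and the sample documents are assumptions constructed for this example.

```python
# Added example (not from the advisory or from Xerces-J): pre-screen the XML
# declaration of untrusted input before a full parser sees it.

# Limits are assumptions chosen for this example, not values from the advisory.
MAX_DECL_LEN = 256          # bytes of declaration we are willing to look at
MAX_PSEUDO_ATTR_NAME = 16   # longest legal name is "standalone" (10 chars)

# The only pseudo-attributes the XML 1.0 specification permits in the
# document's XML declaration.
ALLOWED_PSEUDO_ATTRS = {"version", "encoding", "standalone"}

WS = " \t\r\n"


def parse_pseudo_attributes(decl):
    """Scan 'version="1.0" encoding="UTF-8"' into a list of (name, value).

    Raises ValueError on a malformed declaration or on a name longer than
    MAX_PSEUDO_ATTR_NAME; the length check happens while the name is being
    read, so the work done on a hostile name is bounded before it is copied.
    """
    attrs = []
    i, n = 0, len(decl)
    while i < n:
        while i < n and decl[i] in WS:
            i += 1
        if i >= n:
            break
        start = i
        while i < n and decl[i] not in WS + "=":
            i += 1
            if i - start > MAX_PSEUDO_ATTR_NAME:
                raise ValueError(
                    "pseudo-attribute name exceeds %d characters" % MAX_PSEUDO_ATTR_NAME)
        name = decl[start:i]
        if not name:
            raise ValueError("empty pseudo-attribute name")
        while i < n and decl[i] in WS:
            i += 1
        if i >= n or decl[i] != "=":
            raise ValueError("expected '=' after %r" % name)
        i += 1
        while i < n and decl[i] in WS:
            i += 1
        if i >= n or decl[i] not in "\"'":
            raise ValueError("expected quoted value for %r" % name)
        quote = decl[i]
        close = decl.find(quote, i + 1)
        if close == -1:
            raise ValueError("unterminated value for %r" % name)
        attrs.append((name, decl[i + 1:close]))
        i = close + 1
    return attrs


def check_xml_declaration(data):
    """Return (ok, reason) for the XML declaration at the start of `data` (bytes).

    Documents without a declaration pass; the declaration, if present, must
    terminate within MAX_DECL_LEN bytes and carry only the allowed names.
    """
    # "<?xml" must be followed by whitespace; "<?xml-stylesheet ...?>" is an
    # ordinary processing instruction, not a declaration.
    if not (data.startswith(b"<?xml") and data[5:6].isspace()):
        return True, "no XML declaration"
    end = data.find(b"?>", 0, MAX_DECL_LEN + 2)
    if end == -1:
        return False, "XML declaration not terminated within %d bytes" % MAX_DECL_LEN
    try:
        attrs = parse_pseudo_attributes(data[5:end].decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        return False, str(exc)
    names = [name for name, _ in attrs]
    unknown = set(names) - ALLOWED_PSEUDO_ATTRS
    if unknown:
        return False, "unexpected pseudo-attribute(s): %s" % ", ".join(sorted(unknown))
    if not names or names[0] != "version":
        return False, "XML declaration must begin with version"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one benign document and one in the shape the
    # advisory describes (a very long pseudo-attribute name in the declaration).
    benign = b'<?xml version="1.0" encoding="UTF-8"?><root/>'
    hostile = b'<?xml version="1.0" ' + b"a" * 200000 + b'="x"?><root/>'
    for label, doc in (("benign", benign), ("hostile", hostile)):
        print(label, check_xml_declaration(doc))
```

This screens only the document's own XML declaration; text declarations inside external parsed entities are fetched by the parser itself and are not seen here, so the screen complements the package update rather than replacing it.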
[ MDVSA-2014:192 ] perl-Email-Address
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:192
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : perl-Email-Address
 Date    : October 1, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated perl-Email-Address package fixes security vulnerability:

 The parse function in Email::Address module before 1.905 for Perl uses
 an inefficient regular expression, which allows remote attackers to
 cause a denial of service (CPU consumption) via an empty quoted string
 in an RFC 2822 address (CVE-2014-0477).

 The Email::Address module before 1.904 for Perl uses an inefficient
 regular expression, which allows remote attackers to cause a denial of
 service (CPU consumption) via vectors related to backtrack