SA-CONTRIB-2014-122 – MoIP – Cross-Site Scripting (XSS)

Description

This module enables you to use Moip (a Brazilian payment method) with Drupal Commerce.

The module doesn’t sufficiently filter the data passed in the automatic payment notifications, leaving a malicious user the possibility of mounting Cross-Site Scripting (XSS) attacks.

This vulnerability is mitigated by the fact that only sites running the dblog module are affected (dblog is enabled by default).

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Moip 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed MoIP module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Moip module for Drupal 7.x, upgrade to Moip 7.x-1.4

Also see the MoIP project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


SA-CONTRIB-2014-121 – Godwin's Law – Cross-Site Scripting (XSS)

Description

This module enables you to execute arbitrary JavaScript by adding the script to the title of a node.

The module doesn’t sufficiently sanitize Watchdog messages when viewing the detail view of a specific Watchdog notification. It translated the message with the node title already embedded in it, rather than passing the title through proper Watchdog placeholder syntax.

This vulnerability is mitigated by the fact that an attacker must have a role allowing them to create nodes or edit the title of an existing node. It is further mitigated in that the script is only executed by admins viewing a Watchdog notice on a site using the dblog module (syslog users are not affected).
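Both advisories above (MoIP and Godwin’s Law) describe the same defect class: untrusted text (a payment-notification field, a node title) is built into the Watchdog message string before the call, so dblog stores it verbatim and later renders it unescaped on the event detail page. The following plain-PHP snippet is an added example, not code from either module or from Drupal core; it emulates, in a simplified way, how Drupal 7 stores a watchdog() call and how format_string() treats placeholders at display time. All names prefixed `demo_` and the sample inputs are constructed for the example.

```php
<?php
// Added example, not code from the MoIP or Godwin's Law modules or Drupal
// core. Emulates dblog storage and rendering to show why interpolating
// untrusted text into a Watchdog message is XSS while placeholder
// variables stay escaped. All demo_* names are hypothetical.

/** Stand-in for watchdog()/dblog storage: message and variables are kept
 *  separately, as the watchdog table does. */
function demo_watchdog(array &$log, $type, $message, array $variables = array()) {
  $log[] = array('type' => $type, 'message' => $message, 'variables' => $variables);
}

/** Simplified emulation of Drupal 7 format_string(): @var is escaped,
 *  %var is escaped and emphasised, !var is inserted verbatim. The literal
 *  message text itself is never escaped; it is trusted by contract. */
function demo_format_string($string, array $args) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        break;
      case '%':
        $args[$key] = '<em>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</em>';
        break;
      // '!' is left as-is: only for values that are already safe HTML.
    }
  }
  return strtr($string, $args);
}

/** What the dblog event detail page shows: stored message rendered with
 *  the stored variables. */
function demo_render_event(array $entry) {
  return demo_format_string($entry['message'], $entry['variables']);
}

/** UNSAFE pattern (the defect in both advisories): untrusted text is
 *  concatenated into the message before it is logged. */
function demo_log_unsafe(array &$log, $title) {
  demo_watchdog($log, 'demo', 'Godwin\'s Law triggered on node ' . $title);
}

/** SAFE pattern: constant message, untrusted value passed as a placeholder. */
function demo_log_safe(array &$log, $title) {
  demo_watchdog($log, 'demo', "Godwin's Law triggered on node @title",
    array('@title' => $title));
}

/** Same rule for fields of an incoming payment notification. The field
 *  names are constructed; the real MoIP format is not reproduced here. */
function demo_log_notification(array &$log, array $notification) {
  demo_watchdog($log, 'demo_payment',
    'Notification received: status @status, transaction @txn', array(
      '@status' => $notification['status'],
      '@txn'    => $notification['transaction'],
    ));
}

// Constructed hostile inputs: HTML in a node title and in a notification field.
$hostile_title = '<script>alert(1)</script>';
$hostile_notification = array(
  'status'      => 'Authorized<script>alert(2)</script>',
  'transaction' => 'T-1',
);

$log = array();
demo_log_unsafe($log, $hostile_title);
demo_log_safe($log, $hostile_title);
demo_log_notification($log, $hostile_notification);

foreach ($log as $i => $entry) {
  echo "[$i] " . demo_render_event($entry) . "\n";
}
```

Run it with `php demo.php`: the first line carries the script tag intact (this is what an administrator’s browser would execute on the dblog detail page), while the second and third lines show the same input entity-encoded and therefore rendered as text. The rule for module authors is the one the second advisory names: the message argument must be a constant string, and every dynamic value goes in the `$variables` array under an `@` or `%` key.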

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Godwin’s Law 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Godwin’s Law module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Godwin’s Law project page.

Reported by

Fixed by

  • tobby, the module maintainer

Coordinated by



Some Recursive DNS Implementations Patch DoS Vulnerability

Some domain name server (DNS) implementations are at risk for denial-of-service attacks after a vulnerability was disclosed and patched in a few popular server packages, including BIND, PowerDNS and NLnetLabs.

Red October Attackers Return With CloudAtlas APT Campaign

The attackers behind the Red October APT campaign that was exposed nearly two years ago have resurfaced with a new campaign that is targeting some of the same victims and using similarly constructed tools and spear phishing emails. Red October emerged in January 2013 and researchers found that the attackers were targeting diplomats in some […]

CVE-2014-7136 – Privilege Escalation In K7 Computing Multiple Products [K7FWFilt.sys]

Posted by Portcullis Advisories on Dec 10

Vulnerability title: Privilege Escalation In K7 Computing Multiple Products [K7FWFilt.sys]
CVE: CVE-2014-7136
Vendor: K7 Computing
Product: Multiple Products [K7FWFilt.sys]
Affected version: Earlier and including 11.0.1.5
Fixed version: 14.0.1.16
Reported by: Kyriakos Economou
Details:

Latest, and possibly earlier, versions of the K7FWFilt.sys kernel mode driver, also known as the ‘K7Firewall Packet Driver’,
suffer from a heap overflow…

CVE-2014-8956 – Privilege Escalation In K7 Computing Multiple Products [K7Sentry.sys]

Posted by Portcullis Advisories on Dec 10

Vulnerability title: Privilege Escalation In K7 Computing Multiple Products [K7Sentry.sys]
CVE: CVE-2014-8956
Vendor: K7 Computing
Product: Multiple Products [K7Sentry.sys]
Affected version: 12.8.0.110
Fixed version: 12.8.0.119
Reported by: Kyriakos Economou
Details:

Latest, and possibly earlier, versions of the K7Sentry.sys kernel mode driver, also known as the ‘K7AV Sentry DeviceDriver’,
suffer from an out-of-bounds write condition that…

CVE-2014-8608 – Null Pointer Dereference In K7 Computing Multiple Products [K7Sentry.sys]

Posted by Portcullis Advisories on Dec 10

Vulnerability title: Null Pointer Dereference In K7 Computing Multiple Products [K7Sentry.sys]
CVE: CVE-2014-8608
Vendor: K7 Computing
Product: Multiple Products [K7Sentry.sys]
Affected version: 12.8.0.104
Fixed version: 12.8.0.119
Reported by: Kyriakos Economou
Details:

Latest, and possibly earlier, versions of the K7Sentry.sys kernel mode driver, also known as the ‘K7AV Sentry Device Driver’,
allow any local user to crash the system by…