[KIS-2015-01] Concrete5 <= 5.7.3.1 (sendmail) Remote Code Execution Vulnerability
Monthly Archives: June 2015
Bugtraq: [KIS-2015-02] Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities
[KIS-2015-02] Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities
Bugtraq: [KIS-2015-03] Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability
[KIS-2015-03] Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability
RHSA-2015:1091-1: Low: Red Hat Satellite IBM Java Runtime security update
RHN Satellite and Proxy: Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Satellite 5.6 and 5.7.
Red Hat Product Security has rated this update as having Low security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2005-1080, CVE-2015-0138, CVE-2015-0192, CVE-2015-0458, CVE-2015-0459, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488, CVE-2015-0491, CVE-2015-1914, CVE-2015-2808
RHSA-2015:1090-1: Important: wpa_supplicant security and enhancement update
Red Hat Enterprise Linux: An updated wpa_supplicant package that fixes two security issues and adds
one enhancement is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
CVE-2015-1863, CVE-2015-4142
USN-2639-1: OpenSSL vulnerabilities
Ubuntu Security Notice USN-2639-1
11th June, 2015
openssl vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 15.04
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in OpenSSL.
Software description
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details
Praveen Kariyanahalli, Ivan Fratric and Felix Groebert discovered that
OpenSSL incorrectly handled memory when buffering DTLS data. A remote
attacker could use this issue to cause OpenSSL to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2014-8176)
Joseph Barr-Pixton discovered that OpenSSL incorrectly handled malformed
ECParameters structures. A remote attacker could use this issue to cause
OpenSSL to hang, resulting in a denial of service. (CVE-2015-1788)
Robert Swiecki and Hanno Böck discovered that OpenSSL incorrectly handled
certain ASN1_TIME strings. A remote attacker could use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2015-1789)
Michal Zalewski discovered that OpenSSL incorrectly handled missing content
when parsing ASN.1-encoded PKCS#7 blobs. A remote attacker could use this
issue to cause OpenSSL to crash, resulting in a denial of service.
(CVE-2015-1790)
Emilia Käsper discovered that OpenSSL incorrectly handled NewSessionTicket
when being used by a multi-threaded client. A remote attacker could use
this issue to cause OpenSSL to crash, resulting in a denial of service.
(CVE-2015-1791)
Johannes Bauer discovered that OpenSSL incorrectly handled verifying
signedData messages using the CMS code. A remote attacker could use this
issue to cause OpenSSL to hang, resulting in a denial of service.
(CVE-2015-1792)
As a security improvement, this update also modifies OpenSSL behaviour to
reject DH key sizes below 768 bits, preventing a possible downgrade
attack.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 15.04: libssl1.0.0 1.0.1f-1ubuntu11.4
- Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.8
- Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.15
- Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.31
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
IC3 Issues Alert on Gift Card Scams
Original release date: June 11, 2015
The Internet Crime Complaint Center (IC3) has released an alert warning consumers of fraud around the resale of gift cards. The secondary gift card market has grown in recent years, and criminal activity has been identified on sites facilitating such exchanges. When purchasing gift cards, look for reputable merchants who will ensure resold cards contain correct balances.
US-CERT encourages consumers to review the IC3 Alert for more details on avoiding gift card fraud and US-CERT Security Tip ST07-001 for information on shopping safely online.
OpenSSL Toolkit 1.0.2b
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.
TOR Virtual Network Tunneling Tool 0.2.6.9
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).
Concrete5 5.7.4 SQL Injection
Concrete5 versions 5.7.4 and below suffer from a remote SQL injection vulnerability.