Red Hat Security Advisory 2015-2083-01 – PostgreSQL is an advanced object-relational database management system. A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. A stack overflow flaw was discovered in the way the PostgreSQL core server processed certain JSON or JSONB input. An authenticated attacker could possibly use this flaw to crash the server backend by sending specially crafted JSON or JSONB input.
Monthly Archives: November 2015
Red Hat Security Advisory 2015-2077-01
Red Hat Security Advisory 2015-2077-01 – PostgreSQL is an advanced object-relational database management system. A memory leak error was discovered in the crypt() function of the pgCrypto extension. An authenticated attacker could possibly use this flaw to disclose a limited amount of the server memory. A stack overflow flaw was discovered in the way the PostgreSQL core server processed certain JSON or JSONB input. An authenticated attacker could possibly use this flaw to crash the server backend by sending specially crafted JSON or JSONB input.
NEW VMSA-2015-0008 – VMware product updates address information disclosure issue
------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2015-0008
Synopsis: VMware product updates address information disclosure
issue
Issue date: 2015-11-18
Updated on: 2015-11-18
CVE number: CVE-2015-3269
------------------------------------------------------------------------
1. Summary
VMware product updates address information disclosure issue.
2. Relevant Releases
VMware vCenter Server 5.5 prior to version 5.5 update 3
VMware vCenter Server 5.1 prior to version 5.1 update u3b
VMware vCenter Server 5.0 prior to version 5.0 update u3e
vCloud Director 5.6 prior to version 5.6.4
vCloud Director 5.5 prior to version 5.5.3
VMware Horizon View 6.0 prior to version 6.1
VMware Horizon View 5.0 prior to version 5.3.4
3. Problem Description
a. vCenter Server, vCloud Director, Horizon View information
disclosure issue.
VMware products that use Flex BlazeDS may be affected by a flaw in
the processing of XML External Entity (XXE) requests. A specially
crafted XML request sent to the server could lead to unintended
information be disclosed.
VMware would like to thank Matthias Kaiser of Code White GmbH for
reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the identifier CVE-2015-3269 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
==================== ======= =================
vCenter Server 6.0 any not affected
vCenter Server 5.5 any 5.5 update 3
vCenter Server 5.1 any 5.1 update u3b
vCenter Server 5.0 any 5.5 update u3e
vCloud Director 5.6 any 5.6.4
vCloud Director 5.5 any 5.5.3
Horizon View 6.0 any 6.1
Horizon View 5.3 any 5.3.4
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
vCenter Server
--------------------------------
Downloads and Documentation:
https://www.vmware.com/go/download-vsphere
vCloud Director For Service Providers
--------------------------------
Downloads and Documentation:
https://www.vmware.com/support/pubs/vcd_pubs.html
Horizon View 6.1, 5.3.4:
--------------------------------
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-610-GA&productId=492
https://my.vmware.com/web/vmware/details?downloadGroup=VIEW-534-PREMIER&productId=396
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3269
------------------------------------------------------------------------
6. Change log
2015-11-18 VMSA-2015-0008
Initial security advisory
------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2015 VMware Inc. All rights reserved.
_______________________________________________
Security-announce mailing list
Security-announce-xEzmwC/hc7si8rCdYzckzA< at >public.gmane.org
http://lists.vmware.com/mailman/listinfo/security-announce
Vuln: Oracle Java SE CVE-2015-4872 Remote Security Vulnerability
Oracle Java SE CVE-2015-4872 Remote Security Vulnerability
Vuln: Oracle Java SE CVE-2015-4860 Remote Security Vulnerability
Oracle Java SE CVE-2015-4860 Remote Security Vulnerability
DSA-3400 lxc – security update
Roman Fiedler discovered a directory traversal flaw in LXC, the Linux
Containers userspace tools. A local attacker with access to a LXC
container could exploit this flaw to run programs inside the container
that are not confined by AppArmor or expose unintended files in the host
to the container.
CVE-2015-5255
Adobe BlazeDS, as used in ColdFusion 10 before Update 18 and 11 before Update 7 and LiveCycle Data Services 3.0.x before 3.0.0.354175, 3.1.x before 3.1.0.354180, 4.5.x before 4.5.1.354177, 4.6.2.x before 4.6.2.354178, and 4.7.x before 4.7.0.354178, allows remote attackers to send HTTP traffic to intranet servers via a crafted XML document, related to a Server-Side Request Forgery (SSRF) issue.
CVE-2015-8051
The Adobe Premiere Clip app before 1.2.1 for iOS mishandles unspecified input, which has unknown impact and attack vectors.
CVE-2015-8052
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 18 and 11 before Update 7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-8053.
CVE-2015-8053
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 18 and 11 before Update 7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-8052.