Observium version 0.16.7533 suffers from code execution and cross site request forgery vulnerabilities.
Monthly Archives: April 2016
Observium 0.16.7533 Cross Site Request Forgery
Observium version 0.16.7533 suffers from a cross site request forgery vulnerability.
Packet Fence 6.0.1
PacketFence is a network access control (NAC) system. It is actively maintained and has been deployed in numerous large-scale institutions. It can be used to effectively secure networks ranging from small deployments to very large heterogeneous networks. PacketFence provides NAC-oriented features such as registration of new network devices, detection of abnormal network activity (including from remote Snort sensors), isolation of problematic devices, remediation through a captive portal, and registration-based and scheduled vulnerability scans.
Apache Struts 2.3.28 Dynamic Method Invocation Remote Code Execution
This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote code execution can be performed via the method: prefix when Dynamic Method Invocation is enabled.
Red Hat Security Advisory 2016-0702-01
Red Hat Security Advisory 2016-0702-01 – IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7 SR9-FP40. Security Fix: This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit.
Red Hat Security Advisory 2016-0701-01
Red Hat Security Advisory 2016-0701-01 – IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR3-FP40. Security Fix: This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit.
Ubuntu Security Notice USN-2956-1
Ubuntu Security Notice 2956-1 – Zygmunt Krynicki discovered that ubuntu-core-launcher did not properly sanitize its input and contained a logic error when determining the mountpoint of bind mounts when using snaps on Ubuntu classic systems (e.g., traditional desktop and server). If a user were tricked into installing a malicious snap with a crafted snap name, an attacker could perform a delayed attack to steal data or execute code within the security context of another snap. This issue did not affect Ubuntu Core systems.
FBI Releases Article on Ransomware
Original release date: April 29, 2016
The Federal Bureau of Investigation (FBI) has released an article addressing the proliferation of ransomware campaigns. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.
Users and administrators are encouraged to review the FBI article Ransomware on the Rise for details and refer to US-CERT Alert TA16-091A for more information on ransomware.
APPLE-SA-2016-04-28-1 OS X: Flash Player plug-in blocked
From: Apple Product Security
Due to security and stability issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 21.0.0.226 and 18.0.0.343. Information on blocked web plug-ins will be posted to: [...]
Bugtraq: Mozilla doesn't care for upstream security fixes, and doesn't bother to send own security fixes upstream