Cross-Site Scripting in third party library mso/idna-convert

Component Type: TYPO3 CMS

Release Date: July 19, 2016

Vulnerability Type: Cross-Site Scripting

Affected Versions: 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: TYPO3 ships the example code of the mso/idna-convert library in the vendor folder; that example code is vulnerable to Cross-Site Scripting.

Solution: Update to TYPO3 versions 7.6.10 or 8.2.1 that fix the problem described.

Alternative Solution: Make sure the vendor directory is not exposed within the publicly accessible document root. In Composer-managed installations, configure a dedicated web folder. In general, it is recommended not to expose the complete typo3_src source folder in the document root.

Credits: Thanks to Frank Huber who discovered and reported the issue.

General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Environment Variable Injection

Component Type: TYPO3 CMS

Release Date: July 19, 2016

Vulnerability Type: Environment Variable Injection

Affected Versions: Versions 8.0.0 to 8.2.0

Severity: Low

related CVE: CVE-2016-5385

Problem Description: PHP, when used as CGI, FPM or HHVM, also exposes HTTP request headers as environment variables prefixed with “HTTP_”. TYPO3 version 8.2.0 is vulnerable because it uses the third-party library guzzlehttp/guzzle, which reads the environment variable “HTTP_PROXY”. Read https://www.symfony.fi/entry/httpoxy-vulnerability-hits-php-installations-using-fastcgi-and-php-fpm-and-hhvm or https://httpoxy.org/ for further details.

Solution: Update to TYPO3 version 8.2.1 that fixes the problem described.
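How the header-to-environment mapping described above hands a client-controlled proxy to an HTTP client library, and how a library can refuse to trust it, as an added PHP illustration that is not part of this advisory nor code from TYPO3 or Guzzle. The function names, the SAPI parameter and the sample request are constructed for the illustration; real code would consult the PHP_SAPI constant instead of a parameter.

```php
<?php
// Added example, not TYPO3 or Guzzle code. It emulates how a CGI-style SAPI turns
// request headers into HTTP_* variables and contrasts an unsafe proxy lookup with
// the context-aware one httpoxy.org recommends for libraries. All function names
// and the sample request are constructed for this illustration.

/**
 * RFC 3875 meta-variables: the request header "Foo-Bar: v" is exposed as
 * HTTP_FOO_BAR=v. A client-supplied "Proxy: v" therefore becomes HTTP_PROXY=v,
 * colliding with the variable many HTTP clients read for their proxy setting.
 */
function headersToCgiVars(array $requestHeaders): array
{
    $vars = [];
    foreach ($requestHeaders as $name => $value) {
        $vars['HTTP_' . strtoupper(str_replace('-', '_', $name))] = $value;
    }
    return $vars;
}

/** Unsafe: trusts HTTP_PROXY no matter where the process is running. */
function proxyFromEnvUnsafe(array $env): ?string
{
    return $env['HTTP_PROXY'] ?? null;
}

/**
 * Safe: honour HTTP_PROXY only outside a web request (CLI). The lower-case
 * http_proxy can never be set from a request header, because CGI upper-cases
 * header names, so it remains usable in every SAPI. Real code would pass
 * PHP_SAPI as $sapi; it is a parameter here so both contexts can be shown.
 */
function proxyFromEnvSafe(array $env, string $sapi): ?string
{
    if (isset($env['http_proxy'])) {
        return $env['http_proxy'];
    }
    if ($sapi === 'cli' && isset($env['HTTP_PROXY'])) {
        return $env['HTTP_PROXY'];
    }
    return null;
}

// Constructed request carrying a client-supplied Proxy header.
$incoming = ['Host' => 'shop.example', 'Proxy' => 'http://proxy.example:8080'];
$env = headersToCgiVars($incoming);

printf("HTTP_PROXY as seen by the script: %s\n", $env['HTTP_PROXY'] ?? '(unset)');
printf("unsafe lookup under FPM:           %s\n", proxyFromEnvUnsafe($env) ?? '(none)');
printf("safe lookup under FPM:             %s\n", proxyFromEnvSafe($env, 'fpm-fcgi') ?? '(none)');
printf("safe lookup on the CLI:            %s\n", proxyFromEnvSafe($env, 'cli') ?? '(none)');
```

Under FPM the unsafe lookup returns the value the client sent, while the safe lookup returns nothing; on the CLI, where no request header can exist, the variable is honoured. Independently of the library fix, httpoxy.org also documents dropping the header at the web server, for example with `RequestHeader unset Proxy early` in Apache (mod_headers) or `fastcgi_param HTTP_PROXY "";` in nginx, which is a useful defence-in-depth layer while updating.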

Cross-Site Scripting vulnerability in typolinks

Component Type: TYPO3 CMS

Release Date: July 19, 2016

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: All link fields within a TYPO3 installation are vulnerable to Cross-Site Scripting, because authorized editors can insert links that use the URL scheme “data:”.

Solution: Update to TYPO3 versions 6.2.26, 7.6.10 or 8.2.1, which fix the problem described. The typoLink() function now disables the insecure URL scheme “data:”.
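One way to validate an editor-supplied link before it becomes an href, as an added PHP example that is not TYPO3's typoLink() implementation. It generalises the advisory's fix from blocking “data:” to an allowlist of schemes, and it normalises the input the way browsers do (tab, CR and LF are removed anywhere, leading and trailing control characters are stripped), because a scheme split by a newline would otherwise pass a naive check. The function names and the sample inputs are constructed; PHP 7.1 or later is assumed for the nullable return type.

```php
<?php
// Added example, not TYPO3's typoLink() implementation: an allowlist check on
// the scheme of an editor-supplied link, and safe rendering of the href.

/**
 * Normalise the link the way browsers do before they parse it: drop ASCII tab,
 * CR and LF anywhere in the string, and leading/trailing C0 controls and spaces.
 * Without this, "dat\na:..." would pass a naive check yet run as a data: URL.
 */
function normaliseLink(string $url): string
{
    $url = str_replace(["\t", "\r", "\n"], '', $url);
    return trim($url, "\x00..\x20");
}

/** Returns the lower-cased scheme, or null for relative links without one. */
function linkScheme(string $url): ?string
{
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m) !== 1) {
        return null;
    }
    return strtolower($m[1]);
}

/**
 * Allowlist instead of a "data:" denylist: anything not listed (data:, unknown
 * or custom schemes) is rejected. Relative links carry no scheme and pass.
 */
function isAllowedLinkScheme(string $url, array $allowed = ['http', 'https', 'mailto', 'tel']): bool
{
    $scheme = linkScheme($url);
    return $scheme === null || in_array($scheme, $allowed, true);
}

/** Render an <a> tag, or plain text if the link is not acceptable. */
function renderLink(string $url, string $text): string
{
    $url = normaliseLink($url);
    $escapedText = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!isAllowedLinkScheme($url)) {
        return $escapedText;
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">' . $escapedText . '</a>';
}

// Constructed inputs an editor might store in a link field.
$samples = [
    'https://example.org/page',
    '/relative/path?x=1',
    'mailto:info@example.org',
    ' DATA:text/html,<b>x</b>',      // upper-case scheme with a leading space
    "dat\na:text/html,<b>x</b>",     // newline inside the scheme
    'ftp://example.org/file',        // valid scheme, but not on the allowlist
];
foreach ($samples as $sample) {
    printf("%-36s allowed=%s\n", json_encode($sample),
        isAllowedLinkScheme(normaliseLink($sample)) ? 'yes' : 'no');
}
echo renderLink('https://example.org/?a=1&b="2"', 'Home'), "\n";
```

The first three samples are accepted, the data: variants and the ftp: link are rejected, and the rendered tag has its quotes and ampersand encoded. Rejected links are returned as plain text rather than dropped silently, so an editor sees the content is still there but cannot turn it into an executable URL.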

Credits: Thanks to Valentin Despa who discovered and reported the issue.

Information Disclosure in TYPO3 Backend

Component Type: TYPO3 CMS

Release Date: July 19, 2016

Vulnerable subcomponent: Backend

Vulnerability Type: Information Disclosure

Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Low

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: The TYPO3 backend module stores the username of an authenticated backend user in its cache files. By guessing the file path of the cache files it is possible to obtain valid backend usernames.

Solution: Update to TYPO3 versions 6.2.26, 7.6.10 or 8.2.1 that fix the problem described.

Credits: Thanks to Matthias Kappenberg who discovered and reported the issue.

SQL Injection in TYPO3 Frontend Login

Component Type: TYPO3 CMS

Release Date: July 19, 2016

Vulnerable subcomponent: Frontend Login

Vulnerability Type: SQL Injection

Affected Versions: Versions 6.2.0 to 6.2.25 and 7.6.0 to 7.6.9

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Because user input is not properly escaped, the frontend login component is vulnerable to SQL Injection. A valid frontend user account is needed to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.26 or 7.6.10 that fix the problem described.
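A frontend-user lookup written so that the username never has to be escaped at all, as an added PHP example that is not TYPO3's felogin code. It uses a prepared statement, which sends the value separately from the SQL text, instead of the string concatenation that makes escaping necessary in the first place. The table, the user record and the function names are constructed; the pdo_sqlite extension and PHP 7.1 or later are assumed.

```php
<?php
// Added example, not TYPO3's felogin code: a frontend-user lookup with a
// prepared statement, so the username cannot change the structure of the query.
// Assumes the pdo_sqlite extension; the table and the user record are constructed.

function createSampleDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE fe_users (
        uid INTEGER PRIMARY KEY,
        username TEXT NOT NULL,
        password TEXT NOT NULL,
        disable INTEGER NOT NULL DEFAULT 0)');
    $pdo->prepare('INSERT INTO fe_users (username, password) VALUES (?, ?)')
        ->execute(["o'brien", password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $pdo;
}

/*
 * Vulnerable shape, for contrast only (not executed here): the username is
 * concatenated into the SQL text, so every quote or keyword the user types
 * becomes part of the statement unless it is escaped perfectly every time.
 *
 *   "SELECT ... FROM fe_users WHERE username = '" . $username . "'"
 */

/** Parameterised lookup: the driver transmits the value apart from the SQL. */
function findFrontendUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT uid, username, password FROM fe_users WHERE username = :username AND disable = 0'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Password check that takes the same path whether or not the user exists. */
function authenticate(PDO $pdo, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy', PASSWORD_DEFAULT);
    $user = findFrontendUser($pdo, $username);
    // Verify against a dummy hash when the user is missing, so response time
    // does not reveal whether the username exists.
    return password_verify($password, $user['password'] ?? $dummyHash) && $user !== null;
}

$pdo = createSampleDatabase();
// The apostrophe in the username is just data to the prepared statement.
var_dump(authenticate($pdo, "o'brien", 'correct horse battery'));
var_dump(authenticate($pdo, "o'brien", 'wrong password'));
var_dump(authenticate($pdo, 'nobody', 'anything'));
```

The first call succeeds and the other two fail, and a username containing a quote is matched literally rather than altering the WHERE clause. The dummy-hash verification for unknown users is a small extra that keeps login timing independent of username existence.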

Credits: Thanks to Oliver Hader who discovered and reported the issue.

Insecure Unserialize in TYPO3 Import/Export

Component Type: TYPO3 CMS

Release Date: July 19, 2016

Vulnerable subcomponent: Import/Export

Vulnerability Type: Insecure Unserialize

Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:H/Au:S/C:P/I:P/A:P/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Because incoming import data is not properly validated, the Import/Export component is susceptible to insecure unserialize. A valid backend user account is needed to exploit this vulnerability.

Solution: In the released TYPO3 versions 6.2.26, 7.6.10 and 8.2.1 the Import/Export module is disabled by default for non-admin users. To re-activate the Import/Export module for trusted users, add “options.impexp.enableImportForNonAdminUser = 1” to the User TSconfig of those users.
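The two layers the advisory implies, as an added PHP example that is not TYPO3's Import/Export code: a gate mirroring the new default (non-admins import only when the TSconfig option above is set), and a decoder that unserializes import data without instantiating any class. The function names and payloads are constructed, and the TSconfig is assumed to be available as a nested array; PHP 7.0 or later is assumed for the `allowed_classes` option.

```php
<?php
// Added example, not TYPO3's Import/Export code. Shows the user-level gate the
// advisory describes and a way to decode import data without instantiating
// objects. Function names and the sample payloads are constructed.

/**
 * Mirror the fixed default: non-admin users may import only when
 * options.impexp.enableImportForNonAdminUser = 1 is set in their User TSconfig.
 * $userTsConfig is assumed to be the parsed TSconfig as a nested array.
 */
function isImportAllowed(bool $isAdmin, array $userTsConfig): bool
{
    if ($isAdmin) {
        return true;
    }
    $flag = $userTsConfig['options']['impexp']['enableImportForNonAdminUser'] ?? '0';
    return (string)$flag === '1';
}

/**
 * Decode a serialized payload that must contain only arrays and scalars.
 * allowed_classes => false (PHP 7.0+) prevents any class from being
 * instantiated: objects in the stream become __PHP_Incomplete_Class, so no
 * __wakeup()/__destruct() of application classes can run. Even those are then
 * rejected, because the import data model has no legitimate use for objects.
 */
function decodeImportPayload(string $payload): array
{
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if ($data === false && $payload !== 'b:0;') {
        throw new InvalidArgumentException('Malformed import payload');
    }
    if (!is_array($data)) {
        throw new InvalidArgumentException('Import payload must be an array');
    }
    array_walk_recursive($data, function ($value): void {
        if (is_object($value)) {
            throw new InvalidArgumentException('Objects are not allowed in import data');
        }
    });
    return $data;
}

// Constructed payloads: a benign page record and one that smuggles an object.
$benign = serialize(['pages' => [['uid' => 1, 'title' => 'Home']]]);
$withObject = 'a:1:{s:5:"pages";O:8:"stdClass":0:{}}';

foreach ([$benign, $withObject] as $payload) {
    try {
        $records = decodeImportPayload($payload);
        echo 'accepted, ', count($records, COUNT_RECURSIVE), " nodes\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

var_dump(isImportAllowed(false, []));
var_dump(isImportAllowed(false, ['options' => ['impexp' => ['enableImportForNonAdminUser' => '1']]]));
var_dump(isImportAllowed(true, []));
```

The benign payload is accepted and the one carrying an object is rejected; the gate denies a non-admin without the option, and allows one with it set and any admin. Where a data exchange format can still be chosen, JSON avoids the object-instantiation problem entirely, since `json_decode()` never creates application classes.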

Credits: Thanks to Franz Jahn who discovered and reported the issue.

Cross-Site Scripting in TYPO3 Backend

Component Type: TYPO3 CMS

Release Date: July 19, 2016

Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.25, 7.6.0 to 7.6.9 and 8.0.0 to 8.2.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Because user input is not properly encoded, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.

Solution: Update to TYPO3 versions 6.2.26, 7.6.10 or 8.2.1 that fix the problem described.

Credits: Thanks to Falk Huber, Markus Bucher, Martin Heigermoser and Nicole Cordes who discovered and reported the issues.

How the new EU cybersecurity regulations affect businesses


The 28 countries that form the European Union will have a common cybersecurity goal beginning July 6th. The European Parliament has approved a new directive under which these countries will have to change their legislation within the next 21 months.

The sectors that are listed (energy, transport, banking) will have to guarantee that they are capable of preventing cyberattacks. Also, if a serious cybersecurity incident does occur, the companies will have to inform the national authorities. Suppliers of digital services like Amazon or Google are all required to provide this information.

The EU countries have 21 months to shift this into their legislation

The EU countries should strengthen cooperation in this area by designating one or more national authorities to handle the cybersecurity workload and to devise a strategy for fighting IT threats.

The EU’s approved directive establishes obligations for “basic service operators” (above all in the sectors already cited), and each country will have six months to transition its national legislation to the new EU rules.


Some businesses in the digital economy (e-commerce sites, search engines, cloud services) will also have to adopt measures to guarantee the security of their infrastructure. They will have to notify the authorities of any unusual incidents, but micro and small businesses will be exempt from this rule.

We have already seen that this approval has come at a delicate moment in cyber history. The European Union calculates that the cost of cyberattacks on businesses and citizens can be between 260,000 and 340,000 million euros. According to a Eurobarometer survey, 85% of internet users are concerned about the increasing risk of cybercrime attacks.

In this context, the goal of this directive is to boost trust between EU countries, harmonise the security of networks and IT systems and, overall, create an environment where information can be exchanged in order to prevent attacks, or at least to communicate when a security incident occurs.

The post How the new EU cybersecurity regulations affect businesses appeared first on Panda Security Mediacenter.