CVE-2016-9010

IBM WebSphere Message Broker 9.0 and 10.0 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim’s click actions and possibly launch further attacks against the victim. IBM Reference #: 1997906.

CVE-2016-8866

The AcquireMagickMemory function in MagickCore/memory.c in GraphicsMagick 7.0.3.3 before 7.0.3.8 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8862.

CVE-2016-8968

IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998515.

Who you gonna call? CyberThreatBusters!

In the movie Ghostbusters, the imaginary threats ranged from Psychomagnotheric Slime to the Stay Puft Marshmallow Man and Gozer the Gozerian, armed with slime and a bagful of Hollywood special effects. In the real world, small and medium businesses face a growing range of internal and external cybersecurity (CybSec) threats that are just as scary, while at the same time they are handicapped by a shortage of skills and resources. With most SMBs (55 percent) the victim of a cyberattack within the last 12 months, and 60 percent going out of business within six months, it makes partnering with a CybSec specialist (AKA CyberThreatBusters) a necessity. 

AVG and Avast merge together with shareholder payments

Court orders squeeze-out of minority shareholders of AVG Technologies B.V., a subsidiary of Avast Software B.V.

 

Prague, Czech Republic / Amsterdam, The Netherlands, February 15, 2017 – Avast Software B.V. (“Avast“) announces that yesterday the Enterprise Chamber of the Court of Appeal in Amsterdam, the Netherlands (the “Enterprise Court“) entered its judgment in the statutory squeeze-out proceedings initiated by Avast against the minority shareholders of AVG Technologies B.V. (“AVG“).

The Enterprise Court found that EUR 22.84 (being the offer price of USD 25.00 converted into EUR against the exchange rate of October 31, 2016) is the fair squeeze-out price per share in AVG and ordered all minority shareholders of AVG to transfer their shares to Avast in exchange for a payment of EUR 22.84 per share in cash, increased by statutory interest to be calculated over the period from October 31, 2016 until the date of transfer of the shares.

Up until March 15, 2017, shareholders of AVG may voluntarily adhere to the judgment of the Enterprise Court by transferring their shares in AVG to Avast. Shareholders should contact their bank, broker or other financial intermediary to obtain information on how to transfer their shares in AVG to Avast.

On or shortly after March 16, 2017, Avast will enforce the judgment of the Enterprise Court against the remaining shareholders of AVG and pay the aggregate squeeze-out price for the remaining shares in AVG into the consignment fund of the Dutch Ministry of Finance. As of that date, all shares in AVG that have not been transferred to Avast voluntarily will be transferred to Avast by operation of law, and the former holders of these shares will then be entitled to receive payment of the squeeze-out price for each share held as of March 16, 2017 from the consignment fund of the Dutch Ministry of Finance only.

* * *

About Avast

Avast Software (www.avast.com), the global leader in digital security products for businesses and consumers, protects over 400 million people online. Avast offers products under the Avast and AVG brands that protect people from threats on the internet and the evolving IoT threat landscape. The company’s threat detection network is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, OPSWAT, ICSA Labs, West Coast Labs and others. Avast is backed by leading global private equity firms CVC Capital Partners and Summit Partners.

 

Forward-Looking Statements

This press release contains forward-looking information that involves substantial risks and uncertainties that could cause actual results to differ materially from those expressed or implied by such statements. All statements other than statements of historical fact are, or may be deemed to be, forward-looking statements within the meaning of the U.S. federal securities laws, and involve a number of risks and uncertainties. In some cases, forward-looking statements can be identified by the use of forward-looking terms such as “anticipate,” “estimate,” “believe,” “continue,” “could,” “intend,” “may,” “plan,” “potential,” “predict,” “should,” “will,” “expect,” “are confident that,” “objective,” “projection,” “forecast,” “goal,” “guidance,” “outlook,” “effort,” “target,” “would” or the negative of these terms or other comparable terms. There are a number of important factors that could cause actual events to differ materially from those suggested or indicated by such forward-looking statements and you should not place undue reliance on any such forward-looking statements. These factors include risks and uncertainties related to, among other things: general economic conditions and conditions affecting the industries in which Avast and AVG operate and the squeeze-out proceedings initiated by Avast against the minority shareholders of AVG. Additional information regarding the factors that may cause actual results to differ materially from these forward-looking statements is available in AVG’s filings with the U.S. Securities and Exchange Commission, including AVG’s Annual Report on Form 20-F for the year ended December 31, 2015. These forward-looking statements speak only as of the date of this release and neither Avast nor AVG assumes any obligation to update or revise any forward-looking statement, whether as a result of new information, future events and developments or otherwise, except as required by law.

 

Contacts

Avast Software
Marina Ziegler
PR & Communications Director
+49-(0)89-3815331-17

###

Metatag – Moderately Critical – Information Disclosure – SA-CONTRIB-2017-019

Description

This module enables you to add a variety of meta tags to a site for helping with a site’s search engine results and to customize how content is shared on social networks.

The module doesn’t sufficiently protect against data being cached that might contain information related to a specific user.

This vulnerability is mitigated by the fact that a site must have a page with sensitive data in the page title that varies per logged-in user.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Metatag 7.x-1.x versions prior to 7.x-1.21.

Drupal core is not affected. If you do not use the contributed Metatag module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Metatag project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

RESTful – Moderately Critical – Access Bypass – SA-CONTRIB-2017-018

Description

This module enables you to build a RESTful API for your Drupal site.

The restful_token_auth module (a sub-module) doesn’t validate the status of users when logging them in. This results in a blocked user being able to operate normally with the RESTful actions, even after being blocked.

This vulnerability is mitigated by the fact that an attacker must be in possession of the credentials of a previously blocked user. It is also mitigated by the fact that the attacker will only have the access corresponding to the roles of the blocked user. Finally, this only affects sites that use the sub-module, restful_token_auth.
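The missing check described above, shown as a self-contained PHP sketch. This is an added example, not code from the RESTful module: the function names, the token store and the sample accounts are hypothetical, and only the `status` convention (1 = active, 0 = blocked) follows Drupal 7's user records.

```php
<?php
// Added illustration; not code from the RESTful module. All data is constructed.
// 'status' follows the Drupal 7 convention: 1 = active, 0 = blocked.
$users = [
  10 => ['name' => 'alice', 'status' => 1, 'roles' => ['editor']],
  11 => ['name' => 'bob',   'status' => 0, 'roles' => ['editor']], // blocked after the token was issued
];
// Hypothetical token store: token => [uid, expiry timestamp].
$tokens = [
  'tok-alice' => ['uid' => 10, 'expire' => PHP_INT_MAX],
  'tok-bob'   => ['uid' => 11, 'expire' => PHP_INT_MAX],
  'tok-old'   => ['uid' => 10, 'expire' => 1],
];

/** Flawed pattern: resolves the token to an account and stops there. */
function authenticate_without_status_check(string $token, array $tokens, array $users): ?array {
  $entry = $tokens[$token] ?? null;
  if ($entry === null || $entry['expire'] < time()) {
    return null;
  }
  return $users[$entry['uid']] ?? null;
}

/** Corrected pattern: a token only authenticates an account that is still active. */
function authenticate_with_status_check(string $token, array $tokens, array $users): ?array {
  $account = authenticate_without_status_check($token, $tokens, $users);
  if ($account === null || (int) $account['status'] !== 1) {
    return null;
  }
  return $account;
}

/** Defence in depth: drop tokens that belong to accounts that are no longer active. */
function purge_tokens_of_blocked_users(array $tokens, array $users): array {
  return array_filter($tokens, function (array $entry) use ($users): bool {
    return (int) ($users[$entry['uid']]['status'] ?? 0) === 1;
  });
}

foreach (['tok-alice', 'tok-bob', 'tok-old', 'tok-missing'] as $t) {
  $weak = authenticate_without_status_check($t, $tokens, $users);
  $strict = authenticate_with_status_check($t, $tokens, $users);
  printf("%-12s without check: %-6s with check: %s\n", $t,
    $weak ? $weak['name'] : 'deny', $strict ? $strict['name'] : 'deny');
}
printf("tokens kept after purge: %s\n",
  implode(', ', array_keys(purge_tokens_of_blocked_users($tokens, $users))));
```

Only the blocked account's token is treated differently by the two functions; expired and unknown tokens are rejected by both.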

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • RESTful 7.x-1.x versions prior to 7.x-1.8.
  • RESTful 7.x-2.x versions prior to 7.x-2.16.

Drupal core is not affected. If you do not use the contributed RESTful module, there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful project page.

Reported by

Fixed by

Coordinated by
