Security
Posted by oststrom (public) on Oct 13
Hash: SHA1
CVE-2014-2022 – vbulletin 4.x – SQLi in breadcrumbs via xmlrpc API
(post-auth)
============================================================================
==
Overview
——–
date : 10/12/2014
cvss : 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
cwe : 89
vendor : vBulletin Solutions
product : vBulletin 4
versions affected : latest 4.x (to date); verified <= 4.2.2
*…
Posted by oststrom (public) on Oct 13
Hash: SHA1
CVE-2013-2021 – vBulletin 5.x/4.x – persistent XSS in AdminCP/ApiLog via
xmlrpc API (post-auth)
============================================================================
====================
Overview
——–
date : 10/12/2014
cvss : 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base
cwe : 79
vendor : vBulletin Solutions
product : vBulletin 4
versions affected : latest 4.x and 5.x (to date);…
Posted by E Boogie on Oct 13
I’ve done a little more testing and what I’ve found is pretty startling.
I tested on a Galaxy Note 2 running Android 4.4.2 and the CSP bypass worked.
I also tested on an old version of Safari on an iPad (Safari/7534.48.3) and
the CSP bypass also worked.
If you are so kind, please use ejj.io/test.php to test this for me. If it
worked, please press the “IT WORKED” button.
This way I can compile a large finger print of…
Posted by Dirk-Willem van Gulik on Oct 13
Security Advisory
DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.)
CVE-2014-3671
references:
CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278
CVE-2014-7186 and, CVE-2014-7187
* Summary:
Above CVEs detail a number of flaws in bash prior related to the parsing
of environment variables (aka BashBug, Shellshock). Several networked
vectors for…
Resolved Bugs
1133439 – CVE-2014-5447 CVE-2014-5448 CVE-2014-5449 CVE-2014-5450 zarafa: multiple default permission issues
1133442 – zarafa: multiple default permission issues [epel-all]<br
Zarafa Collaboration Platform 7.1.11 final R1 [46050]
=====================================================
General
——-
This R1 release of the 7.1.11 final release addresses the WebAccess install problem on RPM-based systems and resolves the dependencies problems under Ubuntu 14.04.
Backend
——-
* ZCP-12472: zarafa-search crashes on ubuntu 14.0.4 LTS
* ZCP-12405: zarafa-search do not start on Ubuntu 14.04
* ZCP-12581: config files are being saved as config.cfg.dpkg-new on ubuntu 14.04
* ZCP-12570: install.sh for Ubuntu 14.04
* ZCP-12582: installing webaccess on rhel based systems result in scriptlet failed, exit status 1
Zarafa Collaboration Platform 7.1.11 final [45875]
==================================================
General
——-
This release brings a few new features while maintaining stability. With this release we address a few segfaults in zarafa-search to match this final release.
Backend
——-
* ZCP-11809: zarafa-gateway is unable to create RTF text stream
* ZCP-11862: zarafa-backup zarafa-restore breaks textfiles
* ZCP-11934: Enhance MariaDB support by modifying sql_mode
* ZCP-12012: zarafa-server segfaults when running zarafa-stats –system
* ZCP-12097: Disposition-Notification-To double colons in middle of line. dagent crashes
* ZCP-12110: Segfault zarafa-server 7.1.8 R1
* ZCP-12127: Support for Apache 2.4
* ZCP-12134: Randomly lost e-mail attachments in e-mails
* ZCP-12266: [BIG5] Customer requires an option to set the default character encoding of incoming mail when no encoding is set.
* ZCP-12269: public folder shows MAPI_E_STORE_FULL when creating new element
* ZCP-12272: WebAccess: .htaccess is not marked as a configuration file in rpm
* ZCP-12436: jpegPhoto included twice in ldap.propmap.cfg
* ZCP-12500: Zarafa stores rfc enforced linebreaks as actual line breaks
* ZCP-12511: zarafa-gateway is unable to create RTF text stream
* ZCP-12537: ical issue when password contains a colon
* ZCP-12547: As a hoster I need a way to reduce the performance impact on LDAP caused by zarafa-licensed.
* ZCP-12563: Create configuration setting to indicate if folder owners automatically get full access rights or not
* ZCP-12548: zarafa-search segfault
Resolved Bugs
965511 – davfs2 package should be built with PIE flags<br
Add global harderning flags – RHBZ 965511
CMS Subkarma suffers from cross site scripting and remote SQL injection vulnerabilities. Note that this finding houses site-specific data.