Category Archives: Security
Security
Fake Fingerprint Fools iPhone 6 Touch ID
The Internet Braces For Crazy Shellshock Worm
[ MDVA-2014:015 ] php
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Advisory MDVA-2014:015 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : php Date : September 25, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: This is a maintenance and bugfix release that upgrades php to the latest 5.5.17 version which resolves various upstream bugs in php. Additionally, the php-timezonedb packages has been upgraded to the latest 2014.7 version, the php-suhosin packages has been upgraded to the latest 0.9.36 version which has better support for php-5.5 and the PECL packages which requires so has been rebuilt for php-5.5.17. _______________________________________________________________________ References: http://php.net/ChangeLog-5.php#5.5
Home Hacking Made Simple
David Jacoby looked at all of the Web-enabled devices in his house–TV, game console, network storage device–and found a handful of exploitable bugs in them.
[ MDVSA-2014:189 ] nss
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:189 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : nss Date : September 25, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: A vulnerability has been discovered and corrected in Mozilla NSS: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates (CVE-2014-1568). The updated NSPR packages h
[ MDVSA-2014:188 ] wireshark
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:188 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : wireshark Date : September 25, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated wireshark packages fix security vulnerabilities: RTP dissector crash (CVE-2014-6421, CVE-2014-6422). MEGACO dissector infinite loop (CVE-2014-6423). Netflow dissector crash (CVE-2014-6424). RTSP dissector crash (CVE-2014-6427). SES dissector crash (CVE-2014-6428). Sniffer file parser crash (CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6421
[ MDVSA-2014:187 ] curl
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:187 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : curl Date : September 25, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated curl packages fix security vulnerabilities: In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613). In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cook
Small Signs of Progress on DNSSEC
SEATTLE–DNS doesn’t have a lot of friends. It’s old, it’s kind of creaky and it has some insecurity issues. The few friends it has have tried to help it out in the last few years with the addition of DNSSEC, but that hasn’t gone so well, either. The Internet hasn’t been quick to adopt DNSSEC, […]
Several vulnerabilities in extension JobControl (dmmjobcontrol)
Release Date: September 25, 2014
Bulletin update: October 6, 2014 (added CVEs)
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 2.14.0 and below
Vulnerability Type: Cross-Site Scripting, SQL Injection
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:A/I:P/A:N/E:H/RL:U/RC:C (What’s that?)
CVE: CVE-2014-7200 (XSS), CVE-2014-7201 (SQLi)
Problem Description: The extension fails to properly escape user input in SQL and HTML context.
Solution: Versions of this extension that are known to be vulnerable will no longer be available for download from the TYPO3 Extension Repository. The extension author is no longer maintaining this extension. Please uninstall and delete the extension folder from your installation.
Credits: Credits go to Hans-Martin Münch who discovered and reported the issues.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.