WatchGuard XTM version 11.8.3 suffers from a cross site scripting vulnerability.

In May 2014, VSR identified a vulnerability in versions 7.0 and 7.1 of the iOS SDK whereby the NSXMLParser class, resolves XML External Entities by default despite documentation which indicates otherwise. In addition, settings to change the behavior of XML External Entity resolution appears to be non-functional. This vulnerability, commonly known as XXE (XML eXternal Entities) attacks could allow for an attacker’s ability to use the XML parser to carry out attacks ranging from network port scanning, information disclosure, denial of service, and potentially to carry out remote file retrieval. Further review also revealed that the Foundation Framework used in OS X 10.9.x is also vulnerable.

downloadcenter.netgear.com suffers from cross site scripting and open redirection vulnerabilities.

Asterisk Project Security Advisory – When an out of call message – delivered by either the SIP or PJSIP channel driver or the XMPP stack – is handled in Asterisk, a crash can occur if the channel servicing the message is sent into the ReceiveFax dialplan application while using the res_fax_spandsp module. Note that this crash does not occur when using the res_fax_digium module. While this crash technically occurs due to a configuration issue, as attempting to receive a fax from a channel driver that only contains textual information will never succeed, the likelihood of having it occur is sufficiently high as to warrant this advisory.

Asterisk Project Security Advisory – It is possible to trigger a crash in Asterisk by sending a SIP SUBSCRIBE request with unexpected mixes of headers for a given event package. The crash occurs because Asterisk allocates data of one type at one layer and then interprets the data as a separate type at a different layer. The crash requires that the SUBSCRIBE be sent from a configured endpoint, and the SUBSCRIBE must pass any authentication that has been configured. Note that this crash is Asterisk’s PJSIP-based res_pjsip_pubsub module and not in the old chan_sip module.

Oracle’s MyOracle allows for malicious script code insertion into outbound emails.

Red Hat Security Advisory 2014-1265-01 – In accordance with the Red Hat OpenShift Enterprise Life Cycle Policy, the two-year life cycle of Production Support for version 1.2 will end on November 27, 2014. In addition, technical support through Red Hat’s Global Support Services will no longer be provided after this date.

Red Hat Security Advisory 2014-1263-01 – Red Hat Storage is software-only, scale-out storage that provides flexible and affordable unstructured data storage for an enterprise. GlusterFS, a key building block of Red Hat Storage, is based on a stackable user-space design and can deliver exceptional performance for diverse workloads. GlusterFS aggregates various storage servers over network interconnections into one large, parallel network file system. A denial of service flaw was found in the way Python’s SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU.