Debian Linux Security Advisory 3025-1 – It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).
Debian Security Advisory 3026-1
Debian Linux Security Advisory 3026-1 – Alban Crequy and Simon McVittie discovered several vulnerabilities in the D-Bus message daemon.
Red Hat Security Advisory 2014-1255-01
Red Hat Security Advisory 2014-1255-01 – Kerberos is an authentication system which allows clients and services to authenticate to each other with the help of a trusted third party, a Kerberos Key Distribution Center. A buffer overflow was found in the KADM5 administration server when it was used with an LDAP back end for the KDC database. A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. All krb5 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc and kadmind daemons will be restarted automatically.
Middle-School Dropout Codes Chat Program That Foils NSA
Credit Card Cutting Flaw Could Have Killed Every Ad On Twitter
Critical Adobe Reader And Acrobat Patches Finally Make It Out
V3 Security Summit: Majority Of Apps Would Fail Basic Security Tests
SA-CONTRIB-2014-091 – Survey Builder – Cross Site Scripting (XSS)
- Advisory ID: DRUPAL-SA-CONTRIB-2014-091
- Project: Survey Builder (third-party module)
- Version: 7.x
- Date: 2014-September-17
- Security risk: 9/25 ( Less Critical) AC:Basic/A:User/CI:None/II:None/E:Proof/TD:All
- Vulnerability: Cross Site Scripting
Description
This module allows you to use the Form Builder module to provide an intuitive interface for building surveys, along with the back-end for storing surveys and their responses.
Cross Site Scripting (XSS)
When viewing surveys at “/surveys”, the survey titles printed out are not sanitized. Any potentially dangerous code in the survey titles is also rendered.
This vulnerability is mitigated by the fact that a user must have the “Create Survey” permission to be able to set the survey titles.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- survey_builder 7.x-1.x versions prior to 7.x-1.2.
Drupal core is not affected. If you do not use the contributed Survey Builder module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the survey_builder module for Drupal 7.x, upgrade to survey_builder 7.x-1.2
Also see the Survey Builder project page.
Reported by
Fixed by
- Matt Vance
- Francisco José Cruz Romanos provisional member the Drupal Security Team
Coordinated by
- Rick Manelius member of Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at
https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.
Drupal version:
SA-CONTRIB-2014-090 Speech recognition – Multiple vulnerabilities
- Advisory ID: DRUPAL-SA-CONTRIB-2014-090
- Project: Speech recognition (third-party module)
- Version: 7.x
- Date: 2014-September-17
- Security risk: 14/25 ( Moderately Critical) AC:None/A:User/CI:None/II:Some/E:Proof/TD:All
- Vulnerability: Cross Site Scripting, Cross Site Request Forgery, Multiple vulnerabilities
Description
This module enables you to add speech recognition to forms, allowing site admins to enable experimental Speech Input API features on form inputs through the user interface.
Cross Site Scripting (XSS)
The module incorrectly prints fields without proper sanitization thereby opening a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer speech”.
Cross Site Request Forgery (CSRF)
The module enables in-place configuration of form options via AJAX requests, but it doesn’t sufficiently check the source of those requests, making possible for an attacker to cause a user to unknowingly make changes to the field configurations.
This vulnerability is mitigated by the fact that the attacked administrator must have a role with the permission “administer speech”.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- All versions of Speech recognition.
Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.
Drupal core is not affected. If you do not use the contributed Speech recognition module,
there is nothing you need to do.
Solution
If you use the Speech recognition module you should uninstall it.
Also see the Speech recognition project page.
Reported by
- Matt Vance (provisional member of the Drupal Security Team)
- Francisco José Cruz Romanos (provisional member of the Drupal Security Team)
Fixed by
Not applicable.
Coordinated by
- Rick Manelius member of Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at
href=”https://www.drupal.org/contact“>https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Drupal version:
White House: Internet Not Borderless, But Lacking Interior
White House special assistant to the President and Cybersecurity Coordinator Micheal Daniel explains that a series of simple, known issues add up to a very difficult Internet security problem.