Mozilla has released Firefox 32, the latest version of its browser, which now supports public-key pinning and also includes fixes for several critical security vulnerabilities. The move to support public-key pinning is an important one for Firefox, as it helps protect users against man-in-the-middle attacks that rely on forged certificates. The feature binds a set […]
[Announce] Apache HTTP Server 2.2.29 Released
Apache HTTP Server 2.2.29 Released
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to announce the release of version 2.2.29 of the Apache HTTP
Server ("Apache"). (Note that 2.2.28 was not released). This version
of Apache is principally a security and bug fix maintenance release,
and addresses these specific security defects as well as other fixes;
CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to
avoid denial of service via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst.
CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow.
CVE-2013-5704 (cve.mitre.org)
HTTP trailers could be used to replace HTTP headers late during
request processing, potentially undoing or otherwise confusing
modules that examined or modified request headers earlier.
Adds "MergeTrailers" directive to restore this legacy behavior.
We consider the Apache HTTP Server 2.4 release to be the best version
of Apache available, and encourage users of 2.2 and all prior versions
to upgrade. This 2.2 maintenance release is offered for those unable
to upgrade at this time. For further details, see:
http://www.apache.org/dist/httpd/Announcement2.4.txt
Apache HTTP Server 2.4 and 2.2.29 are available for download from:
http://httpd.apache.org/download.cgi
Please see the CHANGES_2.2 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.2.29 includes only
those changes introduced since the prior 2.2 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:
http://httpd.apache.org/security/vulnerabilities_22.html
This release includes the Apache Portable Runtime (APR) version 1.5.1
and APR Utility Library (APR-util) version 1.5.3, bundled with the tar
and zip distributions. The APR libraries libapr and libaprutil (and
on Win32, libapriconv version 1.2.1) must all be updated to ensure
binary compatibility and address many known security and platform bugs.
APR version 1.5 and APR-util version 1.5 represent minor version upgrades
from earlier httpd 2.2 source distributions.
This release builds on and extends the Apache 2.0 API and is superseded
by the Apache 2.4 API. Modules written for Apache 2.0 or 2.4 will need
to be recompiled in order to run with Apache 2.2, and most will require
minimal or no source code changes.
When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
Gary McGraw on the IEEE Center for Secure Design
Dennis Fisher talks with Gary McGraw of Cigital about the IEEE’s new Center for Secure Design program, the difficulty of defeating large classes of bugs and the collaborative effort it will take to solve the software security problem.
CVE-2014-1564 (evergreen, firefox, firefox_esr, opensuse, thunderbird)
Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image.
CVE-2014-1563 (evergreen, firefox, firefox_esr, opensuse, thunderbird)
Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection.
CVE-2014-1553 (evergreen, firefox, firefox_esr, opensuse, thunderbird)
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Mozilla Releases Security Updates for Firefox and Thunderbird
Original release date: September 03, 2014
The Mozilla Foundation has released security updates to address multiple vulnerabilities in Firefox and Thunderbird. Exploitation of these vulnerabilities may allow an attacker to cause an exploitable crash or execute arbitrary code.
The following updates are available:
- Firefox 32
- Firefox ESR 24.8
- Firefox ESR 31.1
- Thunderbird 31.1
- Thunderbird 24.8
Users and administrators are encouraged to review the Security Advisories for Firefox, Firefox ESR and Thunderbird to determine which updates should be applied to mitigate these risks.
AVG Technologies Announces Intention to Acquire Location Labs
Today, we announced our intention to acquire Location Labs, which is best known for its “mobile security for humans”.
AVG has been talking for some time about the need for a more holistic approach to security; one that protects not only devices, but also data and, ultimately, the people using those devices and data. Products that encompass all these elements must be easy to understand and easy to use.
AVG’s security for Android smartphones is one the top security apps on the Google Play store. Location Labs products, sold by major mobile operators and running on both the Android and iOS platforms, provide exceptional security and safety for people – you and those you care for.
Additionally, Location Labs’ mobile products and services draw on the value of the mobile operator network to provide features and functionality that are not possible otherwise. Having multiple distribution channels delivers good choices for customers. They may want to download our apps directly from App stores, or they may prefer to choose a service that has been validated and integrated with their network provider, including their billing and customer support services. Currently, AVG’s mobile offerings use the first method; Location Labs’, the second.
At AVG and Location Labs, we understand that for our customers, safety and security for connected devices is first and foremost about ensuring that their families, or those they care deeply about, are protected. This is where the combination of AVG Zen and the Location Labs’ products will really shine. With AVG Zen, customers can connect to, and manage the device and data security of their own, and others’, phones, laptops, and PCs.
With Location Labs offerings, they can also manage the content, applications, and permissions available on each of those devices, and see the location and status of the users. As massive numbers of mobile devices are adopted worldwide, and as we all connect more and more items to our own personal networks, this promises to be an important and growing market.
We are particularly pleased that the leadership and the team at Location Labs will be joining AVG. They have built a compelling business within the mobile industry – not an easy thing to do – and helped grow the company to over 1.3 million paying subscribers. We are looking forward to working with them to grow the business further to improve safety and security for all mobile users.
Today’s announcement is the first step in a longer journey and we believe it marks the start of a new approach to mobile security for consumers. We understand that to really enjoy the rich experience of today’s connected world, we all need to feel comfortable and safe, and to have confidence and trust in the smart devices that enable us to monitor and secure the people we care about. As we move forward, we’ll be working hard to make this vision a reality for our customers.
Is your software fixed?
A common query seen at Red Hat is “our auditor says our Red Hat machines are vulnerable to CVE-2015-1234, is this true?” or “Why hasn’t Red Hat updated software package foo to version 1.2.3?” In other words, our customers (and their auditors) are not sure whether or not we have fixed a security vulnerability, or if a given package is up to date with respect to security issues. In an effort to help our security-conscious customers, Red Hat makes this information available in an easy to consume format.
What’s the deal with CVEs?
Red Hat is committed to the CVE process. To quote our CVE compatibility page:
We believe that giving our users accurate and complete information about security issues is extremely important. By including CVE names when we discuss security issues in our services and products, we can help users cross-reference vulnerabilities so they spend less time investigating and categorizing security events.
Red Hat has a representative on the CVE Editorial Board and declared CVE compatibility in April 2002.
To put it simply: if it’s a security issue and we fix it in an RHSA, it gets a CVE. In fact we usually assign CVEs as soon as we determine a security issue exists (additional information on determining what constitutes a security issue can be found on our blog).
How to tell if your software is fixed?
A CVE can be queried at our public CVE page. Details concerning the vulnerability, the CVSS v2 metrics, and security errata are easily accessible from here.
To verify your system is secure, simply check which version of the package you have installed: if the NVR of your installed package is equal to or higher than the NVR of the package in the RHSA, then you’re safe.
What’s an NVR?
The NVR is the Name-Version-Release of the package. The Heartbleed RHSA lists packages such as: openssl-1.0.1e-16.el6_5.7.x86_64.rpm. From this we see a package name of “openssl” (a hyphen), a version of 1.0.1e (a hyphen) and a release of 16.el6_5.7. Assuming you are running RHEL 6, x86_64, if you have openssl version 1.0.1e release 16.el6_5.7 or later you’re protected from the Heartbleed issue.
Please note that there is an additional field called “epoch”. This field supersedes the version number (and release). Most packages do not have an epoch number; however, a larger epoch number means that a package can override a package with a lower epoch. This can be useful, for example, if you need a custom modified version of a package that also exists in RPM repos you are already using: by assigning an epoch number to your package RPM you can override the same-version package RPMs from another repo even if they have a higher version number. So be aware that if you use packages that have the same name and a higher epoch number, you will not get security updates unless you specifically create new RPMs with the epoch number and the security update.
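The NVR and epoch comparison described above, worked through as an added example (this is not Red Hat’s code or the rpm library; it is a simplified reimplementation of rpm’s version ordering, and the custom-epoch package name is constructed for illustration):

```python
import re

# Added example: compare an installed package against the NVR an RHSA lists,
# using a simplified form of rpm's version ordering (rpmvercmp) plus epoch.

def _segments(s):
    # Alternating numeric and alphabetic runs; separators (. _ -) are dropped.
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two version (or release) strings."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")   # numeric: 14 > 7, 16 > 9
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
            if x != y:
                return 1 if x > y else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1        # a number beats letters
        elif x != y:
            return 1 if x > y else -1              # letters compare lexically
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1         # extra segments win

def parse_nvr(filename):
    """Split 'name-version-release.arch.rpm' into (name, version, release)."""
    stem = re.sub(r"\.rpm$", "", filename)
    stem = re.sub(r"\.(x86_64|i686|noarch|src)$", "", stem)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release

def evr_cmp(installed, rhsa, installed_epoch=0, rhsa_epoch=0):
    """-1/0/1: how the installed package orders against the RHSA package."""
    n1, v1, r1 = parse_nvr(installed)
    n2, v2, r2 = parse_nvr(rhsa)
    if n1 != n2:
        raise ValueError("package names differ: %s vs %s" % (n1, n2))
    if installed_epoch != rhsa_epoch:             # epoch overrides everything
        return 1 if installed_epoch > rhsa_epoch else -1
    c = rpmvercmp(v1, v2)
    return c if c != 0 else rpmvercmp(r1, r2)

def is_patched(installed, rhsa, installed_epoch=0, rhsa_epoch=0):
    """True when the installed NVR is equal to or higher than the RHSA's."""
    return evr_cmp(installed, rhsa, installed_epoch, rhsa_epoch) >= 0
```

Note that a custom package carrying a higher epoch orders above the RHSA package even when its version is older, which is exactly why such packages never receive the security update automatically.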
But what if there is no CVE page?
As part of our process the CVE pages are automatically created if public entries exist in Bugzilla. CVE information may not be available if the details of the vulnerability have not been released or the issue is still embargoed. We do encourage responsible handling of vulnerabilities and sometimes delay CVE information from being made public.
Also, CVE information will not be created if the software we shipped wasn’t vulnerable.
How to tell if your system is vulnerable?
If you have a specific CVE or set of CVEs that you are worried about you can use the yum command to see if your system is vulnerable. Start by installing yum-plugin-security:
sudo yum install yum-plugin-security
Then query the CVE you are interested in, for example on a RHEL 7 system without the OpenSSL update:
[root@localhost ~]# yum updateinfo info --cve CVE-2014-0224
===============================================
Important: openssl security update
===============================================
Update ID : RHSA-2014:0679
Release :
Type : security
Status : final
Issued : 2014-06-10 00:00:00
Bugs : 1087195 - CVE-2010-5298 openssl: freelist misuse causing
a possible use-after-free
: 1093837 - CVE-2014-0198 openssl: SSL_MODE_RELEASE_BUFFERS NULL
pointer dereference in do_ssl3_write()
: 1103586 - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
: 1103593 - CVE-2014-0221 openssl: DoS when sending invalid DTLS
handshake
: 1103598 - CVE-2014-0195 openssl: Buffer overflow via DTLS
invalid fragment
: 1103600 - CVE-2014-3470 openssl: client-side denial of service
when using anonymous ECDH
CVEs : CVE-2014-0224
: CVE-2014-0221
: CVE-2014-0198
: CVE-2014-0195
: CVE-2010-5298
: CVE-2014-3470
Description : OpenSSL is a toolkit that implements the Secure
Sockets Layer
If your system is up to date or the CVE doesn’t affect the platform you’re on then no information will be returned.
Conclusion
Red Hat Product Security makes available as much information as we can regarding vulnerabilities affecting our customers. This information is available on our customer portal as well as within the software repositories. As you can see it is both easy and quick to determine if your system is up to date on security patches with the provided information and tools.
The following checklist can be used to check if systems or packages are affected by specific security issues:
1) Check if the issue you’re concerned about has a CVE and check the Red Hat CVE page:
https://access.redhat.com/security/cve/CVE-2014-0224
2) Check to see if your system is up to date for that issue:
sudo yum install yum-plugin-security
yum updateinfo info --cve CVE-2014-0224
3) Alternatively you can check the package NVR in the RHSA errata listed in the CVE page (in #1) and compare it to the packages on your system to see if they are the same or greater.
4) If you still have questions please contact Red Hat Support!
AVG to lead innovation sessions at The Pitch, London
This Thursday 4th September in London, AVG will be attending the first of two small business boot-camps as part of The Pitch, UK. Now in its seventh year The Pitch is one of the UK’s longest running small business competitions and awards thousands of pounds worth of prizes to innovative startups.
The boot camps will be attended by 100 small businesses that made it through the first stage of the competition. These are split into two regional groups, North and South, who will attend boot camps in Manchester (on 18th September) and this week in London where after an intense day of mentoring their pitching prowess will be assessed.
As a main sponsor for The Pitch, AVG is delighted to attend these boot camp sessions and will be working directly with the competitors in one of the hands-on sessions. The boot camps will focus on the four key pillars of pitching:
- Marketing
- Finance
- Business model innovation
- Pitching
AVG’s Director of Partner Enablement Mike Byrne will be leading the Business Model Innovation session aimed to provide candidates with some useful ideas about how to optimise their business models and sharpen their sales techniques using technology. Whether it’s managing relationships, assessing the competition, reducing sales cycle time/costs or simply making life easier, technology has a lot offer business sales activities.
AVG’s philosophy is all about empowering small businesses to manage their technology simply and reliably so they can stop worrying about their data and concentrate on growth in today’s fast changing, increasingly mobile workplace.
After the boot camps, the competitors will be narrowed down from 100 to 30 applicants to proceed to the final where a winner will be chosen by a panel of judges including AVG’s own Judith Bitterli.
The overall winner of The Pitch will win a priceless prize package that includes expert mentoring from business leaders and free access to world leading products and services including free AVG CloudCare services for two years.