Red Hat Security Advisory 2018-2908-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.51. Issues addressed include a crash vulnerability.

The 26th ACM Conference on Computer and Communications Security will take place in London, UK, November 11th through the 15th, 2019. The Conference on Computer and Communications Security (CCS) seeks submissions presenting novel contributions related to all real-world aspects of computer security and privacy. Theoretical papers must make a convincing case for the relevance of their results to practice. Authors are encouraged to write the abstract and introduction of their paper in a way that makes the results accessible and compelling to a general computer-security researcher. In particular, authors should bear in mind that anyone on the program committee may be asked to give an opinion about any paper.

Zoho ManageEngine OpManager versions 12.3 before build 123223 have a cross site scripting vulnerability via the updateWidget API.

Debian Linux Security Advisory 4340-1 - An out-of-bounds bounds memory access issue was discovered in chromium's v8 javascript library by cloudfuzzer.

ELBA5 Network Installation versions prior to 5.8.1 suffer from a remote code execution vulnerability.

Microsoft Windows 10 1803 and 1809 have an issue with unnamed kernel object creation. It's possible to default the security descriptor owner or mandatory label to the value from an Identification level impersonation token leading to elevation of privilege.

Microsoft Windows 10 1803 suffers from a DfMarshal unsafe unmarshaling elevation of privilege vulnerability.

macOS version 10.13 workq_kernreturn denial of service proof of concept exploit.

ImageMagick versions prior to 7.0.8-9 suffers from a memory leak vulnerability.

Ticketly version 1.0 suffers from a cross site request forgery vulnerability.

Ubuntu Security Notice 3816-2 - USN-3816-1 fixed several vulnerabilities in systemd. However, the fix for CVE-2018-6954 was not sufficient. This update provides the remaining fixes. Jann Horn discovered that unit_deserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject arbitrary state across re-execution and obtain root privileges. Jann Horn discovered a race condition in chown_one. A local attacker could potentially exploit this by setting arbitrary permissions on certain files to obtain root privileges. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. It was discovered that systemd-tmpfiles mishandled symlinks in non-terminal path components. A local attacker could potentially exploit this by gaining ownership of certain files to obtain root privileges. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Various other issues were also addressed.

Ricoh myPrint suffers from hardcoded application credential and information disclosure vulnerabilities. The myPrint windows client version 2.9.2.4 and myPrint android client version 2.2.7 are both affected.

Synaccess netBooter NP-0801DU version 7.4 suffers from a cross site request forgery vulnerability.

Synaccess netBooter NP-02x and NP-08x version 6.8 suffer from an authentication bypass vulnerability due to a missing control check when calling the webNewAcct.cgi script while creating users. This allows an unauthenticated attacker to create an admin user account and bypass authentication giving her the power to turn off a power supply to a resource.

Microsoft Edge suffers from a Chakra OP_Memset type confusion vulnerability.

XMPlay version 3.8.3 suffers from a denial of service vulnerability.

HTML Video Player version 1.2.5 suffers from a buffer overflow vulnerability.

Intel Rapid Storage Technology User Interface and Driver version 15.9.0.1015 suffers from a dll hijacking vulnerability.

Budabot versions 0.6 through 4.0 suffer from a denial of service vulnerability.

Easy Outlook Express Recovery version 2.0 suffers from a denial of service vulnerability.

Ubuntu Security Notice 3824-1 - It was discovered that the Security component of OpenJDK did not properly ensure that manifest elements were signed before use. An attacker could possibly use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. Artem Smotrakov discovered that the HTTP client redirection handler implementation in OpenJDK did not clear potentially sensitive information in HTTP headers when following redirections to different hosts. An attacker could use this to expose sensitive information. Various other issues were also addressed.

Mumsoft Easy Software version 2.0 suffers from a denial of service vulnerability.

DomainMOD versions 4.09.03 through 4.11.01 suffer from a cross site scripting vulnerability.

Helpdezk version 1.1.1 suffers from a remote shell upload vulnerability.