Ubuntu Security Notice 2169-2 - USN-2169-1 fixed vulnerabilities in Django. The upstream security patch for CVE-2014-0472 introduced a regression for certain applications. This update fixes the problem. Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. An attacker could possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions. Michael Koziarski discovered that Django did not always perform explicit conversion of certain fields when using a MySQL database. An attacker could possibly use this issue to obtain unexpected results. Various other issues were also addressed.
Apple Security Advisory 2014-04-22-3 - Apple TV 6.1.1 is now available and addresses vulnerabilities related to credential compromise, ASLR bypass, code execution, and more.
Apple Security Advisory 2014-04-22-2 - iOS 7.1.1 is now available and addresses vulnerabilities in IOKit Kernel, CFNetwork HTTPProtocol, Secure Transport, and WebKit.
Apple Security Advisory 2014-04-22-1 - Security Update 2014-002 is now available and addresses vulnerabilities in CFNetwork HTTPProtocol, CoreServicesUIAgent, FontParser, Heimdal Kerberos, ImageIO, Intel Graphics Driver, IOKit Kernel, the kernel, power management, Ruby, and more.
HP Security Bulletin HPSBMU03018 - A potential security vulnerability has been identified with HP Software Asset Manager running OpenSSL. The Heartbleed vulnerability was detected in specific OpenSSL versions. OpenSSL is a 3rd party product that is embedded with some HP Software products. This bulletin's objective is to notify HP Software customers about products affected by the Heartbleed vulnerability. Note: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found in the OpenSSL cryptographic software library. This weakness potentially allows disclosure of information protected, under normal conditions, by the SSL/TLS protocol. The impacted products listed below are vulnerable due to embedding OpenSSL standard release software. Revision 1 of this advisory.
HP Security Bulletin HPSBMU03017 - A potential security vulnerability has been identified with HP Software Connect-IT running OpenSSL. The Heartbleed vulnerability was detected in specific OpenSSL versions. OpenSSL is a 3rd party product that is embedded with some HP Software products. This bulletin's objective is to notify HP Software customers about products affected by the Heartbleed vulnerability. Note: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found in the OpenSSL cryptographic software library. This weakness potentially allows disclosure of information protected, under normal conditions, by the SSL/TLS protocol. The impacted products listed below are vulnerable due to embedding OpenSSL standard release software. Revision 1 of this advisory.
HP Security Bulletin HPSBMU03019 - A potential security vulnerability has been identified with HP Software UCMDB Browser and Configuration Manager running OpenSSL. The Heartbleed vulnerability was detected in specific OpenSSL versions. OpenSSL is a 3rd party product that is embedded with some HP Software products. This bulletin's objective is to notify HP Software customers about products affected by the Heartbleed vulnerability. Note: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found in the OpenSSL cryptographic software library. This weakness potentially allows disclosure of information protected, under normal conditions, by the SSL/TLS protocol. The impacted products listed below are vulnerable due to embedding OpenSSL standard release software. Revision 1 of this advisory.
Ubuntu Security Notice 2169-1 - Benjamin Bach discovered that Django incorrectly handled dotted Python paths when using the reverse() function. An attacker could use this issue to cause Django to import arbitrary modules from the Python path, resulting in possible code execution. Paul McMillan discovered that Django incorrectly cached certain pages that contained CSRF cookies. An attacker could possibly use this flaw to obtain a valid cookie and perform attacks which bypass the CSRF restrictions. Various other issues were also addressed.
Slackware Security Advisory - New php packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.
Slackware Security Advisory - New libyaml packages are available for Slackware 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
Red Hat Security Advisory 2014-0421-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process.
Red Hat Security Advisory 2014-0420-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process.
Red Hat Security Advisory 2014-0419-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in the way the Linux kernel processed an authenticated COOKIE_ECHO chunk during the initialization of an SCTP connection. A remote attacker could use this flaw to crash the system by initiating a specially crafted SCTP handshake in order to trigger a NULL pointer dereference on the system.
Debian Linux Security Advisory 2911-1 - Multiple security issues have been found in Icedove, Debian's version of the Mozilla Thunderbird mail and news client. Multiple memory safety errors, out of bound reads, use-after-frees and other implementation errors may lead to the execution of arbitrary code, information disclosure or denial of service.
Bugzilla Security Advisory - Bugzilla versions 2.0 through 4.4.2 and 4.5.1 through 4.5.2 suffer from a cross site request forgery vulnerability. Bugzilla versions 2.0 through 4.0.11, 4.1.1 through 4.2.7, 4.3.1 through 4.4.2, and 4.5.1 through 4.5.2 suffer from a social engineering vulnerability.
HP Security Bulletin HPSBMU02994 2 - A potential security vulnerability has been identified in HP BladeSystem c-Class Onboard Administrator (OA) running OpenSSL. This is the OpenSSL vulnerability known as "Heartbleed" which could be exploited remotely resulting in disclosure of information. Revision 2 of this advisory.
HP Security Bulletin HPSBMU03012 - A potential security vulnerability has been identified with HP Insight Management VCEM Web Client SDK (VCEMSDK) running OpenSSL. This is the OpenSSL vulnerability known as "Heartbleed" which could be exploited remotely resulting in disclosure of information. Revision 1 of this advisory.
HP Security Bulletin HPSBMU02995 4 - The Heartbleed vulnerability was detected in specific OpenSSL versions. OpenSSL is a 3rd party product that is embedded with some HP Software products. This bulletin's objective is to notify HP Software customers about products affected by the Heartbleed vulnerability. Note: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found in the OpenSSL cryptographic software library. This weakness potentially allows disclosure of information protected, under normal conditions, by the SSL/TLS protocol. Revision 4 of this advisory.
Apache Archiva versions 1.3 through Continuum 1.3.6 and versions 1.2 through 1.2.2 are vulnerable to remote command execution.
Apache Archiva versions 1.3 through Continuum 1.3.6 and versions 1.2 through 1.2.2 are vulnerable to a cross site scripting issue.
Debian Linux Security Advisory 2901-3 - The update of wordpress in DSA-2901-2 introduced a wrong versioned dependency on libjs-cropper, making the package uninstallable in the oldstable distribution (squeeze). This update corrects that problem.
Debian Linux Security Advisory 2895-2 - The update for prosody in DSA 2895 caused a regression when a client logs in with the compression functionality activated. This update corrects that problem.
Debian Linux Security Advisory 2901-2 - The update for wordpress in DSA 2901 caused a regression in the Quick Drafts functionality. This update corrects that problem.
Debian Linux Security Advisory 2910-1 - Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC address table update requests from the guest.
Debian Linux Security Advisory 2909-1 - Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC address table update requests from the guest.