Twenty Year Anniversary
Showing 1 - 25 of 278 RSS Feed

Files

VMware Security Advisory 2014-0005
Posted May 31, 2014
Authored by VMware | Site vmware.com

VMware Security Advisory 2014-0005 - VMware Workstation, Player, Fusion, and ESXi patches address a vulnerability in VMware Tools which could result in a privilege escalation on Microsoft Windows 8.1.2.

tags | advisory
systems | windows
advisories | CVE-2014-3793
MD5 | 083e66b736a9e92ec49b2ffb2b734a19
Bizagi BPM Suite Cross Site Scripting / SQL Injection
Posted May 30, 2014
Authored by Mauricio Urizar, Todd Lewellen

Bizagi BPM Suite suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | advisory, remote, vulnerability, xss, sql injection
advisories | CVE-2014-2947, CVE-2014-2948
MD5 | 6f4252d73c9ad90dae95225a9022f126
Google Compute Engine VMs Denial Of Service
Posted May 30, 2014
Authored by Scott T. Cameron

Google Compute Engine VMs suffer from multiple traffic-based denial of service vulnerabilities.

tags | advisory, denial of service, vulnerability
MD5 | b861d62d563726bbdecf79b01b1b1a88
Microsoft DHCP INFORM Configuration Overwrite
Posted May 30, 2014
Authored by laurent gaffie

A vulnerability in Windows DHCP was found on Windows OS versions ranging from Windows 2000 through to Windows server 2003. This vulnerability allows an attacker to remotely overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user interaction. Successful exploitation of this issue will result in a remote network configuration overwrite. Microsoft acknowledged the issue but has indicated no plans to publish a patch to resolve it.

tags | advisory, remote
systems | windows, 2k
MD5 | 535d32799e8d5c79bd314ee2a3a71e9b
Apache Tomcat XML Parser Information Disclosure
Posted May 30, 2014
Authored by Mark Thomas | Site tomcat.apache.org

In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XMl parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.5, Apache Tomcat 7.0.0 to 7.0.53, and Apache Tomcat 6.0.0 to 6.0.39.

tags | advisory, web, xxe
advisories | CVE-2014-0119
MD5 | 5bf0de101075a8680add82c3a1818657
Apache Tomcat XSLT Information Disclosure
Posted May 30, 2014
Authored by Mark Thomas | Site tomcat.apache.org

The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.

tags | advisory, web
advisories | CVE-2014-0096
MD5 | 6239c35f875e5fb748a963512ba6bf99
Apache Tomcat Information Disclosure
Posted May 29, 2014
Authored by Mark Thomas | Site tomcat.apache.org

The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.

tags | advisory, overflow
advisories | CVE-2014-0099
MD5 | 5111e908ad08ae8ebd18c203b6493da1
Apache Tomcat Denial Of Service
Posted May 29, 2014
Authored by Mark Thomas | Site tomcat.apache.org

It was possible to craft a malformed chunk size as part of a chucked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.

tags | advisory, denial of service
advisories | CVE-2014-0075
MD5 | 58481d1d8cde56b09ee7b37ef3cc2cf1
Red Hat Security Advisory 2014-0581-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0581-01 - OpenStack Dashboard provides administrators and users a graphical interface to access, provision and automate cloud-based resources. The dashboard allows cloud administrators to get an overall view of the size and state of the cloud and it provides end-users a self-service portal to provision their own resources within the limits set by administrators. A flaw was discovered in OpenStack Dashboard that could allow a remote attacker to conduct cross-site scripting attacks if they were able to trick a horizon user into using a malicious heat template. Note that only setups exposing the orchestration dashboard in OpenStack Dashboard were affected.

tags | advisory, remote, xss
systems | linux, redhat
advisories | CVE-2014-0157
MD5 | e330fbc232a685189b4d359e72562993
Red Hat Security Advisory 2014-0580-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0580-01 - The OpenStack Identity service authenticates and authorizes OpenStack users by keeping track of users and their permitted activities. The Identity service supports multiple forms of authentication including user name and password credentials, token-based systems, and AWS-style logins. The openstack-keystone packages have been upgraded to upstream version 2013.2.3, which provides a number of bug fixes over the previous version. The following security issue is also fixed with this release: It was found that the memcached token back end of OpenStack Identity did not correctly invalidate a revoked trust token, allowing users with revoked tokens to retain access to services they should no longer be able to access. Note that only OpenStack Identity setups using the memcached back end for tokens were affected.

tags | advisory
systems | linux, redhat
advisories | CVE-2014-2237
MD5 | d3f3643c979223af16b6b0d862d9770e
Red Hat Security Advisory 2014-0578-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0578-01 - OpenStack Compute launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances, managing networks, and controlling access through users and projects. It was found that overwriting the disk inside of an instance with a malicious image, and then switching the instance to rescue mode, could potentially allow an authenticated user to access arbitrary files on the compute host depending on the file permissions and SELinux constraints of those files. Only setups that used libvirt to spawn instances and which had the use of cow images disabled were affected.

tags | advisory, arbitrary
systems | linux, redhat
advisories | CVE-2014-0134
MD5 | c961d7733af86ece5abefa1b729783ba
Red Hat Security Advisory 2014-0517-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0517-01 - The openstack-foreman-installer package provides facilities for rapidly deploying Red Hat Enterprise Linux OpenStack Platform 4. It was discovered that the Qpid configuration created by openstack-foreman-installer did not have authentication enabled when run with default settings in standalone mode. An attacker able to establish a TCP connection to Qpid could access any OpenStack back end using Qpid without any authentication. This update also fixes several bugs and adds enhancements.

tags | advisory, tcp
systems | linux, redhat
advisories | CVE-2013-6470
MD5 | 60a02f9ed6e8a58bda983aafefa068ef
Red Hat Security Advisory 2014-0582-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0582-01 - Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. This roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA Platform 5.3.1. It includes various bug fixes. The following security issue is also fixed with this release: It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.

tags | advisory, java, remote, denial of service
systems | linux, redhat
advisories | CVE-2013-4517
MD5 | 721402bebdb448bcd567130b4a44fe6d
Red Hat Security Advisory 2014-0516-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0516-01 - OpenStack Networking is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. As of Red Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum' as the core component of OpenStack Networking. A flaw was found in the way OpenStack Networking performed authorization checks on created ports. An authenticated user could potentially use this flaw to create ports on a router belonging to a different tenant, allowing unauthorized access to the network of other tenants. Note that only OpenStack Networking setups using plug-ins that rely on the l3-agent were affected.

tags | advisory
systems | linux, redhat
advisories | CVE-2013-6433, CVE-2014-0056
MD5 | 70ed45002aaab545368f7bd5162d0696
Red Hat Security Advisory 2014-0579-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0579-01 - OpenStack Orchestration is a template-driven engine used to specify and deploy configurations for Compute, Storage, and OpenStack Networking. It can also be used to automate post-deployment actions, which in turn allows automated provisioning of infrastructure, services, and applications. Orchestration can also be integrated with Telemetry alarms to implement auto-scaling for certain infrastructure resources. The openstack-heat-templates package provides heat example templates and image building elements for the openstack-heat package. It was discovered that certain heat templates used HTTP to insecurely download packages and signing keys via Yum. An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2014-0040, CVE-2014-0041, CVE-2014-0042
MD5 | a990c535046c4233cc344171274998ef
Red Hat Security Advisory 2014-0573-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0573-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 6.3 will be retired as of June 30, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Red Hat Enterprise Linux 6.3 EUS after June 30, 2014. In addition, technical support through Red Hat's Global Support Services will no longer be provided after this date. We encourage customers to plan their migration from Red Hat Enterprise Linux 6.3 to a more recent version of Red Hat Enterprise Linux. As a benefit of the Red Hat subscription model, customers can use their active subscriptions to entitle any system on a currently supported Red Hat Enterprise Linux 6 release.

tags | advisory
systems | linux, redhat
MD5 | 4c5e2f2e7f25053258fb8a0a04f743cb
Red Hat Security Advisory 2014-0575-01
Posted May 29, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0575-01 - In accordance with the Red Hat Enterprise Developer Toolset Life Cycle policy, the Red Hat Developer Toolset Version 1 offering will be retired as of June 30, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Developer Toolset Version 1 after June 30, 2014. In addition, technical support through Red Hat's Global Support Services will no longer be provided for Red Hat Developer Toolset Version 1 after this date. We encourage customers to plan their migration from Red Hat Enterprise Developer Toolset Version 1 to a more recent release of Red Hat Developer Toolset. As a benefit of the Red Hat subscription model, customers can use their active Red Hat Developer Toolset subscriptions to entitle any system on a currently supported version of this product.

tags | advisory
systems | linux, redhat
MD5 | 3d8838fe55a07900e0ced1be1927a415
Apache Tomcat Denial Of Service
Posted May 29, 2014
Authored by Mark Thomas | Site tomcat.apache.org

A regression was introduced in revision 1519838 that caused AJP requests to hang if an explicit content length of zero was set on the request. The hanging request consumed a request processing thread which could lead to a denial of service. Versions affected include Apache Tomcat 8.0.0-RC2 to 8.0.3.

tags | advisory, denial of service
advisories | CVE-2014-0095
MD5 | a5c4c65f29ed8306dcd76c7893ccc1dc
Red Hat Security Advisory 2014-0559-01
Posted May 28, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0559-01 - The Red Hat Enterprise Virtualization Manager data warehouse package provides the Extract-Transform-Load process and database scripts to create a historic database API. It also provides SQL BI reports creation for management and monitoring. It was found that the ovirt-engine-dwh setup script logged the history database password in plain text to a world-readable file. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database.

tags | advisory, local
systems | linux, redhat
advisories | CVE-2014-0202
MD5 | 1037169105032ad1a8519da83577d58c
Red Hat Security Advisory 2014-0558-01
Posted May 28, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0558-01 - The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports. It was found that the ovirt-engine-reports setup script logged the reports database password in plain text to a world-readable file. An attacker with a local user account on the Red Hat Enterprise Virtualization Manager server could use this flaw to access, read, and modify the reports database.

tags | advisory, local
systems | linux, redhat
advisories | CVE-2014-0199, CVE-2014-0200, CVE-2014-0201
MD5 | 7bbe48219dba010ee348c07d8aa8479f
Red Hat Security Advisory 2014-0561-01
Posted May 28, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0561-01 - cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP with NTLM authentication, LDAP, SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials.

tags | advisory, remote, web, protocol
systems | linux, redhat
advisories | CVE-2014-0015, CVE-2014-0138
MD5 | ca75f8603c28da55ec239f5a7f9effdb
Red Hat Security Advisory 2014-0557-01
Posted May 28, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0557-01 - The kernel-rt packages contain the Linux kernel, the core of any Linux operating system. A race condition leading to a use-after-free flaw was found in the way the Linux kernel's TCP/IP protocol suite implementation handled the addition of fragments to the LRU list under certain conditions. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system by sending a large amount of specially crafted fragmented packets to that system.

tags | advisory, remote, kernel, tcp, protocol
systems | linux, redhat
advisories | CVE-2014-0100, CVE-2014-0196, CVE-2014-1737, CVE-2014-1738, CVE-2014-2672, CVE-2014-2678, CVE-2014-2706, CVE-2014-2851, CVE-2014-3122
MD5 | 92ffb61f18bc3e90b948a3bb43daf85e
Red Hat Security Advisory 2014-0560-01
Posted May 28, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0560-01 - The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux and other operating systems. In addition, libvirt provides tools for remote management of virtualized systems. It was found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a special file that blocks on read access could use this flaw to cause libvirtd to hang indefinitely, resulting in a denial of service on the system.

tags | advisory, remote, denial of service
systems | linux, redhat
advisories | CVE-2014-0179
MD5 | fa1203b64bdda86041465ee92958f9eb
Debian Security Advisory 2938-1
Posted May 28, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2938-1 - The initial organization and setup of Squeeze LTS has now happened and it is ready for taking over security support once the standard security support ends at the end of the month.

tags | advisory
systems | linux, debian
MD5 | 7a720b011898194b93f67cfa3c9ff124
Debian Security Advisory 2937-1
Posted May 28, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2937-1 - Two security issues have been found in the Python WSGI adapter module for Apache.

tags | advisory, python
systems | linux, debian
advisories | CVE-2014-0240, CVE-2014-0242
MD5 | 60bc6088825335037777d7744751ddb2
Page 1 of 12
Back12345Next

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

Top Authors In Last 30 Days

Recent News

News RSS Feed
Ether Doesn't Fall Under SEC Rules
Posted Jun 15, 2018

tags | headline, government, bank, usa, cryptography
Decades-Old PGP Bug Allowed Hackers To Spoof Just About Anyone's Signature
Posted Jun 15, 2018

tags | headline, flaw, cryptography
LuckyMouse Threat Group Attacks Government Websites
Posted Jun 14, 2018

tags | headline, hacker, government, malware, china
US Senators Get Digging To Find Out The Truth About FCC DDoS Attack
Posted Jun 14, 2018

tags | headline, government, usa, denial of service, fraud
Backdoored Images Downloaded 5 Million Times Finally Removed From Docker Hub
Posted Jun 14, 2018

tags | headline, hacker, fraud, backdoor
Apple To Patch Flaw FBI Has Been Using To Hack iPhones
Posted Jun 14, 2018

tags | headline, government, privacy, usa, phone, flaw, patch, apple, fbi
Microsoft Fixes Cortana Lock Screen Bypass Flaw
Posted Jun 14, 2018

tags | headline, microsoft, flaw, password, patch
Paladin's Anti-Hacking Browser Extension Looks Like Snake Oil
Posted Jun 14, 2018

tags | headline, hacker
Intel Chip Flaw - Math Unit May Spill Crypto Secrets To Apps
Posted Jun 14, 2018

tags | headline, data loss, flaw, cryptography, intel
Smart Lock Can Be Hacked In Seconds
Posted Jun 13, 2018

tags | headline, hacker, flaw
View More News →
packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close