
Files

Red Hat Security Advisory 2014-1690-01
Posted Oct 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1690-01 - The python-backports-ssl_match_hostname package provides RFC 6125 compliant wildcard matching. A denial of service flaw was found in the way Python's SSL module implementation performed matching of certain certificate names. A remote attacker able to obtain a valid certificate that contained multiple wildcard characters could use this flaw to issue a request to validate such a certificate, resulting in excessive consumption of CPU. This issue was discovered by Florian Weimer of Red Hat Product Security.

tags | advisory, remote, denial of service, python
systems | linux, redhat
advisories | CVE-2013-2099
SHA-256 | 630f007e3d3cbb97e3d958feade33386613235e76e9498f96c508f28f5197ea2
Red Hat Security Advisory 2014-1687-02
Posted Oct 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1687-02 - OpenStack Orchestration is a template-driven engine used to specify and deploy configurations for Compute, Storage, and OpenStack Networking. It can also be used to automate post-deployment actions, which in turn allows automated provisioning of infrastructure, services, and applications. Orchestration can also be integrated with Telemetry alarms to implement auto-scaling for certain infrastructure resources. It was discovered that a user could temporarily be able to see the URL of a provider template used in another tenant. If the template itself could be accessed, then additional information could be leaked that would otherwise not be visible.

tags | advisory
systems | linux, redhat
advisories | CVE-2014-3801
SHA-256 | 7f7405ebb67a23bad0a5e03b8ca3295a9538a7dcba558003c4904fa12d6899b1
Red Hat Security Advisory 2014-1688-01
Posted Oct 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1688-01 - The OpenStack Identity service authenticates and authorizes OpenStack users by keeping track of users and their permitted activities. The Identity service supports multiple forms of authentication, including user name and password credentials, token-based systems, and AWS-style logins. A flaw was found in the keystone V3 API. An attacker could send a single request with the same authentication method multiple times, possibly leading to a denial of service due to generating excessive load with minimal requests. Only keystone setups with the V3 API enabled were affected by this issue.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2014-2828, CVE-2014-3621
SHA-256 | bc5ed9f6d904f1a939908666e1172587fbdc5ef969af0ca5fa10b16749557d41
Red Hat Security Advisory 2014-1692-01
Posted Oct 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1692-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer, Transport Layer Security, and Datagram Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. This update adds support for the TLS Fallback Signaling Cipher Suite Value, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails.

tags | advisory, protocol
systems | linux, redhat
advisories | CVE-2014-3513, CVE-2014-3567
SHA-256 | 477e81c0daa2c159986f76e111440acbc133e23811a280839718932c86498c2c
Red Hat Security Advisory 2014-1685-01
Posted Oct 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1685-01 - OpenStack Image service provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services. It was discovered that the image_size_cap configuration option in glance was not honored. An authenticated user could use this flaw to upload an image to glance and consume all available storage space, resulting in a denial of service.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2014-5356
SHA-256 | a0090c9c0db888d7edb166344afcc29c4908804d642c308d51e21d0462a2cc7d
Red Hat Security Advisory 2014-1686-01
Posted Oct 22, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1686-01 - OpenStack Networking is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. As of Red Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum' as the core component of OpenStack Networking. It was discovered that unprivileged users could in some cases reset admin-only network attributes to their default values. This could lead to unexpected behavior or in some cases result in a denial of service.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2014-6414
SHA-256 | 4553f193356bf896b30b765aeb32390b4fac80bfe94e845dc99e02d1d3b8d081
Red Hat Security Advisory 2014-1677-01
Posted Oct 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1677-01 - Wireshark is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network. Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

tags | advisory, denial of service, arbitrary, protocol
systems | linux, redhat
advisories | CVE-2014-6421, CVE-2014-6422, CVE-2014-6423, CVE-2014-6425, CVE-2014-6428, CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432
SHA-256 | a1a7daeb8f00d61b5fd598488dd3623a94589f4e8068dbe4da544bcb5b33bd85
Red Hat Security Advisory 2014-1676-01
Posted Oct 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1676-01 - Wireshark is a network protocol analyzer. It is used to capture and browse the traffic running on a computer network. Multiple flaws were found in Wireshark. If Wireshark read a malformed packet off a network or opened a malicious dump file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file.

tags | advisory, denial of service, arbitrary, protocol
systems | linux, redhat
advisories | CVE-2014-6421, CVE-2014-6422, CVE-2014-6423, CVE-2014-6424, CVE-2014-6425, CVE-2014-6426, CVE-2014-6427, CVE-2014-6428, CVE-2014-6429, CVE-2014-6430, CVE-2014-6431, CVE-2014-6432
SHA-256 | bdf40530db7c8682a601bae4e2f22d37e58a49b1d2153ac8f3eb1a6af401ef27
HP Security Bulletin HPSBUX03150 SSRT101681
Posted Oct 21, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX03150 SSRT101681 - Potential security vulnerabilities have been identified with the HP-UX Apache Web Server Suite, Tomcat Servlet Engine, and PHP. These could be exploited remotely to create a Denial of Service (DoS) and other vulnerabilities. Revision 1 of this advisory.

tags | advisory, web, denial of service, php, vulnerability
systems | hpux
advisories | CVE-2013-4248, CVE-2013-4286, CVE-2013-6438, CVE-2014-0075, CVE-2014-0098, CVE-2014-0099, CVE-2014-3981
SHA-256 | 4da09901892670541bc06bce0716f03bf67eec1782653c05c5f559b376b89246
Mandriva Linux Security Advisory 2014-199
Posted Oct 21, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-199 - Updated perl and perl-Data-Dumper packages fix a security issue. The Dumper method in Data::Dumper before 2.154 allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Reference with many nested Array-References, which triggers a large number of recursive calls to the DD_dump function. The Data::Dumper module bundled with perl and the perl-Data-Dumper packages has been updated to fix this issue.

tags | advisory, denial of service, perl
systems | linux, mandriva
advisories | CVE-2014-4330
SHA-256 | dc19d5d4be63100b1a9dbb64cf7587bae6e7a38cfaf80f976586d0016b2ee1e6
Mandriva Linux Security Advisory 2014-198
Posted Oct 21, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-198 - MediaWiki before 1.23.4 is vulnerable to cross-site scripting due to JavaScript injection via CSS in uploaded SVG files. MediaWiki before 1.23.5 is vulnerable to cross-site scripting due to JavaScript injection via user-specified CSS in certain special pages.

tags | advisory, javascript, xss
systems | linux, mandriva
advisories | CVE-2014-7199, CVE-2014-7295
SHA-256 | 203ecd5d429b9db3c2d9984f8a0ecef47d2012f052b9ba15d8080f4757f1211c
Mandriva Linux Security Advisory 2014-197
Posted Oct 21, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-197 - Python before 2.7.8 is vulnerable to an integer overflow in the buffer type.

tags | advisory, overflow, python
systems | linux, mandriva
advisories | CVE-2014-7185
SHA-256 | 2c5b78300ec62d5bed39649532139fdd19a0f28439c2e6cd1b55641216103867
Mandriva Linux Security Advisory 2014-196
Posted Oct 21, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-196 - Rainer Gerhards, the rsyslog project leader, reported a vulnerability in Rsyslog. As a consequence of this vulnerability, an attacker can send malformed messages to a server that accepts data from untrusted sources and trigger a denial of service attack.

tags | advisory, denial of service
systems | linux, mandriva
advisories | CVE-2014-3634, CVE-2014-3683
SHA-256 | 163db772baec808ac8533a3c1ddf3059f717bd8f480fdf1a51d926bc04284d17
Slackware Security Advisory - openssh Updates
Posted Oct 21, 2014
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

tags | advisory
systems | linux, slackware
advisories | CVE-2014-2653
SHA-256 | b02606af88649aabc62638536f007c27bce518275be821922d8d2ba68cb082df
Mandriva Linux Security Advisory 2014-201
Posted Oct 21, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-201 - Multiple vulnerabilities have been found and corrected in the Linux kernel. These include stack-based buffer overflows and denial of service issues.

tags | advisory, denial of service, overflow, kernel, vulnerability
systems | linux, mandriva
advisories | CVE-2014-3122, CVE-2014-3181, CVE-2014-3182, CVE-2014-3184, CVE-2014-3185, CVE-2014-3186, CVE-2014-3534, CVE-2014-3601, CVE-2014-5077, CVE-2014-5206, CVE-2014-5471, CVE-2014-5472, CVE-2014-6410, CVE-2014-7975
SHA-256 | 18d0010448f4aacc19c217e3371db5d34c01d05bb3fb2bb9179b1b838891d685
Mandriva Linux Security Advisory 2014-200
Posted Oct 21, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-200 - If a new comment was marked private to the insider group, and a flag was set in the same transaction, the comment would be visible to flag recipients even if they were not in the insider group. An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name could be automatically added to groups based on the group's regular expression setting. During an audit of the Bugzilla code base, several places were found where cross-site scripting exploits could occur which could allow an attacker to access sensitive information.

tags | advisory, xss
systems | linux, mandriva
advisories | CVE-2014-1571, CVE-2014-1572, CVE-2014-1573
SHA-256 | 61c8f38894850ae966a1583e1ba4b90ec2c9300c03912a57fe10569160797a9e
Asterisk Project Security Advisory - AST-2014-011
Posted Oct 21, 2014
Authored by Matt Jordan | Site asterisk.org

Asterisk Project Security Advisory - Asterisk suffered from the SSL POODLE vulnerability.

tags | advisory
advisories | CVE-2014-3566
SHA-256 | f3393b5e599a0d63b52314b6cb1f7808ffb0f59894dcb498c686d60e147cb6d3
Apple Security Advisory 2014-10-20-2
Posted Oct 21, 2014
Authored by Apple | Site apple.com

Apple Security Advisory 2014-10-20-2 - Apple TV 7.0.1 is now available and addresses Bluetooth and SSL 3.0 related security vulnerabilities.

tags | advisory, vulnerability
systems | apple
advisories | CVE-2014-3566, CVE-2014-4428
SHA-256 | c890e6b559bc3c39268a1477242e07d30dca426a1c327584e5bf3110bfd6fe17
Apple Security Advisory 2014-10-20-1
Posted Oct 21, 2014
Authored by Apple | Site apple.com

Apple Security Advisory 2014-10-20-1 - iOS 8.1 is now available and addresses Bluetooth, insufficient cryptographic protection, and various other vulnerabilities.

tags | advisory, vulnerability
systems | apple
advisories | CVE-2014-3566, CVE-2014-4428, CVE-2014-4448, CVE-2014-4449, CVE-2014-4450
SHA-256 | 2e164f01c6db9964bcf49a31c30cf308c0683a074854438dd1b12a474cb7e60e
Debian Security Advisory 3054-1
Posted Oct 21, 2014
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3054-1 - Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.40.

tags | advisory, vulnerability
systems | linux, debian
advisories | CVE-2012-5615, CVE-2014-4274, CVE-2014-4287, CVE-2014-6463, CVE-2014-6464, CVE-2014-6469, CVE-2014-6478, CVE-2014-6484, CVE-2014-6491, CVE-2014-6494, CVE-2014-6495, CVE-2014-6496, CVE-2014-6500, CVE-2014-6505, CVE-2014-6507, CVE-2014-6520, CVE-2014-6530, CVE-2014-6551, CVE-2014-6555, CVE-2014-6559
SHA-256 | 6cd0ef9d078a2a8cb4ec2678875183e6895b173dadfa04a47e2632d3a36c536f
Red Hat Security Advisory 2014-1671-01
Posted Oct 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1671-01 - The rsyslog packages provide an enhanced, multi-threaded syslog daemon that supports writing to relational databases, syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part, and fine grained output format control. A flaw was found in the way rsyslog handled invalid log message priority values. In certain configurations, a local attacker, or a remote attacker able to connect to the rsyslog port, could use this flaw to crash the rsyslog daemon.

tags | advisory, remote, local, tcp
systems | linux, redhat
advisories | CVE-2014-3634
SHA-256 | 0492ec6cab84392b110bcb934f8441ca003623f7479694577d1178f88b67c705
Red Hat Security Advisory 2014-1670-01
Posted Oct 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1670-01 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest. This issue was discovered by Laszlo Ersek of Red Hat.

tags | advisory
systems | linux, redhat
advisories | CVE-2014-3615
SHA-256 | bbc96909469d3ba784e67ae678b88fc4ca6bc28433973aece36f29d26361811d
Red Hat Security Advisory 2014-1669-02
Posted Oct 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1669-02 - KVM is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest. This issue was discovered by Laszlo Ersek of Red Hat.

tags | advisory
systems | linux, redhat
advisories | CVE-2014-3615
SHA-256 | c1bd171b560b317db9a1ae26865140cf1989ab72f78bea76ac4971e6cb598ea2
HP Security Bulletin HPSBMU03126 2
Posted Oct 20, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU03126 2 - Potential security vulnerabilities have been identified with HP Operations Agent. This also has an impact on the HP Operations Manager, where the HP Operations Agent is installed. The vulnerabilities could be exploited resulting in remote cross-site scripting (XSS). Revision 2 of this advisory.

tags | advisory, remote, vulnerability, xss
advisories | CVE-2014-2647
SHA-256 | 507dce8c8a61ef7970a3f20f6ab9866550c8e312c0bb3f756a15c9776c4c2741
HP Security Bulletin HPSBHF03146
Posted Oct 20, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBHF03146 - A potential security vulnerability has been identified with HP Integrity SD2 CB900s i4 & i2. This is the Bash Shell vulnerability known as "Shellshock" which could be exploited remotely to allow execution of code. This vulnerability allows users that have been granted access to a shell script to escalate privilege and execute unrestricted commands at the same security level as the Bash script. Revision 1 of this advisory.

tags | advisory, shell, bash
advisories | CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169
SHA-256 | 71138975f2ecb9835216b1124791afaa131e7f859aaecdae0c613c524094559d