Slackware Security Advisory - New seamonkey packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
7cd19932e1851777c31991fea89e31286ece90a8b0e795a9932b1ff7b009863e
Slackware Security Advisory - New patch packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.
fe238ef2150aeead7d26e594876ec8bf81a81d4520601e123f7712c1a3a86010
The latest update for SIMATIC STEP 7 (TIA Portal) V13 fixes two vulnerabilities. Device user passwords in TIA portal project files are stored using a weak hashing algorithm. Attackers with read access to the project file could possibly reconstruct the passwords for device users. Privilege information for device users is stored unprotected in the TIA portal projects. Attackers with access to the project file could possibly read and modify the permissions for device users in the project file. If unsuspecting users are tricked to download the manipulated project files to the device, the user permissions become active.
b243dfbab181ed3d05528d9c6f66e15488a6f9b74d9b5897afced4508f4b1aae
The latest update for SIMATIC WinCC (TIA Portal) V13 fixes two vulnerabilities. The remote management module of WinCC (TIA Portal) Multi Panels and Comfort Panels, and WinCC RT Advanced transmits weakly protected credentials over the network. Attackers capturing network traffic of the remote management module could possibly reconstruct used passwords. A hard coded encryption key used in WinCC RT Professional could allow attackers to escalate their privileges if the application's network communication with an authenticated user was captured.
8eaaadac7bd62a1372b3f4832ed7853c5bfabaa509311247fc900d53d44cd1e6
Gentoo Linux Security Advisory 201502-12 - Multiple vulnerabilities have been found in Oracle's Java SE Development Kit and Runtime Environment, the worst of which could lead to execution of arbitrary code. Versions less than 1.7.0.71 are affected.
946956dea19a3274d6fb6db363ac9cb4f3556abb6e68ec9eeff943208a8be906
Gentoo Linux Security Advisory 201502-11 - Two vulnerabilities have been found in GNU cpio, the worst of which could result in execution of arbitrary code. Versions less than 2.11-r3 are affected.
f1f78684fd995e9d27931a80192594ed6935913d54f7976cc9c14a41f436eb3f
Gentoo Linux Security Advisory 201502-10 - Two vulnerabilities have been found in libpng, possibly resulting in execution of arbitrary code. Versions less than 1.6.16 are affected.
67d11ac2a7cb95e97d8640dff6a24b5b8ed323460de161e636a523867f73d0ca
A bug in Linux ASLR implementation for versions prior to 3.19-rc3 has been found. The issue is that the stack for processes is not properly randomized on some 64 bit architectures due to an integer overflow.
9890952521e3cd5f5015f68364d858db61068493b180f85994b13d9035ba96b2
HumHub versions 0.10.0 and below suffer from .htaccess file upload and remote code execution vulnerabilities.
270e4348775db45bf8d7044ae1b7d6bb66a03193fd05759df6b2527b2e04fce4
HP Security Bulletin HPSBGN03258 1 - A potential security vulnerability has been identified with HP Insight Control server deployment Windows Pre-boot Execution Environment that could be exploited remotely resulting in arbitrary execution of code. This is the vulnerability known as Winshock. HP Insight Control server deployment uses the Windows Automated Installation Kit 2.0 to generate the Windows Pre-boot Execution Environment service operating system. WAIK 2.0 is vulnerable to CVE-2014-6321 (Microsoft Schannel Remote Code Execution vulnerability). This bulletin provides instructions to update the Windows Pre-boot Execution Environment with updates from Microsoft. Revision 1 of this advisory.
fdb36a29c9f919ae18292d8cf51a2c7d25c56db903151def63ed21febd08e1c0
During initial setup, the weather station will submit its complete configuration unencrypted to the manufacturer cloud service. This configuration includes confidential information like the user's Wifi password.
26c45dc9330c4b9106868739be6a04123e25c4881dd15ee9236e856c7b66fbf4
Ubuntu Security Notice 2488-2 - USN-2488-1 fixed a vulnerability in ClamAV for Ubuntu 14.10, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. This update provides the corresponding update for Ubuntu 10.04 LTS. Sebastian Andrzej Siewior discovered that ClamAV incorrectly handled certain upack packer files. An attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.
1ba3829916f38cc8b6f3e2bbeba9b556ef562873a7a035d0f40069446390f3fd
All versions of WordPress fail to implement a cryptographically secure pseudorandom number generator.
170595a1bbe7e09d77645ac1e3ed66ad3b2cd04dd4cb157b616751c9edc794df
Open-Xchange Server 6 / OX AppSuite suffers from an information exposure vulnerability in versions 7.6.1 and below.
8229982ea2c858877843bfc93dec828d259e06e7d9ea4893899722e0857cf8f5
Mandriva Linux Security Advisory 2015-044 - Incorrect memory management in Gtk2::Gdk::Display::list_devices in perl-Gtk2 before 1.2495, where, the code was freeing memory that gtk+ still holds onto and might access later. The updated packages have been patched to correct this issue.
e73da39c4f4f83b3f336e55cc33673138264f90452afaeb86dafd1ea189a8695
Debian Linux Security Advisory 3161-1 - Simon McVittie discovered a local denial of service flaw in dbus, an asynchronous inter-process communication system. On systems with systemd-style service activation, dbus-daemon does not prevent forged ActivationFailure messages from non-root processes. A malicious local user could use this flaw to trick dbus-daemon into thinking that systemd failed to activate a system service, resulting in an error reply back to the requester.
2aa70c387619edf5818fcdac52d8d84392b4ab17ce8511cb0c1f79f7b11e9cc6
Mandriva Linux Security Advisory 2015-047 - Directory traversal vulnerability in the read_long_names function in libelf/elf_begin.c in elfutils allows remote attackers to write to arbitrary files to the root directory via a / in a crafted archive, as demonstrated using the ar program.
72bdd7da941cefc3fb4d3fcab073210f54c6225dc876df7b77489666a6946e4f
Mandriva Linux Security Advisory 2015-048 - Multiple vulnerabilities has been discovered and corrected in Stephen Frost discovered that PostgreSQL incorrectly displayed certain values in error messages. An authenticated user could gain access to seeing certain values, contrary to expected permissions. Andres Freund, Peter Geoghegan and Noah Misch discovered that PostgreSQL incorrectly handled buffers in to_char functions. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that PostgreSQL incorrectly handled memory in the pgcrypto extension. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. Emil Lenngren discovered that PostgreSQL incorrectly handled extended protocol message reading. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly inject query messages. This advisory provides the latest version of PostgreSQL that is not vulnerable to these issues.
634d97dbd89e3a11f0f04718cbf5534aac49ac2bfae32de2e27000b2b448d65e
Mandriva Linux Security Advisory 2015-046 - Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service. Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 addresses can be bypassed.
1738bc161859133a34d1c1b3f945bb293d62965b7ce6af9e1ab54e8936be9dd5
Mandriva Linux Security Advisory 2015-045 - The libext2fs library, part of e2fsprogs and utilized by its utilities, is affected by a boundary check error on block group descriptor information, leading to a heap based buffer overflow. A specially crafted filesystem image can be used to trigger the vulnerability.
afbd08dd885b278be82cc4c96d75245e87201d6fbcf427b723ce8ce64f54f3c9
Ubuntu Security Notice 2499-1 - Stephen Frost discovered that PostgreSQL incorrectly displayed certain values in error messages. An authenticated user could gain access to seeing certain values, contrary to expected permissions. Andres Freund, Peter Geoghegan and Noah Misch discovered that PostgreSQL incorrectly handled buffers in to_char functions. An authenticated attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.
ece0ed1fa664c2cfc993dd729652d029bc60850f5ddde36ddea4ba499be6ec0d
Red Hat Security Advisory 2015-0158-01 - Red Hat Enterprise Virtualization Manager is a visual tool for centrally managing collections of virtual servers running Red Hat Enterprise Linux and Microsoft Windows. This package also includes the Red Hat Enterprise Virtualization Manager API, a set of scriptable commands that give administrators the ability to perform queries and operations on Red Hat Enterprise Virtualization Manager. The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a User Portal, and a Representational State Transfer Application Programming Interface .
d9bb9ff72c6bd97b60e38ccf8918a120f640422e9b3d209587866a2130fb7674
Debian Linux Security Advisory 3160-1 - Olivier Fourdan discovered that missing input validation in the Xserver's handling of XkbSetGeometry requests may result in an information leak or denial of service.
a8c6a3b27aaa3ff3ec4661dad807a413a2b37a89aa34950221b7a1e87856681f
Cisco Security Advisory - Cisco Secure Access Control System (ACS) prior to version 5.5 patch 7 is vulnerable to a SQL injection attack in the ACS View reporting interface pages. A successful attack could allow an authenticated, remote attacker to access and modify information such as RADIUS accounting records stored in one of the ACS View databases or to access information in the underlying file system. Cisco has released free software updates that address this vulnerability.
0316ff4c6325490cd4330984306d52e82eba029c3763085c673dc708d5d17e38
Red Hat Security Advisory 2015-0215-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the RESTEasy DocumentProvider did not set the external-parameter-entities and external-general-entities features appropriately, thus allowing external entity expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity attacks.
57ab1fc8b9507ca56ece907b266ce7c9eb4bd0abbef003b66b314ffee42dde44