It was discovered that the server certificate validation checks performed by EMC Secure Remote Services Virtual Edition are insecure. Weak certificate validation allows attackers to perform a man in the middle attack against ESRS connections. This allows for eavesdropping on, and spoofing of provisioned devices in ESRS VE (including but not limited to home calls to the ESRS portal esrs.emc.com). Versions 3.02, 3.03, and 3.04 are affected.
895ec0911f275467cdc882bab4fd519470eb66160a1c9ff1d02204173cd0bc37
SAP NetWeaver AS Java version 7.4 suffers from an XXE injection vulnerability. Related CVE Number: CVE-2015-4091.
6cfc59352a8bee96dd51e5b8172b86529f4d78b89fc4d04fbb33af78e0cd1d52
EMC Documentum WebTop and WebTop-based clients are affected by a cross site request forgery vulnerability. An attacker can potentially exploit this vulnerability by tricking authenticated users of the application to click on links embedded within an email, web page, or another source, and perform Docbase operations with that user's privileges.
ad1a83f8c864d27f64af80a01849f2edf8a6a00ce286cec429b553b3059f4c4f
UNIT4TETA TETA WEB version 22.62.3.4 suffers from an authorization bypass vulnerability.
fdd28477bf2f54627c01a32c396aeec05fd01c67d3b979bdbca2491f59e2b4f0
It was discovered that the session tokens in EMC Secure Remote Services Virtual Edition are Base64 encoded XML tokens that lack any cryptographic protection. Due to this it is possible for attackers to create their own session cookies. Attackers with network access (insiders) to the ESRS Web Portal can exploit this issue to gain unauthorized access to the management interface.
151cc56ac265671c750c63e5338bd4cbdd1d2ba6148271d1080ba9484f3b172a
EMC Documentum Content Server contains multiple vulnerabilities that could be exploited by malicious users to compromise the Content Server in several ways.
95830881705d0d2408b47ceb7001260e614677f1858c088afc5e0922d3a4aee9
RSA Archer GRC platform contains fixes for multiple cross site request forgery vulnerabilities that could potentially be exploited by malicious users to perform unauthorized actions on behalf of authenticated users of the application.
959a33a5b9f33dbce4f82531607aa009fbef57c91009bfcaa6085f4d703795d5
Ubuntu Security Notice 2711-1 - It was discovered that Net-SNMP incorrectly handled certain trap messages when the -OQ option was used. A remote attacker could use this issue to cause Net-SNMP to crash, resulting in a denial of service. Qinghao Tang discovered that Net-SNMP incorrectly handled SNMP PDU parsing failures. A remote attacker could use this issue to cause Net-SNMP to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.
637f1672470959d86194903a05d03503644b70c98bc272b459ef69a1bfc19637
This is a fun write-up detailing vulnerabilities in Oracle products discovered by the security community and how Oracle CSO Mary Ann Davidson's math on the subject just does not add up. No surprise there.
2da1fcf5b8f0090fe5d0ec336bb7d93cd663a84c8ff4ad87b305664d9081d629
RSA BSAFE Micro Edition Suite, Crypto-C Micro Edition, Crypto-J, SSL-J and SSL-C all suffer from various crypto, denial of service, and underflow vulnerabilities.
249db2924aab5ee66f78a2cea495509bc66d1e874798148d85df7a38d50f16a4
Gentoo Linux Security Advisory 201508-3 - A bug in the Icecast code handling source client URL authentication causes a Denial of Service condition. Versions less than 2.4.2 are affected.
7d860a37ca2e6eb7705507bfb6605db340741515e8d65938618a23309044f202
Gentoo Linux Security Advisory 201508-2 - Multiple vulnerabilities have been found in libgadu, the worst of which may result in execution of arbitrary code. Versions less than 1.12.0 are affected.
ac6323304dec7a73e7b87d81f49e9a488514b085986f013e99182e85aa74812f
Gentoo Linux Security Advisory 201508-1 - Multiple vulnerabilities have been found in Adobe Flash Player, the worst of which allows remote attackers to execute arbitrary code. Versions less than 11.2.202.508 are affected.
0847bbaee6df81c0c128448e66176965e633dd961c717381e4b388a8b8ad5416
Red Hat Security Advisory 2015-1635-01 - SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server. A flaw was found in the way SQLite handled dequoting of collation-sequence names. A local attacker could submit a specially crafted COLLATE statement that would crash the SQLite process, or have other unspecified impacts.
a0efdeb75f1c30ee358397a36729d3fe23e95d4dc3424a9aa6ec32de06cdaf97
Red Hat Security Advisory 2015-1634-01 - SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server. It was found that SQLite's sqlite3VXPrintf() function did not properly handle precision and width values during floating-point conversions. A local attacker could submit a specially crafted SELECT statement that would crash the SQLite process, or have other unspecified impacts.
e2762eea5beb5fd075760c1b0b8af959cd5f3c3de8d5ef879e22ec6715b97e02
Red Hat Security Advisory 2015-1633-01 - Subversion is a concurrent version control system which enables one or more users to collaborate in developing and maintaining a hierarchy of files and directories while keeping a history of all changes. The mod_dav_svn module is used with the Apache HTTP Server to allow access to Subversion repositories via HTTP. An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server to crash.
d091320b57163b4490f94feff3ef41c63366f20353500a6e770c256ec6180c43
Red Hat Security Advisory 2015-1631-01 - Red Hat Ceph Storage is a massively scalable, open, software-defined storage platform that combines the most stable version of Ceph with a Ceph management platform, deployment tools, and support services. It was discovered that ceph-deploy, a utility for deploying Red Hat Ceph Storage, would create the keyring file with world readable permissions, which could possibly allow a local user to obtain authentication credentials from the keyring file. ceph has been upgraded from v0.80.8.1 to v0.80.8.2.
fe73ad4a770c72f8100654d86047b20f029b23f77a092e0e02e9755c7903b274
Slackware Security Advisory - New mozilla-firefox packages are available for Slackware 14.1 to fix security issues.
ddd1377dc71f5d5573e3e5e113250659fa5106c15a9db1996d2a264f41de8a60
Slackware Security Advisory - New mozilla-thunderbird packages are available for Slackware 14.1 and -current to fix security issues.
c5563a7464d928ff21dd335904c774ff47e54780fa40f3c9603723d7ca88c81c
Red Hat Security Advisory 2015-1630-01 - MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon and many client programs and libraries. This update fixes several vulnerabilities in the MySQL database server.
31d5def2c42016aa18d489eedd4022a3fdb32f470a20bed0708b9c3529e62a47
Red Hat Security Advisory 2015-1629-01 - MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon and many client programs and libraries. This update fixes several vulnerabilities in the MySQL database server.
193f2f3152d15e39225d22426ed2be7c4dea32eaf1a7cf33d2bced97b5f15dc4
Red Hat Security Advisory 2015-1628-01 - MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon and many client programs and libraries. This update fixes several vulnerabilities in the MySQL database server.
a51eb1ee58883d7b18206e0a8a5b2389573c95a87c5662f85dd577031dafa293
Red Hat Security Advisory 2015-1627-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. An invalid free flaw was found in glibc's getaddrinfo() function when used with the AI_IDN flag. A remote attacker able to make an application call this function could use this flaw to execute arbitrary code with the permissions of the user running the application. Note that this flaw only affected applications using glibc compiled with libidn support.
09824f32e3805a9e1048366162b64a1f26104e46bb0ac50ac2b3cfa92168bbeb
Ubuntu Security Notice 2709-1 - The pollinate package bundles the certificate for entropy.ubuntu.com. This update refreshes the certificate to match the new certificate for the server.
515b8d6dbe355a16da8fb1581c572dc3b3ca25de060b3ca51000881d8e51f64b
Ubuntu Security Notice 2710-1 - Moritz Jodeit discovered that OpenSSH incorrectly handled usernames when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to perform user impersonation. Moritz Jodeit discovered that OpenSSH incorrectly handled context memory when using PAM authentication. If an additional vulnerability were discovered in the OpenSSH unprivileged child process, this issue could allow a remote attacker to bypass authentication or possibly execute arbitrary code. Various other issues were also addressed.
5e6d369a707bc3cd52edbf61992614fe1906738d5016b5215cd4d7307a0c93fe