
Files

Red Hat Security Advisory 2015-1907-01
Posted Oct 16, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1907-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console.

tags | advisory, java, web, denial of service, arbitrary
systems | linux, redhat
advisories | CVE-2015-5178, CVE-2015-5188, CVE-2015-5220
SHA-256 | eb927aee644dfa05c9e682753edffe2f99a92f01c18d732cc2610d84730383f9
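The second JBoss EAP flaw above is a clickjacking issue: a management console that can be loaded in an IFRAME on a hostile page lets the attacker overlay and relay a logged-in administrator's clicks. The following is an added example written for this listing, not code from the advisory or from JBoss EAP: it evaluates a captured set of HTTP response headers and reports whether framing by other origins is blocked, giving CSP frame-ancestors precedence over X-Frame-Options as browsers do. The sample responses are constructed.

```python
"""Decide whether an HTTP response forbids framing by other origins.

Added example, not code from the advisory or from JBoss EAP. Only the response
headers are inspected; the sample header sets at the bottom are constructed.
"""
from typing import Dict, List, Optional, Tuple


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(';'):
        parts = directive.strip().split()
        if parts and parts[0].lower() == 'frame-ancestors':
            return [p.lower() for p in parts[1:]]
    return None


def framing_protected(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason).

    CSP frame-ancestors wins over X-Frame-Options in browsers that support it,
    so it is checked first. An explicit host list is treated as a deliberate
    allow-list; '*' or a missing directive leaves the page embeddable anywhere.
    """
    csp = _header(headers, 'Content-Security-Policy')
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            if '*' in ancestors:
                return False, 'CSP frame-ancestors allows any origin'
            return True, 'CSP frame-ancestors ' + ' '.join(ancestors)

    xfo = _header(headers, 'X-Frame-Options')
    if xfo is None:
        return False, 'no X-Frame-Options or CSP frame-ancestors; any origin may frame the page'
    value = xfo.strip().upper()
    if value in ('DENY', 'SAMEORIGIN'):
        return True, 'X-Frame-Options ' + value
    if value.startswith('ALLOW-FROM'):
        return False, 'X-Frame-Options ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors'
    return False, 'unrecognized X-Frame-Options value ' + repr(xfo)


# Constructed sample responses: a console page with no framing protection, and the
# same page after adding both headers (belt and braces for older browsers).
VULNERABLE_RESPONSE = {'Content-Type': 'text/html; charset=utf-8'}
HARDENED_RESPONSE = {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self'",
}

if __name__ == '__main__':
    for label, response in (('vulnerable', VULNERABLE_RESPONSE), ('hardened', HARDENED_RESPONSE)):
        protected, reason = framing_protected(response)
        print(f'{label}: protected={protected} ({reason})')
```

Run the check against the headers of the console's login page and of an authenticated page; both need the protection, since the attack relays the victim's existing session.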
Red Hat Security Advisory 2015-1912-01
Posted Oct 16, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1912-01 - Chromium is an open-source web browser, powered by WebKit. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. All Chromium users should upgrade to these updated packages, which contain Chromium version 46.0.2490.71, which corrects these issues. After installing the update, Chromium must be restarted for the changes to take effect.

tags | advisory, web, arbitrary
systems | linux, redhat
advisories | CVE-2015-6755, CVE-2015-6756, CVE-2015-6757, CVE-2015-6758, CVE-2015-6759, CVE-2015-6760, CVE-2015-6761, CVE-2015-6762, CVE-2015-6763
SHA-256 | 97a1b23886328a80513fda74bf44d87aa650cf75c06eb33740dc23359b6be08e
Red Hat Security Advisory 2015-1909-01
Posted Oct 16, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1909-01 - OpenStack Networking is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. A race-condition flaw leading to ACL bypass was discovered in OpenStack Networking. An authenticated user could change the owner of a port after it was created but before firewall rules were applied, thus preventing firewall control checks from occurring. All OpenStack Networking deployments that used either the ML2 plug-in or a plug-in that relied on the security groups AMQP API were affected.

tags | advisory
systems | linux, redhat
advisories | CVE-2015-5240
SHA-256 | ba5de1546dd79402966938f870ea827ae290e36447e12d9a78788a2b6bdeff01
Red Hat Security Advisory 2015-1898-01
Posted Oct 16, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1898-01 - OpenStack Compute launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances and controlling access through users and projects. A denial of service flaw was found in the OpenStack Compute instance migration process. Because the migration process does not terminate when an instance is deleted, an authenticated user could bypass user quota and deplete all available disk space by repeatedly re-sizing and deleting an instance.

tags | advisory, denial of service
systems | linux, redhat
advisories | CVE-2015-3241, CVE-2015-3280
SHA-256 | a22d3e6289d7cd90e8f02bfa0154496060866ce687902ebc6127863544d4adf6
Red Hat Security Advisory 2015-1897-01
Posted Oct 16, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1897-01 - OpenStack Image service provides discovery, registration, and delivery services for disk and server images. It provides the ability to copy or snapshot a server image, and immediately store it away. Stored images can be used as a template to get new servers up and running quickly and more consistently than installing a server operating system and individually configuring additional services. A flaw was discovered in the OpenStack Image service where a tenant could manipulate the status of their images by submitting an HTTP PUT request together with an 'x-image-meta-status' header. A malicious tenant could exploit this flaw to reactivate disabled images, bypass storage quotas, and in some cases replace image contents. Setups using the Image service's v1 API could allow the illegal modification of image status. Additionally, setups which also use the v2 API could allow a subsequent re-upload of image contents.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2015-5251, CVE-2015-5286
SHA-256 | 299e22800ce83179994515bf328b15dc9e67b6877bd8249eb02a85a2aabc6734
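The Image service flaw above is a mass-assignment problem: a metadata update that copies client-supplied attribute headers onto the image record lets a tenant write a field (status) that only the service should ever change, and a queued status in turn re-opens the upload path. The following is an added example, not Glance's code: a minimal metadata-update handler in its vulnerable and hardened forms. The header naming follows the advisory's x-image-meta-status; the set of server-managed attributes, the image records and the request headers are constructed for the example, and the real Glance status machine is larger than the single rule modelled here.

```python
"""Image metadata update: client-writable status versus server-managed status.

Added example, not Glance's code. The x-image-meta-* header convention is from
the advisory; SERVER_MANAGED, the image records and the headers are constructed.
"""
from typing import Dict

META_PREFIX = 'x-image-meta-'
# Attributes only the service itself may change (assumption for this example).
SERVER_MANAGED = frozenset({'status', 'size', 'checksum', 'owner',
                            'created_at', 'updated_at', 'deleted'})


def headers_to_meta(headers: Dict[str, str]) -> Dict[str, str]:
    """Collect x-image-meta-* request headers into an attribute dict."""
    meta = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(META_PREFIX):
            meta[lname[len(META_PREFIX):]] = value
    return meta


def vulnerable_update(image: Dict[str, str], headers: Dict[str, str]) -> Dict[str, str]:
    """Applies every x-image-meta-* header verbatim. A tenant can therefore move a
    deactivated image back to 'queued', after which its bytes can be re-uploaded."""
    updated = dict(image)
    updated.update(headers_to_meta(headers))
    return updated


def hardened_update(image: Dict[str, str], headers: Dict[str, str]) -> Dict[str, str]:
    """Rejects the whole request if it names any server-managed attribute."""
    meta = headers_to_meta(headers)
    forbidden = sorted(set(meta) & SERVER_MANAGED)
    if forbidden:
        raise PermissionError(f'read-only attributes in request: {forbidden}')
    updated = dict(image)
    updated.update(meta)
    return updated


def hardened_rejects(image: Dict[str, str], headers: Dict[str, str]) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_update(image, headers)
    except PermissionError:
        return True
    return False


def upload_allowed(image: Dict[str, str]) -> bool:
    """Only a queued image accepts an upload of its contents."""
    return image['status'] == 'queued'


# Constructed records: an image an operator has deactivated, an attacking request
# that tries to re-queue it, and a benign rename.
DEACTIVATED_IMAGE = {'id': 'img-0001', 'owner': 'tenant-a', 'status': 'deactivated', 'name': 'base'}
ATTACK_HEADERS = {'X-Image-Meta-Status': 'queued', 'X-Image-Meta-Name': 'base'}
BENIGN_HEADERS = {'X-Image-Meta-Name': 'base-renamed'}

if __name__ == '__main__':
    after = vulnerable_update(DEACTIVATED_IMAGE, ATTACK_HEADERS)
    print('vulnerable: status', after['status'], 'upload allowed:', upload_allowed(after))
    print('hardened rejects attack:', hardened_rejects(DEACTIVATED_IMAGE, ATTACK_HEADERS))
    print('hardened rename ok:', hardened_update(DEACTIVATED_IMAGE, BENIGN_HEADERS)['name'])
```

Rejecting rather than silently dropping the forbidden attribute is deliberate: a request that tries to write status is either a client bug or an attack, and both deserve a 403 and a log line rather than a partial success.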
Red Hat Security Advisory 2015-1905-01
Posted Oct 15, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1905-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console.

tags | advisory, java, web, denial of service, arbitrary
systems | linux, redhat
advisories | CVE-2015-5178, CVE-2015-5188, CVE-2015-5220
SHA-256 | eb89c322dc05195d96293e7b3bd6a45b4ccccfc51fd47a2b7459b5426241ae07
Red Hat Security Advisory 2015-1904-01
Posted Oct 15, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1904-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that sending requests containing large headers to the Web Console produced a Java OutOfMemoryError in the HTTP management interface. An attacker could use this flaw to cause a denial of service. It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console.

tags | advisory, java, web, denial of service, arbitrary
systems | linux, redhat
advisories | CVE-2015-5178, CVE-2015-5188, CVE-2015-5220
SHA-256 | 7b54a9054616b3b919e4de2504b70a27a7eb58995a4d8000629e3621f0203efa
Red Hat Security Advisory 2015-1893-01
Posted Oct 15, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1893-01 - The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin APSB15-25 listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.

tags | advisory, web, arbitrary, vulnerability
systems | linux, redhat
advisories | CVE-2015-5569, CVE-2015-7625, CVE-2015-7626, CVE-2015-7627, CVE-2015-7628, CVE-2015-7629, CVE-2015-7630, CVE-2015-7631, CVE-2015-7632, CVE-2015-7633, CVE-2015-7634, CVE-2015-7643, CVE-2015-7644
SHA-256 | 43bba8b4bca2e30a1e577f17f22233ca5ac7d88ec42c034379ae9db4eaa6da1b
Ubuntu Security Notice USN-2709-2
Posted Oct 15, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2709-2 - USN-2709-1 updated pollinate's certificate for entropy.ubuntu.com but did not include a new certificate authority certificate. This update fixes the problem. Various other issues were also addressed.

tags | advisory
systems | linux, ubuntu
SHA-256 | 07405917955cc6e732f12d69492661b1fd9c7275b82debd279393aa8decd20c0
Ubuntu Security Notice USN-2769-1
Posted Oct 15, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2769-1 - It was discovered that Apache Commons HttpClient did not properly verify the Common Name or subjectAltName fields of X.509 certificates. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. This issue only affected Ubuntu 12.04 LTS. Florian Weimer discovered the fix for CVE-2012-5783 was incomplete for Apache Commons HttpClient. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. This issue only affected Ubuntu 12.04 LTS. Various other issues were also addressed.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2012-5783, CVE-2012-6153, CVE-2014-3577, CVE-2015-5262
SHA-256 | af157aac0460aac84b53a3ba1669f3117b6a436e3293af422b911edc94f82c08
HP Security Bulletin HPSBGN03515 1
Posted Oct 14, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBGN03515 1 - Potential security vulnerabilities have been identified with HP Smart Profile Server Data Analytics Layer (SPS DAL). These vulnerabilities could be exploited remotely to allow Cross-Site Scripting (XSS) or disclosure of information. Revision 1 of this advisory.

tags | advisory, vulnerability, xss
advisories | CVE-2015-5444
SHA-256 | a9b259f68d6ed198e14ba45fb41c51eba0381eb95d369c09a8754b0afc0d5a7e
tiny-AES128-C Buffer Overflow
Posted Oct 14, 2015
Authored by Pascal Cuoq

The library tiny-AES128-C contains a buffer overflow in its AES128_CBC_encrypt_buffer() function, where 15 bytes beyond the end of the input buffer can be overwritten.

tags | advisory, overflow
SHA-256 | a7e437ab1c1557b6f02e672829111df160cb4ee24f700f757d8715884da74e5b
Ubuntu Security Notice USN-2767-1
Posted Oct 14, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2767-1 - Gustavo Grieco discovered that the GDK-PixBuf library did not properly handle scaling tga image files, leading to a heap overflow. If a user or automated system were tricked into opening a tga image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. Gustavo Grieco discovered that the GDK-PixBuf library contained an integer overflow when handling certain GIF images. If a user or automated system were tricked into opening a GIF image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. Various other issues were also addressed.

tags | advisory, remote, denial of service, overflow, arbitrary
systems | linux, ubuntu
advisories | CVE-2015-7673, CVE-2015-7674
SHA-256 | 3a29a3b4a363c0c978dc6d50853bdf439cb053733deb55142ef0459a99031ae9
Microsoft Security Bulletin Revision Increment For October, 2015
Posted Oct 14, 2015
Site microsoft.com

This bulletin summary lists multiple bulletins that have undergone a major revision increment for October, 2015.

tags | advisory
SHA-256 | 606915aba2106b77f76d909f0cffbd2e568af2dba89b3f1c521a0d01e6b8c16f
Microsoft Security Bulletin Summary For October, 2015
Posted Oct 14, 2015
Site microsoft.com

This bulletin summary lists six released Microsoft security bulletins for October, 2015.

tags | advisory
SHA-256 | 97027239176df14da037279816ff2516a65b06d95cb97bc90c7275356c532a8d
Debian Security Advisory 3372-1
Posted Oct 13, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3372-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, unauthorised information disclosure or unauthorised information modification.

tags | advisory, denial of service, kernel, vulnerability, info disclosure
systems | linux, debian
advisories | CVE-2015-2925, CVE-2015-5257, CVE-2015-5283, CVE-2015-7613
SHA-256 | 307334c9a5eff72ba64a9e315472120a161622f5ea8a1063d37e73e088dcd4e3
Red Hat Security Advisory 2015-1890-01
Posted Oct 12, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1890-01 - The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.

tags | advisory, remote, overflow, arbitrary, kernel, local, protocol
systems | linux, redhat
advisories | CVE-2015-5260, CVE-2015-5261
SHA-256 | 2419a1f8bb197d011605571f9eff7d3803265fff612609c2b582203ccbbe7645
Red Hat Security Advisory 2015-1889-01
Posted Oct 12, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1889-01 - The Simple Protocol for Independent Computing Environments is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.

tags | advisory, remote, overflow, arbitrary, kernel, local, protocol
systems | linux, redhat
advisories | CVE-2015-5260, CVE-2015-5261
SHA-256 | 4e0726057f796adcd2fcb126eb4b00d2f42baf185d0c4b84693cbae4e4b50be8
Red Hat Security Advisory 2015-1888-01
Posted Oct 12, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1888-01 - Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. It was found that the code which checked that the server hostname matches the domain name in a subject's Common Name field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.

tags | advisory, spoof
systems | linux, redhat
advisories | CVE-2012-6153, CVE-2013-7285, CVE-2014-0107, CVE-2014-0248, CVE-2014-3530, CVE-2014-3577, CVE-2014-3604
SHA-256 | 137300cf20be6442c17106059dabf78383537b44c8fef262d899c482c94adf70
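Both USN-2769-1 above (Apache Commons HttpClient) and this JBoss SOA Platform advisory concern the same check: deciding whether a server certificate's subject names match the hostname the client connected to. The following is an added example, not HttpClient's or JBoss's code: a hostname verifier with a naive Common Name extractor beside a correct one, plus RFC 6125 style name matching. The DN strings and SAN lists are constructed. The malicious DN illustrates one way such a check goes wrong: a backslash-escaped comma followed by "CN=" inside another attribute value, which a tokenizer that splits on every comma mistakes for a second Common Name.

```python
"""Hostname verification against X.509 subject data: naive versus correct CN parsing.

Added example; not HttpClient or JBoss code. The DN strings and SAN lists are
constructed. Real clients should rely on their TLS library's verifier; this shows
the failure mode and the rules a correct verifier applies.
"""
from typing import Callable, List, Sequence, Tuple

HONEST_DN = 'CN=www.example.com,O=Example Corp,C=US'
# Certificate legitimately issued to evil.example.net; its holder chose the O value.
MALICIOUS_DN = r'CN=evil.example.net,O=foo\,CN=www.example.com,C=US'


def naive_cns(dn: str) -> List[str]:
    """Vulnerable: split on ',' and take every token starting with 'CN='.
    Escaping is ignored, so the attacker-controlled text 'CN=www.example.com'
    inside the O value is returned as if it were a real Common Name."""
    return [t.strip()[3:] for t in dn.split(',') if t.strip().startswith('CN=')]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Tokenize an RFC 2253 style DN string, honoring backslash escapes and
    double quotes. Multi-valued RDNs joined with '+' are not modelled."""
    rdns, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == ',' and not in_quotes:      # only an unescaped, unquoted comma separates RDNs
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append(''.join(buf))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition('=')
        out.append((attr.strip().upper(), value.strip()))
    return out


def proper_cns(dn: str) -> List[str]:
    return [v for a, v in parse_dn(dn) if a == 'CN']


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single '*' as the entire leftmost label matching exactly
    one label: '*.example.com' matches 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p, h = pattern.split('.'), hostname.split('.')
    if p[0] != '*' or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def verify_hostname(hostname: str, dns_sans: Sequence[str], dn: str,
                    cn_extractor: Callable[[str], List[str]] = proper_cns) -> bool:
    """dNSName SANs are authoritative when present; the CN is consulted only for
    certificates carrying no dNSName SAN at all."""
    candidates = list(dns_sans) if dns_sans else cn_extractor(dn)
    return any(name_matches(c, hostname) for c in candidates)


if __name__ == '__main__':
    print('naive verifier accepts spoof :', verify_hostname('www.example.com', [], MALICIOUS_DN, naive_cns))
    print('proper verifier accepts spoof:', verify_hostname('www.example.com', [], MALICIOUS_DN))
    print('honest cert accepted         :', verify_hostname('www.example.com', [], HONEST_DN))
```

The two checks a reviewer should look for in any hand-rolled verifier are visible here: the subject DN must be parsed as structured data rather than as a string, and a CN should never be trusted when the certificate carries dNSName SANs.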
EMC SourceOne Email Supervisor XSS / Session Hijacking
Posted Oct 12, 2015
Site emc.com

EMC SourceOne Email Supervisor Reviewer is vulnerable to brute-force password guessing, cross site scripting, session hijacking, and use of hard-coded encryption key vulnerabilities.

tags | advisory, vulnerability, xss
advisories | CVE-2015-6843, CVE-2015-6844, CVE-2015-6845, CVE-2015-6846
SHA-256 | 675f02b326ac4c5d1fc4af34a8234c03706c420d281bc530a50212a23366245f
Debian Security Advisory 3371-1
Posted Oct 9, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3371-1 - Frediano Ziglio of Red Hat discovered several vulnerabilities in spice, a SPICE protocol client and server library. A malicious guest can exploit these flaws to cause a denial of service (QEMU process crash), execute arbitrary code on the host with the privileges of the hosting QEMU process or read and write arbitrary memory locations on the host.

tags | advisory, denial of service, arbitrary, vulnerability, protocol
systems | linux, redhat, debian
advisories | CVE-2015-5260, CVE-2015-5261
SHA-256 | 8724adae44c0f76d42a3f5b53969d8f1a2b8410728271b1ae7c84ec133ccef00
Red Hat Security Advisory 2015-1862-01
Posted Oct 9, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1862-01 - Red Hat Enterprise Linux OpenStack Platform director provides the facilities for deploying and monitoring a private or public infrastructure-as-a-service cloud based on Red Hat Enterprise Linux OpenStack Platform. A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package. The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data.

tags | advisory
systems | linux, redhat
advisories | CVE-2015-5271
SHA-256 | 5ea40faeb29a51d07126fa754ad6aa9ce63c8cee88b0b54a3e88de07ebad322f
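The director flaw above is purely one of middleware ordering: in a Swift proxy pipeline, filters run left to right, so a staticweb filter placed before the authentication filters serves container listings and objects to requests that have not been authenticated yet. The following is an added example, not code from the advisory or from openstack-tripleo-heat-templates: a check that parses a proxy-server.conf pipeline and flags staticweb appearing ahead of any authentication filter. The two configuration fragments are constructed, and the set of filter names treated as authentication (authtoken, keystoneauth, tempauth) is an assumption about the deployment.

```python
"""Flag a Swift proxy pipeline in which staticweb runs before authentication.

Added example; not from the advisory or from openstack-tripleo-heat-templates.
The configuration fragments are constructed and AUTH_FILTERS is an assumption.
"""
import configparser
from typing import List, Optional

# Filter names assumed to perform authentication in this deployment.
AUTH_FILTERS = frozenset({'authtoken', 'keystoneauth', 'tempauth'})


def pipeline_from_conf(conf_text: str) -> List[str]:
    """Read the [pipeline:main] pipeline line and return the ordered filter names."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp['pipeline:main']['pipeline'].split()


def staticweb_misordered(pipeline: List[str]) -> Optional[str]:
    """Return a finding when staticweb would see requests before authentication
    has run, or None when the ordering is safe or staticweb is absent."""
    if 'staticweb' not in pipeline:
        return None
    auth_positions = [i for i, f in enumerate(pipeline) if f in AUTH_FILTERS]
    if not auth_positions:
        return 'staticweb is enabled but no authentication filter is in the pipeline'
    sw = pipeline.index('staticweb')
    if sw < max(auth_positions):
        return (f'staticweb at position {sw} runs before authentication filter '
                f'{pipeline[max(auth_positions)]!r} at position {max(auth_positions)}; '
                f'unauthenticated requests reach staticweb first')
    return None


# Constructed fragments: the weak ordering and the corrected one
# (staticweb immediately ahead of proxy-server, after auth).
VULNERABLE_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache staticweb authtoken keystoneauth proxy-server
"""

FIXED_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystoneauth staticweb proxy-server
"""

if __name__ == '__main__':
    for label, conf in (('generated', VULNERABLE_CONF), ('fixed', FIXED_CONF)):
        finding = staticweb_misordered(pipeline_from_conf(conf))
        print(f'{label}: {finding or "ok"}')
```

The check is worth running against rendered configuration, not templates: the flaw here was in what the template engine produced, and that is what the proxy actually loads.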
Red Hat Security Advisory 2015-1876-01
Posted Oct 9, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-1876-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. It was found that Django incorrectly handled the session store. A session could be created by anonymously accessing the django.contrib.auth.views.logout view if it was not decorated correctly with django.contrib.auth.decorators.login_required. A remote attacker could use this flaw to fill up the session store or cause other users' session records to be evicted by requesting a large number of new sessions.

tags | advisory, remote, web, python
systems | linux, redhat
advisories | CVE-2015-5963
SHA-256 | 877d266616c7a414824877b342ccbfa1856350019d29d18619838e614d8640fa
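The Django flaw above is a resource-exhaustion issue with a twist: because a cache-backed session store has a fixed capacity, an attacker who can create sessions for free does not merely fill it but pushes real users' sessions out. The following is an added example that models the mechanism, not Django's code: a toy capacity-bound session store standing in for a cache backend, a logout handler that unconditionally writes a new session record even for an anonymous client, and the hardened handler that only acts on an existing session. The store, request objects and capacities are constructed.

```python
"""Session-store exhaustion via an unauthenticated logout view.

Added example modelling the advisory's mechanism; not Django code. SessionStore
is a toy LRU-style cache standing in for a capacity-limited session backend,
and the requests are constructed.
"""
from collections import OrderedDict
import secrets
from typing import Callable, Optional


class SessionStore:
    """Capacity-bound store: when full, the oldest record is evicted, as a
    memory-limited cache backend would do."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self._records: 'OrderedDict[str, dict]' = OrderedDict()

    def create(self) -> str:
        key = secrets.token_hex(16)
        self._records[key] = {}
        while len(self._records) > self.capacity:
            self._records.popitem(last=False)     # evict the oldest session
        return key

    def exists(self, key: str) -> bool:
        return key in self._records

    def delete(self, key: str) -> None:
        self._records.pop(key, None)


class Request:
    def __init__(self, session_key: Optional[str] = None):
        self.session_key = session_key      # session cookie value; None for a fresh anonymous client


def vulnerable_logout(store: SessionStore, request: Request) -> Optional[str]:
    """Flushes unconditionally: drops whatever key came in and always writes a
    brand-new record, so every anonymous request costs the store one slot."""
    if request.session_key:
        store.delete(request.session_key)
    return store.create()


def hardened_logout(store: SessionStore, request: Request) -> Optional[str]:
    """Only acts when there is a session to end; an anonymous request writes
    nothing. Requiring login for the view achieves the same effect."""
    if request.session_key and store.exists(request.session_key):
        store.delete(request.session_key)
    return None


def victim_survives(handler: Callable[[SessionStore, Request], Optional[str]],
                    capacity: int = 100, anonymous_requests: int = 1000) -> bool:
    """Create one legitimate session, flood the view with anonymous requests,
    and report whether the legitimate session is still in the store."""
    store = SessionStore(capacity)
    victim_key = store.create()
    for _ in range(anonymous_requests):
        handler(store, Request())
    return store.exists(victim_key)


if __name__ == '__main__':
    print('victim session survives (vulnerable):', victim_survives(vulnerable_logout))
    print('victim session survives (hardened)  :', victim_survives(hardened_logout))
```

The detection angle follows from the model: a spike in session creations with no corresponding logins, or a session count that tracks request rate on an unauthenticated endpoint, is the signal to alert on.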
PayPal Beacon Insecure Transport / Information Disclosure
Posted Oct 8, 2015
Authored by Shaftek Security Research

PayPal Beacon firmware fails to check signatures, has a static root password, and uses insecure transport over HTTP.

tags | advisory, web, root
SHA-256 | 74769ae9b794d352a824424018db32f720241a068c8be6481346846e1022a73c
Revive Adserver 3.2.1 CSRF / XSS / Local File Inclusion
Posted Oct 7, 2015
Authored by Matteo Beccati

Revive Adserver versions 3.2.1 and below suffer from improper access controls, cross site request forgery, cross site scripting, local file inclusion, and various other vulnerabilities.

tags | advisory, local, vulnerability, xss, file inclusion, csrf
advisories | CVE-2015-7364, CVE-2015-7365, CVE-2015-7366, CVE-2015-7367, CVE-2015-7368, CVE-2015-7369, CVE-2015-7370, CVE-2015-7371, CVE-2015-7372, CVE-2015-7373
SHA-256 | f3c53ca4f0d760cffde26a8a7bbe06712810d8fb32dabf303255604dc56e2372
© 2022 Packet Storm. All rights reserved.
