Subrion CMS version 3.2.2 suffers from a cross site scripting vulnerability.
c1298bd4285680bb909de7d080e42246026fcafa8acbcb9c5b42cb20c45c4a52
goYWP WebPress version 13.00.06 suffers from multiple cross site scripting vulnerabilities.
a21be4dd03bd59d3528f15a9288cff274f06afcc7ee938c5319f87766878e5f3
phpTrafficA versions 2.3 and below suffer from a remote SQL injection vulnerability.
35cf42f536241e5b5165723fb326796ec0832be49a1a2e5d66ecf66411871ea8
Apache CloudStack may be configured to authenticate LDAP users. When so configured, it performs a simple LDAP bind with the name and password provided by a user. Simple LDAP binds are defined with three mechanisms (RFC 4513): 1) username and password; 2) unauthenticated if only a username is specified; and 3) anonymous if neither username or password is specified. Currently, Apache CloudStack does not check if the password was provided which could allow an attacker to bind as an unauthenticated user. Versions 4.3 and 4.4 are affected.
bbbd1b2ac7a4bb891b769624d11c121d4535a2c1bb2af58f8cd50947731eefdc
Debian Linux Security Advisory 3093-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service or privilege escalation.
57232cc982d5b56a3a4484ad03202481e9d82dcc2130c361d364a0329773cbdd
HP Security Bulletin HPSBST03154 2 - A potential security vulnerability has been identified with HP StoreFabric C-series MDS switches and HP C-series Nexus 5K switches running Bash Shell. This is the Bash Shell vulnerability known as "ShellShock" which could be exploited remotely to allow execution of code. Revision 2 of this advisory.
1fd37f9427784b3b37be04b743ed2eb89dd0ff93ce83329650327ceec8f74b04
Debian Linux Security Advisory 3094-1 - It was discovered that BIND, a DNS server, is prone to a denial of service vulnerability. By making use of maliciously-constructed zones or a rogue server, an attacker can exploit an oversight in the code BIND 9 uses to follow delegations in the Domain Name Service, causing BIND to issue unlimited queries in an attempt to follow the delegation. This can lead to resource exhaustion and denial of service (up to and including termination of the named server process).
1d2684cbff318116da931be8775f83a064a4521f81b9e896735e6547897432ec
Ubuntu Security Notice 2437-1 - Florian Maury discovered that Bind incorrectly handled delegation. A remote attacker could possibly use this issue to cause Bind to consume resources and crash, resulting in a denial of service.
3d1d036b529b6873104212a11d009791b5b4b740cb524238ad8f2bfb5b4b7a8a
Red Hat Security Advisory 2014-1976-01 - The RPM Package Manager is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
f3d5900ed19dc90fb2fe4b2515aa16f953b699c1bbe2c44861f607a0ddb74b93
Red Hat Security Advisory 2014-1974-01 - The RPM Package Manager is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
6e89aa2b2e0253c04afbf06552de7a2d10d01556b868fb8b80dec65dd2b96cbd
Red Hat Security Advisory 2014-1975-01 - The RPM Package Manager is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information. It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
8d80abb8541cbbc8250361acbc9606a88785e1abb04428c93bbb1a8a92b84a06
Red Hat Security Advisory 2014-1973-01 - Red Hat JBoss Portal is the open source implementation of the Java EE suite of services and Portal services running atop Red Hat JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Middleware components that have been tested and certified together to provide an integrated experience. RichFaces is an open source framework that adds Ajax capability into existing JavaServer Faces applications. It was found that RichFaces accepted arbitrary strings included in a URL and returned them unencoded in a CSS file. A remote attacker could use this flaw to perform cross-site scripting attacks against a user running a RichFaces application.
814cf5940970b4e11d38e5b84b869f649ada5cb0bfc376e7c0c1241393ca9288
Red Hat Security Advisory 2014-1972-01 - The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled. A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
b15033df8966e461bd230191dc61a940f431119df00b767cbba93b9ab386f18c
Red Hat Security Advisory 2014-1971-01 - A flaw was found in the way the Linux kernel's SCTP implementation handled malformed or duplicate Address Configuration Change Chunks. A remote attacker could use either of these flaws to crash the system. A flaw was found in the way the Linux kernel's SCTP implementation handled the association's output queue. A remote attacker could send specially crafted packets that would cause the system to use an excessive amount of memory, leading to a denial of service.
259b2a7a6414f480013fd35c56afb4dd38c3314536fa54e70f0ac1b44239b896
Ubuntu Security Notice 2435-1 - It was discovered that graphviz incorrectly handled parsing errors. An attacker could use this issue to cause graphviz to crash or possibly execute arbitrary code.
5932c92cbfbc9eeade2de417beb3caef257a0e59dd0e0e9600dca6d53ee4b85d
Ubuntu Security Notice 2436-1 - Ilja van Sprundel discovered a multitude of security issues in the X.Org X server. An attacker able to connect to an X server, either locally or remotely, could use these issues to cause the X server to crash or execute arbitrary code resulting in possible privilege escalation.
97deccba022aa2cc95bda1a026d6949fb81fdc208c22a7019aa4f37ecc4abd4a
HP Security Bulletin HPSBGN03208 1 - A potential security vulnerability has been identified with HP Cloud Service Automation running SSLv3. This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "Poodle", which could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.
27f37afb1036f5c5d4bb6b486468b8c08347f3df32c493091b0e0391eaab9061
HP Security Bulletin HPSBGN03222 1 - A potential security vulnerability has been identified with HP Enterprise Maps running SSLv3. This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" also known as "Poodle", which could be exploited remotely to allow disclosure of information. Revision 1 of this advisory.
f18daf6c0c99a853a512a72f0ccc9a7ec88c30820920cee167b136d92412be40
Scarlet Daisy Web CMS suffers from a cross site scripting vulnerability. Note that this finding houses site-specific data.
d6b8a12437d0210b5129116dbb62cac83a2528fa625ec889888d0ffb37d18192
B-Sides Vancouver 2015 has announced its Call For Papers. It will be held March 16th and 17th, 2015 in Vancouver, British Columbia, Canada.
73ea7bcc54693a3019aa63a693d45e9123e728addfa88e9bb6e520a29504f9d6
Humhub versions 0.10.0-rc.1 and below suffer from cross site scripting and remote SQL injection vulnerabilities.
a8b814b89548826f53744a839edb39b524a3238eaea84c586c85c33e616b62ac
This bulletin summary lists two bulletins that have undergone a major revision increment for December, 2014.
91b8c128a0cc65616bf6f64e683d9135b7d0759d7374b3a37d0b3d750ef8d121
BulletProof FTP Client 2010 SEH buffer overflow exploit that affects version 2010.75.0.76.
768ac5c85705858de901eded228cb32ca920c358f2b0b48fd7cc80cc6fee9a4a
ClassAd version 3.0 suffers from a remote SQL injection vulnerability.
08e3f466466b70f7c2ba6f79ba80db7b44175d81abd88c0594531502dedcd2c6
espn.go.com suffers from cross site scripting and open redirection vulnerabilities.
5b0500a08b374806d0cceeb29f4910ac61b0bf1fa95d2f59f39a461e09d32362