haveged is a daemon that feeds the /dev/random pool on Linux using an adaptation of the HArdware Volatile Entropy Gathering and Expansion algorithm invented at IRISA. The algorithm is self-tuning on machines with cpuid support, and has been tested in both 32-bit and 64-bit environments. The tarball uses the GNU build mechanism, and includes self test targets and a spec file for those who want to build an RPM.
fb1d8b3dcbb9d06b30eccd8aa500fd31Flawfinder searches through source code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first. This risk level depends not only on the function, but on the values of the parameters of the function.
e7b9a9c35661007fe5a9cb6aea8c865fRed Hat Security Advisory 2017-3247-01 - Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 52.5.0 ESR. Security Fix: Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox.
c46e919d507d1c9b0fb423e0907f6182This Microsoft bulletin summary holds information regarding an update to ADV170012.
4e9919cd113438dc3cc12f96a9e9962cCisco Umbrella virtual appliance versions 2.1.0 and below contain undocumented hardcoded credentials which could allow an attacker to access the hypervisor console and provide persistent and unrestricted access to the virtual appliance.
993e3f76b4724491d5f16794bc2fb968Google Chrome versions prior to 62 universal cross site scripting proof of concept exploit.
ad8127eed413a23668fc4660414117ffVXSearch version 10.2.14 local SEH buffer overflow exploit that binds a shell to port 1337.
1ab1330c76b3835a22a52f5325e58751Progress Sitefinity versions 10.0 and 10.1 suffer from broken access control and LINQ injection vulnerabilities.
81f6c377a2786674652795adbfa628e3FreeBSD Security Advisory - Not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information of the kernel stack of the thread is possible from the debugger. Some bytes from the kernel stack of the thread using ptrace(PT_LWPINFO) call can be observed in userspace.
4185c6c38d161594900777f2d539e495D-Link DCS-936L suffers from a cross site request forgery vulnerability.
16ebb26ff2ecf0815f3032dd2a3b7e7cDell Active Roles versions 7.1, 7.0.4, 7.0.3, 7.0.2, and 7.0 suffer from an unquoted service path privilege escalation vulnerability.
345625e8405d3b2ffe718dce42429c46phpMyFAQ version 2.9.9 suffers from an issue where an administrative account can execute arbitrary code on the server by modifying LANG_CONF[main.metaDescription].
225232827b43d46c5d4a7742cbe2ff01Red Hat Security Advisory 2017-3240-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release provides an update to httpd and OpenSSL. The updates are documented in the Release Notes document linked to in the References. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.
3b29f86af233ff52d38e4b5b486e8852Red Hat Security Advisory 2017-3239-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release provides an update to httpd and OpenSSL. The updates are documented in the Release Notes document linked to in the References. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library.
d3308a53ac9894680ebba1c87d267299Ubuntu Security Notice 3482-1 - It was discovered that racoon, the ipsec-tools IKE daemon, incorrectly handled certain ISAKMP fragments. A remote attacker could use this issue to cause racoon to crash, resulting in a denial of service.
c03a17de47f9086226a6a0912badf93fUbuntu Security Notice 3477-1 - Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. Various other issues were also addressed.
5ed2b9f8c90425388420326b5e31775dUbuntu Security Notice 3481-1 - A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
68e7c4cff272deb50d9fba595e29a0d0Red Hat Security Advisory 2017-3244-01 - Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 7.1.1 serves as a replacement for Red Hat JBoss Data Grid 7.1.0, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References. Security Fix: It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API.
82346d59795f9de41423699c8800be3dRed Hat Security Advisory 2017-3227-01 - openstack-aodh provides the ability to trigger actions based on defined rules against metric or event data collected by OpenStack Telemetry or Time-Series-Database-as-a-Service. Security Fix: A verification flaw was found in openstack-aodh. As part of an HTTP alarm action, a user could pass in a trust ID. However, the trust could be from anyone because it was not verified. Because the trust was then used by openstack-aodh to obtain a keystone token for the alarm action, a malicious user could pass in another person's trust ID and obtain a keystone token containing the delegated authority of that user.
4d3d8bee73c831b9caf8a52499eb6e8f
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed