Red Hat Security Advisory 2013-1701-02 - The sudo utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the way sudo handled time stamp files. An attacker able to run code as a local user and with the ability to control the system clock could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. It was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password.
a123845b4cafb94e8438b79697c175656bdf7428c4a06099ba6aeacc46222972Red Hat Security Advisory 2013-1674-02 - The dracut packages include an event-driven initramfs generator infrastructure based on the udev device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system, so it can read and boot from the root partition. It was discovered that dracut created initramfs images as world readable. A local user could possibly use this flaw to obtain sensitive information from these files, such as iSCSI authentication passwords, encrypted root file system crypttab passwords, or other information. This issue was discovered by Peter Jones of the Red Hat Installer Team.
2050dc942de5eb4ba44015cdee252caaddb26b1adb34a3e870c29d892372f276Red Hat Security Advisory 2013-1635-02 - Pacemaker is a high-availability cluster resource manager with a powerful policy engine. A denial of service flaw was found in the way Pacemaker performed authentication and processing of remote connections in certain circumstances. When Pacemaker was configured to allow remote Cluster Information Base configuration or resource management, a remote attacker could use this flaw to cause Pacemaker to block indefinitely. Note: The default Pacemaker configuration in Red Hat Enterprise Linux 6 has the remote CIB management functionality disabled.
9d102a1147e401127cf203cf2ab61a235c649652bde033359f95bd195461afdeRed Hat Security Advisory 2013-1620-02 - X.Org is an open source implementation of the X Window System. It provides the basic low-level functionality that full-fledged graphical user interfaces are designed upon. A flaw was found in the way the X.org X11 server registered new hot plugged devices. If a local user switched to a different session and plugged in a new device, input from that device could become available in the previous session, possibly leading to information disclosure. This issue was found by David Airlie and Peter Hutterer of Red Hat.
d9b2327c50545970d9b73191ac1a524f85d7fbf297a2c977571a9de16d9ce5a3Red Hat Security Advisory 2013-1605-02 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the Name Server Caching Daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in glibc's memory allocator functions. If an application used such a function, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
daf7b810ca339f4203738b3d995a41e50c8f3237d997d559ea32ef846fec988dRed Hat Security Advisory 2013-1645-02 - The kernel packages contain the Linux kernel, the core of any Linux operating system. A flaw was found in the way the Linux kernel's IPv6 implementation handled certain UDP packets when the UDP Fragmentation Offload feature was enabled. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.
97d65ec407c60f5d7fb845675304c446d1888daf065dc7d8976e4e16c33033abRed Hat Security Advisory 2013-1652-02 - The coreutils package contains the core GNU utilities. It is a combination of the old GNU fileutils, sh-utils, and textutils packages. It was discovered that the sort, uniq, and join utilities did not properly restrict the use of the alloca() function. An attacker could use this flaw to crash those utilities by providing long input strings. These updated coreutils packages include numerous bug fixes and two enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical Notes, linked to in the References, for information on the most significant of these changes.
be0c34029a6c6c2bf5e62648c3f53350127f338719d8f83f05b8ad7a6aa7916dRed Hat Security Advisory 2013-1603-02 - Luci is a web-based high availability administration application. A flaw was found in the way the luci service was initialized. If a system administrator started the luci service from a directory that was writable to by a local user, that user could use this flaw to execute arbitrary code as the root or luci user. A flaw was found in the way luci generated its configuration file. The file was created as world readable for a short period of time, allowing a local user to gain access to the authentication secrets stored in the configuration file.
390b92c4abaa15b7e89a39f5215aff24625e8e3e48eef514bab0df512a2a6246Red Hat Security Advisory 2013-1591-02 - OpenSSH is OpenBSD's Secure Shell protocol implementation. These packages include the core files necessary for the OpenSSH client and server. The default OpenSSH configuration made it easy for remote attackers to exhaust unauthorized connection slots and prevent other users from being able to log in to a system. This flaw has been addressed by enabling random early connection drops by setting MaxStartups to 10:30:100 by default. For more information, refer to the sshd_config man page. These updated openssh packages include numerous bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.5 Technical Notes, linked to in the References, for information on the most significant of these changes.
a4f28ff7392407cc2b25c64fb8ce70d6d9dd9cbe74095327d51804e531223977Red Hat Security Advisory 2013-1536-02 - Libguestfs is a library and set of tools for accessing and modifying guest disk images. It was found that guestfish, which enables shell scripting and command line access to libguestfs, insecurely created the temporary directory used to store the network socket when started in server mode. A local attacker could use this flaw to intercept and modify other user's guestfish command, allowing them to perform arbitrary guestfish actions with the privileges of a different user, or use this flaw to obtain authentication credentials.
2ea5dead0a2607a799545568508db440ef0819dada2e1fe26cb1ae151696e649Whitepaper called To Kill a Centrifuge - A Technical Analysis of What Stuxnet's Creators Tried to Achieve.
75e6d217f9ac0859aa9d4ad1ececb2d395e122d6a0d1fa7cb30fc9e81bc01da9vBulletin vBSEO plugin versions 3.2.0 and 3.6.0 suffer from a cross site scripting vulnerability.
27f00a8a77a7b71b23dd09a034cd72b1107c5ccb58c14b597b811c78a98ad496Debian Linux Security Advisory 2798-2 - The update for curl in DSA-2798-1 uncovered a regression affecting the curl command line tool behaviour (#729965). This update disables host verification too when using the --insecure option.
ce1a6610897ebeb0ecc8600b5d5a1134408350f1241fe3beff51b07c1ce9e564Drupal Core versions 6.x and 7.x suffer from PRNG weaknesses, cross site scripting and open redirection vulnerabilities.
8b71c2acab67fed36a5047f2121643a2cc7ad3f1855e24a59cd60198f53221deGentoo Linux Security Advisory 201311-13 - Multiple vulnerabilities have been found in OpenVPN, allowing remote attackers to read encrypted traffic. Versions less than 2.3.1 are affected.
d2f81af3f93b9da61e7132428ea1952938c2cc2f98696e6c78aa0f34389ff15fGentoo Linux Security Advisory 201311-12 - A vulnerability in Open DC Hub could result in execution of arbitrary code. Versions less than 0.8.2 are affected.
0639f78feef4b7766dd42b74cd9299e430c37af7bff8fced8f131c7c33e533f8Gentoo Linux Security Advisory 201311-11 - A stack-based buffer overflow in CTorrent might allow a remote attacker to execute arbitrary code or cause a Denial of Service condition. Versions less than 3.3.2-r1 are affected.
737368af1259f8ff95a25fe794f06dd4030a9bc406f8acbd7d38c92617b20d93Mandriva Linux Security Advisory 2013-270 - Multiple security issues was identified and fixed in mozilla NSPR and NSS. Mozilla Network Security Services before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. Integer overflow in Mozilla Network Security Services 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. Various other issues were also addressed.
89688cb44f72d5c0610b28222e48ec4e53e14de8388bf3ba17ef5960b2f31817Mandriva Linux Security Advisory 2013-269 - Multiple security issues was identified and fixed in mozilla NSPR, NSS, and firefox. Mozilla Network Security Services before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. Integer overflow in Mozilla Network Security Services 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. Various other issues have also been addressed.
5ff6af659aa173d788e6b24e0437553faf1a51ae5b75cb0fcc5088c05d600b14Ubuntu Security Notice 2031-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, potentially execute arbitrary code, or lead to information disclosure.
3684065bb99c7b7f886ea12ba63ebd3fae46ae85cf46667f49f7d182e3e6f644Drupal Entity Reference third party module version 7.x suffers from an access bypass vulnerability.
79ec26c04814cae95cfa614ef3c9cf049782c96bcc442b5a595e09eb5d56a74dDrupal EU Cookie Compliance third party module version 7.x suffers from a cross site request forgery vulnerability.
c30c092d31ec22a4a89a6e7afd57a697d9bf85b456388e714e46ab976d71fbdeDrupal Organic Groups third party module version 7.x suffers from an access bypass vulnerability.
92946572ee7bab6bb347a2ad606428b2f2932f8a7baea52cf920cc0f1f180618Drupal Invitation third party module version 7.x suffers from an access bypass vulnerability.
176d222c03bc1e9a7a15daf5f2ef794edc06ffc1f8f08ea0cb40c33dbcae33e5Ruckus Wireless Zoneflex 2942 wireless access point suffers from an authentication bypass vulnerability.
a11949340cd5c013d3ac7d14a6262d36bf5f0d3c62b518117024442c4f69a79e
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed