FreeBSD Security Advisory - The TLS protocol supports an alert protocol which can be used to signal the other party with certain failures in the protocol context that may require immediate termination of the connection. An attacker can trigger generation of an SSL alert which could cause a null pointer deference. An attacker may be able to cause a service process that uses OpenSSL to crash, which can be used in a denial-of-service attack.
5e7e027355f544c110f3a57ad64dbc048f43ff80774c5c5bf5cd2ee3b519875eAleph 500, the integrated library management system, suffers from a cross site scripting vulnerability.
38198138de2de1992287e268af781f344dc7306b73808bcc1f65116914757799Gentoo Linux Security Advisory 201405-7 - Multiple vulnerabilities have been found in X.Org X Server, allowing attackers to execute arbitrary code or cause a Denial of Service condition. Versions less than 1.14.3-r2 are affected.
f191a6d803ee52893abaf1ebc5b38cb24ae2b2f23d074bcaefcd37350622dea2Debian Linux Security Advisory 2927-1 - Ilja van Sprundel of IOActive discovered several security issues in the X.Org libXfont library, which may allow a local, authenticated user to attempt to raise privileges; or a remote attacker who can control the font server to attempt to execute code with the privileges of the X server.
cdba8e46fc8703f628140a96e5b5758b282928e4bd48ee7dcfc5f3a27f9546c8Red Hat Security Advisory 2014-0510-01 - Ruby on Rails is a model-view-controller framework for web application development. Action Pack implements the controller and the view components. A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request. All ruby193-rubygem-actionpack users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
43c8a948142a3bf827dccd735296150f1caa88e3d8cd1b62366b356529dd6ae1Red Hat Security Advisory 2014-0508-01 - IBM Java SE version 6 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit.
90ddd4af030964838b2a1b328a5c7b9afc6b06fcb961dfc88d17c98ff3cc7f86Red Hat Security Advisory 2014-0509-01 - IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit.
985dc09ea3dc919948c0e034b12323d756ba379e4d13d506967760d5a5afea60Red Hat Security Advisory 2014-0511-01 - Red Hat JBoss Operations Network is a middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. Apache Struts is a framework for building web applications with Java. It was found that the Struts 1 ActionForm object allowed access to the 'class' parameter, which is directly mapped to the getClass() method. A remote attacker could use this flaw to manipulate the ClassLoader used by an application server running Struts 1. This could lead to remote code execution under certain conditions.
1ca60d1e65c986cd9a9a0da28640c61b3da39426145fa0d4d41a7308e48cf2daUbuntu Security Notice 2214-1 - Daniel Berrange discovered that libxml2 would incorrectly perform entity substitution even when requested not to. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause resource consumption, resulting in a denial of service.
64ca427162a57b3fc78c8d1d6777e7a05d14345a9139d949bb434394a88f5e63Mandriva Linux Security Advisory 2014-088 - The clean_html() function, provided by the lxml.html.clean module, did not properly clean HTML input if it included non-printed characters. A remote attacker could use this flaw to serve malicious content to an application using the clean_html() function to process HTML, possibly allowing the attacker to inject malicious code into a website generated by this application.
27b6915e85e2cf8c9db16287c6217e0b73f61d3b1249f6dfb9740f12c8973c01Mandriva Linux Security Advisory 2014-087 - PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user. The updated php packages have been upgraded to the 5.5.12 version which is not vulnerable to this issue. Additionally, the timezonedb packages has been upgraded to the latest 2014.3 version, the php-suhosin packages has been upgraded to the latest 0.9.35 version which has better support for php-5.5 and the PECL packages which requires so has been rebuilt for php-5.5.12.
a6e19960073cef3beae4d8e577966a156b2ecc6d43d1cf63b7154d5b8c984e73Ubuntu Security Notice 2213-1 - It was discovered that Dovecot incorrectly handled closing inactive SSL/TLS connections. A remote attacker could use this issue to cause Dovecot to stop responding to new connections, resulting in a denial of service.
e11d65530516edf471c037d15e12b497989180e21221b6dc72a4223832e170edDebian Linux Security Advisory 2928-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a denial of service, information leak or privilege escalation.
94181887db3182cd102cc9832bea482e248427764ebad1d14421ba5fe3931dc4Ubuntu Security Notice 2212-1 - Stephen Stewart, Michael Nelson, Natalia Bidart and James Westby discovered that Django improperly removed Vary and Cache-Control headers from HTTP responses when replying to a request from an Internet Explorer or Chrome Frame client. An attacker may use this to retrieve private data or poison caches. This update removes workarounds for bugs in Internet Explorer 6 and 7. Peter Kuma and Gavin Wahl discovered that Django did not correctly validate some malformed URLs, which are accepted by some browsers. An attacker may use this to cause unexpected redirects. An update has been provided for 12.04 LTS, 12.10, 13.10, and 14.04 LTS; this issue remains unfixed for 10.04 LTS as no "is_safe_url()" functionality existed in this version. Various other issues were also addressed.
5b065fb6a72116c48d17fa2575373d8d96f467584b070bb42f5c881d9c76e332Bilyoner mobile applications are prone to various SSL/TLS attacks. Note that this finding houses site-specific data.
3e4620f372271f1aafbe2da3a1493c3650555c58774e0908e18ec210054b5b02
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed