Red Hat Security Advisory 2016-1385-01 - Red Hat Ceph Storage is a massively scalable, open, software-defined storage platform that combines the most stable version of Ceph with a Ceph management platform, deployment tools, and support services. A flaw was found in the way handle_command() function would validate prefix value from user. An authenticated attacker could send a specially crafted prefix value resulting in ceph monitor crash. Upstream acknowledges Xiaoxi Chen as the original reporter of CVE-2016-5009.
6e2f1a64426a3441db19a3f627ac1a2e6c54b062acf80e1faf2263a2ed0aa796Red Hat Security Advisory 2016-1384-01 - Red Hat Ceph Storage is a massively scalable, open, software-defined storage platform that combines the most stable version of Ceph with a Ceph management platform, deployment tools, and support services. A flaw was found in the way handle_command() function would validate prefix value from user. An authenticated attacker could send a specially crafted prefix value resulting in ceph monitor crash. Upstream acknowledges Xiaoxi Chen as the original reporter of CVE-2016-5009.
f30178f82aa154cadd872f88c326882a07f2396b67d8d10c20059c3b84008dbfUbuntu Security Notice 3025-1 - It was discovered that GIMP incorrectly handled malformed XCF files. If a user were tricked into opening a specially crafted XCF file, an attacker could cause GIMP to crash, or possibly execute arbitrary code with the user's privileges.
f4883d83e7653e58a5a51631f142e075260510c3732cfb4884abb838a6206bfaUbuntu Security Notice 3026-2 - It was discovered that libusbmuxd incorrectly handled socket permissions. A remote attacker could use this issue to access services on iOS devices, contrary to expectations.
9eba56d6604451c259fb0e08ea9d19711741157daa341b4525e648e499bcfacdHP Security Bulletin HPSBHF03613 1 - Potential security vulnerabilities in OpenSSL have been addressed with HPE network products including iMC, VCX, Comware 5 and Comware 7. The vulnerabilities could be exploited remotely resulting in Denial of Service (DoS) or unauthorized access. Revision 1 of this advisory.
9167fdcf073265b0be894bab391505d9b9700dc7bb114d588f30e9567cafc92bUbuntu Security Notice 3026-1 - It was discovered that libimobiledevice incorrectly handled socket permissions. A remote attacker could use this issue to access services on iOS devices, contrary to expectations.
de4898d4ca2ee3a1c5c45efa3b211507d61cffa1a3087c65983973107a1f8822Ubuntu Security Notice 3024-1 - It was discovered that Tomcat incorrectly handled pathnames used by web applications in a getResource, getResourceAsStream, or getResourcePaths call. A remote attacker could use this issue to possibly list a parent directory . This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. It was discovered that the Tomcat mapper component incorrectly handled redirects. A remote attacker could use this issue to determine the existence of a directory. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. Various other issues were also addressed.
4370e181c653b8239d33a7ca5224666cb7d29084f3014c7e307c339e87ecd273Red Hat Security Advisory 2016-1378-01 - OpenStack Bare Metal is a tool used to provision bare metal machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific functionality. Security Fix: An authentication vulnerability was found in openstack-ironic. A client with network access to the ironic-api service could bypass OpenStack Identity authentication, and retrieve all information about any node registered with OpenStack Bare Metal. If an unprivileged attacker knew the MAC address of a network card belonging to a node, the flaw could be exploited by sending a crafted POST request to the node's /v1/drivers/$DRIVER_NAME/vendor_passthru resource. The response included the node's full details, including management passwords, even if the /etc/ironic/policy.json file was configured to hide passwords in API responses.
cf0653a60b67d585ed9588c8088bcba3f2e30c854c60789ef0985ca54cbb1db7Red Hat Security Advisory 2016-1377-01 - OpenStack Bare Metal is a tool used to provision bare metal machines. It leverages common technologies such as PXE boot and IPMI to cover a wide range of hardware. It also supports pluggable drivers to allow added, vendor-specific functionality. Security Fix: An authentication vulnerability was found in openstack-ironic. A client with network access to the ironic-api service could bypass OpenStack Identity authentication, and retrieve all information about any node registered with OpenStack Bare Metal. If an unprivileged attacker knew the MAC address of a network card belonging to a node, the flaw could be exploited by sending a crafted POST request to the node's /v1/drivers/$DRIVER_NAME/vendor_passthru resource. The response included the node's full details, including management passwords, even if the /etc/ironic/policy.json file was configured to hide passwords in API responses.
d0bf2032c8fc6f463979829d9f140ec32ab10ca2f36f474f914a721b83f2f3acSlackware Security Advisory - New mozilla-thunderbird packages are available for Slackware 14.1, 14.2, and -current to fix security issues.
1af27cbf8c0fcfe0a2a30b081299a3527075a1b360c06d9a09003f8f6a4fd9c1Red Hat Security Advisory 2016-1380-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fix: The nodejs-qs module has the ability to create sparse arrays during parsing. By specifying a high index in a querystring parameter it is possible to create a large array that will eventually take up all the allocated memory of the running process, resulting in a crash.
acdec234b54c7dfd32536ce5ae44e6ef68bd3a56857fe91b3743c4c38970aea2Debian Linux Security Advisory 3616-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.
f8f91d42b2147ed0e585aa9485405e88185e79297b056fa67e83dc0d6de123eeWordPress CodeCanyon Real3D FlipBook plugin version 2.18.8 suffers from unauthenticated file deletion, file upload, and cross site scripting vulnerabilities.
3c4b4687c891c6fca773d5436678988b2dd8987079a676672916e5464ce95eafThe Acer Portal Android application version 3.9.3.2006 and below, installed by the manufacturer on all Acer branded Android devices, does not validate the SSL certificate it receives when connecting to the mobile application login server.
e41d65b401922a36dd4fd36af2a4b2b250969e944b8ae92cf0e117d652041d1bApple Safari version 9.1.1 for Mac OS X suffers from a local XXE vulnerability when processing specially crafted SVG images. This does not work with downloaded files.
23bbd32f77e1c03ed726b6f44b84ac17454893681f3844f34b64aef3707c3454Apache HTTPD WebServer versions 2.4.18 through 2.4.20 do not validate an X509 client certificate correctly when the experimental module for the HTTP/2 protocol is used to access a resource.
73cb5eb411b034ceb6b622bf0f896e11c8dc4ab336ed65d2398b8fb6ff33854a
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed