Friday, August 8, 2014

[ MDVSA-2014:157 ] ipython

 Mandriva Linux Security Advisory                         MDVSA-2014:157
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : ipython
 Date    : August 8, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated ipython package fixes security vulnerability:

 In IPython before 1.2, the origin of websocket requests was not
 verified within the IPython notebook server. If an attacker has
 knowledge of an IPython kernel id they can run arbitrary code on
 a user's machine when the client visits a crafted malicious page
 (CVE-2014-3429).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3429
 http://advisories.mageia.org/MGASA-2014-0320.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 a526a91e9cf10d286fa4d26652fa3cf3  mbs1/x86_64/ipython-1.1.0-1.1.mbs1.noarch.rpm
 20d5402d8833de58f49de889012d29bd  mbs1/SRPMS/ipython-1.1.0-1.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

[WorldCIST'15]: Call for Workshops Proposals - Proceedings by Springer

------
WorldCIST'15 - 3rd World Conference on Information Systems and Technologies
Ponta Delgada, São Miguel, Azores *, Portugal
1st-3rd of April 2015.
http://www.aisti.eu/worldcist15/
------
* Azores is ranked as the second most beautiful archipelago in the world by National Geographic.
------------

WORKSHOP FORMAT

The Information Systems and Technologies research and industrial community is invited to submit proposals for Workshops for WorldCIST'15 – 3rd World Conference on Information Systems and Technologies, to be held at São Miguel, Azores, Portugal, 1st-3rd of April 2015.

Workshops should focus on a specific scientific subject within the scope of WorldCIST'15 that is not directly covered by the main conference areas. Each workshop will be coordinated by an Organizing Committee of at least two researchers in the field, preferably from different institutions and different countries. The organizers should create an international Program Committee for the Workshop, made up of recognized researchers in the Workshop's scientific area. Each workshop must have at least 10 submissions and 5 accepted papers in order to be held at WorldCIST'15.

[security bulletin] HPSBUX03087 SSRT101413 rev.1 - HP-UX CIFS Server (Samba), Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04396638

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04396638
Version: 1

HPSBUX03087 SSRT101413 rev.1 - HP-UX CIFS Server (Samba), Remote Denial of
Service (DoS), Execution of Arbitrary Code, Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-08-07
Last Updated: 2014-08-07

Potential Security Impact: Remote Denial of Service (DoS), execution of
arbitrary code, unauthorized access.

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX
CIFS-Server (Samba). The vulnerabilities could be exploited remotely to cause
a Denial of Service (DoS).

Beginner's error: QuickTime for Windows runs rogue program C:\Program.exe when opening associated files

Hi @ll,

the current version of QuickTime for Windows (and of course older versions
too) associates the following erroneous and vulnerable command lines with
some of the supported file types/extensions:

QuickTime.3g2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
QuickTime.3gp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
QuickTime.3gp2=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
QuickTime.3gpp=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
QuickTime.aac=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
QuickTime.ac3=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
QuickTime.adts=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
QuickTime.aif=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"
QuickTime.aifc=C:\Program Files\QuickTime\QuickTimePlayer.exe "%1"

[security bulletin] HPSBMU03086 rev.1 - HP Operations Agent running Glance, Local Elevation of Privilege

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04394554

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04394554
Version: 1

HPSBMU03086 rev.1 - HP Operations Agent running Glance, Local Elevation of
Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-08-07
Last Updated: 2014-08-07

Potential Security Impact: Local elevation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Operations
Agent running Glance. The vulnerability could be exploited locally resulting
in elevation of privilege.

References: CVE-2014-2630 (SSRT101493)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Operations Agent v11.00 and subsequent running Glance

BACKGROUND

[security bulletin] HPSBHF03084 rev.1 HP PCs with UEFI Firmware, Execution of Arbitrary Code

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04393276

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04393276
Version: 1

HPSBHF03084 rev.1 HP PCs with UEFI Firmware, Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-08-06
Last Updated: 2014-08-06

Potential Security Impact: Execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with certain HP PCs
with UEFI Firmware. The vulnerabilities could be exploited to allow execution
of arbitrary code.

Easy FTP Pro v4.2 iOS - Command Inject Vulnerabilities

Document Title:
===============
Easy FTP Pro v4.2 iOS - Command Inject Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1291


Release Date:
=============
2014-08-06


Vulnerability Laboratory ID (VL-ID):
====================================
1291


Common Vulnerability Scoring System:
====================================
5.7


Product & Service Introduction:
===============================
The Best FTP and SFTP client for iPhone and iPad! Easy FTP is an FTP (File Transfer Protocol) and SFTP client for
iPhone/iPod Touch. Easy FTP offers all the features of a desktop client. It also includes a web browser that allows you to
download files, an audio player, an mp4, avi,... video player, Dropbox, and it also helps you to access files on your remote
computer (Mac, Windows, Linux), NAS Servers, and more.

( Copy of the Homepage: https://itunes.apple.com/en/app/easy-ftp-pro/id429071149 )

[ MDVSA-2014:156 ] ocsinventory

 Mandriva Linux Security Advisory                         MDVSA-2014:156
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : ocsinventory
 Date    : August 7, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated ocsinventory packages fix security vulnerability:

 Multiple cross-site scripting (XSS) vulnerabilities in the OCS Reports
 Web Interface in OCS Inventory NG allow remote attackers to inject
 arbitrary web script or HTML via unspecified vectors (CVE-2014-4722).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4722
 http://advisories.mageia.org/MGASA-2014-0317.html

(CVE-2014-3501/2/3) Apache Cordova for Android - Multiple Vulnerabilities

Hi,

We have recently discovered a severe Cross-Application Scripting (XAS) vulnerability in Apache Cordova for Android. This vulnerability enables theft of sensitive information from Cordova-based apps both locally by malware and also remotely by using drive-by exploitation techniques.

In addition, we have also found a set of vulnerabilities which allow for data exfiltration to an arbitrary target, bypassing Cordova's whitelisting mechanism.

The CVE identifiers are:

CVE-2014-3500: Cross-Application Scripting via Android Intents
CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs
CVE-2014-3502: Data Leak to Other Applications via Android Intent URIs

We had privately reported the issues to Cordova and CVE-2014-3100 has been fixed in Cordova 3.5.1. See our whitepaper for details on how to mitigate CVE-2014-3501 and CVE-2014-3502.

More details (including a video demo of a working exploit) are available at:

1. Blog: http://securityintelligence.com/apache-cordova-phonegap-vulnerability-android-banking-apps/
2. Advisory: https://www.slideshare.net/ibmsecurity/remote-exploitation-of-the-cordova-framework/

- Roee Hay & David Kaplan    

[ MDVSA-2014:153 ] mediawiki

 Mandriva Linux Security Advisory                         MDVSA-2014:153
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : mediawiki
 Date    : August 6, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated mediawiki packages fix security vulnerabilities:

 MediaWiki before 1.23.2 is vulnerable to JSONP injection in Flash,
 XSS in mediawiki.page.image.pagination.js, and clickjacking between
 OutputPage and ParserOutput.

 This update provides MediaWiki 1.23.2, fixing these and other issues.
 _______________________________________________________________________

 References:

 http://advisories.mageia.org/MGASA-2014-0309.html

TomatoCart v1.x (latest-stable) Multiple Vulnerabilities

CVE-2014-3978 - Remote SQL Injection Vulnerability
CVE-2014-3830 - Reflected Cross Site Scripting

------------------------------------------------------------------------------
Title:
    TomatoCart v1.x (latest-stable) Remote SQL Injection Vulnerability

Background:
    TomatoCart is an open source ecommerce solution developed and maintained by
a community of 64,000+ users from 50+ countries and regions. It's distributed
under the terms of the GNU General Public License (or "GPL"), free to download
and share. The community, including project founders and other developers, are
supposed to work together on the platform of TomatoCart, contributing features,
technical support and services. The current stable package is TomatoCart
V1.1.8.6.1, while the latest development version is version 2.0 Alpha 4. This
exploit affects the "stable" tree.

Timeline:
    06 June 2014   - CVE-2014-3978 assigned
    06 June 2014   - Submitted to vendor
    25 June 2014   - Received inadequate patch from vendor
    26 June 2014   - Suggested patch sent to vendor
    17 July 2014   - Request for update from vendor, no response.
    05 August 2014 - Pull request sent on github for full patch

[ MDVSA-2014:150 ] tor

Mandriva Linux Security Advisory                         MDVSA-2014:150
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : tor
 Date    : August 6, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated tor package fixes security vulnerability:

 Tor before 0.2.4.23 maintains a circuit after an inbound RELAY_EARLY
 cell is received by a client, which makes it easier for remote
 attackers to conduct traffic-confirmation attacks by using the pattern
 of RELAY and RELAY_EARLY cells as a means of communicating information
 about hidden service names (CVE-2014-5117).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5117
 http://advisories.mageia.org/MGASA-2014-0312.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 3e0f97955d0b6c502370a236a72e24d1  mbs1/x86_64/tor-0.2.4.23-1.mbs1.x86_64.rpm
 b86c8f18399a3608b67d360ae53c8d84  mbs1/SRPMS/tor-0.2.4.23-1.mbs1.src.rpm

PhotoSync v2.2 iOS - Command Inject Web Vulnerability

Document Title:
===============
PhotoSync v2.2 iOS - Command Inject Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1290


Release Date:
=============
2014-08-05


Vulnerability Laboratory ID (VL-ID):
====================================
1290


Common Vulnerability Scoring System:
====================================
6.5


Product & Service Introduction:
===============================
It`s all about one thing – the best and easiest way to transfer, backup and share your photos & videos! PhotoSync allows you to transfer
your photos & videos between your iPhone, iPad, Mac or PC over your local Wi-Fi network. It also supports sending and receiving photos &
videos to/from popular cloud & photo services, mobile storage devices and NAS.

[ MDVSA-2014:149 ] php

Mandriva Linux Security Advisory                         MDVSA-2014:149
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : August 6, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in php:

 Use-after-free vulnerability in ext/spl/spl_array.c in the SPL
 component in PHP through 5.5.14 allows context-dependent attackers to
 cause a denial of service or possibly have unspecified other impact via
 crafted ArrayIterator usage within applications in certain web-hosting
 environments (CVE-2014-4698).

 Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL
 component in PHP through 5.5.14 allows context-dependent attackers to
 cause a denial of service or possibly have unspecified other impact
 via crafted iterator usage within applications in certain web-hosting
 environments (CVE-2014-4670).

 file before 5.19 does not properly restrict the amount of data read
 during a regex search, which allows remote attackers to cause a
 denial of service (CPU consumption) via a crafted file that triggers
 backtracking during processing of an awk rule. NOTE: this vulnerability
 exists because of an incomplete fix for CVE-2013-7345 (CVE-2014-3538).

 The updated php packages have been upgraded to the 5.5.15 version
 and patched to resolve these security flaws.

 Additionally, the jsonc extension has been upgraded to the 1.3.6
 version, and the PECL packages that depend on it have been rebuilt
 for php-5.5.15.

[security bulletin] HPSBMU03085 rev.1 - HP Application Lifecycle Management / Quality Center, Elevation of Privilege

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04394553

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04394553
Version: 1

HPSBMU03085 rev.1 - HP Application Lifecycle Management / Quality Center,
Elevation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-08-05
Last Updated: 2014-08-05

Potential Security Impact: Elevation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Application
Lifecycle Management, which is also known as HP Quality Center. The
vulnerability could be exploited to allow elevation of privilege.

PhotoSync Wifi & Bluetooth v1.0 - File Include Vulnerability

Document Title:
===============
PhotoSync Wifi & Bluetooth v1.0 - File Include Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1289


Release Date:
=============
2014-08-04


Vulnerability Laboratory ID (VL-ID):
====================================
1289


Common Vulnerability Scoring System:
====================================
6.8


Product & Service Introduction:
===============================
PhotoSync - Wifi Bluetooth lets you transfer photos from one iPhone, iPod Touch, iPad to another iPhone, iPod Touch, iPad, Mac and PC.

CVE-2014-5075 MitM Vulnerability in the Smack XMPP Library for Java

CVE-2014-5075 MitM Vulnerability in the Smack XMPP Library for Java
===================================================================

Smack <http://www.igniterealtime.org/projects/smack/> is an Open Source
XMPP (Jabber) client library for instant messaging and presence written
in Java. Smack prior to version 4.0.2 is vulnerable to TLS
Man-in-the-Middle attacks, as it fails to check if the server
certificate matches the hostname of the connection.

Affected versions
-----------------

-   Smack 4.0.0 and 4.0.1 are vulnerable.
-   Smack 2.x and 3.x are vulnerable if a custom `SSLContext` is
    supplied via `connectionConfiguration.setCustomSSLContext()`.

Details
-------

Smack is using Java's `SSLSocket`, which checks the peer certificate
using an `X509TrustManager`, but does not perform hostname verification.
Therefore, it is possible to redirect the traffic between a Smack-using
application and a legitimate XMPP server through the attacker's server,
merely by providing a valid certificate for a domain under the
attacker's control.

In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager`
implementation was used, which was supplied with the connection's server
name, and performed hostname verification. However, it failed to verify
the basicConstraints and nameConstraints of the certificate chain
(CVE-2014-0363, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363)
and has been removed in Smack 4.0.0.

Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did
not benefit from `ServerTrustManager` and are vulnerable as well, unless
their own `TrustManager` implementation explicitly performs hostname
verification.
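The endpoint check described above, as an added example that is not Smack's own code: `connectVerified` upgrades a plain socket to TLS the way an XMPP STARTTLS client does and turns on JSSE endpoint identification so the handshake itself fails on a name mismatch, while `HostCheckingTrustManager` shows what a custom `TrustManager` on Smack 2.x/3.x must add on top of chain validation. The class, method and parameter names are assumptions for illustration; it assumes a Java 7+ JSSE (where `SSLParameters.setEndpointIdentificationAlgorithm` exists).

```java
// Added example, not Smack project code. Assumes Java 7+ JSSE.
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509TrustManager;

public final class XmppEndpointIdentification {

    /** Opens a TCP connection and upgrades it to TLS as an XMPP STARTTLS client
     *  would, then fails unless the server certificate is issued for xmppDomain.
     *  For XMPP the name to check is the service domain (the part after '@' in
     *  the JID), not the SRV-resolved host the TCP socket is opened to: in the
     *  MitM case described in the advisory the attacker may control that host. */
    public static SSLSocket connectVerified(SSLContext ctx, String xmppDomain,
                                            String host, int port) throws IOException {
        Socket raw = new Socket();
        raw.connect(new InetSocketAddress(host, port), 10_000);
        // ... the XMPP stream open and <starttls/> exchange would happen on 'raw' here ...

        // Layering the SSLSocket with xmppDomain as the peer host makes JSSE
        // compare that name (not 'host') against the certificate.
        SSLSocket tls = (SSLSocket) ctx.getSocketFactory()
                .createSocket(raw, xmppDomain, port, true);

        // This is what the vulnerable configuration lacks: with no endpoint
        // identification algorithm set, X509TrustManager only checks that the
        // chain is trusted, so a valid certificate for any name is accepted.
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);

        tls.startHandshake();   // throws SSLHandshakeException on a name mismatch
        return tls;
    }

    /** Explicit name match over the certificate's dNSName SANs (GeneralName
     *  type 2) with single-label wildcard support, for code that must do the
     *  comparison itself. No fallback to the subject CN when SANs are absent. */
    public static boolean certificateMatchesDomain(X509Certificate cert, String domain)
            throws CertificateParsingException {
        String want = domain.toLowerCase(Locale.ROOT);
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) != 2) continue;            // 2 == dNSName
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(want)) return true;
            if (name.startsWith("*.")) {                          // "*.example.org"
                String suffix = name.substring(1);                // ".example.org"
                int dot = want.indexOf('.');
                // Wildcard covers exactly one label: xmpp.example.org, not a.b.example.org
                if (dot > 0 && want.substring(dot).equals(suffix)) return true;
            }
        }
        return false;
    }

    /** Wrapper for applications that supply their own TrustManager (the Smack
     *  2.x/3.x setCustomSSLContext case): the delegate validates the chain,
     *  then the leaf certificate must be issued for the expected domain. */
    public static final class HostCheckingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private final String domain;

        public HostCheckingTrustManager(X509TrustManager delegate, String domain) {
            this.delegate = delegate;
            this.domain = domain;
        }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType);   // chain validity first
            if (chain.length == 0 || !certificateMatchesDomain(chain[0], domain)) {
                throw new CertificateException("server certificate is not issued for " + domain);
            }
        }

        @Override public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }
    }
}
```

The two mechanisms are complementary: `setEndpointIdentificationAlgorithm("HTTPS")` is the one-line fix for a stock `SSLContext`, whereas a trust manager that already replaces the default chain validation has to carry the name check itself, since nothing else in the handshake will do it for it.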

Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities

# Exploit Title: Pro Chat Rooms v8.2.0 - Multiple Vulnerabilities
# Google Dork: intitle:"Powered by Pro Chat Rooms"
# Date: 5 August 2014
# Exploit Author: Mike Manzotti @ Dionach Ltd
# Vendor Homepage: http://prochatrooms.com
# Software Link: http://prochatrooms.com/software.php
# Version: v8.2.0
# Tested on: Debian (Apache+MySQL)

1) Stored XSS
=============

The Text Chat Room Software from Pro Chat Rooms is vulnerable to Stored XSS. After registering an account, an attacker can upload a profile picture containing JavaScript code as shown below:

POST: http://<WEBSITE>/prochatrooms/profiles/index.php?id=1
Content-Disposition: form-data; name="uploadedfile"; filename="nopic333.jpg"
Content-Type: image/jpeg

<script>alert(document.cookie)</script>

By inspecting the response, the web application returns a 32 digits value in the HTML tag "imgID" as shown below:

Response:
<input type="hidden" name="imgID" value="798ae9b06cd900b95ed5a60e02419d4b">

Apache Cordova 3.5.1

Android Platform Release: 04 Aug 2014

Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.

The security issues are CVE-2014-3500, CVE-2014-3501, and CVE-2014-3502.

For your convenience, the text of these CVEs is included here.

A blog post is available at http://cordova.apache.org/#news


CVE-2014-3500: Cordova cross-application scripting via Android intent URLs


Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android versions up to 3.5.0

[CVE- Requested][Vembu Storegrid - Multiple Critical Vulnerabilities]

1. Advisory Overview


Multiple vulnerabilities exist in the Vembu Storegrid Backup and Disaster
Recovery solution affecting both the client and server software (see
Additional Information section). They include but are not limited to reflected
XSS, source code/sensitive information disclosure, privilege escalation,
remote code execution, Denial of Service, and poorly implemented business
logic in the client which can be leveraged to allow an unauthenticated user to
exfiltrate full disk backups from a target machine via a rogue server. This is
a white-label product and may be labelled as something else.


2. Advisory information

- Public Release Date: 4/8/2014

- Vendor notified: Yes 30/7/2014

- CVEs: requested 1/8/2014

- Last Revised: 4/7/2014

- Researchers: Mike Antcliffe and Ed Tredgett

- Research Organisation: Logically Secure Ltd

- Research Organisation Website: http://www.logicallysecure.com

SEC Consult SA-20140805-0 :: Multiple vulnerabilities in Readsoft Invoice Processing and Process Director

SEC Consult Vulnerability Lab Security Advisory < 20140805-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Readsoft Invoice Processing / Process Director
 vulnerable version: Invoice Servicepack 5.6, Process Director 7.2
      fixed version: -
             impact: Critical
           homepage: http://www.readsoft.com
              found: 2014-02-27
                 by: J. Greil, M. Hofer, B. Kopp
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"ReadSoft has been a pioneer in P2P invoice automation since the 1990s, when
the company first brought free-form technology for invoice processing to
market. Today, ReadSoft continues to be a global leader in business document
process automation, with 2,500+ accounts payable solution applications
worldwide - more than double the total applications of all major competitors
put together."

URL: http://www.readsoft.com/about-us/who-we-are


Business recommendation:
------------------------
Vulnerabilities have been identified that are based on severe design flaws in
the application. It is highly recommended by SEC Consult not to use this
software until a thorough security review has been performed by security
professionals and all identified issues have been resolved.

[security bulletin] HPSBMU03037 rev.2 - HP Multimedia Service Environment (MSE), (HP Network Interactive Voice Response (NIVR)), Remote Disclosure of Information

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04275280
Version: 2

HPSBMU03037 rev.2 - HP Multimedia Service Environment (MSE), (HP Network
Interactive Voice Response (NIVR)), Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-05-06
Last Updated: 2014-08-04

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Multimedia
Service Environment (MSE), formerly known as HP Network Interactive Voice
Response (NIVR). This is the OpenSSL vulnerability known as "Heartbleed"
which could be exploited remotely resulting in disclosure of information.

References:
CVE-2014-0160, SSRT101551

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Multimedia Service Environment (MSE) 2.1.1
HP Network Interactive Voice Response (NIVR) 2.1.0, Reactive Patches 001,
002, 003
HP Network Interactive Voice Response (NIVR) 2.0.7, Reactive Patch 003

Only the MSE (ACM TMP) database set up with Replication using SSL is impacted
for the above versions. No other product interfaces are impacted. To
determine if replication with SSL is set up, check if the USE_SSL line is
uncommented in the file /etc/opt/OC/hpoc-nivr/nivr.properties

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2014-0160    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided updates for all impacted versions of the software. Please
obtain the software updates by contacting HP Support. The updated software
versions include:

HP Multimedia Service Environment (MSE) 2.1.2
HP Network Interactive Voice Response (NIVR) 2.1.0, Reactive Patch 004
HP Network Interactive Voice Response (NIVR) 2.0.7, Reactive Patch 004

HISTORY
Version:1 (rev.1) - 6 May 2014 Initial release
Version:2 (rev.2) - 4 August 2014 Updated resolution

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

CVE-2014-2595 - Authentication Bypass in Barracuda Web Application Firewall

Vulnerability title: Authentication Bypass in Barracuda Web Application
Firewall
CVE: CVE-2014-2595
Vendor: Barracuda
Product: Web Application Firewall
Affected version: Firmware v7.8.1.013
Fixed version: N/A
Reported by: Nick Hayes

Details:

It is possible to re-use a link which includes a non-expiring
authentication token in the query string to gain access to the interface
of the Barracuda Web Application Firewall (WAF) firmware version 7.8.1.013.

Example:

http://waf.ptest.cudasvc.com/cgi-mod/index.cgi?auth_type=Local&et=99999999996locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest

The above link opens up the Request Limit Policies on the Barracuda labs
WAF test host as the Guest user. This has been confirmed to work on
actual devices and with administrative accounts.


Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2595/

[security bulletin] HPSBMU03083 rev.1 - HP BladeSystem c-Class Virtual Connect Firmware running OpenSSL, Remote Unauthorized Access or Disclosure of Information


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04392919

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04392919
Version: 1

HPSBMU03083 rev.1 - HP BladeSystem c-Class Virtual Connect Firmware running
OpenSSL, Remote Unauthorized Access or Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-08-01
Last Updated: 2014-08-01

Potential Security Impact: Remote unauthorized access or disclosure of
information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP BladeSystem
c-Class Virtual Connect Firmware running OpenSSL. This vulnerability could be
exploited remotely resulting in unauthorized access or disclosure of
information.

References: CVE-2014-0224, SSRT101656

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP BladeSystem c-Class Virtual Connect Firmware prior to v4.30.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2014-0224    (AV:N/AC:M/Au:N/C:P/I:P/A:P)       6.8
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided an updated version of the HP BladeSystem c-Class Virtual
Connect Firmware to address this vulnerability.

HP BladeSystem c-Class Virtual Connect Firmware v4.30 is available at the
following download location:

http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetails/?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken&javax.portlet.prp_bd9b6997fbc7fc515f4cf4626f5c8d01=wsrp-navigationalState%3Didx%253D%257CswItem%253DMTX_52c1d36ae30d4630bbf60592ab%257CswEnvOID%253D2078%257CitemLocale%253D%257CswLang%253D%257Cmode%253D%257Caction%253DdriverDocument&javax.portlet.tpst=bd9b6997fbc7fc515f4cf4626f5c8d01&sp4ts.oid=3884114&ac.admitted=1406807633194.876444892.199480143

HISTORY
Version:1 (rev.1) - 1 August 2014 Initial release


Ebay Inc Magento ProStore CP #4 - Filter Validation Bypass & Persistent (Payment Information) Vulnerability

Document Title:
===============
Ebay Inc Magento ProStore CP #4 - Filter Validation Bypass & Persistent
(Payment Information) Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1265

Ebay Inc ID: EIBBP-28091

Video: http://www.vulnerability-lab.com/get_content.php?id=1276

View: https://www.youtube.com/watch?v=v8_knMYRUOQ

FreeDisk v1.01 iOS - Multiple Web Vulnerabilities

Document Title:
===============
FreeDisk v1.01 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1287


Release Date:
=============
2014-08-01


Vulnerability Laboratory ID (VL-ID):
====================================
1287


Common Vulnerability Scoring System:
====================================
7.1


Product & Service Introduction:
===============================
Transfer files between your iPhone/iPod/iPad and your computers without iTunes! Just start FreeDisk, and your iDevice is automatically
turned into a wifi hard drive. You can then connect your iDevice to your computers, and use it as a regular hard drive, and easily
transfer files. No need for third-party software, or iTunes, to finally exchange files between your iDevices and your computers!
FreeDisk can also turn your iDevice into an internet server to share your files with other smartphones (iOS, Android, Windows...) !
Last but not least, all your data are protected and can only be read when the app is running.

(Copy of the Homepage: https://itunes.apple.com/us/app/free-disk-turn-your-iphone/id896356251 )

Video WiFi Transfer 1.01 - Directory Traversal Vulnerability

Document Title:
===============
Video WiFi Transfer 1.01 - Directory Traversal Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1288


Release Date:
=============
2014-08-02


Vulnerability Laboratory ID (VL-ID):
====================================
1288


Common Vulnerability Scoring System:
====================================
6.7


Product & Service Introduction:
===============================
Using this app, you can download videos to a PC or a smartphone from your iPhone through WiFi. The video downloaded can be played back
on PC and other smart phones as well as Mac and iPhone because the app converts it into a MP4 video. It only takes a few seconds for
the conversion. You would say it is the fastest. Just run the app on the iPhone and open the web browser on your PC or Android. That is
all that you are required to do. It is quite simple. In addition to the web browser, an ftp client application is also supported to
access the videos. Do not pay money for these functions as the app provides all of them without charging.

(Copy of the Homepage: https://itunes.apple.com/de/app/video-wifi-transfer-mp4-conversion/id892132370 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a Directory Traversal vulnerability in the official Bluefinger App Video WiFi Transfer/MP4 Conversion v1.01 iOS mobile application.

[slackware-security] dhcpcd (SSA:2014-213-02)

[slackware-security]  dhcpcd (SSA:2014-213-02)

New dhcpcd packages are available for Slackware 13.1, 13.37, 14.0, 14.1,
and -current to fix a security issue.


Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/dhcpcd-6.0.5-i486-3_slack14.1.txz:  Rebuilt.
  This update fixes a security issue where a specially crafted packet
  received from a malicious DHCP server causes dhcpcd to enter an infinite
  loop causing a denial of service.
  Thanks to Tobias Stoeckmann for the bug report.
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/dhcpcd-5.2.12-i486-2_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/dhcpcd-5.2.12-x86_64-2_slack13.1.txz

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/dhcpcd-5.2.12-i486-2_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/dhcpcd-5.2.12-x86_64-2_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/dhcpcd-5.5.6-i486-2_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/dhcpcd-5.5.6-x86_64-2_slack14.0.txz

Microsoft Exchange Multiple Vulnerabilities

Exchange Multiple Internal IP Disclosures
------------------------------------------
Advisory:
http://foofus.net/?p=758
http://www.securitypentest.com/2014/08/exchange-multiple-internal-ip.html

Autodiscover Enumeration Vulnerability
------------------------------------------
Advisory:
http://foofus.net/?p=793
http://www.securitypentest.com/2014/08/autodiscover-enumeration-vulnerability.html

CAS Authentication Timing Attack
------------------------------------------
Advisory:
http://foofus.net/?p=784
http://www.securitypentest.com/2014/08/cas-authentication-timing-attack.html

POC video:
http://www.securitypentest.com/2014/08/owa-timing-attack-poc.html

Tools
------------------------------------------
http://foofus.net/?p=804

C++11 insecure by default

C++11 <regex> insecure by default
http://cxsecurity.com/issue/WLB-2014070187


--- 0 Description ---
In this article I will present the conclusions of testing the new 'objective regex' in several implementations of the standard C++ library, such as libcxx (clang) and libstdc++ (gcc). The results show weaknesses in the officially supported implementations. Huge complexity and memory exhaustion were well known in most libc regex implementations. In theory the new C++11 <regex> eliminates resource exhaustion by specifying special limits that guard against evil patterns.
In glibc the conviction was that the vendor using the regex implementation is responsible for the safe use of regcomp(). However, it is difficult to write a parser for regular expressions in client applications and other remotely exposed programs. The exception support for regex errors looks very promising. Let's look at part of the documentation for std::regex_error:

-std::regex_constants::error_type-----------------------
error_space
there was not enough memory to convert the expression into a finite state machine

error_complexity
the complexity of an attempted match exceeded a predefined level

error_stack
there was not enough memory to perform a match
-std::regex_constants::error_type-----------------------

error_complexity looks promising, but which complexity level is the best? There are many trade-offs between usability and security. From a security perspective this level should be low, to keep execution close to real time, in contrast to static code analysis, where execution time is not so important. The other constants, error_space and error_stack, are also interesting from a security point of view.
After the official release of libstdc++ <regex> in GCC 4.9.0 I decided to check this implementation. To prove that these limits do not fulfill their role, I reported the issues below
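The article's point is that the error_complexity, error_space and error_stack codes only help if the implementation actually detects the problem and throws. The following is an added example (not code from the article or from any standard library) of how a defender can wrap <regex> so that every std::regex_error is mapped to a status code and, more importantly, the pattern and input sizes are capped before the library ever sees them. The limit values kMaxPatternLen and kMaxInputLen and the MatchStatus names are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <regex>
#include <string>

// Outcome of a guarded match. The library's regex_error codes are mapped to
// plain status values so callers never see an exception escape.
enum class MatchStatus {
    Matched,
    NotMatched,
    PatternTooLong,
    InputTooLong,
    ErrComplexity,   // std::regex_constants::error_complexity
    ErrSpace,        // std::regex_constants::error_space
    ErrStack,        // std::regex_constants::error_stack
    ErrOther         // any other regex_error (e.g. a syntax error in the pattern)
};

// Hard caps applied before <regex> sees the data. These values are an
// assumption for this example, not limits defined by the standard.
constexpr std::size_t kMaxPatternLen = 256;
constexpr std::size_t kMaxInputLen = 4096;

// Compile `pattern` and run regex_match over `input`, converting every
// std::regex_error into a MatchStatus. The size checks come first because
// the exception codes only fire if the implementation detects the problem;
// bounding the sizes is the control that holds regardless of what the
// matcher does internally.
MatchStatus guarded_match(const std::string& pattern, const std::string& input) {
    if (pattern.size() > kMaxPatternLen) return MatchStatus::PatternTooLong;
    if (input.size() > kMaxInputLen) return MatchStatus::InputTooLong;
    try {
        const std::regex re(pattern, std::regex::ECMAScript);
        return std::regex_match(input, re) ? MatchStatus::Matched
                                           : MatchStatus::NotMatched;
    } catch (const std::regex_error& e) {
        switch (e.code()) {
            case std::regex_constants::error_complexity: return MatchStatus::ErrComplexity;
            case std::regex_constants::error_space:      return MatchStatus::ErrSpace;
            case std::regex_constants::error_stack:      return MatchStatus::ErrStack;
            default:                                     return MatchStatus::ErrOther;
        }
    }
}

// Human-readable label, handy for logging which limit tripped.
const char* status_name(MatchStatus s) {
    switch (s) {
        case MatchStatus::Matched:        return "matched";
        case MatchStatus::NotMatched:     return "not matched";
        case MatchStatus::PatternTooLong: return "pattern too long";
        case MatchStatus::InputTooLong:   return "input too long";
        case MatchStatus::ErrComplexity:  return "error_complexity";
        case MatchStatus::ErrSpace:       return "error_space";
        case MatchStatus::ErrStack:       return "error_stack";
        case MatchStatus::ErrOther:       return "other regex_error";
    }
    return "unknown";
}

int main() {
    // Constructed sample inputs for demonstration only.
    const struct { const char* pattern; std::string input; } samples[] = {
        {"[a-z]+@[a-z]+\\.com", "user@example.com"},   // well-formed, matches
        {"[0-9]{4}", "12a4"},                          // well-formed, no match
        {"(unclosed", "x"},                            // syntax error -> regex_error
        {"a*", std::string(kMaxInputLen + 1, 'a')},    // rejected by the size cap
    };
    for (const auto& s : samples) {
        std::printf("%-22s -> %s\n", s.pattern, status_name(guarded_match(s.pattern, s.input)));
    }
    return 0;
}
```

The order of the checks is the design choice worth noting: the try/catch documents which library-reported condition occurred, but the length caps are what bound the work the matcher can do, which is the property the exception codes alone do not guarantee.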

[security bulletin] HPSBMU03081 rev.1 - HP Enterprise Maps, Remote Information Disclosure

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04390793

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04390793
Version: 1

HPSBMU03081 rev.1 - HP Enterprise Maps, Remote Information Disclosure

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-07-31
Last Updated: 2014-07-31

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Enterprise
Maps. The vulnerability could be exploited remotely to allow disclosure of
information.

References: CVE-2014-2628, SSRT101627

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Enterprise Maps v.1

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2014-2628    (AV:N/AC:L/Au:S/C:C/I:C/A:C)        9
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided a patch for HP Enterprise Maps v.1 to resolve the
vulnerability. Please contact HP support to request the patch.

HISTORY
Version:1 (rev.1) - 31 July 2014 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

[ MDVSA-2014:148 ] dbus


 Mandriva Linux Security Advisory                         MDVSA-2014:148
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : dbus
 Date    : July 31, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated dbus packages fix security vulnerabilities:

 A flaw was reported in D-Bus's file descriptor passing feature. A
 local attacker could use this flaw to cause a service or application
 to disconnect from the bus, typically resulting in that service or
 application exiting (CVE-2014-3532).

 A flaw was reported in D-Bus's file descriptor passing feature. A local
 attacker could use this flaw to cause an invalid file descriptor to be
 forwarded to a service or application, causing it to disconnect from
 the bus, typically resulting in that service or application exiting
 (CVE-2014-3533).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3532
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3533
 http://advisories.mageia.org/MGASA-2014-0294.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 3ec7d0230c9bba5579b6970e80e30b1d  mbs1/x86_64/dbus-1.4.16-6.4.mbs1.x86_64.rpm
 0086d90124d84e60a09c70fa8e70baf3  mbs1/x86_64/dbus-doc-1.4.16-6.4.mbs1.x86_64.rpm
 d126249502ee1a3819af4e5ae9600115  mbs1/x86_64/dbus-x11-1.4.16-6.4.mbs1.x86_64.rpm
 17d4362c3888962ac3e402eacc5aac15  mbs1/x86_64/lib64dbus-1_3-1.4.16-6.4.mbs1.x86_64.rpm
 8e46f1e7c2c5d4fb2ffc4fda7bfba55b  mbs1/x86_64/lib64dbus-1-devel-1.4.16-6.4.mbs1.x86_64.rpm
 df3ab9438c830215ad2b3597921d0333  mbs1/SRPMS/dbus-1.4.16-6.4.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

Cisco Security Advisory: Cisco IOS Software and Cisco IOS XE Software EnergyWise Crafted Packet Denial of Service Vulnerability

Cisco IOS Software and Cisco IOS XE Software EnergyWise Crafted Packet Denial of Service Vulnerability

Advisory ID: cisco-sa-20140806-energywise

Revision 1.0

For Public Release 2014 August 6 16:00  UTC (GMT)
+---------------------------------------------------------------------

Summary
=======

A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device.

The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.


Cisco has released free software updates that address this vulnerability.

There are no workarounds for this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140806-energywise

[ MDVSA-2014:151 ] cups

Mandriva Linux Security Advisory                         MDVSA-2014:151
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : cups
 Date    : August 6, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated cups packages fix security vulnerability:

 In CUPS before 1.7.4, a local user with privileges of group=lp
 can write symbolic links in the rss directory and use that to gain
 '@SYSTEM' group privilege with cupsd (CVE-2014-3537).

 It was discovered that the web interface in CUPS incorrectly
 validated permissions on rss files and directory index files. A local
 attacker could possibly use this issue to bypass file permissions
 and read arbitrary files, possibly leading to a privilege escalation
 (CVE-2014-5029, CVE-2014-5030, CVE-2014-5031).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031
 http://advisories.mageia.org/MGASA-2014-0313.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 a205c1ad91e99d9b69eded0b2ef7c4a7  mbs1/x86_64/cups-1.5.4-1.6.mbs1.x86_64.rpm
 0062bb06376c6565863850f28b9c99e4  mbs1/x86_64/cups-common-1.5.4-1.6.mbs1.x86_64.rpm
 5992698b0904822789c8d24072108771  mbs1/x86_64/cups-serial-1.5.4-1.6.mbs1.x86_64.rpm
 06935b8fdb6754b0e1fe2bb26e392171  mbs1/x86_64/lib64cups2-1.5.4-1.6.mbs1.x86_64.rpm
 8c6bb4a24184ef63375a32efff9f9eb4  mbs1/x86_64/lib64cups2-devel-1.5.4-1.6.mbs1.x86_64.rpm
 fe9c1328465c6b3b24354631e92d9bd9  mbs1/x86_64/php-cups-1.5.4-1.6.mbs1.x86_64.rpm
 f9b9941ba6bbb175eec495f806999bcb  mbs1/SRPMS/cups-1.5.4-1.6.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

[ MDVSA-2014:152 ] glibc

 Mandriva Linux Security Advisory                         MDVSA-2014:152
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : glibc
 Date    : August 6, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated glibc packages fix security issues:

 Stephane Chazelas discovered a directory traversal issue in locale
 handling in glibc.  glibc accepts relative paths with .. components
 in the LC_* and LANG variables.  Together with typical OpenSSH
 configurations (with suitable AcceptEnv settings in sshd_config),
 this could conceivably be used to bypass ForceCommand restrictions
 (or restricted shells), assuming the attacker has sufficient level
 of access to a file system location on the host to create crafted
 locale definitions there (CVE-2014-0475).

 David Reid, Glyph Lefkowitz, and Alex Gaynor discovered a bug where
 posix_spawn_file_actions_addopen fails to copy the path argument
 (glibc bz #17048) which can, in conjunction with many common memory
 management techniques from an application, lead to a use after free,
 or other vulnerabilities (CVE-2014-4043).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0475
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043
 http://advisories.mageia.org/MGASA-2014-0314.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 7e4bd56ba434c72f8c9360e54f3ace30  mbs1/x86_64/glibc-2.14.1-12.7.mbs1.x86_64.rpm
 c00abe493846257a224bcd217dbda193  mbs1/x86_64/glibc-devel-2.14.1-12.7.mbs1.x86_64.rpm
 3dc3199457ef337c453eb48e757b19d7  mbs1/x86_64/glibc-doc-2.14.1-12.7.mbs1.noarch.rpm
 642eec51aea574ccb12fe1212fa50eb6  mbs1/x86_64/glibc-doc-pdf-2.14.1-12.7.mbs1.noarch.rpm
 25514e42a9b9ebdde40f5fa059dc5a3c  mbs1/x86_64/glibc-i18ndata-2.14.1-12.7.mbs1.x86_64.rpm
 3c9cdb0cd83af355302df271ae63f49d  mbs1/x86_64/glibc-profile-2.14.1-12.7.mbs1.x86_64.rpm
 ac264ef2f31ca27d97bd62afcce34af9  mbs1/x86_64/glibc-static-devel-2.14.1-12.7.mbs1.x86_64.rpm
 58f3bcd904422da59ac688292c2d9cdc  mbs1/x86_64/glibc-utils-2.14.1-12.7.mbs1.x86_64.rpm
 f499b1252ed18408eaa11149da20cc22  mbs1/x86_64/nscd-2.14.1-12.7.mbs1.x86_64.rpm
 fc23371516f3983f6c190cbbe9fa475a  mbs1/SRPMS/glibc-2.14.1-12.7.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com

[ MDVSA-2014:154 ] readline

 Mandriva Linux Security Advisory                         MDVSA-2014:154
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : readline
 Date    : August 6, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated readline packages fix security vulnerability:

 Steve Kemp discovered the _rl_tropen() function in readline insecurely
 handled a temporary file. This could allow a local attacker to perform
 symbolic link attacks (CVE-2014-2524).

 Also, upstream patches have been added to fix an infinite loop in vi
 input mode, and to fix an issue with slowness when pasting text.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2524
 http://advisories.mageia.org/MGASA-2014-0319.html
 __________________________________________________

[ MDVSA-2014:155 ] kernel

_______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:155
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : kernel
 Date    : August 7, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in the Linux
 kernel:

 Multiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c
 in the Linux kernel before 3.12 allow local users to cause a
 denial of service or possibly have unspecified other impact
 by leveraging the CAP_NET_ADMIN capability and providing a long
 station-name string, related to the (1) wvlan_uil_put_info and (2)
 wvlan_set_station_nickname functions (CVE-2013-4514).

 Use-after-free vulnerability in the skb_segment function in
 net/core/skbuff.c in the Linux kernel through 3.13.6 allows attackers
 to obtain sensitive information from kernel memory by leveraging the
 absence of a certain orphaning operation (CVE-2014-0131).

[ MDVSA-2014:147 ] sendmail

Mandriva Linux Security Advisory                         MDVSA-2014:147
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : sendmail
 Date    : July 31, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated sendmail packages fix security vulnerability:

 Sendmail before 8.14.9 does not properly close file descriptors
 before executing programs. This bug could enable local users to
 interfere with an open SMTP connection if they can execute their own
 program for mail delivery (e.g., via procmail or the prog mailer)
 (CVE-2014-3956).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3956
 http://advisories.mageia.org/MGASA-2014-0270.html

Multiple SQL Injection Vulnerabilities in web2Project

Advisory ID: HTB23213
Product: web2Project
Vendor: http://web2project.net
Vulnerable Version(s): 3.1 and probably prior
Tested Version: 3.1
Advisory Publication:  April 30, 2014  [without technical details]
Vendor Notification: April 30, 2014
Vendor Patch: May 1, 2014
Public Disclosure: June 18, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-3119
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web2Project, which can be exploited to perform SQL Injection attacks and gain complete access to the vulnerable website.


1) SQL Injection in web2Project: CVE-2014-3119


1.1 The vulnerability exists due to insufficient sanitization of the "search_string" HTTP POST parameter passed to the "/index.php" script. A remote authenticated user with privileges to access the "contacts" module can inject and execute arbitrary SQL commands in the application's database and e.g. create, alter and delete information, or gain unauthorized access to the vulnerable website.

TigerCom iFolder+ v1.2 iOS - Multiple Vulnerabilities

Document Title:
===============
TigerCom iFolder+ v1.2 iOS - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1284


Release Date:
=============
2014-07-30


Vulnerability Laboratory ID (VL-ID):
====================================
1284


Common Vulnerability Scoring System:
====================================
7.4


Product & Service Introduction:
===============================
iFolder+, Belong to yourself is a mobile application coded by TigerCom. The application allows users to communicate
and share information or files over the wifi network. The app is non-commercial and can be downloaded through the
Apple iTunes shop or App Store.

WiFi HD v7.3.0 iOS - Multiple Web Vulnerabilities

Document Title:
===============
WiFi HD v7.3.0 iOS - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1283


Release Date:
=============
2014-07-29


Vulnerability Laboratory ID (VL-ID):
====================================
1283


Common Vulnerability Scoring System:
====================================
7.4

Kunena Forum Extension for Joomla Multiple Reflected Cross-Site Scripting Vulnerabilities

Kunena forum extension for Joomla multiple reflected cross-site scripting vulnerabilities

Class:                  Input Validation Error
CVE                     N/A
Remote                  Yes
Local                   No
Published               02/07/2014

Credit                  Raymond Rizk of Dionach (vulns@dionach.com)
Vendor                  Kunena
Vulnerable              Kunena v3.0.5
Solution Status:        Fixed by Vendor

Kunena Forum is prone to multiple reflected cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and obtain sensitive information.

Kunena v3.0.5 is known to be vulnerable. Earlier versions may also be vulnerable.

To exploit this issue, an attacker must have a user account on the forum. The vulnerability affects all pages/tasks that use parameters in the form of “parameter[]”. Additionally, the file upload and profile image upload functionality are also vulnerable. This can be seen in the proof of concept example below:

POST /index.php?option=com_kunena&view=home&defaultmenu=130&Itemid=12
Content-Disposition: form-data; name="avatarfile"; filename="<iframe src=javascript:alert('XSS')>"

The vendor was informed and a new version (3.0.6) was released on 28/07/2014. The vendor recommends updating Kunena to the latest version.

Photo WiFi Transfer 1.01 - Directory Traversal Vulnerability

Document Title:
===============
Photo WiFi Transfer 1.01 - Directory Traversal Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1285


Release Date:
=============
2014-07-31


Vulnerability Laboratory ID (VL-ID):
====================================
1286


Common Vulnerability Scoring System:
====================================
6.7


Product & Service Introduction:
===============================
Using this app, you can download photos to a PC or a smartphone from your iPhone through WiFi. The app provides the easiest and
fastest way to do it. Just run the app on the iPhone and open the web browser on your PC or another smart phone. That is all
that you are required to do. It is quite simple. In addition to the web browser, an ftp client application is also supported to
access the photos. Do not pay money for these functions as the app provides all of them without charging.

[ MDVSA-2014:145 ] php-ZendFramework

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:145
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php-ZendFramework
 Date    : July 31, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in php-ZendFramework:

 The implementation of the ORDER BY SQL statement in Zend_Db_Select
 of Zend Framework 1 contains a potential SQL injection when the query
 string passed contains parentheses (CVE-2014-4914).

 The updated packages have been upgraded to the latest ZendFramework
 (1.12.7) version which is not vulnerable to this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4914
 http://framework.zend.com/security/advisory/ZF2014-04

[ MDVSA-2014:146 ] file


 Mandriva Linux Security Advisory                         MDVSA-2014:146
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : file
 Date    : July 31, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in file:

 file before 5.19 does not properly restrict the amount of data read
 during a regex search, which allows remote attackers to cause a
 denial of service (CPU consumption) via a crafted file that triggers
 backtracking during processing of an awk rule. NOTE: this vulnerability
 exists because of an incomplete fix for CVE-2013-7345 (CVE-2014-3538).

nullcon CFP is open

Dear Security Gurus,

6th year | CFP opens on 6th Aug 2014 | conference on 6th Feb 2015.

Welcome to nullcon 666! Bring out the beast in you.
http://en.wikipedia.org/wiki/666_(number)

We are happy to open the CFP. Time to tickle your gray cells and
submit your research.
Training: 4th-5th Feb 2015
Conference: 6th-7th Feb 2015

CFP 666
=======
Website - http://nullcon.net

Submit under any of the below options
Papers (40 mins - 1 hr)
Events (Sub-events, Competitions, CTF, BOFs)
Recreation (Fun events, Games, Parties, Tech Rock bands, Djs)
Tutorials (2-3hrs Workshops, hacking villages)

[SECURITY] [DSA 2997-1] reportbug security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2997-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
August 05, 2014                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : reportbug
CVE ID         : CVE-2014-0479

Jakub Wilk discovered a remote command execution flaw in reportbug, a
tool to report bugs in the Debian distribution. A man-in-the-middle
attacker could put shell metacharacters in the version number allowing
arbitrary code execution with the privileges of the user running
reportbug.

For the stable distribution (wheezy), this problem has been fixed in
version 6.4.4+deb7u1.

For the testing distribution (jessie), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 6.5.0+nmu1.

We recommend that you upgrade your reportbug packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
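The flaw class described in this advisory, shown as an added illustration that is not reportbug's own code: a version string received over the network is checked against a conservative approximation of Debian version syntax (an assumption for this example, not taken from the advisory) and then passed to a subprocess as an argument vector rather than interpolated into a shell string, so shell metacharacters are never interpreted. The command (`apt-cache show`) and package name are placeholders.

```python
import re
import subprocess
from typing import List

# Conservative approximation of Debian version syntax (assumption for this
# example): optional numeric epoch, then a version that starts with a digit and
# uses only alphanumerics and the characters . + - ~ :
DEB_VERSION_RE = re.compile(r"^(?:\d+:)?\d[A-Za-z0-9.+~:-]*$")

# Characters a POSIX shell treats specially. None of them are legal in a
# Debian version, so a string that passes the grammar above cannot change the
# shape of a command line.
SHELL_METACHARS = set(";&|<>`$(){}[]*?!\"'\\ \t\n")


def is_debian_version(version: str) -> bool:
    """True if `version` matches the conservative Debian version grammar."""
    return DEB_VERSION_RE.fullmatch(version) is not None


def has_shell_metachars(value: str) -> bool:
    """True if `value` contains anything a shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in value)


def unsafe_command_line(package: str, version: str) -> str:
    # Vulnerable pattern: network-supplied text interpolated into a string that
    # is later handed to a shell. A version such as "6.4.4; echo injected"
    # turns one command into two.
    return f"apt-cache show {package}={version}"


def safe_argv(package: str, version: str) -> List[str]:
    """Build an argument vector; refuses anything outside the version grammar."""
    if not is_debian_version(version):
        raise ValueError(f"refusing untrusted version string: {version!r}")
    return ["apt-cache", "show", f"{package}={version}"]


def run_safely(package: str, version: str) -> subprocess.CompletedProcess:
    # shell=False (the default): argv elements reach the program unchanged and
    # are never re-parsed by /bin/sh.
    return subprocess.run(
        safe_argv(package, version), capture_output=True, text=True, check=False
    )
```

The two defences are independent: the allow-list stops bad data at the boundary, and the argument vector means that even an unvalidated string could not be interpreted as shell syntax.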

[SECURITY] [DSA 2998-1] openssl security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2998-1                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
August 07, 2014                        http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3508
                 CVE-2014-3509 CVE-2014-3510 CVE-2014-3511 CVE-2014-3512
                 CVE-2014-5139

Multiple vulnerabilities have been identified in OpenSSL, a Secure
Sockets Layer toolkit, that may result in denial of service
(application crash, large memory consumption), information leak,
protocol downgrade. Additionally, a buffer overrun affecting only
applications explicitly set up for SRP has been fixed (CVE-2014-3512).

Detailed descriptions of the vulnerabilities can be found at:
https://www.openssl.org/news/secadv_20140806.txt

It's important that you upgrade the libssl1.0.0 package and not just
the openssl package.

All applications linked to openssl need to be restarted. You can use
the "checkrestart" tool from the debian-goodies package to detect
affected programs. Alternatively, you may reboot your system.

[SECURITY] [DSA 2996-1] icedove security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2996-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
August 03, 2014                        http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : icedove
CVE ID         : CVE-2014-1544 CVE-2014-1547 CVE-2014-1555 CVE-2014-1556
                 CVE-2014-1557

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail and news client: Multiple memory safety
errors and use-after-frees may lead to the execution of arbitrary code
or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 24.7.0-1~deb7u1.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[SECURITY] [DSA 2995-1] lzo2 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2995-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
August 03, 2014                        http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lzo2
CVE ID         : CVE-2014-4607
Debian Bug     : 752861

Don A. Bailey from Lab Mouse Security discovered an integer overflow
flaw in the way the lzo library decompressed certain archives compressed
with the LZO algorithm. An attacker could create a specially crafted
LZO-compressed input that, when decompressed by an application using the
lzo library, would cause that application to crash or, potentially,
execute arbitrary code.

For the stable distribution (wheezy), this problem has been fixed in
version 2.06-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 2.08-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.08-1.

We recommend that you upgrade your lzo2 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

[slackware-security] samba (SSA:2014-213-01)

New samba packages are available for Slackware 14.1 and -current to
fix a security issue.


Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/samba-4.1.11-i486-1_slack14.1.txz:  Upgraded.
  This update fixes a remote code execution attack on unauthenticated nmbd
  NetBIOS name services.  A malicious browser can send packets that may
  overwrite the heap of the target nmbd NetBIOS name services daemon.
  It may be possible to use this to generate a remote code execution
  vulnerability as the superuser (root).
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3560
  (* Security fix *)
+--------------------------+


[SECURITY] [DSA 2994-1] nss security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2994-1                   security@debian.org
http://www.debian.org/security/                          Raphael Geissert
July 31, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : nss
CVE ID         : CVE-2013-1741 CVE-2013-5606 CVE-2014-1491 CVE-2014-1492

Several vulnerabilities have been discovered in nss, the Mozilla Network
Security Service library:

CVE-2013-1741

    Runaway memset in certificate parsing on 64-bit computers leading to
    a crash by attempting to write 4Gb of nulls.

CVE-2013-5606

    Certificate validation with the verifylog mode did not return
    validation errors, but instead expected applications to determine
    the status by looking at the log.

CVE-2014-1491

    Ticket handling protection mechanisms bypass due to the lack of
    restriction of public values in Diffie-Hellman key exchanges.

CVE-2014-1492

    Incorrect IDNA domain name matching for wildcard certificates could
    allow specially-crafted invalid certificates to be considered as
    valid.

For the stable distribution (wheezy), these problems have been fixed in
version 2:3.14.5-1+deb7u1.

For the testing distribution (jessie), and the unstable distribution (sid),
these problems have been fixed in version 2:3.16-1.

We recommend that you upgrade your nss packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
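The wildcard rule behind the CVE-2014-1492 entry above, as an added illustration that is not NSS code: a hostname matcher that applies the RFC 6125 section 6.4.3 restrictions conservatively, including the one this advisory concerns, that a wildcard must never stand in for an internationalized (IDNA "xn--" A-label) label. The exact checks NSS performs are not on this page; the rule set below is an assumption about what a careful client should enforce.

```python
from typing import List


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; a trailing dot is ignored.
    return name.lower().rstrip(".").split(".")


def hostname_matches(presented: str, reference: str) -> bool:
    """Match a certificate's presented DNS name against the reference hostname.

    Rules (RFC 6125 section 6.4.3, applied conservatively):
      * without a wildcard the names must agree label by label;
      * "*" is accepted only as the whole left-most label, never embedded;
      * the wildcard label matches exactly one label, and never an empty
        label or an IDNA A-label ("xn--...");
      * at least two labels must follow the wildcard ("*.com" is rejected).
    """
    p = _labels(presented)
    r = _labels(reference)
    if any(not lbl for lbl in p) or any(not lbl for lbl in r):
        return False  # empty labels such as "a..b" are never valid
    if not any("*" in lbl for lbl in p):
        return p == r
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False  # embedded wildcard ("w*.example") or wildcard not left-most
    if len(p) < 3 or len(p) != len(r):
        return False  # too broad, or wildcard would have to span several labels
    if r[0].startswith("xn--"):
        return False  # wildcard must not cover an internationalized label
    return p[1:] == r[1:]
```

Refusing rather than guessing is the safe default here: every rejected case is one where an attacker-controlled label would decide whether the certificate is accepted.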

[SECURITY] [DSA 2993-1] tor security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2993-1                   security@debian.org
http://www.debian.org/security/                           Peter Palfrader
July 31, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2014-5117

Several issues have been discovered in Tor, a connection-based
low-latency anonymous communication system, resulting in information
leaks.

o  Relay-early cells could be used by colluding relays on the network to
   tag user circuits and so deploy traffic confirmation attacks
   [CVE-2014-5117].  The updated version emits a warning and drops the
   circuit upon receiving inbound relay-early cells, preventing this
   specific kind of attack.  Please consult the following advisory for
   more details about this issue:

     https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

o  A bug in the bounds-checking in the 32-bit curve25519-donna
   implementation could cause incorrect results on 32-bit
   implementations when certain malformed inputs were used along with a
   small class of private ntor keys.  This flaw does not currently
   appear to allow an attacker to learn private keys or impersonate a
   Tor server, but it could provide a means to distinguish 32-bit Tor
   implementations from 64-bit Tor implementations.

[SECURITY] [DSA 2992-1] linux security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2992-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
July 29, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2014-3534 CVE-2014-4667 CVE-2014-4943
Debian Bug     : 728705

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a denial of service or privilege escalation:

CVE-2014-3534

    Martin Schwidefsky of IBM discovered that the ptrace subsystem does
    not properly sanitize the psw mask value. On s390 systems, an
    unprivileged local user could use this flaw to set address space
    control bits to kernel space combination and thus gain read/write
    access to kernel memory.

CVE-2014-4667

    Gopal Reddy Kodudula of Nokia Siemens Networks discovered that the
    sctp_association_free function does not properly manage a certain
    backlog value, which allows remote attackers to cause a denial of
    service (socket outage) via a crafted SCTP packet.

[SECURITY] [DSA 2979-1] fail2ban security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-2979-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
July 17, 2014                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : fail2ban
CVE ID         : CVE-2013-7176 CVE-2013-7177

Two vulnerabilities were discovered in Fail2ban, a solution to ban hosts
that cause multiple authentication errors. When using Fail2ban to monitor
Postfix or Cyrus IMAP logs, improper input validation in log parsing
could enable a remote attacker to trigger an IP ban on arbitrary
addresses, resulting in denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 0.8.6-3wheezy3.

For the testing distribution (jessie), these problems have been fixed in
version 0.8.11-1.

For the unstable distribution (sid), these problems have been fixed in
version 0.8.11-1.

We recommend that you upgrade your fail2ban packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
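The log-parsing weakness described in the Fail2ban advisory above, as an added illustration that is not Fail2ban's own filter code: a Postfix-style reject line is constructed in which the envelope recipient, a field the remote client chooses, has been shaped to resemble a second "name[address]: 554" token. A loosely written regex binds its host group to that decoy address, while a regex pinned to the token Postfix itself writes after "RCPT from" recovers the real client. Both patterns are assumptions written for this example; the addresses are documentation ranges.

```python
import ipaddress
import re
from typing import Optional

# Constructed Postfix-style reject line (not a real log). Postfix writes the
# connecting client as "name[address]" directly after "RCPT from"; the text in
# angle brackets is the envelope recipient supplied by the remote client.
# 203.0.113.5 is the actual client; 198.51.100.9 is the decoy inside that field.
LOG_LINE = (
    "Jul 17 10:02:11 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.5]: 554 5.7.1 <x[198.51.100.9]: 554@example.org>: "
    "Recipient address rejected: Access denied; from=<a@example.net> "
    "to=<x[198.51.100.9]: 554@example.org> proto=ESMTP helo=<example.net>"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Loose filter: the greedy ".*" is free to run into remote-controlled fields,
# so the host group ends up bound to the last "[addr]: 554" on the line.
LOOSE_RE = re.compile(r"RCPT from (.*)\[(?P<host>" + IPV4 + r")\]: 554")

# Strict filter: a client name contains neither whitespace nor "[", so the host
# group is pinned to the token Postfix wrote immediately after "RCPT from".
STRICT_RE = re.compile(r"RCPT from [^\s\[]+\[(?P<host>" + IPV4 + r")\]: 554 ")


def extract_host(line: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Return the address a filter would hand to the ban action, or None."""
    m = pattern.search(line)
    if not m:
        return None
    host = m.group("host")
    try:
        ipaddress.ip_address(host)  # discard anything that is not a real address
    except ValueError:
        return None
    return host
```

The general lesson is that a ban filter must anchor its host capture to a field the logging daemon controls, never to a substring that untrusted input can imitate; the address validation at the end catches malformed captures but cannot tell a well-formed decoy from the real client.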