Software: Moab
Affected Versions: Dependent on configuration, can affect all versions of Moab including Moab 8
CVE Reference: CVE-2014-5376
Author: John Fitzpatrick, Luke Jennings, MWR Labs (http://labs.mwrinfosecurity.com/)
Severity: High Risk
Vendor: Adaptive Computing
Vendor Response: Provided additional guidance in 7.2.9 release notes (MOAB-7480)
##[Description]
Moab provides two methods to authenticate messages sent by users (e.g. job submissions). The default scheme, which is widely used, is insecure and can be circumvented in order to impersonate other users and perform operations on their behalf.
##[Impact]
It is possible to exploit this issue remotely in order to perform any operation on the server from the perspective of any user role. Examples include submitting jobs as arbitrary users (including as root), as well as reconfiguring the Moab server itself.
Software: Moab
Affected Versions: All current versions of Moab. However, the impact is limited in Moab 7.2.9 and Moab 8.
CVE Reference: CVE-2014-5375
Author: John Fitzpatrick, Luke Jennings, MWR Labs (http://labs.mwrinfosecurity.com/)
Severity: High Risk
Vendor: Adaptive Computing
Vendor Response: Updates in Moab 7.2.9 and Moab 8 provide some mitigations
##[Description]
It is possible to submit jobs to Moab as arbitrary users due to insufficient authentication checks during the submission of a job to the Moab server.
##[Impact]
Users are able to submit jobs as arbitrary users. In environments that permit it, this could allow job execution as root.
##[Cause]
Moab does not sufficiently validate the job submissions against its intended user ID values.
Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Services library, embedded in Wheezy's Icedove) parses ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.
An attacker could craft ASN.1 data to forge RSA certificates with a valid certification chain to a trusted CA.
For the stable distribution (wheezy), this problem has been fixed in version 24.8.1esr-1~deb7u1.
For the testing distribution (jessie) and unstable distribution (sid), Icedove uses the system NSS library, handled in DSA 3033-1.
We recommend that you upgrade your icedove packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Several vulnerabilities were discovered in Libvirt, a virtualisation abstraction library. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2014-0179
Richard Jones and Daniel P. Berrange found that libvirt passes the XML_PARSE_NOENT flag when parsing XML documents using the libxml2 library, in which case all XML entities in the parsed documents are expanded. A user able to force libvirtd to parse an XML document with an entity pointing to a special file that blocks on read access could use this flaw to cause libvirtd to hang indefinitely, resulting in a denial of service on the system.
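The libvirt flaw above comes down to one parser setting: libxml2's XML_PARSE_NOENT makes the parser expand every entity, including external ones whose SYSTEM identifier names a local file, so the parser itself opens whatever the document points at. The following is an added example, not libvirt code, that shows the same switch in Python's xml.sax (its `feature_external_ges` feature plays the role XML_PARSE_NOENT plays in libxml2): a constructed document referencing a temporary file the script creates itself is parsed once with external entity expansion off (the hardened configuration and the Python default since 3.7.1) and once with it on, and the function returns what reached the application in each case. The document structure and file contents are constructed for the demonstration.

```python
"""Check whether an XML parser expands external general entities.

Added example (not libvirt's code). libvirt's bug was passing libxml2's
XML_PARSE_NOENT, which expands every entity in the parsed document,
including entities whose SYSTEM identifier names a local file. Python's
xml.sax exposes the same switch as ``feature_external_ges``; this script
parses one constructed document with the feature off and on and returns
the text the application received in each case, so a practitioner can
confirm which behaviour their parser configuration actually has.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see whether the entity was expanded."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_with_entity_setting(xml_bytes, expand_external):
    """Parse xml_bytes and return the text content the application received.

    expand_external=True mirrors libvirt's XML_PARSE_NOENT behaviour;
    False is the hardened configuration (Python's default since 3.7.1).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, expand_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.text).strip()


def build_document(path):
    """Constructed sample: the only content is an external entity that names
    a local file by absolute path (the element names are illustrative)."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE domain [\n'
        '  <!ENTITY ext SYSTEM "%s">\n'
        ']>\n'
        '<domain><name>&ext;</name></domain>\n' % path
    ).encode()


def demo():
    """Return (hardened_result, expanded_result) for a constructed temp file."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("contents-of-local-file")  # constructed file content
        path = fh.name
    try:
        doc = build_document(path)
        hardened = parse_with_entity_setting(doc, expand_external=False)
        expanded = parse_with_entity_setting(doc, expand_external=True)
    finally:
        os.unlink(path)
    return hardened, expanded


if __name__ == "__main__":
    hardened_text, expanded_text = demo()
    print("external entities off:", repr(hardened_text))
    print("external entities on :", repr(expanded_text))
```

With the feature off, the entity reference is simply skipped and the application sees an empty name; with it on, the parser opens the referenced path and the file's contents appear as element text. That second behaviour is why a document naming a file that blocks on read hangs the parsing process, which is the denial of service described for libvirtd; the mitigation is the first configuration, leaving external entity expansion disabled unless the application genuinely needs it.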
New mozilla-firefox packages are available for Slackware 14.1 and -current to fix security issues.
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-24.8.1esr-i486-1_slack14.1.txz: Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
  (* Security fix *)
+--------------------------+
Where to find the new packages:
+-----------------------------+
Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-)
Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.
Software: Moab
Affected Versions: All versions prior to Moab 7.2.9 and Moab 8
CVE Reference: CVE-2014-5300
Author: John Fitzpatrick, MWR Labs (http://labs.mwrinfosecurity.com/)
Severity: High Risk
Vendor: Adaptive Computing
Vendor Response: Resolved in Moab 7.2.9 and Moab 8
##[Description]
It is possible to bypass authentication within Moab in order to impersonate and run commands/operations as arbitrary users. The issue is believed to affect all versions of Moab prior to versions 7.2.9 and Moab 8.
##[Impact]
Successful exploitation could lead to remote code execution.