ESA-2015-081: RSA BSAFE® Micro Edition Suite, Crypto-C Micro Edition, Crypto-J, SSL-J and SSL-C Multiple Vulnerabilities
EMC Identifier: ESA-2015-081
CVE Identifier: CVE-2015-0533, CVE-2015-0534, CVE-2015-0535, CVE-2015-0536, CVE-2015-0537
Severity Rating: CVSS v2 Base Score: See below for individual scores for each CVE
Affected Products:
RSA BSAFE Micro Edition Suite (MES) all 4.1.x versions prior to 4.1.3
RSA BSAFE Micro Edition Suite (MES) all 4.0.x versions prior to 4.0.8
RSA BSAFE Crypto-C Micro Edition (Crypto-C ME) 4.1
RSA BSAFE Crypto-C Micro Edition (Crypto-C ME) all versions prior to 4.0.4
RSA BSAFE Crypto-J all versions prior to 6.2
RSA BSAFE SSL-J all versions prior to 6.2
RSA BSAFE SSL-C all versions including 2.8.9
Unaffected Products:
RSA BSAFE Micro Edition Suite (MES) 4.1.3
RSA BSAFE Micro Edition Suite (MES) 4.0.8
RSA BSAFE Crypto-C Micro Edition (Crypto-C ME) 4.0.4
RSA BSAFE Crypto-J 6.2
RSA BSAFE SSL-J 6.2
Friday, 28 August 2015
ESA-2015-094: RSA Archer® GRC Multiple Cross-Site Request Forgery Vulnerabilities
EMC Identifier: ESA-2015-094
CVE Identifier: CVE-2015-0542
Severity Rating: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Affected Products: RSA Archer GRC 5.5 SP1
Summary: RSA Archer GRC contains fixes for multiple Cross-Site Request Forgery vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.
ESA-2015-131: EMC Documentum Content Server Multiple Vulnerabilities
EMC Identifier: ESA-2015-131
CVE Identifier: CVE-2015-4531, CVE-2015-4532, CVE-2015-4533, CVE-2015-4534, CVE-2015-4535, CVE-2015-4536
Severity Rating: CVSS v2 Base Score: See below for individual scores for each CVE
Affected products:
• EMC Documentum Content Server prior to 7.0
• EMC Documentum Content Server 7.0
• EMC Documentum Content Server 7.1
• EMC Documentum Content Server 7.2
Summary: EMC Documentum Content Server contains multiple vulnerabilities that could be exploited by malicious users to compromise the Content Server in several ways.
ESA-2015-130: EMC Documentum WebTop and WebTop Clients Cross-Site Request Forgery Vulnerability
EMC Identifier: ESA-2015-130
CVE Identifier: CVE-2015-4530
Severity Rating: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Affected products:
• EMC Documentum WebTop versions 6.8 and earlier
• EMC Documentum Administrator versions 7.1 and earlier
• EMC Documentum Digital Assets Manager version 6.5 SP6 and earlier
• EMC Documentum Web Publishers version 6.5 SP7 and earlier
• EMC Documentum Task Space versions 6.7 SP2 and earlier
Summary: EMC Documentum WebTop and the WebTop-based applications listed above contain Cross-Site Request Forgery (CSRF) vulnerabilities.
Details: EMC Documentum WebTop and WebTop-based clients are affected by a CSRF vulnerability. An attacker can potentially exploit this vulnerability by tricking authenticated users of the application into clicking on links embedded within an email, web page, or another source, and performing Docbase operations with that user's privileges. The previous fix for CVE-2014-2518 was incomplete.
CVE-2015-3269 Apache Flex BlazeDS Insecure Xml Entity Expansion Vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Flex BlazeDS 4.7.0
Description: When receiving XML encoded AMF messages containing DTD entities, the
default XML parser configuration allows expanding of entities to local resources.
A request that included a specially crafted request parameter could be used to
access content that would otherwise be protected.
Mitigation: All users of Apache Flex BlazeDS prior to 4.7.1
Example: For an AMF message that contains the following XML payload:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
the entity &xxe; would be expanded to the content of the file /etc/passwd.
However, this expanded information is not automatically transferred back to
the client, but could be made available by the application.
Credit: This issue was discovered by Matthias Kaiser of Code White
References: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
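As an added illustration (not code from the Apache advisory or from BlazeDS), the following Python shows the two defender-side controls that close this class of issue at an XML-over-AMF boundary: refusing any DTD in inbound messages, and parsing with external entity resolution disabled so the SYSTEM entity from the payload above expands to nothing rather than to file contents. The sample payloads and the function names are constructed for this example.

```python
import re
from io import BytesIO
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample: the payload quoted in the advisory above, as raw bytes.
XXE_PAYLOAD = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b'<!DOCTYPE foo [\n'
    b'<!ELEMENT foo ANY >\n'
    b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>'
)
# Constructed sample: an ordinary message body that carries no DTD at all.
BENIGN_PAYLOAD = b'<?xml version="1.0"?><foo>hello</foo>'

_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def has_dtd(xml_bytes: bytes) -> bool:
    """Layer 1: ordinary AMF XML never needs a DTD, so any DOCTYPE or ENTITY
    declaration in an inbound message is refused before a parser sees it."""
    return _DTD_MARKER.search(xml_bytes) is not None


class _TextCollector(ContentHandler):
    """Gathers character data so the caller can inspect what the parser produced."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_no_external_entities(xml_bytes: bytes) -> str:
    """Layer 2: parse with external general and parameter entities disabled, so a
    SYSTEM entity such as &xxe; resolves to an empty string, not file contents."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(BytesIO(xml_bytes))
    return "".join(handler.parts)


def handle_inbound_xml(xml_bytes: bytes):
    """Both layers together: returns ('rejected', reason) or ('ok', text)."""
    if has_dtd(xml_bytes):
        return ("rejected", "DTD or entity declaration in inbound XML")
    return ("ok", parse_no_external_entities(xml_bytes))
```

Calling `parse_no_external_entities(XXE_PAYLOAD)` directly shows the second layer on its own: the document parses, but `&xxe;` contributes no text.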
[security bulletin] HPSBUX03400 SSRT102211 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS)
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04769567
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04769567
Version: 1
HPSBUX03400 SSRT102211 rev.1 - HP-UX Running BIND, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2015-08-18
Last Updated: 2015-08-18
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running
BIND. This vulnerability could be exploited remotely to create a Denial of
Service (DoS).
References:
CVE-2015-5477
CVE-2014-8500
SSRT102211
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11 running BIND 9.3.2 prior to C.9.3.2.14.0
HP-UX B.11.23 running BIND 9.3.2 prior to C.9.3.2.14.0
[SECURITY] [DSA 3339-1] openjdk-6 security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-3339-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 19, 2015                      https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : openjdk-6
CVE ID : CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621
CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808
CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733
CVE-2015-4748 CVE-2015-4749 CVE-2015-4760
Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform, resulting in the execution
of arbitrary code, breakouts of the Java sandbox, information disclosure,
denial of service or insecure cryptography.
For the oldstable distribution (wheezy), these problems have been fixed
in version 6b36-1.13.8-1~deb7u1.
We recommend that you upgrade your openjdk-6 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
[SECURITY] [DSA 3340-1] zendframework security update
-------------------------------------------------------------------------
Debian Security Advisory DSA-3340-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
August 19, 2015                      https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : zendframework
CVE ID : CVE-2015-5161
Dawid Golunski discovered that when running under PHP-FPM in a threaded
environment, Zend Framework, a PHP framework, did not properly handle
XML data in multibyte encoding. This could be used by remote attackers
to perform an XML External Entity attack via crafted XML data.
For the oldstable distribution (wheezy), this problem has been fixed
in version 1.11.13-1.1+deb7u3.
For the stable distribution (jessie), this problem has been fixed in
version 1.12.9+dfsg-2+deb8u3.
For the testing distribution (stretch), this problem has been fixed
in version 1.12.14+dfsg-1.
For the unstable distribution (sid), this problem has been fixed in
version 1.12.14+dfsg-1.
We recommend that you upgrade your zendframework packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/