APPLE-SA-2017-03-27-1

Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac; Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS are now available and address the following:

Export
Available for: macOS 10.12 Sierra or later, iOS 10 or later
Impact: The contents of password-protected PDFs exported from iWork may be exposed
Description: iWork used weak 40-bit RC4 encryption for password-protected PDF exports. This issue was addressed by changing iWork export to use AES-128.
CVE-2017-2391: Philipp Eckel of ThoughtWorks

Installation note:
Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac and Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS may be obtained from the App Store.

Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
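As an added illustration of the Apple fix (this is not code from the advisory or from Apple): a small checker that reads a PDF's standard security handler dictionary and reports whether the file uses the 40-bit RC4 scheme (/V 1) that the old iWork export wrote or AES-128 (/V 4 with a /CFM /AESV2 crypt filter). The two embedded PDF fragments are constructed samples, not real iWork exports.

```python
import re

# Constructed /Encrypt dictionaries of the standard security handler, not real
# iWork exports: the first is the 40-bit RC4 form (/V 1 /R 2) the old export
# produced, the second the AES-128 form (/V 4 with a /CFM /AESV2 crypt filter).
RC4_40_PDF = (b"%PDF-1.4\n1 0 obj << /Filter /Standard /V 1 /R 2 /Length 40 "
              b"/P -3904 /O <00> /U <00> >> endobj\ntrailer << /Encrypt 1 0 R >>")
AES_128_PDF = (b"%PDF-1.6\n1 0 obj << /Filter /Standard /V 4 /R 4 /Length 128 "
               b"/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >> "
               b"/StmF /StdCF /StrF /StdCF /P -3904 /O <00> /U <00> >> endobj\n"
               b"trailer << /Encrypt 1 0 R >>")

def pdf_encryption(pdf):
    """Return (algorithm, key_bits) for the standard security handler in `pdf`,
    following the /V and /CFM rules of the PDF specification, or ('none', 0)."""
    m = re.search(rb"/Filter\s*/Standard.*?>>\s*endobj", pdf, re.S)
    if not m:
        return ("none", 0)
    enc = m.group(0)
    def num(key, default):
        found = re.search(rb"/" + key + rb"\s+(-?\d+)", enc)
        return int(found.group(1)) if found else default
    v, length = num(b"V", 0), num(b"Length", 40)   # /Length defaults to 40 bits
    if v in (1, 2):
        return ("rc4", 40 if v == 1 else length)   # /V 1 is always 40-bit RC4
    cfm = re.search(rb"/CFM\s*/(\w+)", enc)
    cfm = cfm.group(1) if cfm else b"None"
    if cfm == b"AESV2":
        return ("aes", 128)
    if cfm == b"AESV3":
        return ("aes", 256)
    return ("rc4", length) if cfm == b"V2" else ("unknown", length)

def meets_aes128_baseline(pdf):
    """True only when the file is encrypted with AES and at least a 128-bit key,
    the level the fixed iWork export uses; RC4 of any length fails."""
    alg, bits = pdf_encryption(pdf)
    return alg == "aes" and bits >= 128
```

Run it over a batch of previously exported PDFs to find files that still carry the weak scheme and need re-export.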
Cisco Security Advisory: Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability

Advisory ID: cisco-sa-20170317-cmp
Revision: 1.0
For Public Release: 2017 March 17 16:00 GMT
Last Updated: 2017 March 17 16:00 GMT
CVE ID(s): CVE-2017-3881
CVSS Score v(3): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary
=======
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors:
- The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and
- The incorrect processing of malformed CMP-specific Telnet options.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
-------------------------------------------------------------------------
Debian Security Advisory DSA-3811-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 18, 2017                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wireshark
CVE ID         : CVE-2017-5596 CVE-2017-5597 CVE-2017-6014 CVE-2017-6467 CVE-2017-6468 CVE-2017-6469 CVE-2017-6470 CVE-2017-6471 CVE-2017-6472 CVE-2017-6473 CVE-2017-6474

It was discovered that wireshark, a network protocol analyzer, contained several vulnerabilities in the dissectors for ASTERIX, DHCPv6, NetScaler, LDSS, IAX2, WSP, K12 and STANAG 4607, that could lead to various crashes, denial-of-service or execution of arbitrary code.

For the stable distribution (jessie), these problems have been fixed in version 1.12.1+g01b65bf-4+deb8u11.

For the unstable distribution (sid), these problems have been fixed in version 2.2.5+g440fd4d-2.

We recommend that you upgrade your wireshark packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
-------------------------------------------------------------------------
Debian Security Advisory DSA-3812-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 18, 2017                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ioquake3
CVE ID         : CVE-2017-6903

It was discovered that ioquake3, a modified version of the ioQuake3 game engine, performs insufficient restrictions on automatically downloaded content (pk3 files or game code), which allows malicious game servers to modify configuration settings including driver settings.

For the stable distribution (jessie), this problem has been fixed in version 1.36+u20140802+gca9eebb-2+deb8u1.

For the unstable distribution (sid), this problem has been fixed in version 1.36+u20161101+dfsg1-2.

We recommend that you upgrade your ioquake3 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
-------------------------------------------------------------------------
Debian Security Advisory DSA-3813-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 19, 2017                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : r-base
CVE ID         : CVE-2016-8714

Cory Duplantis discovered a buffer overflow in the R programming language. A malformed encoding file may lead to the execution of arbitrary code during PDF generation.

For the stable distribution (jessie), this problem has been fixed in version 3.1.1-1+deb8u1.

For the upcoming stable distribution (stretch), this problem has been fixed in version 3.3.3-1.

For the unstable distribution (sid), this problem has been fixed in version 3.3.3-1.

We recommend that you upgrade your r-base packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
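An added example serving DSA-3811, DSA-3812 and DSA-3813 above (it is not Debian's own tooling): a Python port of dpkg's version-comparison algorithm, used to check `dpkg-query` output from a host against the fixed versions the three advisories name. The sample dpkg-query output is constructed; the fixed versions are the ones stated in the advisories.

```python
# Fixed versions exactly as stated in DSA-3811, DSA-3812 and DSA-3813.
FIXED = {
    "wireshark": {"jessie": "1.12.1+g01b65bf-4+deb8u11", "sid": "2.2.5+g440fd4d-2"},
    "ioquake3": {"jessie": "1.36+u20140802+gca9eebb-2+deb8u1", "sid": "1.36+u20161101+dfsg1-2"},
    "r-base": {"jessie": "3.1.1-1+deb8u1", "stretch": "3.3.3-1", "sid": "3.3.3-1"},
}

def _order(c):
    # dpkg char weight: digit/end-of-string 0, letters by code point, '~' lowest
    # (so 1.0~rc1 < 1.0), other punctuation above letters.
    return 0 if not c or c.isdigit() else ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): compare alternating non-digit and numeric runs.
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # numeric run: leading zeros do not count
        while a[:1].isdigit() and b[:1].isdigit():
            first_diff = first_diff or ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a[:1].isdigit(): return 1   # the longer numeric run is the larger number
        if b[:1].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(a, b):
    # -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision.
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def audit(dpkg_output, suite):
    # Classify advisory packages in `dpkg-query -W -f '${Package} ${Version}\n'` output.
    status = {}
    for pkg, ver in (ln.split() for ln in dpkg_output.splitlines() if ln.strip()):
        if suite in FIXED.get(pkg, {}):
            status[pkg] = "fixed" if compare_versions(ver, FIXED[pkg][suite]) >= 0 else "vulnerable"
    return status

# Constructed dpkg-query output for a jessie host (sample data, not from the advisories).
SAMPLE = "wireshark 1.12.1+g01b65bf-4+deb8u10\nioquake3 1.36+u20140802+gca9eebb-2+deb8u1\nr-base 3.1.1-1\n"
```

On a real host, `audit(subprocess.check_output(["dpkg-query", "-W", "-f", "${Package} ${Version}\n"], text=True), "jessie")` gives the same classification for the installed packages.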