Security Alerts

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[ MDVSA-2012:013 ] mozilla

Fri, 02/03/2012 - 18:07

Posted by security on Feb 03

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:013
http://www.mandriva.com/security/
_______________________________________________________________________

Package : mozilla
Date : February 3, 2012
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________

Problem Description:...
Categories: Security

ESA-2012-010: EMC Documentum xPlore information disclosure vulnerability

Fri, 02/03/2012 - 12:41

Posted by Security_Alert on Feb 03

ESA-2012-010: EMC Documentum xPlore information disclosure vulnerability.

EMC Identifier: ESA-2012-010
EMC Identifier: SRCH-7949

CVE Identifier: CVE-2012-0396

Severity Rating: CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected products:
EMC SW: EMC Documentum xPlore 1.0 (all patch versions)
EMC SW: EMC Documentum xPlore 1.1 (all patch versions prior to 1.1 P07)
EMC SW: EMC Documentum xPlore 1.2 (all patch versions)...

RFC 6528 on Defending against Sequence Number Attacks

Fri, 02/03/2012 - 12:26

Posted by Fernando Gont on Feb 03

Folks,

FYI. (the RFC is available at: <http://www.rfc-editor.org/rfc/rfc6528.txt>)

A new Request for Comments is now available in online RFC libraries.

RFC 6528

Title: Defending against Sequence Number Attacks
Author: F. Gont, S. Bellovin
Status: Standards Track
Stream: IETF
Date: February 2012
Pages: 12
Characters: 26917
Obsoletes:...
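As an added illustration, not part of Fernando Gont's post or of the RFC text: a small Python model of the RFC 6528 ISN generator, ISN = M + F(localip, localport, remoteip, remoteport, secretkey), placed next to the older RFC 793 clock-only scheme it replaces. It shows why an ISN observed on the attacker's own connection predicts a victim's ISN under the old scheme but not under the new one, while ISNs for one 4-tuple still advance with the clock. The addresses, ports, timestamp and secret key are constructed for the example; using MD5 as F follows the RFC's suggestion, but the byte layout and truncation are this example's own choices.

```python
import hashlib
import struct
from ipaddress import ip_address

ISN_MASK = 0xFFFFFFFF

# Constructed secret for the example. A real stack generates this at boot
# (RFC 6528 wants it unpredictable and never revealed) and may rekey it later.
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def clock_m(now_us):
    """M: the RFC 793 clock, a 32-bit counter ticking every 4 microseconds."""
    return (now_us // 4) & ISN_MASK


def rfc793_isn(now_us):
    """Classic RFC 793 scheme: ISN = M, the same clock for every connection."""
    return clock_m(now_us)


def predict_rfc793(observed_isn, elapsed_us):
    """Attack on RFC 793: an ISN seen on one connection (e.g. the attacker's own)
    predicts the ISN of any other connection opened elapsed_us later."""
    return (observed_isn + elapsed_us // 4) & ISN_MASK


def isn_offset(local_ip, local_port, remote_ip, remote_port, key=SECRET_KEY):
    """F(localip, localport, remoteip, remoteport, secretkey): a keyed PRF over the
    connection 4-tuple. RFC 6528 suggests MD5 as F; this example keeps its first 32 bits."""
    data = (
        ip_address(local_ip).packed
        + struct.pack("!H", local_port)
        + ip_address(remote_ip).packed
        + struct.pack("!H", remote_port)
        + key
    )
    return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]


def rfc6528_isn(local_ip, local_port, remote_ip, remote_port, now_us, key=SECRET_KEY):
    """RFC 6528: ISN = M + F(localip, localport, remoteip, remoteport, secretkey)."""
    offset = isn_offset(local_ip, local_port, remote_ip, remote_port, key)
    return (clock_m(now_us) + offset) & ISN_MASK


def demo():
    t0 = 1_000_000_000  # constructed timestamp, in microseconds
    victim = ("192.0.2.10", 80)        # server whose ISNs the attacker wants
    attacker = ("198.51.100.7", 40000)  # attacker's own probe connection
    client = ("203.0.113.5", 51515)     # legitimate client to be spoofed

    # RFC 793: the attacker connects, reads the ISN, then predicts the client's ISN
    # for a connection opened 4000 us (1000 clock ticks) later.
    seen = rfc793_isn(t0)
    real_later = rfc793_isn(t0 + 4000)
    rfc793_predicted = predict_rfc793(seen, 4000) == real_later  # True

    # RFC 6528: the same trick fails, because F differs per 4-tuple and the
    # attacker does not know the secret key needed to compute the client's offset.
    seen = rfc6528_isn(victim[0], victim[1], attacker[0], attacker[1], t0)
    real_later = rfc6528_isn(victim[0], victim[1], client[0], client[1], t0 + 4000)
    rfc6528_predicted = predict_rfc793(seen, 4000) == real_later  # False

    # Within one 4-tuple the ISN still advances with the clock, so a reconnect to
    # the same peer keeps the RFC 793 protection against old duplicate segments.
    a = rfc6528_isn(victim[0], victim[1], client[0], client[1], t0)
    b = rfc6528_isn(victim[0], victim[1], client[0], client[1], t0 + 4000)
    monotonic_delta = (b - a) & ISN_MASK  # 1000 ticks

    return rfc793_predicted, rfc6528_predicted, monotonic_delta


if __name__ == "__main__":
    print(demo())
```

The per-4-tuple offset is what an off-path attacker cannot obtain: observing ISNs on connections they own tells them M, but not F for a tuple they are not part of. Because M is still added, the ISN space for one peer pair advances exactly as under RFC 793, which is the property the RFC preserves for reliability.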

[SECURITY] [DSA 2403-1] php5 security update

Fri, 02/03/2012 - 12:16

Posted by Thijs Kinkhorst on Feb 03

-------------------------------------------------------------------------
Debian Security Advisory DSA-2403-1 security () debian org
http://www.debian.org/security/ Thijs Kinkhorst
February 02, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : php5
Vulnerability : code injection
Problem type :...

[SECURITY] [DSA 2402-1] iceape security update

Fri, 02/03/2012 - 12:06

Posted by Moritz Muehlenhoff on Feb 03

-------------------------------------------------------------------------
Debian Security Advisory DSA-2402-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
February 02, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : iceape
Vulnerability : several
Problem type : remote...

[SECURITY] [DSA 2400-1] iceweasel security update

Fri, 02/03/2012 - 11:55

Posted by Moritz Muehlenhoff on Feb 03

-------------------------------------------------------------------------
Debian Security Advisory DSA-2400-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
February 02, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : iceweasel
Vulnerability : several
Problem type : remote...

[SECURITY] [DSA 2401-1] tomcat6 security update

Fri, 02/03/2012 - 11:44

Posted by Moritz Muehlenhoff on Feb 03

-------------------------------------------------------------------------
Debian Security Advisory DSA-2401-1 security () debian org
http://www.debian.org/security/ Moritz Muehlenhoff
February 02, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tomcat6
Vulnerability : several
Problem type : remote...

[security bulletin] HPSBGN02740 SSRT100741 rev.1 - HP Operations Manager, Operations Agent, Performance Agent, Service Health Reporter, Service Health Optimizer, Performance Manager, Remote Execution of Arbitrary Code

Fri, 02/03/2012 - 10:59

Posted by security-alert on Feb 03

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03179825
Version: 1

HPSBGN02740 SSRT100741 rev.1 - HP Operations Manager, Operations Agent, Performance Agent, Service Health Reporter,
Service Health Optimizer, Performance Manager, Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-02-02
Last Updated: 2012-02-02

Potential Security Impact:...

GLSA (Gentoo Linux Security Advisory) publication changes

Thu, 02/02/2012 - 15:03

Posted by Alex Legler on Feb 02

Like other Linux distribution vendors, Gentoo is currently CC'ing advisories
to the full-disclosure and bugtraq mailing lists.
Starting today, we will *no longer* be publishing our advisories to
full-disclosure or bugtraq.
We are following our colleagues at Ubuntu with this decision.

Users who want to receive advisories via email in the future should subscribe
to the gentoo-announce mailing list, as described here:...

[security bulletin] HPSBMU02739 SSRT100280 rev.1 - HP Data Protector Media Operations, Remote Execution of Arbitrary Code

Thu, 02/02/2012 - 14:52

Posted by security-alert on Feb 02

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03179046
Version: 1

HPSBMU02739 SSRT100280 rev.1 - HP Data Protector Media Operations, Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2012-02-01
Last Updated: 2012-02-01

------------------------------------------------------------------------------

Potential Security Impact: Remote execution...

[CAL-2012-0004] opera array integer overflow

Thu, 02/02/2012 - 14:38

Posted by Code Audit Labs on Feb 02

CAL-2012-0004 opera array integer overflow

1 Affected Products
=================
11.60 and prior

2 Vulnerability Details
=====================

Code Audit Labs http://www.vulnhunt.com has discovered an integer
overflow vulnerability in array functions like
Int32Array, Int16Array, ... .

The Opera vendor says "We have reproduced the problem, and determined that it
does not have any security implications, since the crash is caused by
a memory...

Fwd: RA-Guard: Advice on the implementation (feedback requested)

Thu, 02/02/2012 - 14:28

Posted by Fernando Gont on Feb 02

Folks,

We have talked about this one quite a few times (including
<http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html>).
-- still, most implementations remain broken.

If you care to get this fixed, please provide feedback about this I-D on
the IETF *v6ops* mailing-list <v6ops () ietf org>, and CC me if possible.

Thanks!

Best regards,
Fernando

-------- Original Message --------
Subject: RA-Guard: Advice...

Call For Papers

Thu, 02/02/2012 - 14:17

Posted by asemailing on Feb 02

CALL FOR PAPERS

2012 ASE/IEEE International Conference on Privacy, Security, Risk, and Trust
Amsterdam, The Netherlands, September 3-6, 2012
WebSite: http://www.asesite.org/conferences/PASSAT/2012/
Workshop Proposal Submission Deadline: March 1, 2012
Paper Submission Deadline: May 11, 2012

================================================================
2012 ASE/IEEE International Conference on Cyber Security
Washington D.C., USA, October 5-7,...

APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001

Thu, 02/02/2012 - 14:06

Posted by Apple Product Security on Feb 02

APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001

OS X Lion v10.7.3 and Security Update 2012-001 is now available and
addresses the following:

Address Book
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: An attacker in a privileged network position may intercept
CardDAV data
Description: Address Book supports Secure Sockets Layer (SSL) for
accessing CardDAV. A downgrade issue caused...

[ MDVSA-2012:012 ] apache

Thu, 02/02/2012 - 13:55

Posted by security on Feb 02

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:012
http://www.mandriva.com/security/
_______________________________________________________________________

Package : apache
Date : February 2, 2012
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________

Problem Description:...

XSS phpLDAPadmin: 1.2.0.5 (Debian package) and 1.2.2 (sourceforge)

Wed, 02/01/2012 - 14:04

Posted by andsarmiento on Feb 01

Attached is some PoC analysis related to an XSS vulnerability in phpLDAPadmin. I previously coordinated with the Cert-US
so that they could contact Sourceforge and Debian, but received a reply that they were unable to get in contact with them.

The first discovery was on January 10 for version 1.1.6, after which I noticed that the same vulnerability had been
discovered previously. For that reason I later tested version 1.2.2 (sourceforge) and 1.2.0.5 (Debian package)....

ESA-2012-009: EMC Documentum Content Server privilege elevation vulnerability

Wed, 02/01/2012 - 13:54

Posted by Security_Alert on Feb 01

ESA-2012-009: EMC Documentum Content Server privilege elevation vulnerability.

EMC Identifier: ESA-2012-009
EMC Identifier: CS-16072
EMC Identifier: CS-16073

CVE Identifier: CVE-2011-4144

Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)

Affected products:
EMC Documentum Content Server 6.0
EMC Documentum Content Server 6.5
EMC Documentum Content Server 6.6

Vulnerability Summary:
EMC Documentum Content Server...

Multiple vulnerabilities in OpenEMR

Wed, 02/01/2012 - 13:43

Posted by advisory on Feb 01

Advisory ID: HTB23069
Product: OpenEMR
Vendor: OEMR
Vulnerable Version: 4.1.0 and probably prior
Tested Version: 4.1.0
Vendor Notification: 11 January 2012
Vendor Patch: 29 January 2012
Public Disclosure: 01 February 2012
Vulnerability Type: Local File Inclusion, Arbitrary Command Execution
Solution Status: Fixed by Vendor
Risk Level: High
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )...

Security advisory for Bugzilla 4.2rc2, 4.0.4, 3.6.8 and 3.4.14

Wed, 02/01/2012 - 13:32

Posted by LpSolit on Feb 01

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of
software projects. The following security issues have been discovered
in Bugzilla:

* When a user creates a new account, Bugzilla doesn't correctly
reject email addresses containing non-ASCII characters, which
could be used to impersonate another user account.

* A CSRF vulnerability in the implementation of the JSON-RPC API
could be used to make...
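As an added illustration, not code from the Bugzilla advisory or from the Bugzilla project itself: a Python check showing how a Unicode-aware email validator accepts an address that differs from an existing account only by a non-ASCII look-alike character, and how an ASCII-only validator rejects it. The two regular expressions, the account-creation helper and the sample addresses are constructed for the example.

```python
import re
import unicodedata

# Permissive pattern: in Python 3, \w matches letters from any script, so an
# address with a look-alike Cyrillic letter passes. (Constructed stand-in for a
# validator that does not restrict the character set.)
NAIVE_EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

# Conservative pattern: refuse anything outside ASCII in either part.
STRICT_EMAIL_RE = re.compile(r"^[A-Za-z0-9.+_-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def naive_accepts(addr):
    return NAIVE_EMAIL_RE.match(addr) is not None


def strict_accepts(addr):
    # str.isascii() is a cheap first gate; the regex then enforces the shape.
    return addr.isascii() and STRICT_EMAIL_RE.match(addr) is not None


def non_ascii_chars(addr):
    """(position, char, Unicode name) for every non-ASCII code point; useful
    for a log line explaining why an address was refused."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(addr) if ord(ch) > 0x7F]


def register(existing_accounts, addr, validator):
    """Constructed account-creation check: True if addr would be accepted as a
    new, distinct login next to the accounts already present."""
    if not validator(addr):
        return False
    return addr not in existing_accounts


EXISTING = {"admin@example.com"}        # constructed existing account
REAL = "admin@example.com"
SPOOF = "\u0430dmin@example.com"        # leading CYRILLIC SMALL LETTER A, renders like 'a'


def demo():
    return {
        # Same length, visually identical in most fonts, but a different string,
        # so a uniqueness check on the raw string does not stop it.
        "spoof_renders_like_real": SPOOF != REAL and len(SPOOF) == len(REAL),
        "naive_lets_spoof_register": register(EXISTING, SPOOF, naive_accepts),
        "strict_blocks_spoof": not register(EXISTING, SPOOF, strict_accepts),
        "strict_keeps_real_ascii": strict_accepts("new.user+bz@example.org"),
        "offending": non_ascii_chars(SPOOF),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point is that a uniqueness check on the raw string is not enough once the validator admits non-ASCII letters: the look-alike address is distinct to the database but indistinguishable to a human reading a comment or a CC list. Rejecting non-ASCII outright is the simplest fix; anything more permissive needs a confusable-character policy, which is beyond what this example covers.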

802.1X password exploit on many HTC Android devices

Wed, 02/01/2012 - 13:21

Posted by Bret Jordan on Feb 01

February 1, 2012

--------------------------------------------------------------------------------
Subject
--------------------------------------------------------------------------------
802.1X password exploit on many HTC Android devices

--------------------------------------------------------------------------------
Abstract
--------------------------------------------------------------------------------
There is an issue in certain HTC...