[security bulletin] HPSBMA02596 SSRT100271 rev.1 - HP AssetCenter and HP AssetManager for AIX, HP-UX, Linux, Solaris and Windows, Remote Cross Site Scripting (XSS)
2010-10-21, security-alert hp com

Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
2010-10-21, Early Warning (seclist mindedsecurity com)
Hey, Michal thanks for the reply to defend credits :). I had some moderation issues when I tried to send some word about this. Just for sake of clarification: I sent the advisory to Oracle on 20th April 2010. Oracle acknowledged the issue in June. If Roberto sent the advisory to Oracle then Oracle [...]

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
2010-10-20, Roberto Suggi Liverani (roberto suggi security-assessment com)
Hi Michael, Let me share some background on this advisory... I came to this result when I was looking into a way of exploiting the Apache Web Server "Compatibility with older browser feature". A separate paper has been published here: http://www.security-assessment.com/files/whitepapers/Leverag [...]

Micro CMS Persistent XSS Vulnerability.
2010-10-21, SecPod Research (research secpod com)
Hi, SecPod Research Team has found a Persistent Cross-Site vulnerability in Micro CMS. Advisory details have been attached to this mail.
Regards, SecPod Research Team http://www.secpod.com
Micro CMS Persistent Cros [...]

[SecurityArchitect-009]: Microsoft Windows Mobile Double Free Vulnerability
2010-10-21, karakorsankara hotmail com
Vendor: Microsoft
Product: Windows Mobile
Vulnerability: Double Free
Tested vulnerable versions: Windows Mobile 6.1 and 6.5
Tested on: HTC Touch (WM 6.1), HTC Touch2 (WM 6.5)
CREDITS: Celil Ünüver from SecurityArchitect.Org
CONTACT: celilunuver[n0sp4m]gmail.com
Vulnerability Details and Ana [...]

[USN-998-1] Thunderbird vulnerabilities
2010-10-20, Jamie Strandboge (jamie canonical com)
Ubuntu Security Notice USN-998-1, October 20, 2010
thunderbird vulnerabilities
CVE-2010-3175, CVE-2010-3176, CVE-2010-3178, CVE-2010-3179, CVE-2010-3180, CVE-2010-3182, CVE-2010-3183 [...]

[USN-997-1] Firefox and Xulrunner vulnerabilities
2010-10-20, Jamie Strandboge (jamie canonical com)
Ubuntu Security Notice USN-997-1, October 20, 2010
firefox, firefox-3.0, firefox-3.5, xulrunner-1.9.1, xulrunner-1.9.2 vulnerabilities
CVE-2010-3175, CVE-2010-3176, CVE-2010-3177, CVE-2010-3178, CVE-2010-3179, CVE-2010-3180, CVE-20 [...]

Wiccle Web Builder CMS and iWiccle CMS Community Builder Multiple XSS Vulnerabilities
2010-10-21, SecPod Research (research secpod com)
Hi, SecPod Research Team has found a vulnerability in Wiccle Web Builder CMS and iWiccle CMS Community Builder. Advisory details have been attached to this mail.
Regards, SecPod Research Team http://www.secpod.com
Wicc [...]

[security bulletin] HPSBMA02592 SSRT100300 rev.1 - HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows Running Adobe Flash, Remote Execution of Arbitrary Code, Denial of Service (DoS), Unauthorized Modification
2010-10-21, security-alert hp com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02549485
Version: 1
HPSBMA02592 SSRT100300 rev.1 - HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows Running Adobe Flash, Remote Execution of Arbitrary Code, Denial of Service (DoS), [...]

Java Multiple Issues
2010-10-21, Early Warning (seclist mindedsecurity com)
Hi all and sorry for cross post, after several months since I contacted Oracle informing them about ten issues on Java applet security, they finally released a Java 6 update 22 which fixes several security issues. In particular the issues are the following, sorted by impact:
* Information Disc [...]

[USN-1007-1] NSS vulnerabilities
2010-10-20, Jamie Strandboge (jamie canonical com)
Ubuntu Security Notice USN-1007-1, October 20, 2010
nss vulnerabilities
CVE-2010-3170, CVE-2010-3173
A security issue affects the following Ubuntu releases: Ubuntu 8.04 [...]

Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
2010-10-20, Michal Zalewski (lcamtuf coredump cx)
> Eh, you can see where it came from though. Design bugs like this are absolutely miserable to fix (see how we'll never get rebinding out of the browser) and letting identical IPs script against each other lets an awful lot of legitimate traffic through while blocking almost all attacks.
>
> I'm not [...]

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
2010-10-20, Michal Zalewski (lcamtuf coredump cx)
> Security-Assessment.com follows responsible disclosure
> and promptly contacted Oracle after discovering
> the issue. Oracle was contacted on August 1,
> 2010.
My understanding is that Stefano Di Paola of Minded Security reported this back in April; and further, the feature was a part of reasonab [...]

[CORE-2010-0819] LibSMI smiGetNode Buffer Overflow When Long OID Is Given In Numerical Form
2010-10-20, CORE Security Technologies Advisories (advisories coresecurity com)

Re: [Full-disclosure] Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
2010-10-20, Dan Kaminsky (dan doxpara com)
Sent from my iPhone
On Oct 20, 2010, at 8:58 AM, Michal Zalewski <lcamtuf (at) coredump (dot) cx [email concealed]> wrote:
>> Security-Assessment.com follows responsible disclosure
>> and promptly contacted Oracle after discovering
>> the issue. Oracle was contacted on August 1,
>> 2010.
>
> My understanding is that Stefan [...]

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass
2010-10-20, Mike Duncan (Mike Duncan noaa gov)

Re: VSR Advisories: Linux RDS Protocol Local Privilege Escalation
2010-10-20, Dan Rosenberg (drosenberg vsecurity com)
The advisory for this vulnerability has been updated to include a suggested workaround: Preventing the RDS kernel module from loading is an effective workaround. This can be accomplished by executing the following command as root:
  echo "alias net-pf-21 off" > /etc/modprobe.d/disable-rds
In additi [...]

XSS vulnerability in sNews
2010-10-19, advisory htbridge ch
Vulnerability ID: HTB22637
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_snews.html
Product: sNews
Vendor: sNews Team ( http://www.snewscms.com/ )
Vulnerable Version: 1.7 and probably prior versions
Vendor Notification: 05 October 2010
Vulnerability Type: Stored XSS (Cross Site S [...]

XSS vulnerability in sNews
2010-10-19, advisory htbridge ch
Vulnerability ID: HTB22638
Reference: http://www.htbridge.ch/advisory/xss_vulnerability_in_snews_1.html
Product: sNews
Vendor: sNews Team ( tp://www.snewscms.com/ )
Vulnerable Version: 1.7 and probably prior versions
Vendor Notification: 05 October 2010
Vulnerability Type: XSS (Cross Site Scriptin [...]

SQL Injection in 4site CMS
2010-10-19, advisory htbridge ch
Vulnerability ID: HTB22639
Reference: http://www.htbridge.ch/advisory/sql_injection_in_4site_cms.html
Product: 4site CMS
Vendor: Method Lab ( http://www.4site.ru/ )
Vulnerable Version: 2.6 and probably prior versions
Vendor Notification: 05 October 2010
Vulnerability Type: XSS (Cross Site Scrip [...]

Path disclosure in Tribiq CMS
2010-10-19, advisory htbridge ch
Vulnerability ID: HTB22640
Reference: http://www.htbridge.ch/advisory/path_disclosure_in_tribiq_cms.html
Product: Tribiq CMS
Vendor: Tribiq ( http://tribiq.com/ )
Vulnerable Version: 5.2.5 and probably prior versions
Vendor Notification: 05 October 2010
Vulnerability Type: Path disclosure
Statu [...]

SQL injection in DeluxeBB
2010-10-19, advisory htbridge ch
Vulnerability ID: HTB22641
Reference: http://www.htbridge.ch/advisory/sql_injection_in_deluxebb.html
Product: DeluxeBB
Vendor: DeluxeBB ( http://www.deluxebb.com/ )
Vulnerable Version: 1.3 and Probably Prior Versions
Vendor Notification: 05 October 2010
Vulnerability Type: SQL Injection
Status: [...]

[SECURITY] [DSA 2121-1] New TYPO3 packages fix several vulnerabilities
2010-10-19, Florian Weimer (fw deneb enyo de)

VSR Advisories: Linux RDS Protocol Local Privilege Escalation
2010-10-19, VSR Advisories (advisories vsecurity com)

Re: Insecure SMS authorization scheme at LiqPAY micro-payments of PrivatBank (Ukraine)
2010-10-19, MustLive (mustlive websecurity com ua)
Hello Andriy and Bugtraq! It's an interesting issue in LiqPAY, which was quickly fixed by Privat Bank after your disclosure. Even if they denied to fix it (as not an issue in their opinion) at 22 March 2010, when you officially informed them, already at 27 March 2010 they fixed it, by adding site's addr [...]

The GNU C library dynamic linker expands $ORIGIN in setuid library search path
2010-10-18, Tavis Ormandy (taviso cmpxchg8b com)
The GNU C library dynamic linker expands $ORIGIN in setuid library search path
Gruezi, This is CVE-2010-3847. The dynamic linker (or dynamic loader) is responsible for the runtime linking of dynamically linked programs. [...]

[USN-1006-1] WebKit vulnerabilities
2010-10-19, Marc Deslauriers (marc deslauriers canonical com)
Ubuntu Security Notice USN-1006-1, October 19, 2010
webkit vulnerabilities
https://launchpad.net/bugs/660075
A security issue affects the following Ubuntu releases: Ubun [...]

[USN-1005-1] poppler vulnerabilities
2010-10-19, Marc Deslauriers (marc deslauriers canonical com)
Ubuntu Security Notice USN-1005-1, October 19, 2010
poppler vulnerabilities
CVE-2010-3702, CVE-2010-3703, CVE-2010-3704
A security issue affects the following Ubuntu rele [...]
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02535850
Version: 1
HPSBMA02596 SSRT100271 rev.1 - HP AssetCenter and HP AssetManager for AIX, HP-UX, Linux, Solaris and Windows , Remote Cross Site Scripting (XSS)
NOTICE: The information in th [...]