[SECURITY] [DSA 4173-1] r-cran-readxl security update
  2018-04-16 | Moritz Muehlenhoff (jmm debian org)

[security bulletin] MFSBGN03802 - Virtualization Performance Viewer (vPV) / Cloud Optimizer, Local Disclosure of Information
  2018-04-12 | cyber-psrt microfocus com
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03140487 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: KM03140487 Version: 1 MFSBGN03802 - Vir...

[security bulletin] MFSBGN03803 rev.1 - UCMDB, Installation File Access Control Privilege Escalation Vulnerability
  2018-04-12 | cyber-psrt microfocus com
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Note: the current version of the following document is available here: https://softwaresupport.hpe.com/document/-/facetsearch/document/KM03141180 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: KM03141180 Version: 1 MFSBGN03803 rev.1...

[SECURITY] [DSA 4079-2] poppler regression update
  2018-04-12 | Salvatore Bonaccorso (carnil debian org)

Call for Papers: USENIX Workshop on Offensive Technologies (WOOT '18)
  2018-04-10 | Yves Younan (wootcfp fort-knox org)
  Dear all, We are pleased to announce the Call for Papers for the 12th USENIX Workshop on Offensive Technologies! WOOT '18 will be held on August 13-14, 2018, in conjunction with USENIX Security in Baltimore, MD, USA. WOOT provides a forum for high-quality, peer-reviewed work discussing tools and...

secuvera-SA-2017-04: SQL-Injection Vulnerability in OCS Inventory NG ocsreports Web application
  2018-04-09 | Simon Bieber (sbieber secuvera de)

Defense in depth -- the Microsoft way (part 53): our MSRC doesn't know how Windows handles PATH
  2018-04-09 | Stefan Kanthak (stefan kanthak nexgo de)
  Hi @ll, on their "Security Research & Defense" blog, members of Microsoft's Security Response Center recently posted <https://blogs.technet.microsoft.com/srd/2018/04/04/triaging-a-dll-planting-vulnerability/> This blog post but clearly shows that the MSRC doesn't know how Windows handles the PATH...

secuvera-SA-2017-03: Reflected Cross-Site-Scripting Vulnerabilities in OCS Inventory NG ocsreports Web application
  2018-04-09 | Simon Bieber (sbieber secuvera de)
  Affected Products OCSInventory-ocsreports 2.4 (older releases have not been tested) References https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt (used for updates) https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/ (Release announcement of OCS...

[SECURITY] [DSA 4168-1] squirrelmail security update
  2018-04-08 | Salvatore Bonaccorso (carnil debian org)

[RT-SA-2017-014] CyberArk Password Vault Web Access Remote Code Execution
  2018-04-09 | RedTeam Pentesting GmbH (release redteam-pentesting de)
  Advisory: CyberArk Password Vault Web Access Remote Code Execution The CyberArk Password Vault Web Access application uses authentication tokens which consist of serialized .NET objects. By crafting manipulated tokens, attackers are able to gain unauthenticated remote code execution on the web serv...

[RT-SA-2017-015] CyberArk Password Vault Memory Disclosure
  2018-04-09 | RedTeam Pentesting GmbH (release redteam-pentesting de)
  Advisory: CyberArk Password Vault Memory Disclosure Data in the CyberArk Password Vault may be accessed through a proprietary network protocol. While answering to a client's logon request, the vault discloses around 50 bytes of its memory to the client. Details ======= Product: CyberArk Password...

[slackware-security] patch (SSA:2018-096-01)
  2018-04-07 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] patch (SSA:2018-096-01) New patch packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: +------------------------...

Advisory - Fisheye and Crucible - CVE-2018-5223
  2018-04-05 | Atlassian (security atlassian com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This email refers to the advisory found at https://confluence.atlassian.com/x/aS5sO and https://confluence.atlassian.com/x/Zi5sO . CVE ID: * CVE-2018-5223. Product: Fisheye and Crucible. Affected Fisheye and Crucible product versions: version <...

Advisory - Bamboo - CVE-2018-5224
  2018-04-05 | Atlassian (security atlassian com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 This email refers to the advisory found at https://confluence.atlassian.com/x/PS9sO . CVE ID: * CVE-2018-5224. Product: Bamboo. Affected Bamboo product versions: 2.7.0 <= version < 6.3.3 6.4.0 <= version < 6.4.1 Fixed Bamboo product versions:...

FreeBSD Security Advisory FreeBSD-SA-18:05.ipsec
  2018-04-04 | FreeBSD Security Advisories (security-advisories freebsd org)

FreeBSD Security Advisory FreeBSD-SA-18:04.vt
  2018-04-04 | FreeBSD Security Advisories (security-advisories freebsd org)

[SECURITY] [DSA 4165-1] ldap-account-manager security update
  2018-04-04 | Luciano Bello (luciano debian org)

[slackware-security] php (SSA:2018-090-01)
  2018-04-01 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] php (SSA:2018-090-01) New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/php...

[SECURITY] [DSA 4158-1] openssl1.0 security update
  2018-03-29 | Salvatore Bonaccorso (carnil debian org)

APPLE-SA-2018-3-29-2 watchOS 4.3
  2018-03-29 | Apple Product Security (product-security-noreply lists apple com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2018-3-29-2 watchOS 4.3 watchOS 4.3 is now available and addresses the following: CoreFoundation Available for: All Apple Watch models Impact: An application may be able to gain elevated privileges Description: A race condition was addresse...

CA20180329-01: Security Notice for CA Workload Automation AE and CA Workload Control Center
  2018-03-30 | Williams, Ken (Ken Williams ca com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CA20180329-01: Security Notice for CA Workload Automation AE and CA Workload Control Center Issued: March 29, 2018 Last Updated: March 29, 2018 CA Technologies Support is alerting customers to two potential risks with CA Workload Automation AE and...

APPLE-SA-2018-3-29-4 Xcode 9.3
  2018-03-29 | Apple Product Security (product-security-noreply lists apple com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2018-3-29-4 Xcode 9.3 Xcode 9.3 is now available and addresses the following: LLVM Available for: macOS High Sierra 10.13.2 or later Impact: Multiple issues in llvm were addressed in this update Description: Multiple issues were addressed b...

APPLE-SA-2018-3-29-7 iTunes 12.7.4 for Windows
  2018-03-29 | Apple Product Security (product-security-noreply lists apple com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2018-3-29-7 iTunes 12.7.4 for Windows iTunes 12.7.4 for Windows is now available and addresses the following: Security Available for: Windows 7 and later Impact: A malicious application may be able to elevate privileges Description: A buffe...

APPLE-SA-2018-3-29-8 iCloud for Windows 7.4
  2018-03-29 | Apple Product Security (product-security-noreply lists apple com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2018-3-29-8 iCloud for Windows 7.4 iCloud for Windows 7.4 is now available and addresses the following: Security Available for: Windows 7 and later Impact: A malicious application may be able to elevate privileges Description: A buffer over...

APPLE-SA-2018-3-29-3 tvOS 11.3
  2018-03-29 | Apple Product Security (product-security-noreply lists apple com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2018-3-29-3 tvOS 11.3 tvOS 11.3 is now available and addresses the following: CoreFoundation Available for: Apple TV 4K and Apple TV (4th generation) Impact: An application may be able to gain elevated privileges Description: A race conditi...

APPLE-SA-2018-3-29-5 macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan
  2018-03-29 | Apple Product Security (product-security-noreply lists apple com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2018-3-29-5 macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan Admin Framework Available for: macOS High Sierra 10.13.3 Impact: Passwords supplied to sysadminctl may be exposed to other local...

[slackware-security] ruby (SSA:2018-088-01)
  2018-03-29 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] ruby (SSA:2018-088-01) New ruby packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/ruby-2.2.10-i5...

APPLE-SA-2018-3-29-6 Safari 11.1
  2018-03-29 | Apple Product Security (product-security-noreply lists apple com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2018-3-29-6 Safari 11.1 Safari 11.1 is now available and addresses the following: Safari Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4 Impact: Visiting a malicious website may lead to address ba...

APPLE-SA-2018-3-29-1 iOS 11.3
  2018-03-29 | Apple Product Security (product-security-noreply lists apple com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 APPLE-SA-2018-3-29-1 iOS 11.3 iOS 11.3 is now available and addresses the following: Clock Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A person with physical access to an iOS device may be able to se...

CA20180328-01: Security Notice for CA API Developer Portal
  2018-03-29 | Kotas, Kevin J (Kevin Kotas ca com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 CA20180328-01: Security Notice for CA API Developer Portal Issued: March 28, 2018 Last Updated: March 28, 2018 CA Technologies Support is alerting customers to multiple potential risks with CA API Developer Portal. Multiple vulnerabilities exist tha...

[SECURITY] [DSA 4154-1] net-snmp security update
  2018-03-28 | Salvatore Bonaccorso (carnil debian org)

Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of Service Vulnerability
  2018-03-27 | Vulnerability Lab (research vulnerability-lab com)
  Document Title: =============== Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of Service Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2116 Video: https://www.vulnerability-lab.com/get_content.php?id=2117 MSRC ID: 43520 - CR...

Sandoba CP:Shop CMS v2016.1 - Multiple Cross Site Scripting Vulnerabilities
  2018-03-27 | Vulnerability Lab (research vulnerability-lab com)
  Document Title: =============== Sandoba CP:Shop CMS v2016.1 - Multiple Cross Site Scripting Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2122 Release Date: ============= 2018-03-02 Vulnerability Laboratory ID (VL-ID): ==========...

Weblication CMS Core & Grid v12.6.24 - Multiple Cross Site Scripting Vulnerabilities
  2018-03-27 | Vulnerability Lab (research vulnerability-lab com)
  Document Title: =============== Weblication CMS Core & Grid v12.6.24 - Multiple Cross Site Scripting Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2121 Release Date: ============= 2018-02-21 Vulnerability Laboratory ID (VL-ID): =...

AEF CMS v1.0.9 - (PM) Persistent Cross Site Scripting Vulnerability
  2018-03-27 | Vulnerability Lab (research vulnerability-lab com)
  Document Title: =============== AEF CMS v1.0.9 - (PM) Persistent Cross Site Scripting Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2123 Release Date: ============= 2018-02-18 Vulnerability Laboratory ID (VL-ID): =================...

[slackware-security] mozilla-firefox (SSA:2018-085-01)
  2018-03-27 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mozilla-firefox (SSA:2018-085-01) New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/p...

Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links
  2018-03-24 | Securify B.V. (lists securify nl)
  ------------------------------------------------------------------------ Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links ------------------------------------------------------------------------ Stephan Kaag, January 2018 ------------------...

[slackware-security] mozilla-thunderbird (SSA:2018-082-01)
  2018-03-24 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mozilla-thunderbird (SSA:2018-082-01) New mozilla-thunderbird packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ p...

[SECURITY] [DSA 4149-1] plexus-utils2 security update
  2018-03-22 | Moritz Muehlenhoff (jmm debian org)

Bomgar Remote Support Portal JavaStart Applet <= 52970 - Path Traversal
  2018-03-22 | x ksi (s3810 pjwstk edu pl)
  Hey, The Path Traversal vulnerability was found in the component of the Bomgar Remote Support Portal (RSP) [1]. The affected component is a JavaStart.jar applet that is hosted at https://TARGET/api/content/JavaStart.jar on the vulnerable RSP deployments. The JavaStart version 52970 and prior were c...

Kaseya AgentMon.exe <= 9.3.0.11 - Local Privilege Escalation
  2018-03-22 | x ksi (s3810 pjwstk edu pl)
  Hey, The Local Privilege Escalation vulnerability was found in the Kaseya Virtual System Administrator (VSA) [1] agent "AgentMon.exe". The agent is a Windows service that periodically executes various programs with "NT AUTHORITY\SYSTEM" privileges. In the Kaseya's default configuration, Window...

Secunia Research: Microsoft Windows Embedded OpenType Font Engine hdmx Table Information Disclosure Vulnerability
  2018-03-21 | Secunia Research (remove-vuln secunia com)

Advisory - Bitbucket Server - CVE-2018-5225
  2018-03-22 | Matthew Hart (mhart atlassian com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 This email refers to the advisory found at https://confluence.atlassian.com/x/3WNsO CVE ID: CVE-2018-5225 Products: Bitbucket Server Affected Bitbucket Server Versions: 4.13.0 <= version < 5.4.8 5.5.0 <= version < 5.5.8 5.6.0 <= version < 5.6.5 5...

Secunia Research: Microsoft Windows Embedded OpenType Font Engine "MTX_IS_MTX_Data()" Information Disclosure Vulnerability
  2018-03-21 | Secunia Research (remove-vuln secunia com)

Secunia Research: Microsoft Windows Embedded OpenType Font Engine Font Glyphs Handling Information Disclosure Vulnerability
  2018-03-21 | Secunia Research (remove-vuln secunia com)

CSNC-2017-026 Microsoft Intune - Preserved Keychain Entries
  2018-03-20 | Advisories (advisories compass-security com) (1 reply)
  ############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: Microsoft Intune [1] # Vendor: Microsoft # CSNC ID: CSNC-2017-026 # Sub...

Unsubscribe - Re: CSNC-2017-026 Microsoft Intune - Preserved Keychain Entries
  2018-03-20 | Gary Frank (garoo7 hotmail com)

ES2018-05 Kamailio heap overflow
  2018-03-20 | Sandro Gauci (sandro enablesecurity com) (1 reply)
  # Off-by-one heap overflow in Kamailio - Authors: - Alfred Farrugia <alfred (at) enablesecurity (dot) com> - Sandro Gauci <sandro (at) enablesecurity (dot) com> - Fixed versions: Kamailio v5.1.2, v5.0.6 and v4.4.7 - References: no CVE assigned yet - Enable Security Advisory: <https://github.com/EnableSecurity/ad...

[slackware-security] libvorbis (SSA:2018-076-01)
  2018-03-18 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] libvorbis (SSA:2018-076-01) New libvorbis packages are available for Slackware 13.37, 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ p...

[slackware-security] mozilla-firefox (SSA:2018-075-01)
  2018-03-17 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mozilla-firefox (SSA:2018-075-01) New mozilla-firefox packages are available for Slackware 14.2 and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/...

[SECURITY] [DSA 4141-1] libvorbisidec security update
  2018-03-16 | Salvatore Bonaccorso (carnil debian org)

RedCoded ISR: Abine Blur Password Manager Insecure Permissions (CVE-2018-8213)
  2018-03-16 | (RS) Tyler Schroder (redorhcs redcoded com)
  Abine Blur Password Manager Insecure Permissions Module: Blur Web Extension Announced: 2018-03-10/16 Credits: RS Tyler Schroder Affects: 7.8.242* BEFORE 7.8.2428 CVE ID: CVE-2018-7213 I. Background Abine Blur is a password management suite combined with online anonymity tools designed to help consu...

[SECURITY] [DSA 4140-1] libvorbis security update
  2018-03-16 | Salvatore Bonaccorso (carnil debian org)

[CVE-2017-1205] IBM Spectrum LSF Privilege Escalation
  2018-03-16 | john fitzpatrick mwrinfosecurity com
  ###[IBM Spectrum LSF Privilege Escalation]### * Software: IBM Spectrum LSF * Affected Versions: IBM Spectrum LSF 8.3, 9.1.1, 9.1.2, 9.1.3, 10.1, 10.1.0.1 * CVE Reference: CVE-2017-1205 * Author: John Fitzpatrick (@j0hn__f) * Severity: CVSS 9.3 * Vendor: IBM * Vendor Response: Fixes provided * Date:...

[slackware-security] curl (SSA:2018-074-01)
  2018-03-16 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] curl (SSA:2018-074-01) New curl packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/c...

Secunia Research: LibRaw Multiple Denial of Service Vulnerabilities
  2018-03-15 | Secunia Research (remove-vuln secunia com)

SEC Consult SA-20180314-0 :: Arbitrary Shortcode Execution & Local File Inclusion in WooCommerce Products Filter (PluginUs.Net)
  2018-03-14 | SEC Consult Vulnerability Lab (research sec-consult com)

FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
  2018-03-14 | FreeBSD Security Advisories (security-advisories freebsd org)

[slackware-security] mozilla-firefox (SSA:2018-072-01)
  2018-03-13 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] mozilla-firefox (SSA:2018-072-01) New mozilla-firefox packages are available for Slackware 14.2 and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/p...

[slackware-security] samba (SSA:2018-072-02)
  2018-03-13 | Slackware Security Team (security slackware com)
  -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] samba (SSA:2018-072-02) New samba packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/package...

[RT-SA-2017-012] Shopware Cart Accessible by Third-Party Websites
  2018-03-13 | RedTeam Pentesting GmbH (release redteam-pentesting de)
  Advisory: Shopware Cart Accessible by Third-Party Websites RedTeam Pentesting discovered that the shopping cart implemented by Shopware offers an insecure API. Malicious, third-party websites may abuse this API to list, add or remove products from a user's cart. Details ======= Product: Shopware...

SEC Consult SA-20180312-0 :: Multiple Critical Vulnerabilities in SecurEnvoy SecurMail
  2018-03-12 | SEC Consult Vulnerability Lab (research sec-consult com)

[SECURITY] [DSA 4134-1] util-linux security update
  2018-03-10 | Salvatore Bonaccorso (carnil debian org)

[RT-SA-2018-001] Arbitrary Redirect in Tuleap
  2018-03-08 | RedTeam Pentesting GmbH (release redteam-pentesting de)
  Advisory: Arbitrary Redirect in Tuleap RedTeam Pentesting discovered an arbitrary redirect vulnerability in the redirect mechanism of the application lifecycle management platform Tuleap. Details ======= Product: Tuleap Affected Versions: > 9.17.99.93 Fixed Versions: >= 9.17.99.93 Vulnerability...

FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec [REVISED]
  2018-03-08 | FreeBSD Security Advisories (security-advisories freebsd org)

[SECURITY] [DSA 4133-1] isc-dhcp security update
  2018-03-07 | Salvatore Bonaccorso (carnil debian org)

FreeBSD Security Advisory FreeBSD-SA-18:01.ipsec
  2018-03-07 | FreeBSD Security Advisories (security-advisories freebsd org)
WebKitGTK+ Security Advisory WSA-2018-0003
------------------------------------------------------------------------
Date reported : April 04, 2018
Advisory ID : WSA-2018-0003
Advisory URL : https://webkitgtk.org/security/WSA-2