Red Hat Security Advisory 2018-2927-01 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include cross site scripting, denial of service, deserialization, information leakage, and remote SQL injection vulnerabilities.
28fc612d55914841a03c100791e1a5e510f200a646c0e0c2cab3742c7ef9004f
Red Hat Security Advisory 2018-2669-01 - Red Hat Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. This release of Red Hat Fuse 7.1 serves as a replacement for Red Hat Fuse 7.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution, cross site scripting, denial of service, path sanitization, and traversal vulnerabilities.
7b3635d1483cb247ae4e0a03ee8632f66f34f0c49a1302091a6f17cc60f5582a
Ubuntu Security Notice 3727-1 - It was discovered that Bouncy Castle incorrectly handled certain crypto algorithms. A remote attacker could possibly use these issues to obtain sensitive information, including private keys.
60e0e0a68a7a347593dfe99c12b72c05729ca8bcf40633b9aafc691863bb7acd
Ubuntu Security Notice 3585-1 - It was discovered that Twisted incorrectly handled certain HTTP requests. An attacker could possibly use this issue to execute arbitrary code.
6c609a9e2691d6eed8bc3f861c4ee967dd833b66728ff40a58ff763217a9250a
dotCMS versions prior to 4.1.1 suffer from remote SQL injection vulnerabilities.
2ef6211acd43254ff086ea4b5c0fc2e1e58d4c393813f4848d7027c88d8aaacd
Red Hat Security Advisory 2018-0273-01 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Multiple security issues have been addressed.
9b3ce16b4c52c0bc85663b6b2ca0f002b0a87d09953b621ce5c5048fe664f72a
Ubuntu Security Notice 3538-1 - Jann Horn discovered that OpenSSH incorrectly loaded PKCS#11 modules from untrusted directories. A remote attacker could possibly use this issue to execute arbitrary PKCS#11 modules. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Jann Horn discovered that OpenSSH incorrectly handled permissions on Unix-domain sockets when privilege separation is disabled. A local attacker could possibly use this issue to gain privileges. This issue only affected Ubuntu 16.04 LTS. Various other issues were also addressed.
964c48c0439d989a11cbdd7601e6770b0c099bed3a91031d5cd9afb0716a4b35
Red Hat Security Advisory 2017-2912-01 - Tough-Cookie is a Node.js module that offers RFC6265 Cookies and Cookie Jar. The following packages have been upgraded to a later upstream version: rh-nodejs4-nodejs-tough-cookie. Security Fix: Regular expression denial of service flaws were found in Tough-Cookie. An attacker able to make an application using Tough-Cookie parse a sufficiently large HTTP request Cookie header could cause the application to consume an excessive amount of CPU.
15d05375027e414524dfcc71c88c277757bdd2644e884d5051db86ec3f021974
Red Hat Security Advisory 2017-2029-01 - OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. The following packages have been upgraded to a later upstream version: openssh. Security Fix: A covert timing channel flaw was found in the way OpenSSH handled authentication of non-existent users. A remote unauthenticated attacker could possibly use this flaw to determine valid user names by measuring the timing of server responses.
d968f1977aa418a410f4eb0347eb315fb89ecda3c383e34f02b7ceef8867f98a
Red Hat Security Advisory 2017-0868-01 - Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files. Multiple security issues have been addressed.
b44baec06b4aa30482485d1d8aad1f8dcd12a8a67d5b08f4763ee3b328caa8b9
Apple Security Advisory 2017-03-27-3 - macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite are now available and address multiple vulnerabilities.
54a3d5f1eafce35231db5001f3683c3b0fd1ddc198a138e24dfe71082667f5b2
Ubuntu Security Notice 3192-1 - Saulius Lapinskas discovered that Squid incorrectly handled processing HTTP conditional requests. A remote attacker could possibly use this issue to obtain sensitive information related to other clients' browsing sessions. Felix Hassert discovered that Squid incorrectly handled certain HTTP Request headers when using the Collapsed Forwarding feature. A remote attacker could possibly use this issue to obtain sensitive information related to other clients' browsing sessions. This issue only applied to Ubuntu 16.04 LTS and Ubuntu 16.10. Various other issues were also addressed.
ecc79a8400c481bb6a4ba233b597c5ac2df390712e0587e5c7d78454b95f39f8
Red Hat Security Advisory 2017-0183-01 - The squid34 packages provide version 3.4 of Squid, a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: It was found that squid did not properly remove connection specific headers when answering conditional requests using a cached request. A remote attacker could send a specially crafted request to an HTTP server via the squid proxy and steal private data from other connections.
81ac7d06a59f0b25477bb41bcc1ad6a82d5559631aad25a4bfac59beb1b49ab8
Red Hat Security Advisory 2017-0182-01 - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. Security Fix: It was found that squid did not properly remove connection specific headers when answering conditional requests using a cached request. A remote attacker could send a specially crafted request to an HTTP server via the squid proxy and steal private data from other connections.
7a6354e81530268f91cd7e92e13667bfaaa9c5f40c09d70361ca4ffd11b76dd7
Gentoo Linux Security Advisory 201701-38 - Multiple vulnerabilities have been found in Pidgin, the worst of which could lead to execution of arbitrary code. Versions less than 2.11.0 are affected.
8a00adaf28744a0f8b85c6aa185e2e04baef9410c1941237381a020576a41e77
FreeBSD Security Advisory - The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across a forwarded agent-socket. When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. A remote attacker who has control of a forwarded agent-socket on a remote system and has the ability to write files on the system running the ssh-agent(1) agent can run arbitrary code under the same user credential. Because the attacker must already have some control on both systems, it is relatively hard to exploit this vulnerability in a practical attack. When privilege separation is disabled (on FreeBSD, privilege separation is enabled by default and has to be explicitly disabled), an authenticated attacker can potentially gain root privileges on systems running OpenSSH server.
4133c1c854c216326a44e20a387db0ea0e155db8534256aeaf099421a5c4ce6e
Slackware Security Advisory - New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
08ef340d91b270b8a32c5ac63fe7a91ea30387ba285683f09907414b82c6ca39
The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSH_AGENTC_ADD_SMARTCARD_KEY and SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if OpenSSH was compiled with the ENABLE_PKCS11 flag (normally enabled) and the agent isn't locked. For these commands, the client has to specify a provider name. The agent passes this provider name to a subprocess (via ssh-agent.c:process_add_smartcard_key -> ssh-pkcs11-client.c:pkcs11_add_provider -> ssh-pkcs11-client.c:send_msg), and the subprocess receives it and passes it to dlopen() (via ssh-pkcs11-helper.c:process -> ssh-pkcs11-helper.c:process_add -> ssh-pkcs11.c:pkcs11_add_provider -> dlopen). No checks are performed on the provider name, apart from testing whether that provider is already loaded. This means that, if a user connects to a malicious SSH server with agent forwarding enabled and the malicious server has the ability to place a file with attacker-controlled contents in the victim's filesystem, the SSH server can execute code on the user's machine.
10d0d2808ffc63e1409341e7f4cd4e55ad32bf60b055a0cd27d7b6b8a3fa45ab
SAP Solman versions 7.1 through 7.31 suffer from an information disclosure vulnerability.
dea88ed2dc6890d3807c60232c4e9445c0386d1bcd4e0b05e177b4ee284efcce
Joomla DT Register component versions prior to 3.1.12 in Joomla 3.x and version 2.8.18 in Joomla 2.5 suffer from a remote SQL injection vulnerability.
2401db98d6efacc01bb96cbf2070c6ba9ba40606cc319b660982157d64981c63
Ubuntu Security Notice 3134-1 - It was discovered that the smtplib library in Python did not return an error when StartTLS fails. A remote attacker could possibly use this to expose sensitive information. Various other issues were also addressed.
f4acba05d29f61abc115563263a86c66eefab809d6312eba26bddf0ab4433cc7
Red Hat Security Advisory 2016-2101-01 - Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service solution designed for on-premise or private cloud deployments. Security Fix: A regular expression denial of service flaw was found in Tough-Cookie. An attacker able to make an application using Tough-Cookie parse a sufficiently large HTTP request Cookie header could cause the application to consume an excessive amount of CPU.
0c1b4ed27f0d1db4f3edc634e7d5fccb7e419a267e21c9074481e69ff631e66b
Joomla Huge-IT Portfolio Gallery plugin version 1.0.6 suffers from a remote SQL injection vulnerability.
c736d80fc3abb2b181ac9b8ebf78e33ac2a58f366fa330b5853b34264816675e
Joomla Huge-IT Catalog component version 1.0.7 suffers from a remote SQL injection vulnerability.
ec7c54b92dde7ae79e9dedd8de808f51247be85b0c3eea5eefcd781c3c987514
Red Hat Security Advisory 2016-1978-01 - Twisted is an event-based framework for internet applications. Twisted Web is a complete web server, aimed at hosting web applications using Twisted and Python, but fully able to serve static pages too. Security Fix: It was discovered that python-twisted-web used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
d5e3aa646dfd2f8b3f78548122631ae45d15ee8081e7f70b40011002ec277d92