Security Alerts

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[SECURITY] [DSA 4491-1] proftpd-dfsg security update

Mon, 08/05/2019 - 04:28

Posted by Moritz Muehlenhoff on Aug 05

-------------------------------------------------------------------------
Debian Security Advisory DSA-4491-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 04, 2019                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : proftpd-dfsg
CVE ID : CVE-2019-12815
Debian Bug...
Categories: Security

Microsoft Windows PowerShell Unsanitized Filename Command Execution

Mon, 08/05/2019 - 04:24

Posted by apparitionsec on Aug 05

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: Apparition Security

[Vendor]
www.microsoft.com

[Product]
Windows PowerShell

Windows PowerShell is a Windows command-line shell designed especially for system administrators.
PowerShell includes an interactive...

[slackware-security] mariadb (SSA:2019-213-01)

Fri, 08/02/2019 - 03:52

Posted by Slackware Security Team on Aug 02

[slackware-security] mariadb (SSA:2019-213-01)

New mariadb packages are available for Slackware 14.1 and -current to
fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/mariadb-5.5.65-i486-1_slack14.1.txz: Upgraded.
This update fixes bugs and security issues.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2805...

[SECURITY] [DSA 4490-1] subversion security update

Thu, 08/01/2019 - 05:37

Posted by Salvatore Bonaccorso on Aug 01

-------------------------------------------------------------------------
Debian Security Advisory DSA-4490-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
August 01, 2019                       https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : subversion
CVE ID : CVE-2018-11782 CVE-2019-0203...

[SECURITY] [DSA 4489-1] patch security update

Tue, 07/30/2019 - 03:36

Posted by Salvatore Bonaccorso on Jul 30

-------------------------------------------------------------------------
Debian Security Advisory DSA-4489-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
July 27, 2019                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : patch
CVE ID : CVE-2019-13636 CVE-2019-13638
Debian...

CVE-2019-13635: Directory traversal in WP Fastest Cache 0.8.9.5 and below

Tue, 07/30/2019 - 03:32

Posted by Imre Rad on Jul 30

WP Fastest Cache is a WordPress plugin that creates static HTML files
from the dynamic WordPress blog in order to speed up operation.

Version 0.8.9.5 and below of the plugin was identified as being
vulnerable to directory traversal attacks.

The first two are Windows-only; the third one is generic. The Windows-
specific ones were tested on WampServer (so with Apache httpd).

#1:
The impact is reading files outside of the cache directory. The...

[SYSS-2019-004]: ABUS Secvest (FUAA50000) - Message Transmission - Unchecked Error Condition (CWE-391)

Tue, 07/30/2019 - 03:29

Posted by matthias.deeg on Jul 30

Advisory ID: SYSS-2019-004
Product: ABUS Secvest (FUAA50000)
Manufacturer: ABUS
Affected Version(s): v3.01.01
Tested Version(s): v3.01.01
Vulnerability Type: Message Transmission - Unchecked Error Condition (CWE-391)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2019-03-02
Solution Date: -
Public Disclosure: 2019-07-26
CVE Reference: CVE-2019-14261
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert...

[SECURITY] [DSA 4488-1] exim4 security update

Tue, 07/30/2019 - 03:26

Posted by Salvatore Bonaccorso on Jul 30

-------------------------------------------------------------------------
Debian Security Advisory DSA-4488-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
July 25, 2019                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : exim4
CVE ID : CVE-2019-13917

Jeremy Harris...

[SYSS-2019-016] SquirrelMail script filter bypass/XSS (update)

Tue, 07/30/2019 - 03:22

Posted by Moritz Bechler on Jul 30

Advisory ID: SYSS-2019-016 (update 1)
Product: SquirrelMail
Manufacturer: The SquirrelMail Project
Affected Version(s): 1.4.22, SVN
Tested Version(s): SVN
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-04-17
Solution Date: 2019-07-24
Public Disclosure: 2019-07-01
CVE Reference: CVE-2019-12970
Author of Advisory: Moritz Bechler, SySS GmbH...

FreeBSD Security Advisory FreeBSD-SA-19:16.bhyve

Wed, 07/24/2019 - 10:12

Posted by FreeBSD Security Advisories on Jul 24

=============================================================================
FreeBSD-SA-19:16.bhyve Security Advisory
The FreeBSD Project

Topic: Bhyve out-of-bounds read in XHCI device

Category: core
Module: bhyve
Announced: 2019-07-24
Credits: Reno Robert
Affects: All supported versions of FreeBSD....

FreeBSD Security Advisory FreeBSD-SA-19:17.fd

Wed, 07/24/2019 - 10:09

Posted by FreeBSD Security Advisories on Jul 24

=============================================================================
FreeBSD-SA-19:17.fd Security Advisory
The FreeBSD Project

Topic: File description reference count leak

Category: core
Module: unix
Announced: 2019-07-24
Credits: Mark Johnston
Affects: All supported versions of FreeBSD.
Corrected:...

FreeBSD Security Advisory FreeBSD-SA-19:15.mqueuefs

Wed, 07/24/2019 - 10:04

Posted by FreeBSD Security Advisories on Jul 24

=============================================================================
FreeBSD-SA-19:15.mqueuefs Security Advisory
The FreeBSD Project

Topic: Reference count overflow in mqueue filesystem

Category: core
Module: kernel
Announced: 2019-07-24
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD....

FreeBSD Security Advisory FreeBSD-SA-19:14.freebsd32

Wed, 07/24/2019 - 10:00

Posted by FreeBSD Security Advisories on Jul 24

=============================================================================
FreeBSD-SA-19:14.freebsd32 Security Advisory
The FreeBSD Project

Topic: Kernel memory disclosure in freebsd32_ioctl

Category: core
Module: kernel
Announced: 2019-07-24
Credits: Ilja van Sprundel, IOActive
Affects: FreeBSD 11.2 and...

FreeBSD Security Advisory FreeBSD-SA-19:12.telnet

Wed, 07/24/2019 - 09:57

Posted by FreeBSD Security Advisories on Jul 24

=============================================================================
FreeBSD-SA-19:12.telnet Security Advisory
The FreeBSD Project

Topic: telnet(1) client multiple vulnerabilities

Category: contrib
Module: contrib/telnet
Announced: 2019-07-24
Credits: Juniper Networks
Affects: All supported versions of...

FreeBSD Security Advisory FreeBSD-SA-19:13.pts

Wed, 07/24/2019 - 09:53

Posted by FreeBSD Security Advisories on Jul 24

=============================================================================
FreeBSD-SA-19:13.pts Security Advisory
The FreeBSD Project

Topic: pts(4) write-after-free

Category: core
Module: kernel
Announced: 2019-07-24
Credits: syzkaller
Affects: All supported versions of FreeBSD.
Corrected: 2019-07-07...

APPLE-SA-2019-7-22-3 Safari 12.1.2

Tue, 07/23/2019 - 03:55

Posted by Apple Product Security on Jul 23

APPLE-SA-2019-7-22-3 Safari 12.1.2

Safari 12.1.2 is now available and addresses the following:

Safari
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
included in macOS Mojave 10.14.6
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2019-8670: Tsubasa FUJII (@reinforchu)

WebKit
Available for: macOS Sierra...

APPLE-SA-2019-7-22-5 tvOS 12.4

Tue, 07/23/2019 - 03:52

Posted by Apple Product Security on Jul 23

APPLE-SA-2019-7-22-5 tvOS 12.4

tvOS 12.4 is now available and addresses the following:

Core Data
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Core Data
Available for: Apple TV 4K and Apple TV HD
Impact: A remote attacker may be able to cause arbitrary code...

APPLE-SA-2019-7-22-4 watchOS 5.3

Tue, 07/23/2019 - 03:49

Posted by Apple Product Security on Jul 23

APPLE-SA-2019-7-22-4 watchOS 5.3

watchOS 5.3 is now available and addresses the following:

Core Data
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Core Data
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause...

APPLE-SA-2019-7-22-1 iOS 12.4

Tue, 07/23/2019 - 03:45

Posted by Apple Product Security on Jul 23

APPLE-SA-2019-7-22-1 iOS 12.4

iOS 12.4 is now available and addresses the following:

Core Data
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation and later
Impact: A remote attacker may be able to leak memory
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2019-8646: Natalie Silvanovich of Google Project Zero

Core Data
Available for: iPhone 5s and later, iPad Air and...

Jira Server - Template injection in various resources - CVE-2019-11581

Mon, 07/22/2019 - 04:18

Posted by Anton Black on Jul 22

This email refers to the advisory found at
https://confluence.atlassian.com/x/AzoGOg .

CVE ID:

* CVE-2019-11581.

Product: Jira Server and Data Center.

Affected Jira Server and Data Center product versions:

4.0.0 <= version < 7.6.14
7.13.0 <= version < 7.13.5
8.0.0 <= version < 8.0.3
8.1.0 <= version < 8.1.2
8.2.0 <= version < 8.2.3

Fixed Jira Server and Data Center product versions:

* Jira Server and Data...
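The affected-version list above is written as half-open ranges (lower bound inclusive, upper bound exclusive), which is easy to misread when a fleet runs several Jira lines. Below is an added helper, not code from Atlassian or from the advisory, that encodes exactly the five ranges printed in the post and compares a version string against them. The version strings fed to it are constructed for the example.

```python
# Ranges copied from the advisory text: lo <= version < hi.
AFFECTED_RANGES = [
    ("4.0.0", "7.6.14"),
    ("7.13.0", "7.13.5"),
    ("8.0.0", "8.0.3"),
    ("8.1.0", "8.1.2"),
    ("8.2.0", "8.2.3"),
]


def parse_version(text: str) -> tuple:
    """Turn '8.2.1' into (8, 2, 1).

    Missing components are padded with zeros so '8.2' compares as 8.2.0,
    and anything after a '-' (a build or qualifier suffix) is ignored.
    Tuples compare component-wise, so 7.13.4 sorts after 7.6.14 as it should.
    """
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the listed affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions) -> dict:
    """Classify a collection of installed versions; returns {version: bool}."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory of hypothetical Jira instances.
    for version, hit in triage(["7.6.13", "7.6.14", "7.13.4", "8.2.2", "8.2.3"]).items():
        print(f"{version:8} {'AFFECTED' if hit else 'not in a listed range'}")
```

A `False` result means only that the version is outside every range the advisory lists. The 7.7 through 7.12 lines, for instance, sit between the first two ranges and are not mentioned either way in the excerpt, so for those the full advisory at the Atlassian URL above is the reference, not this check.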