Security News
Bugtraq: [SECURITY] [DSA 4269-1] postgresql-9.6 security update
[SECURITY] [DSA 4269-1] postgresql-9.6 security update
Bugtraq: [SECURITY] [DSA 4268-1] openjdk-8 security update
[SECURITY] [DSA 4268-1] openjdk-8 security update
Bugtraq: [SECURITY] [DSA 4267-1] kamailio security update
[SECURITY] [DSA 4267-1] kamailio security update
Bugtraq: [CVE-2018-12584] Heap overflow vulnerability in reSIProcate through 1.10.2
[CVE-2018-12584] Heap overflow vulnerability in reSIProcate through 1.10.2
More rss feeds from SecurityFocus
News, Infocus, Columns, Vulnerabilities, Bugtraq ...
Reflected XSS – HRworks Login (v1.16.1)
Posted by Georg Ph E Heise via Fulldisclosure on Sep 20
# Exploit Title: Reflected XSS – HRworks Login (v1.16.1)# Vendor Homepage: https://www.hrworks.de
# Exploit Author: Georg Philipp Erasmus Heise / Lufthansa Industry Solutions
# Contact: https://twitter.com/gpheheise
# Website: https://www.lufthansa-industry-solutions.com
# Category: webapps
# CVE: CVE-2019-11559
Timeline
26.04.2019 Disclosure to Vendor
29.04.2019 Vendor informed that the issue was remediated
17.09.2019 Publication...
[SECURITY] [DSA 4526-1] opendmarc security update
Posted by Salvatore Bonaccorso on Sep 20
-------------------------------------------------------------------------Debian Security Advisory DSA-4526-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
September 19, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : opendmarc
CVE ID : CVE-2019-16378
Debian Bug :...
[SECURITY] [DSA 4527-1] php7.3 security update
Posted by Moritz Muehlenhoff on Sep 20
-------------------------------------------------------------------------Debian Security Advisory DSA-4527-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 19, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : php7.3
CVE ID : CVE-2019-11036 CVE-2019-11039...
[SECURITY] [DSA 4528-1] bird security update
Posted by Moritz Muehlenhoff on Sep 20
-------------------------------------------------------------------------Debian Security Advisory DSA-4528-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 19, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : bird
CVE ID : CVE-2019-16159
Daniel McCarney...
[SECURITY] [DSA 4525-1] ibus security update
Posted by Salvatore Bonaccorso on Sep 18
-------------------------------------------------------------------------Debian Security Advisory DSA-4525-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
September 18, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : ibus
CVE ID : CVE-2019-14822
Debian Bug :...
SEC Consult SA-20190918-0 :: Reflected Cross-Site Scripting (XSS) in Oracle Mojarra JSF
Posted by SEC Consult Vulnerability Lab on Sep 18
SEC Consult Vulnerability Lab Security Advisory < 20190918-0 >=======================================================================
title: Reflected Cross-Site Scripting (XSS)
product: Oracle Mojarra JSF included in Java EE 7
Eclipse Mojarra JSF
vulnerable version: 2.2 & 2.3
fixed version: https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING...
SEC Consult SA-20190918-0 :: Reflected Cross-Site Scripting (XSS) in Oracle Mojarra JSF
Posted by SEC Consult Vulnerability Lab on Sep 18
SEC Consult Vulnerability Lab Security Advisory < 20190918-0 >=======================================================================
title: Reflected Cross-Site Scripting (XSS)
product: Oracle Mojarra JSF included in Java EE 7
Eclipse Mojarra JSF
vulnerable version: 2.2 & 2.3
fixed version: https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING...
Re: Longer form questions
Posted by Andre Gironda on Sep 17
Daemonlogger + Zeek Intelligence Framework for sightings. Doesn't need TLSsecrets. Doesn't need high availability or to run inline. The sensors tell
you what they see and where and when they saw it. No need to block. No need
to "detect". No signatures at all (just a living watchlist). No AI/ML. No
modification of traffic. No huge concern if an APT, skiddie, or admin
crashes it (it's receive-only on the Daemonlogger...
[SECURITY] [DSA 4524-1] dino-im security update
Posted by Moritz Muehlenhoff on Sep 17
-------------------------------------------------------------------------Debian Security Advisory DSA-4524-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 16, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : dino-im
CVE ID : CVE-2019-16235 CVE-2019-16236...
[slackware-security] expat (SSA:2019-259-01)
Posted by Slackware Security Team on Sep 17
[slackware-security] expat (SSA:2019-259-01)New expat packages are available for Slackware 14.0, 14.1, 14.2, and -current
to fix a security issue.
Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/expat-2.2.8-i586-1_slack14.2.txz: Upgraded.
Fix heap overflow triggered by XML_GetCurrentLineNumber (or
XML_GetCurrentColumnNumber), and deny internal entities closing the doctype.
For more...
[SECURITY] [DSA 4523-1] thunderbird security update
Posted by Moritz Muehlenhoff on Sep 16
-------------------------------------------------------------------------Debian Security Advisory DSA-4523-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
September 15, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : thunderbird
CVE ID : CVE-2019-11739 CVE-2019-11740...
[SECURITY] [DSA 4522-1] faad2 security update
Posted by Moritz Muehlenhoff on Sep 16
-------------------------------------------------------------------------Debian Security Advisory DSA-4522-1 security () debian org
https://www.debian.org/security/ Hugo Lefeuvre
September 15, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package : faad2
CVE ID : CVE-2018-19502 CVE-2018-19503...
SEC Consult SA-20190912-0 :: Stored and reflected XSS vulnerabilities in LimeSurvey
Posted by SEC Consult Vulnerability Lab on Sep 16
SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >=======================================================================
title: Stored and reflected XSS vulnerabilities
product: LimeSurvey
vulnerable version: <= 3.17.13
fixed version: =>3.17.14
CVE number: CVE-2019-16172, CVE-2019-16173
impact: medium
homepage: https://www.limesurvey.org/...
Insecure tmpdir() use in dbtoepub.rb in docbook / xslt10-stylesheets
Posted by Shlomi Fish on Sep 13
See:https://github.com/docbook/xslt10-stylesheets/pull/144
«
See https://ruby-doc.org/stdlib-2.0.0/libdoc/tmpdir/rdoc/Dir.html -
tmpdir returns the same value everytime and as a result the tmpdirs can
be identical or existing.
SECURITY!
Thanks to phaul from #ruby .
»
There is a patch that seems to work well in the mageia linux package, but
no PoC exploit.
Piwigo - Version 2.9.5 [CVE-2019-13363, CVE-2019-13364 ]
Posted by rant on Sep 13
=====[ Tempest Security Intelligence - ADV-03/2019]==========================
Piwigo - Version 2.9.5
Author: Rodolfo Tavares
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents]==================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgments
* References
=====[ Vulnerability...
