Bug Traq

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[slackware-security] libssh2 (SSA:2019-077-01)

19 March, 2019 - 04:41

Posted by Slackware Security Team on Mar 19

[slackware-security] libssh2 (SSA:2019-077-01)

New libssh2 packages are available for Slackware 14.2 and -current to
fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/libssh2-1.8.1-i586-1_slack14.2.txz: Upgraded.
Fixed several security issues.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3855...

[SECURITY] [DSA 4409-1] neutron security update

19 March, 2019 - 04:38

Posted by Moritz Muehlenhoff on Mar 19

-------------------------------------------------------------------------
Debian Security Advisory DSA-4409-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 18, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : neutron
CVE ID : CVE-2019-9735

Erik Olof Gunnar...

Gitea 1.7.3 stored HTML injection (XSS)

17 March, 2019 - 22:41

Posted by Anti Räis on Mar 17

Gitea 1.7.3 stored HTML injection (XSS)
#######################################

Information
===========

Name: Gitea 1.7.0 - 1.7.3 stored HTML injection
Software: Gitea - a self-hosted Git service
Homepage: https://gitea.io/
Vulnerability: stored HTML injection
Affected: 1.7.0 - 1.7.3
Tested: 1.7.2, 1.7.3
Fixed: 1.7.4
Prerequisites: edit repository settings
Severity: low
CVE: NA

Credit:...

[SECURITY] [DSA 4408-1] liblivemedia security update

17 March, 2019 - 22:38

Posted by Moritz Muehlenhoff on Mar 17

-------------------------------------------------------------------------
Debian Security Advisory DSA-4408-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 17, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : liblivemedia
CVE ID : CVE-2019-6256 CVE-2019-7314...

NEW: VMSA-2019-0003 - VMware Horizon update addresses Connection Server information disclosure vulnerability

15 March, 2019 - 06:07

Posted by VMware Security Response Center on Mar 15

VMSA-2019-0003 - VMware Horizon update addresses Connection Server
information disclosure vulnerability

Please see the advisory here:
https://www.vmware.com/security/advisories/VMSA-2019-0003.html

Relevant Products:

- VMware Horizon

Change Log:

2019-03-14: VMSA-2019-0003
Initial security advisory in conjunction with the release of VMware Horizon
7.8 on 2019-03-14.

NEW: VMSA-2019-0002 - VMware Workstation update addresses elevation of privilege issues.

15 March, 2019 - 06:04

Posted by VMware Security Response Center on Mar 15

VMSA-2019-0002 - VMware Workstation update addresses elevation of privilege
issues.

Please see the advisory here:
https://www.vmware.com/security/advisories/VMSA-2019-0002.html

Relevant Products:

- VMware Workstation Pro / Player (Workstation)

Change Log:

2019-03-14: VMSA-2019-0002
Initial security advisory in conjunction with the release of VMware
Workstation 14.1.6 and 15.0.3 on 2019-03-14.

[SYSS-2018-033]: Fujitsu Wireless Keyboard Set LX901 - Keystroke Injection Vulnerability

15 March, 2019 - 06:01

Posted by matthias . deeg on Mar 15

Advisory ID: SYSS-2018-033
Product: Wireless Keyboard Set LX901
Manufacturer: Fujitsu
Affected Version(s): Model No. GK900
Tested Version(s): Model No. GK900
Vulnerability Type: Cryptographic Issues (CWE-310)
Keystroke Injection Vulnerability
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-10-19
Solution Date: -
Public Disclosure: 2019-03-15
CVE Reference: Not yet assigned
Author of Advisory: Matthias...

IPv6 Security for IPv4 Engineers

13 March, 2019 - 22:32

Posted by Fernando Gont on Mar 13

Folks,

It is often argued that IPv4 practices should be forgotten when
deploying IPv6, as after all IPv6 is a different protocol! But we think
years of IPv4 operational experience should be leveraged as much as
possible.

So we are publishing IPv6 Security for IPv4 Engineers as a roadmap to
IPv6 security that is specifically aimed at IPv4 engineers and operators.

Rather than describing IPv6 in an isolated manner, it aims to re-use as
much of...

Cisco Common Service Platform Collector - Hardcoded Credentials (CVE-2019-1723)

13 March, 2019 - 22:29

Posted by David Coomber on Mar 13

Cisco Common Service Platform Collector - Hardcoded Credentials (CVE-2019-1723)

[SECURITY] [DSA 4407-1] xmltooling security update

13 March, 2019 - 03:15

Posted by Moritz Muehlenhoff on Mar 13

-------------------------------------------------------------------------
Debian Security Advisory DSA-4407-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 12, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : xmltooling
CVE ID : CVE-2019-9628

Ross Geerlings...

[SECURITY] [DSA 4406-1] waagent security update

13 March, 2019 - 03:11

Posted by Moritz Muehlenhoff on Mar 13

-------------------------------------------------------------------------
Debian Security Advisory DSA-4406-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 12, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : waagent
CVE ID : CVE-2019-0804

Francis McBratney...

Microsoft Windows .Reg File Dialog Box Message Spoofing 0day

12 March, 2019 - 15:45

Posted by apparitionsec on Mar 12

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives,
keys, and values.
.reg files can be created from...

[**UPDATED] Microsoft Windows .Reg File Dialog Box Message Spoofing 0day

12 March, 2019 - 15:41

Posted by apparitionsec on Mar 12

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives,
keys, and values.
.reg files can be created from...

[SECURITY] [DSA 4405-1] openjpeg2 security update

11 March, 2019 - 02:56

Posted by Luciano Bello on Mar 11

-------------------------------------------------------------------------
Debian Security Advisory DSA-4405-1 security () debian org
https://www.debian.org/security/ Luciano Bello
March 10, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjpeg2
CVE ID : CVE-2017-17480 CVE-2018-5785...

FlexPaper <= 2.3.6 Remote Command Execution

11 March, 2019 - 02:53

Posted by Red Timmy Sec - on Mar 11

Description
===========
FlexPaper (https://www.flowpaper.com) is an open source project, released under GPL license, quite widespread over the
internet. It provides document viewing functionalities to web clients, mobile and tablet devices. At least until 2014
the component has been actively used by WikiLeaks, when it was discovered to be affected by a XSS vulnerability
subsequently patched.

Around one year ago Red Timmy Sec discovered a...

[SECURITY] [DSA 4404-1] chromium security update

11 March, 2019 - 02:49

Posted by Michael Gilbert on Mar 11

-------------------------------------------------------------------------
Debian Security Advisory DSA-4404-1 security () debian org
https://www.debian.org/security/ Michael Gilbert
March 09, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium
CVE ID : CVE-2019-5786

Clement Lecigne...

[SECURITY] [DSA 4403-1] php7.0 security update

11 March, 2019 - 02:47

Posted by Moritz Muehlenhoff on Mar 11

-------------------------------------------------------------------------
Debian Security Advisory DSA-4403-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 08, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : php7.0
CVE ID : not yet available

Multiple...

[slackware-security] ntp (SSA:2019-067-01)

11 March, 2019 - 02:43

Posted by Slackware Security Team on Mar 11

[slackware-security] ntp (SSA:2019-067-01)

New ntp packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.8p13-i586-1_slack14.2.txz: Upgraded.
This release fixes a bug that allows an attacker with access to an explicitly
trusted source to send a crafted malicious mode 6 (ntpq) packet that can...

[SECURITY] [DSA 4402-1] mumble security update

6 March, 2019 - 08:25

Posted by Moritz Muehlenhoff on Mar 06

-------------------------------------------------------------------------
Debian Security Advisory DSA-4402-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
March 05, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mumble
CVE ID : CVE-2018-20743

It was discovered...

SAP J2EE Engine/7.01/Fiori Reflected Cross Site Scripting (XSS)

4 March, 2019 - 09:41

Posted by Ece örsel on Mar 04

I. VULNERABILITY
-------------------------
SAP J2EE Engine/7.01/Fiori
Reflected Cross Site Scripting (XSS)

II. CVE REFERENCE
-------------------------
Use CVE-2018-17865

III. VENDOR
-------------------------
https://www.sap.com

IV. TIMELINE
-------------------------
10/08/2018 Vulnerability discovered
12/07/2018 Vendor contacted
19/07/2018 SAP reply that SAP J2EE engine/7.01 end of support

V. CREDIT
-------------------------
Ece Orsel from...