Security News

[SECURITY] [DSA 4611-1] opensmtpd security update

Bug Traq - 30 January, 2020 - 02:08

Posted by Moritz Muehlenhoff on Jan 29

-------------------------------------------------------------------------
Debian Security Advisory DSA-4611-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 29, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : opensmtpd
CVE ID : CVE-2020-7247
Debian Bug :...

FreeBSD Security Advisory FreeBSD-SA-20:02.ipsec

Bug Traq - 29 January, 2020 - 05:00

Posted by FreeBSD Security Advisories on Jan 29

=============================================================================
FreeBSD-SA-20:02.ipsec Security Advisory
The FreeBSD Project

Topic: Missing IPsec anti-replay window check

Category: core
Module: kernel
Announced: 2020-01-28
Credits: Jean-Francois HREN
Affects: FreeBSD 12.0 only
Corrected:...

APPLE-SA-2020-1-28-1 iOS 13.3.1 and iPadOS 13.3.1

Bug Traq - 29 January, 2020 - 05:00

Posted by Apple Product Security on Jan 29

APPLE-SA-2020-1-28-1 iOS 13.3.1 and iPadOS 13.3.1

iOS 13.3.1 and iPadOS 13.3.1 are now available and address the
following:

Audio
Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4
and later, and iPod touch 7th generation
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-3857: Zhuo Liang of Qihoo 360...

FreeBSD Security Advisory FreeBSD-SA-20:01.libfetch

Bug Traq - 29 January, 2020 - 04:48

Posted by FreeBSD Security Advisories on Jan 29

=============================================================================
FreeBSD-SA-20:01.libfetch Security Advisory
The FreeBSD Project

Topic: libfetch buffer overflow

Category: core
Module: libfetch
Announced: 2020-01-28
Credits: Duncan Overbruck
Affects: All supported versions of FreeBSD.
Corrected:...

FreeBSD Security Advisory FreeBSD-SA-20:03.thrmisc

Bug Traq - 29 January, 2020 - 04:44

Posted by FreeBSD Security Advisories on Jan 29

=============================================================================
FreeBSD-SA-20:03.thrmisc Security Advisory
The FreeBSD Project

Topic: kernel stack data disclosure

Category: core
Module: kernel
Announced: 2020-01-28
Credits: Ilja Van Sprundel
Affects: All supported versions of FreeBSD.
Corrected:...

APPLE-SA-2020-1-28-4 tvOS 13.3.1

Bug Traq - 29 January, 2020 - 04:38

Posted by Apple Product Security on Jan 29

APPLE-SA-2020-1-28-4 tvOS 13.3.1

tvOS 13.3.1 is now available and addresses the following:

Audio
Available for: Apple TV 4K and Apple TV HD
Impact: An application may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2020-3857: Zhuo Liang of Qihoo 360 Vulcan Team

ImageIO
Available for: Apple TV 4K and Apple TV HD
Impact: Processing a maliciously...

APPLE-SA-2020-1-28-3 watchOS 6.1.2

Bug Traq - 29 January, 2020 - 04:38

Posted by Apple Product Security on Jan 29

APPLE-SA-2020-1-28-3 watchOS 6.1.2

watchOS 6.1.2 is now available and addresses the following:

AnnotationKit
Available for: Apple Watch Series 1 and later
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2020-3877: an anonymous researcher working with Trend Micro's
Zero Day Initiative

Audio...

APPLE-SA-2020-1-28-2 macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra

Bug Traq - 29 January, 2020 - 04:38

Posted by Apple Product Security on Jan 29

APPLE-SA-2020-1-28-2 macOS Catalina 10.15.3, Security Update
2020-001 Mojave, Security Update 2020-001 High Sierra

macOS Catalina 10.15.3, Security Update 2020-001 Mojave, and
Security Update 2020-001 High Sierra are now available and
address the following:

AnnotationKit
Available for: macOS Catalina 10.15.2
Impact: A remote attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: An...

APPLE-SA-2020-1-28-5 Safari 13.0.5

Bug Traq - 29 January, 2020 - 04:36

Posted by Apple Product Security on Jan 29

APPLE-SA-2020-1-28-5 Safari 13.0.5

Safari 13.0.5 is now available and addresses the following:

Safari
Available for: macOS Mojave and macOS High Sierra, and included in
macOS Catalina
Impact: Visiting a malicious website may lead to address bar spoofing
Description: An inconsistent user interface issue was addressed with
improved state management.
CVE-2020-3833: Nikhil Mittal (@c0d3G33k) of Payatu Labs (payatu.com)

Safari Login AutoFill...

APPLE-SA-2020-1-28-6 iTunes for Windows 12.10.4

Bug Traq - 29 January, 2020 - 04:33

Posted by Apple Product Security on Jan 29

APPLE-SA-2020-1-28-6 iTunes for Windows 12.10.4

iTunes for Windows 12.10.4 is now available and addresses the
following:

Mobile Device Service
Available for: Windows 7 and later
Impact: A user may gain access to protected parts of the file system
Description: The issue was addressed with improved permissions logic.
CVE-2020-3861: Andrea Pierini (@decoder_it), Christian Danieli
(@padovah4ck)

Installation note:

iTunes for Windows 12.10.4 may be...

Defense in depth -- the Microsoft way (part 61): security features are built to fail (or documented wrong)

Bug Traq - 29 January, 2020 - 04:28

Posted by Stefan Kanthak on Jan 29

Hi @ll,

(a long[er] form of the following advisory is available at
<https://skanthak.homepage.t-online.de/snafu.html>)

With Windows 10 1607, Microsoft introduced the /DEPENDENTLOADFLAG
linker option, a security feature to restrict or limit the search
path for DLLs:

| On supported operating systems, this option has the effect of
| changing calls to LoadLibrary("dependent.dll") to the equivalent
| of...

LPE and RCE in OpenSMTPD (CVE-2020-7247)

Bug Traq - 29 January, 2020 - 04:24

Posted by Qualys Security Advisory on Jan 29

Qualys Security Advisory

LPE and RCE in OpenSMTPD (CVE-2020-7247)

==============================================================================
Contents
==============================================================================

Summary
Analysis
Exploitation
Acknowledgments

==============================================================================
Summary
==============================================================================...

CVE - CVE-2020-7799 - FusionAuth command execution via Apache Freemarker Template

Bug Traq - 27 January, 2020 - 14:00

Posted by Gianluca Baldi on Jan 27

Dear bugtraq,

Please find attached an advisory for the following vulnerability, "FusionAuth command execution via Apache Freemarker
Template".
Description: An authenticated attacker with enough privileges to access the template editing functions (either site
templates or e-mail templates) in the FusionAuth dashboard can execute commands on the underlying operating system
using the Apache FreeMarker Expression language.

For...

[slackware-security] mozilla-thunderbird (SSA:2020-024-01)

Bug Traq - 27 January, 2020 - 04:03

Posted by Slackware Security Team on Jan 27

[slackware-security] mozilla-thunderbird (SSA:2020-024-01)

New mozilla-thunderbird packages are available for Slackware 14.2 and -current
to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mozilla-thunderbird-68.4.2-i686-1_slack14.2.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:...

WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001

Bug Traq - 23 January, 2020 - 23:02

Posted by Carlos Alberto Lopez Perez on Jan 23

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001
------------------------------------------------------------------------

Date reported : January 23, 2020
Advisory ID : WSA-2020-0001
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2020-0001.html
WPE WebKit Advisory URL :...

[SECURITY] [DSA 4609-1] python-apt security update

Bug Traq - 23 January, 2020 - 22:58

Posted by Moritz Muehlenhoff on Jan 23

-------------------------------------------------------------------------
Debian Security Advisory DSA-4609-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 23, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-apt
CVE ID : CVE-2019-15795 CVE-2019-15796...

SEC Consult SA-20200123-0 :: Cross-Site Request Forgery (CSRF) in Umbraco CMS

Bug Traq - 23 January, 2020 - 09:42

Posted by SEC Consult Vulnerability Lab on Jan 23

SEC Consult Vulnerability Lab Security Advisory < 20200123-0 >
=======================================================================
title: Cross-Site Request Forgery (CSRF)
product: Umbraco CMS
vulnerable version: version 8.2.2
fixed version: version 8.5
CVE number: CVE-2020-7210
impact: medium
homepage: https://umbraco.com/
found: October 2019...

SEC Consult SA-20200122-0 :: Reflected XSS in ZOHO ManageEngine ServiceDeskPlus

Bug Traq - 22 January, 2020 - 08:12

Posted by SEC Consult Vulnerability Lab on Jan 22

SEC Consult Vulnerability Lab Security Advisory < 20200122-0 >
=======================================================================
title: Reflected XSS
product: ZOHO ManageEngine ServiceDeskPlus
vulnerable version: <= 11.0 Build 11007
fixed version: 11.0 Build 11010
CVE number: CVE-2020-6843
impact: medium
homepage: https://www.manageengine.com/products/service-desk/...

[REVIVE-SA-2020-001] Revive Adserver Vulnerability

Bug Traq - 22 January, 2020 - 02:10

Posted by Matteo Beccati on Jan 21

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2020-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2020-001
------------------------------------------------------------------------
CVE-IDs: t.b.a.
Date: 2020-01-21
Risk Level: Low...

[SECURITY] [DSA 4608-1] tiff security update

Bug Traq - 22 January, 2020 - 02:06

Posted by Moritz Muehlenhoff on Jan 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-4608-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 21, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2019-14973 CVE-2019-17546...