AuraCMS version 3.0 suffers from cross site scripting and local file inclusion vulnerabilities.
5a35bc77f37b80e3b6ae5d1eaf892a6a012cf4c579dda292eeb102b6f33561daCheck_MK suffers from an arbitrary file disclosure vulnerability.
29ea17ad8196b8ca5a593382f3d744479bd2f4a883b8f7db788780575f11978eThe code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.
efe876f026d805aec0ae402905d0f399166b1e85133b042ab6011a6439d5095fIt was possible to craft a malformed chunk size as part of a chucked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.52, and Apache Tomcat 6.0.0 to 6.0.39.
14014726ae194fcbd52254b00f5e7e99823908207f8227e73309d1f9549f50e1Red Hat Security Advisory 2014-0581-01 - OpenStack Dashboard provides administrators and users a graphical interface to access, provision and automate cloud-based resources. The dashboard allows cloud administrators to get an overall view of the size and state of the cloud and it provides end-users a self-service portal to provision their own resources within the limits set by administrators. A flaw was discovered in OpenStack Dashboard that could allow a remote attacker to conduct cross-site scripting attacks if they were able to trick a horizon user into using a malicious heat template. Note that only setups exposing the orchestration dashboard in OpenStack Dashboard were affected.
3cf9b2341558bbe8305cde1cdbe8f36482a30e22137a9d73e93d3f39be026b5eRed Hat Security Advisory 2014-0580-01 - The OpenStack Identity service authenticates and authorizes OpenStack users by keeping track of users and their permitted activities. The Identity service supports multiple forms of authentication including user name and password credentials, token-based systems, and AWS-style logins. The openstack-keystone packages have been upgraded to upstream version 2013.2.3, which provides a number of bug fixes over the previous version. The following security issue is also fixed with this release: It was found that the memcached token back end of OpenStack Identity did not correctly invalidate a revoked trust token, allowing users with revoked tokens to retain access to services they should no longer be able to access. Note that only OpenStack Identity setups using the memcached back end for tokens were affected.
cbbf882a59e7a04c181ef09556964cf1dbb16484778d505b0c2a9c16a7da6974Red Hat Security Advisory 2014-0578-01 - OpenStack Compute launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances, managing networks, and controlling access through users and projects. It was found that overwriting the disk inside of an instance with a malicious image, and then switching the instance to rescue mode, could potentially allow an authenticated user to access arbitrary files on the compute host depending on the file permissions and SELinux constraints of those files. Only setups that used libvirt to spawn instances and which had the use of cow images disabled were affected.
63b3fb8b016547bd70086401213819f350561fb27cbc25c07899d9a76fa6e893Red Hat Security Advisory 2014-0517-01 - The openstack-foreman-installer package provides facilities for rapidly deploying Red Hat Enterprise Linux OpenStack Platform 4. It was discovered that the Qpid configuration created by openstack-foreman-installer did not have authentication enabled when run with default settings in standalone mode. An attacker able to establish a TCP connection to Qpid could access any OpenStack back end using Qpid without any authentication. This update also fixes several bugs and adds enhancements.
0c5878fb3ca39f4bfc286dcd8a1b7c27424d3484ba4a69d122cb5e3b11cf8a28Red Hat Security Advisory 2014-0582-01 - Red Hat JBoss SOA Platform is the next-generation ESB and business process automation infrastructure. Red Hat JBoss SOA Platform allows IT to leverage existing, modern, and future integration methodologies to dramatically improve business process execution speed and quality. This roll up patch serves as a cumulative upgrade for Red Hat JBoss SOA Platform 5.3.1. It includes various bug fixes. The following security issue is also fixed with this release: It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.
b8593d70dd43aadb30773782fde079796ce4e875ae531e2e5e5e45c520c7f18dRed Hat Security Advisory 2014-0516-01 - OpenStack Networking is a pluggable, scalable, and API-driven system that provisions networking services to virtual machines. Its main function is to manage connectivity to and from virtual machines. As of Red Hat Enterprise Linux OpenStack Platform 4.0, 'neutron' replaces 'quantum' as the core component of OpenStack Networking. A flaw was found in the way OpenStack Networking performed authorization checks on created ports. An authenticated user could potentially use this flaw to create ports on a router belonging to a different tenant, allowing unauthorized access to the network of other tenants. Note that only OpenStack Networking setups using plug-ins that rely on the l3-agent were affected.
c0588230b69d9979c0b5ff1a318a4d0d3c47c4b2e44dde5b16954df8d2d433c8Red Hat Security Advisory 2014-0579-01 - OpenStack Orchestration is a template-driven engine used to specify and deploy configurations for Compute, Storage, and OpenStack Networking. It can also be used to automate post-deployment actions, which in turn allows automated provisioning of infrastructure, services, and applications. Orchestration can also be integrated with Telemetry alarms to implement auto-scaling for certain infrastructure resources. The openstack-heat-templates package provides heat example templates and image building elements for the openstack-heat package. It was discovered that certain heat templates used HTTP to insecurely download packages and signing keys via Yum. An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system.
ca06ea7eab4f54b7a387adbdef2d7be82b8761ba25ef9e19be26524fc94c5affRed Hat Security Advisory 2014-0573-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 6.3 will be retired as of June 30, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Red Hat Enterprise Linux 6.3 EUS after June 30, 2014. In addition, technical support through Red Hat's Global Support Services will no longer be provided after this date. We encourage customers to plan their migration from Red Hat Enterprise Linux 6.3 to a more recent version of Red Hat Enterprise Linux. As a benefit of the Red Hat subscription model, customers can use their active subscriptions to entitle any system on a currently supported Red Hat Enterprise Linux 6 release.
84add74bf4934fa3246c88972d5837845c5ad62f8afe71ced2c17006b0030dd8Red Hat Security Advisory 2014-0575-01 - In accordance with the Red Hat Enterprise Developer Toolset Life Cycle policy, the Red Hat Developer Toolset Version 1 offering will be retired as of June 30, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for Developer Toolset Version 1 after June 30, 2014. In addition, technical support through Red Hat's Global Support Services will no longer be provided for Red Hat Developer Toolset Version 1 after this date. We encourage customers to plan their migration from Red Hat Enterprise Developer Toolset Version 1 to a more recent release of Red Hat Developer Toolset. As a benefit of the Red Hat subscription model, customers can use their active Red Hat Developer Toolset subscriptions to entitle any system on a currently supported version of this product.
8f642504c1f6988e2155666984c9463204d4155f4e20cc5bdfc8dfd7360d8f32A regression was introduced in revision 1519838 that caused AJP requests to hang if an explicit content length of zero was set on the request. The hanging request consumed a request processing thread which could lead to a denial of service. Versions affected include Apache Tomcat 8.0.0-RC2 to 8.0.3.
28c61c41ea4c82aebf18e1389e65f0ee95408b53ccd619f2378c0bef49785f6aHandsomeWeb SOS Webpages versions 1.1.11 and below suffer from backup and password hash disclosure vulnerabilities.
95fa3a37604887c4a9477550b3793f175517c90416e587a425c76050ebc648db
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed