From security-advisories em freebsd.org Wed Dec 16 04:36:20 2015
From: security-advisories em freebsd.org (FreeBSD Security Advisories)
Date: Wed, 16 Dec 2015 06:36:20 +0000 (UTC)
Subject: [SECURITY-L] FreeBSD Security Advisory FreeBSD-SA-15:27.bind
Message-ID: <20151216063620.B4CF712E7@freefall.freebsd.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-15:27.bind Security Advisory
The FreeBSD Project
Topic: BIND remote denial of service vulnerability
Category: contrib
Module: bind
Announced: 2015-12-16
Credits: ISC
Affects: FreeBSD 9.x
Corrected: 2015-12-16 06:10:05 UTC (stable/9, 9.3-STABLE)
2015-12-16 06:21:26 UTC (releng/9.3, 9.3-RELEASE-p32)
CVE Name: CVE-2015-8000
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. The libdns
library is a library of DNS protocol support functions.
II. Problem Description
An error in the parsing of incoming responses allows some records with an
incorrect class to be be accepted by BIND instead of being rejected as
malformed. This can trigger a REQUIRE assertion failure when those records
are subsequently cached.
III. Impact
An attacker who can cause a server to request a record with a malformed class
attribute can use this bug to trigger a REQUIRE assertion in db.c, causing
named to exit and denying service to clients.
The risk to recursive servers is high. Authoritative servers are at limited
risk if they perform authentication when making recursive queries to resolve
addresses for servers listed in NS RRSETs.
IV. Workaround
No workaround is available, but hosts not running named(8) are not
vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
The named service has to be restarted after the update. A reboot is
recommended but not required.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
The named service has to be restarted after the update. A reboot is
recommended but not required.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:27/bind.patch.asc
# gpg --verify bind.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart the applicable daemons, or reboot the system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- -------------------------------------------------------------------------
stable/9/ r292320
releng/9.3/ r292321
- -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.8 (FreeBSD)
iQIcBAEBCgAGBQJWcQOeAAoJEO1n7NZdz2rnpUoQAIjWIowpcRnteiQ8xJFnebHN
iXj0vEWBGXofefDF1QzMZe0+mu688Brw1UGC89alhJVKfcmUP66okW5KP+4KDWUp
+jkIqjw0VLrWztc8V+YzGKkbFNprvYUKhzJJ/Y5TLjadqGRc5BBBDxwzY+9CnDfC
P+OzaTHwO2HIrqclt5nVyhgBTXSGZHai6Eyw2fBuhmEqbOWNr4cBu8IVhAtvw6SR
0lFSSITZ2z6YrDTq7l7fkeJwv+MnerpBXfe57P6r6tbDzzmsmZiNKABsk9wW2lkP
kuOTf14VNoMySCwQ60PUEtflERCTJ/QRZxZTbBRh4YZXJxPsERwj3dlfguMA/5Pq
sO9cxbhSKdoaiswKev67uVUkJXCePb8YIfcxui9Wj5YgcYaN5Au9F/tX2xMmWwfp
2+XwiRkLoNao+NYrx6hAJjWxAUTZJJJhWvu6L7mpBiImsqczd5AJq52bqD/C2M5C
v0acQ6ozNz2Fdkxy4YA1kuXm1STwFuCAfWSVYOpaLz42PeRrHzfqXFuAsoJCp8k1
2m2pFgLgQKGhje6XY9rtaFPLulGFDOem8tdYDHH94lgToinVIZ/+GcMbV4My7vr/
gWRnbzxr8J8/kdhUSp2+rlwnpdPEhgfcnxzwwr9F6duuwb5lLYCqNH/N4SOxRIAV
En2VQ4vrDSCP7rszpvI7
=89Kp
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications em freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe em freebsd.org"
From security em unicamp.br Thu Dec 17 12:21:19 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 17 Dec 2015 12:21:19 -0200
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Block
Class- Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-175]
Message-ID: <20151217142119.GB23533@unicamp.br>
----- Forwarded message from security-news em drupal.org -----
Date: Wed, 16 Dec 2015 19:33:38 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] Block Class- Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-175
X-Mailer: Drupal
View online: https://www.drupal.org/node/2636502
* Advisory ID: DRUPAL-SA-CONTRIB-2015-175
* Project: Block Class [1] (third-party module)
* Version: 7.x
* Date: 2015-December-16
* Security risk: 19/25 ( Critical)
AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
This module enables you to add custom classes to blocks.
The module doesn't sufficiently scrub class names written by a malicious
block class administrator.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer block classes".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* block_class 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed Block Class
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the block_class module for Drupal 7.x, upgrade to block_class
7.x-2.2 [5]
Also see the Block Class [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Neil Drumm [7] of the Drupal Security Team
-------- FIXED BY
------------------------------------------------------------
* Berend de Boer [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Ben Dougherty [9] of the Drupal Security Team
* Owen Barton [10] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [11].
Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [15]
[1] https://www.drupal.org/project/block_class
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/block_class
[5] https://www.drupal.org/node/2636498
[6] https://www.drupal.org/project/block_class
[7] https://www.drupal.org/user/23
[8] https://www.drupal.org/user/143552
[9] https://www.drupal.org/user/1852732
[10] https://www.drupal.org/user/19668
[11] https://www.drupal.org/contact
[12] https://www.drupal.org/security-team
[13] https://www.drupal.org/writing-secure-code
[14] https://www.drupal.org/security/secure-configuration
[15] https://twitter.com/drupalsecurity
_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
----- End forwarded message -----
From security em unicamp.br Thu Dec 17 12:39:54 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 17 Dec 2015 12:39:54 -0200
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Select2
Field Widget - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-173]
Message-ID: <20151217143954.GD23533@unicamp.br>
----- Forwarded message from security-news em drupal.org -----
Date: Wed, 16 Dec 2015 18:25:00 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] Select2 Field Widget - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-173
X-Mailer: Drupal
View online: https://www.drupal.org/node/2636352
* Advisory ID: DRUPAL-SA-CONTRIB-2015-173
* Project: Select2 Field Widget [1] (third-party module)
* Version: 7.x
* Date: 2015-December-16
* Security risk: 17/25 ( Critical)
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Select2 Field Widget module enables you to use the select2 library for field
widgets.
The module doesn't sufficiently sanitize some user supplied text, leading to
a reflected Cross Site Scripting vulnerability (XSS).
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Select2 Field Widget 7.x-2.x versions prior to 7.x-2.8.
Drupal core is not affected. If you do not use the contributed Select2 Field
Widget [4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Select2 Field Widget module for Drupal 7.x, upgrade to
Select2 Field Widget 7.x-2.9 [5]
Also see the Select2 Field Widget [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* kris84 [7]
* jbylsma [8]
-------- FIXED BY
------------------------------------------------------------
* kris84 [9]
* Zoltán Kisgyörgy [10], module maintainer
* Zoltan Keresztes [11], module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [12] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [13].
Learn more about the Drupal Security team and their policies [14], writing
secure code for Drupal [15], and securing your site [16].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [17]
[1] https://www.drupal.org/project/select2widget
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/select2widget
[5] https://www.drupal.org/node/2636114
[6] https://www.drupal.org/project/select2widget
[7] https://www.drupal.org/user/142812
[8] https://www.drupal.org/u/jbylsma
[9] https://www.drupal.org/user/142812
[10] https://www.drupal.org/u/k_zoltan
[11] https://www.drupal.org/user/2768895
[12] https://www.drupal.org/user/2301194
[13] https://www.drupal.org/contact
[14] https://www.drupal.org/security-team
[15] https://www.drupal.org/writing-secure-code
[16] https://www.drupal.org/security/secure-configuration
[17] https://twitter.com/drupalsecurity
_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
----- End forwarded message -----
From security em unicamp.br Thu Dec 17 12:40:24 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 17 Dec 2015 12:40:24 -0200
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Open Atrium
- Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-174]
Message-ID: <20151217144024.GF23533@unicamp.br>
----- Forwarded message from security-news em drupal.org -----
Date: Wed, 16 Dec 2015 18:25:06 +0000 (UTC)
From: security-news em drupal.org
To: security-news em drupal.org
Subject: [Security-news] Open Atrium - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-174
X-Mailer: Drupal
View online: https://www.drupal.org/node/2636380
* Advisory ID: DRUPAL-SA-CONTRIB-2015-174
* Project: Open Atrium [1] (third-party module)
* Version: 7.x
* Date: 2015-December-16
* Security risk: 17/25 ( Critical)
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Open Atrium distribution enables you to create an intranet.
Open Atrium Core module doesn't sufficiently sanitize some user supplied
text, leading to a reflected Cross Site Scripting vulnerability (XSS).
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Open Atrium distribution 7.x-2.x versions prior to 7.x-2.51
* Open Atrium Core module 7.x-2.x versions prior to 7.x-2.66
Drupal core is not affected. If you do not use the contributed Open Atrium
[4] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
If you use the Open Atrium distribution for Drupal 7.x:
* Upgrade to Open Atrium 7.x-2.51
If you use the Open Atrium Core module for Drupal 7.x:
* Upgrade to Open Atrium Core 7.x-2.66 [5]
Also see the Open Atrium [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* kris84 [7]
* jbylsma [8]
-------- FIXED BY
------------------------------------------------------------
* kris84 [9]
* Mike Potter [10], a module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/openatrium
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/openatrium
[5] https://www.drupal.org/node/2636350
[6] https://www.drupal.org/project/openatrium
[7] https://www.drupal.org/user/142812
[8] https://www.drupal.org/u/jbylsma
[9] https://www.drupal.org/user/142812
[10] https://www.drupal.org/user/616192
[11] https://www.drupal.org/u/pere-orga
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
----- End forwarded message -----