From security em unicamp.br Thu Oct 1 08:38:03 2015
From: security em unicamp.br (CSIRT Unicamp)
Date: Thu, 1 Oct 2015 08:38:03 -0300
Subject: [SECURITY-L] [Security-news] User Dashboard - SQL Injection - Critical - SA-CONTRIB-2015-152
In-Reply-To: <20150930202446.31E721E0057@www2.drupal.org>
References: <20150930202446.31E721E0057@www2.drupal.org>
Message-ID: <560D1B1B.3080708@unicamp.br>

-------- Forwarded message --------
Subject: [Security-news] User Dashboard - SQL Injection - Critical - SA-CONTRIB-2015-152
Date: Wed, 30 Sep 2015 20:24:46 +0000 (UTC)
From: security-news em drupal.org
Reply-To: noreply em drupal.org
To: security-news em drupal.org

View online: https://www.drupal.org/node/2577901

* Advisory ID: DRUPAL-SA-CONTRIB-2015-152
* Project: UserDashboard [1] (third-party module)
* Version: 7.x
* Date: 2015-September-30
* Security risk: 19/25 (Critical) AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:All [2]
* Vulnerability: SQL Injection

-------- DESCRIPTION ---------------------------------------------------------

Module contains SQL Injection vulnerabilities.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

* user_dashboard 7.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed UserDashboard [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version (7.x-1.4).

Also see the UserDashboard [5] project page.
-------- REPORTED BY ---------------------------------------------------------

* An43 [6]

-------- FIXED BY ------------------------------------------------------------

* legovaer [7]
* An43 [8]

-------- COORDINATED BY ------------------------------------------------------

* Michael Hess [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14]

[1] https://www.drupal.org/project/user_dashboard
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/user_dashboard
[5] https://www.drupal.org/project/user_dashboard
[6] https://www.drupal.org/user/110358
[7] https://www.drupal.org/user/110393
[8] https://www.drupal.org/user/110358
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news em drupal.org
From security em unicamp.br Tue Oct 6 08:47:30 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 6 Oct 2015 08:47:30 -0300
Subject: [SECURITY-L] CAIS-Alerta: Start of Daylight Saving Time 2015/2016
Message-ID: <20151006114730.GA28820@unicamp.br>

----- Forwarded message from CAIS/RNP Alerta -----

Date: Mon, 5 Oct 2015 17:43:09 -0300 (BRT)
From: CAIS/RNP Alerta
To: rnp-alerta em cais.rnp.br
Subject: CAIS-Alerta: Start of Daylight Saving Time 2015/2016

Dear all,

CAIS informs that Daylight Saving Time 2015/2016 begins at zero hour (00:00) on 18 October 2015.

Decree no. 6.558 of 8 September 2008 set fixed start and end dates for the Daylight Saving Time period: it always begins at zero hour on the third Sunday of October and always ends at zero hour on the third Sunday of February of the following year. If the third Sunday of February is Carnival Sunday, the end is automatically moved to zero hour on the following Sunday.

On Sunday, 18 October, clocks must be set forward by 1 hour in the states of the South, Southeast and Center-West regions that observe Daylight Saving Time, namely:

* Rio Grande do Sul
* Santa Catarina
* Paraná
* São Paulo
* Rio de Janeiro
* Espírito Santo
* Minas Gerais
* Goiás
* Mato Grosso
* Mato Grosso do Sul
* Distrito Federal

Keep in mind that when handling a security incident, accurate system clocks are fundamental to keeping logs consistent, and are indispensable for investigations and for identifying those responsible. Remember also that logs reported after the Daylight Saving Time period ends will be back in the UTC-0300 (GMT-3) timezone.

More information

- Decree no. 6.558 of 8 September 2008 - Establishes daylight saving time in part of the national territory
  http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2008/decreto/d6558.htm
- ANEEL - Technical Information - Daylight Saving Time
  http://www.aneel.gov.br/area.cfm?id_area=65
- Brazilian Legal Time
  http://www.horalegalbrasil.mct.on.br

Configuration changes required for Daylight Saving Time 2015/2016

Daylight saving time is tied to the timezone configured on the system. Changing the timezone changes the system parameter that determines the difference in hours between absolute time (UTC / GMT 0) and local time. If the system clock (absolute time), adjusted by NTP, reads 16:00:00 UTC:

* For the Brasília timezone (UTC-3), the time shown to the user will be 13:00 (local time, UTC-3)
* For the Paris timezone (France, UTC+1), the time shown to the user will be 17:00 (local time, UTC+1)
* While daylight saving time is in effect, the Brasília timezone is changed to UTC-2, so the time shown to the user will be 14:00:00 (local time, UTC-2)

Time synchronization through NTP servers is not affected by the start or end of daylight saving time. Any change in the time shown by systems during the daylight saving period is due to the local timezone configuration on the system; the reference time provided by NTP servers does not change.

CAIS recommends that administrators keep their systems and applications up to date with the latest versions and fixes offered by vendors.

CAIS alerts are also available on Twitter: follow @caisrnp

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br   http://www.rnp.br/servicos/seguranca   #
# Tel. 019-37873300 Fax. 019-37873301                          #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

----- End forwarded message -----
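The timezone arithmetic and the Decree 6.558 rule described in the CAIS alert above, worked through as an added example (this is not CAIS/RNP code): it derives the season boundaries for any year, maps an NTP-disciplined UTC reading to the Brasília wall clock as in the 16:00 UTC illustration, and normalizes local log stamps to UTC while flagging the skipped and repeated hours around the change. The function names, the syslog-like stamp format and the sample log lines are assumptions of this example.

```python
"""Brasília wall-clock time <-> UTC under the Horário de Verão rule of Decree 6.558/2008
quoted above: third Sunday of October to third Sunday of February, shifted one week when
that Sunday is Carnival Sunday. Added example; function names and samples are assumptions."""
import re
from datetime import date, datetime, timedelta, timezone

STANDARD = timedelta(hours=-3)   # Brasília standard time, UTC-3
SUMMER = timedelta(hours=-2)     # Brasília daylight saving time, UTC-2

def easter_sunday(year: int) -> date:
    """Gregorian Easter (Meeus/Jones/Butcher); Carnival Sunday is 49 days earlier."""
    a, b, c = year % 19, year // 100, year % 100
    d, e, f = b // 4, b % 4, (b + 8) // 25
    g = (b - f + 1) // 3
    h = (19 * a + b - d - g + 15) % 30
    i, k = c // 4, c % 4
    l = (32 + 2 * e + 2 * i - h - k) % 7
    m = (a + 11 * h + 22 * l) // 451
    month, day = divmod(h + l - 7 * m + 114, 31)
    return date(year, month, day + 1)

def third_sunday(year: int, month: int) -> date:
    first = date(year, month, 1)  # weekday(): Monday=0 .. Sunday=6
    return first + timedelta(days=(6 - first.weekday()) % 7 + 14)

def dst_start(year: int) -> date:
    """Season `year` begins at 00:00 local on the third Sunday of October."""
    return third_sunday(year, 10)

def dst_end(year: int) -> date:
    """Season `year` ends at 00:00 local on the third Sunday of the following
    February, one week later if that Sunday is Carnival Sunday."""
    end = third_sunday(year + 1, 2)
    if end == easter_sunday(year + 1) - timedelta(days=49):
        end += timedelta(days=7)
    return end

def _season_bounds_utc(year: int):
    # Clocks go forward from 00:00 standard time and back from 00:00 summer time;
    # as UTC instants both transitions can be compared without ambiguity.
    start = datetime.combine(dst_start(year), datetime.min.time()) - STANDARD
    end = datetime.combine(dst_end(year), datetime.min.time()) - SUMMER
    return start.replace(tzinfo=timezone.utc), end.replace(tzinfo=timezone.utc)

def is_summer_time(utc: datetime) -> bool:
    """True if the aware UTC instant lies in the season that began in utc.year or utc.year-1."""
    return any(s <= utc < e for s, e in map(_season_bounds_utc, (utc.year - 1, utc.year)))

def utc_to_local(utc: datetime) -> datetime:
    return utc.astimezone(timezone(SUMMER if is_summer_time(utc) else STANDARD))

def local_to_utc(local_naive: datetime) -> list:
    """Every UTC instant a wall-clock reading may denote: one normally, two in the
    repeated hour when clocks go back, none in the skipped hour when they go forward."""
    candidates = []
    for offset in (SUMMER, STANDARD):
        utc = (local_naive - offset).replace(tzinfo=timezone.utc)
        if (offset == SUMMER) == is_summer_time(utc):  # offset must hold at that instant
            candidates.append(utc)
    return candidates

def display_time(utc_iso: str) -> str:
    """What a Brasília user sees for an NTP-disciplined clock reading such as '2015-10-17T16:00:00Z'."""
    utc = datetime.strptime(utc_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc_to_local(utc).strftime("%H:%M:%S UTC%z")

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

def normalize_log_line(line: str) -> str:
    """Rewrite a leading local 'YYYY-MM-DD HH:MM:SS' stamp as UTC so events recorded on
    either side of the change sort correctly; readings that cannot be mapped are flagged."""
    m = _TS.match(line)
    if not m:
        return line
    utcs = local_to_utc(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    if len(utcs) == 1:
        stamp = utcs[0].strftime("%Y-%m-%dT%H:%M:%SZ")
    elif not utcs:
        stamp = f"{m.group(1)} [NONEXISTENT local time]"
    else:
        stamp = f"{m.group(1)} [AMBIGUOUS: {' or '.join(u.strftime('%H:%M:%SZ') for u in utcs)}]"
    return stamp + line[m.end():]

# Constructed sample lines (not real log data) straddling both 2015/2016 transitions.
SAMPLE_LOG = [
    "2015-10-17 23:59:30 sshd[4021]: Accepted publickey for ops from 10.0.0.5",
    "2015-10-18 00:30:00 sshd[4021]: reading inside the skipped hour",
    "2015-10-18 01:00:05 sshd[4021]: session opened for user ops",
    "2016-02-20 23:30:00 cron[77]: reading inside the repeated hour",
]

if __name__ == "__main__":
    print(dst_start(2015), "->", dst_end(2015), "|", display_time("2015-10-17T16:00:00Z"))
    for entry in SAMPLE_LOG:
        print(normalize_log_line(entry))
```

Production code should take offsets from the system tzdata (zoneinfo) rather than re-deriving the rule; the point here is to see exactly where local-time log stamps stop being unambiguous around the change.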
From security em unicamp.br Fri Oct 16 14:25:12 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 16 Oct 2015 14:25:12 -0300
Subject: [SECURITY-L] Summary of Microsoft Security Bulletins - October/2015
Message-ID: <20151016172512.GA15175@unicamp.br>

Dear all,

On 13 October 2015 Microsoft published 6 security bulletins addressing a total of 33 vulnerabilities in the company's products. Exploitation of these vulnerabilities allows remote code execution, elevation of privilege and information disclosure.

At the time this alert was published, no exploit code had been released for the listed vulnerabilities.

Severity

Critical
- MS15-106 - Cumulative security update for Internet Explorer
- MS15-108 - Security update for JScript and VBScript
- MS15-109 - Security update for Windows Shell

Important
- MS15-107 - Cumulative security update for Microsoft Edge
- MS15-110 - Security updates for Microsoft Office
- MS15-111 - Security updates for Windows Kernel

Moderate
No bulletins

Low
No bulletins

The vulnerability severity rating system adopted by CAIS is Microsoft's own. CAIS recommends applying the fixes for vulnerabilities rated critical and important. For fixes for vulnerabilities rated moderate, CAIS recommends that at least the mitigation recommendations be followed.

- Critical - Vulnerabilities whose exploitation could allow the propagation of a worm without user interaction.
- Important - Vulnerabilities whose exploitation could result in the compromise of the confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources.
- Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.
- Low - A vulnerability whose exploitation is extremely difficult or whose impact is minimal.

Available fixes

Updating systems to the versions available at the following locations is recommended:

Microsoft Update
https://www.update.microsoft.com/microsoftupdate

Microsoft Download Center
http://www.microsoft.com/en-us/download/default.aspx

More information

Microsoft Security Bulletin Summary for October 2015
https://technet.microsoft.com/pt-BR/library/security/ms15-oct.aspx

Microsoft Security TechCenter
https://technet.microsoft.com/pt-br/security

Microsoft Security Response Center - MSRC
https://technet.microsoft.com/pt-br/security/dn440717

Microsoft Security Research & Defense - MSRD
http://blogs.technet.com/b/srd/

Microsoft Safety & Security Center
https://www.microsoft.com/pt-br/security/default.aspx

CVE identifiers (http://cve.mitre.org):
CVE-2015-2482, CVE-2015-6042, CVE-2015-6044
CVE-2015-6046, CVE-2015-6047, CVE-2015-6048
CVE-2015-6049, CVE-2015-6050, CVE-2015-6051
CVE-2015-6052, CVE-2015-6053, CVE-2015-6055
CVE-2015-6056, CVE-2015-6059, CVE-2015-6057
CVE-2015-6058, CVE-2015-2482, CVE-2015-6052
CVE-2015-6055, CVE-2015-6059, CVE-2015-2515
CVE-2015-2548, CVE-2015-2555, CVE-2015-2556
CVE-2015-2557, CVE-2015-2558, CVE-2015-6037
CVE-2015-6039, CVE-2015-2549, CVE-2015-2550
CVE-2015-2552, CVE-2015-2553, CVE-2015-2554

CAIS recommends that administrators keep their systems and applications up to date with the latest versions and fixes offered by vendors.

CAIS alerts are also available on Twitter: follow @caisrnp

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br   http://www.rnp.br/servicos/seguranca   #
# Tel. 019-37873300 Fax. 019-37873301                          #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

From security em unicamp.br Mon Oct 26 10:24:05 2015
From: security em unicamp.br (CSIRT Unicamp)
Date: Mon, 26 Oct 2015 10:24:05 -0200
Subject: [SECURITY-L] [Urgent] Joomla Security Update
Message-ID: <562E1B65.5090005@unicamp.br>

Joomla! 3.4.5 Released
=============================

Joomla! 3.4.5 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability. We strongly recommend that you update your sites immediately.

This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.4 release.

## What's in 3.4.5

Version 3.4.5 is released to address three reported security vulnerabilities and includes additional security hardening of the UploadShield system.
## Security Issues Fixed

- High Priority - Core - SQL Injection (affecting Joomla 3.2 through 3.4.4)
  (http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html)
- Medium Priority - Core - ACL Violations (affecting Joomla 3.2 through 3.4.4)
  (http://developer.joomla.org/security-centre/629-20151002-core-acl-violations.html)
- Medium Priority - Core - ACL Violations (affecting Joomla 3.0 through 3.4.4)
  (http://developer.joomla.org/security-centre/630-20151003-core-acl-violations.html)

Please see the documentation wiki for FAQs regarding the 3.4.5 release: https://docs.joomla.org/Category:Version_3.4.5_FAQ

From security em unicamp.br Mon Oct 26 11:52:59 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 26 Oct 2015 11:52:59 -0200
Subject: [SECURITY-L] [carnil@debian.org: [SECURITY] [DSA 3377-1] mysql-5.5 security update]
Message-ID: <20151026135259.GC9247@unicamp.br>

----- Forwarded message from Salvatore Bonaccorso -----

Date: Sat, 24 Oct 2015 08:06:52 +0000
From: Salvatore Bonaccorso
To: debian-security-announce em lists.debian.org
Subject: [SECURITY] [DSA 3377-1] mysql-5.5 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3377-1                   security em debian.org
https://www.debian.org/security/                    Salvatore Bonaccorso
October 24, 2015                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mysql-5.5
CVE ID         : CVE-2015-4792 CVE-2015-4802 CVE-2015-4815 CVE-2015-4816
                 CVE-2015-4819 CVE-2015-4826 CVE-2015-4830 CVE-2015-4836
                 CVE-2015-4858 CVE-2015-4861 CVE-2015-4870 CVE-2015-4879
                 CVE-2015-4913
Debian Bug     : 802564

Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.46.
Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-45.html
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-46.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

For the oldstable distribution (wheezy), these problems have been fixed in version 5.5.46-0+deb7u1.

For the stable distribution (jessie), these problems have been fixed in version 5.5.46-0+deb8u1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce em lists.debian.org

----- End forwarded message -----

From security em unicamp.br Mon Oct 26 14:29:30 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 26 Oct 2015 14:29:30 -0200
Subject: [SECURITY-L] Book: Fighting spam
Message-ID: <20151026162930.GA13730@unicamp.br>

Dear all,

The CGI.br Anti-spam Commission has released the book:

Combate ao spam na Internet no Brasil: Histórico e reflexões sobre o combate ao spam e a gerência da porta 25 coordenados pelo Comitê Gestor da Internet no Brasil
(Fighting spam on the Internet in Brazil: history and reflections on the fight against spam and the management of port 25, coordinated by the Brazilian Internet Steering Committee)
ISBN 978-85-60062-96-6

This work was published under the terms of the Creative Commons Attribution 4.0 International license.

http://cgi.br/publicacao/combate-ao-spam-na-internet-no-brasil-historico-e-reflexoes-sobre-o-combate-ao-spam-e-a-gerencia-da-porta-25-coordenados-pelo-comite-gestor-da-internet-no-brasil/

Happy reading!
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
E-mail: security em unicamp.br
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or +55 19 3521-2290
INOC-DBA-BR: 1251*830

From security em unicamp.br Mon Oct 26 16:30:36 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 26 Oct 2015 16:30:36 -0200
Subject: [SECURITY-L] [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp]
Message-ID: <20151026183036.GF9247@unicamp.br>

----- Forwarded message from FreeBSD Security Advisories -----

Date: Mon, 26 Oct 2015 12:36:02 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-15:25.ntp

=============================================================================
FreeBSD-SA-15:25.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities of ntp

Category:       contrib
Module:         ntp
Announced:      2015-10-26
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2015-10-26 11:35:40 UTC (stable/10, 10.2-STABLE)
                2015-10-26 11:36:55 UTC (releng/10.2, 10.2-RELEASE-p6)
                2015-10-26 11:37:31 UTC (releng/10.1, 10.1-RELEASE-p23)
                2015-10-26 11:36:40 UTC (stable/9, 9.3-STABLE)
                2015-10-26 11:42:25 UTC (releng/9.3, 9.3-RELEASE-p29)
CVE Name:       CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,
                CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851,
                CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855,
                CVE-2015-7871

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source.

II.  Problem Description

Crypto-NAK packets can be used to cause ntpd(8) to accept time from an unauthenticated ephemeral symmetric peer by bypassing the authentication required to mobilize peer associations. [CVE-2015-7871] FreeBSD 9.3 and 10.1 are not affected.

If ntpd(8) is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition. [CVE-2015-7855]

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd(8) that may cause it to crash, with the hypothetical possibility of a small code injection. [CVE-2015-7854]

A negative value for the datalen parameter will overflow a data buffer. NTF's ntpd(8) driver implementations always set this value to 0 and are therefore not vulnerable to this weakness. If you are running a custom refclock driver in ntpd(8) and that driver supplies a negative value for datalen (no custom driver of even minimal competence would do this) then ntpd would overflow a data buffer. It is even hypothetically possible in this case that instead of simply crashing ntpd the attacker could effect a code injection attack. [CVE-2015-7853]

If an attacker can figure out the precise moment that ntpq(8) is listening for data and the port number it is listening on, or if the attacker can provide a malicious instance of ntpd(8) that victims will connect to, then an attacker can send a set of crafted mode 6 response packets that, if received by ntpq(8), can cause ntpq(8) to crash. [CVE-2015-7852]

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause ntpd(8) to overwrite files. [CVE-2015-7851] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd(8) was configured to disable authentication, then an attacker can send a set of packets to ntpd that will cause it to crash and/or create a potentially huge log file. Specifically, the attacker could enable extended logging, point the key file at the log file, and cause what amounts to an infinite loop. [CVE-2015-7850] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to allow remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password or if ntpd was configured to disable authentication, then an attacker can send a set of packets to ntpd that may cause a crash or theoretically perform a code injection attack. [CVE-2015-7849] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

If ntpd(8) is configured to enable mode 7 packets, and if the use of mode 7 packets is not properly protected through the use of the available mode 7 authentication and restriction mechanisms, and if the (possibly spoofed) source IP address is allowed to send mode 7 queries, then an attacker can send a crafted packet to ntpd that will cause it to crash. [CVE-2015-7848] The default configuration of ntpd(8) within FreeBSD does not allow mode 7 packets.

If ntpd(8) is configured to use autokey, then an attacker can send packets to ntpd that will, after several days of ongoing attack, cause it to run out of memory. [CVE-2015-7701] The default configuration of ntpd(8) within FreeBSD does not use autokey.

If ntpd(8) is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it's possible for an attacker to use the "pidfile" or "driftfile" directives to potentially overwrite other files. [CVE-2015-5196] The default configuration of ntpd(8) within FreeBSD does not allow remote configuration.

An ntpd(8) client that honors Kiss-of-Death responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. [CVE-2015-7704]

The fix for CVE-2014-9750 was incomplete in that there were certain code paths where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. [CVE-2015-7702] The default configuration of ntpd(8) within FreeBSD does not use autokey.

III. Impact

An attacker who can send NTP packets to an ntpd(8) that uses cryptographic authentication of NTP data may be able to inject malicious time data, causing the system clock to be set incorrectly. [CVE-2015-7871]

An attacker who can send NTP packets to ntpd(8) can block the daemon's communication with time servers, leaving the system clock unsynchronized. [CVE-2015-7704]

An attacker who can send NTP packets to ntpd(8) can remotely crash the daemon by sending malicious data packets. [CVE-2015-7855] [CVE-2015-7854] [CVE-2015-7853] [CVE-2015-7852] [CVE-2015-7849] [CVE-2015-7848]

An attacker who can send NTP packets to ntpd(8) can remotely trigger the daemon to overwrite its configuration files. [CVE-2015-7851] [CVE-2015-5196]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not affected.

Network administrators are advised to implement BCP-38, which helps to reduce the risk associated with these attacks.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The ntpd service has to be restarted after the update. A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The ntpd service has to be restarted after the update. A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.bz2
# bunzip2 ntp-102.patch.bz2
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-102.patch.asc
# gpg --verify ntp-102.patch.asc

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.bz2
# bunzip2 ntp-101.patch.bz2
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-101.patch.asc
# gpg --verify ntp-101.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.bz2
# bunzip2 ntp-93.patch.bz2
# fetch https://security.FreeBSD.org/patches/SA-15:25/ntp-93.patch.asc
# gpg --verify ntp-93.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# find contrib/ntp -type f -empty -delete

c) Recompile the operating system using buildworld and installworld as described in https://www.FreeBSD.org/handbook/makeworld.html.

d) For 9.3-RELEASE and 10.1-RELEASE an update to /etc/ntp.conf is recommended, which can be done with help of the mergemaster(8) tool on 9.3-RELEASE and with help of the etcupdate(8) tool on 10.1-RELEASE.

Restart the ntpd(8) daemon, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                    Revision
-------------------------------------------------------------------------
stable/9/                                                         r289998
releng/9.3/                                                       r290001
stable/10/                                                        r289997
releng/10.1/                                                      r290000
releng/10.2/                                                      r289999
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871

The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-15:25.ntp.asc

_______________________________________________
freebsd-security-notifications em freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe em freebsd.org"

----- End forwarded message -----

From security em unicamp.br Thu Oct 29 09:41:14 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 29 Oct 2015 09:41:14 -0200
Subject: [SECURITY-L] [fw@deneb.enyo.de: [SECURITY] [DSA 3380-1] php5 security update]
Message-ID: <20151029114114.GM9247@unicamp.br>

----- Forwarded message from Florian Weimer -----

Date: Tue, 27 Oct 2015 19:43:43 +0100
From: Florian Weimer
To: debian-security-announce em lists.debian.org
Subject: [SECURITY] [DSA 3380-1] php5 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3380-1                   security em debian.org
https://www.debian.org/security/                          Florian Weimer
October 27, 2015                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php5
CVE ID         : CVE-2015-7803 CVE-2015-7804

Two vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.

CVE-2015-7803

    The phar extension could crash with a NULL pointer dereference when processing tar archives containing links referring to non-existing files. This could lead to a denial of service.

CVE-2015-7804

    The phar extension does not correctly process directory entries found in archive files with the name "/", leading to a denial of service and, potentially, information disclosure.

The update for Debian stable (jessie) contains additional bug fixes from PHP upstream version 5.6.14, as described in the upstream changelog:

https://php.net/ChangeLog-5.php#5.6.13

Note to users of the oldstable distribution (wheezy): PHP 5.4 has reached end-of-life on September 14th, 2015. As a result, there will be no more new upstream releases. The security support of PHP 5.4 in Debian oldstable (wheezy) will be best effort only, and you are strongly advised to upgrade to the latest Debian stable release (jessie), which includes PHP 5.6.

For the oldstable distribution (wheezy), these problems have been fixed in version 5.4.45-0+deb7u2.

For the stable distribution (jessie), these problems have been fixed in version 5.6.14+dfsg-0+deb8u1.

For the testing distribution (stretch) and the unstable distribution (sid), these problems have been fixed in version 5.6.14+dfsg-1.

We recommend that you upgrade your php5 packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce em lists.debian.org

----- End forwarded message -----

From security em unicamp.br Thu Oct 29 10:17:15 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 29 Oct 2015 10:17:15 -0200
Subject: [SECURITY-L] [thijs@debian.org: [SECURITY] [DSA 3382-1] phpmyadmin security update]
Message-ID: <20151029121715.GP9247@unicamp.br>

----- Forwarded message from Thijs Kinkhorst -----

Date: Wed, 28 Oct 2015 20:52:25 +0100 (CET)
From: Thijs Kinkhorst
To: debian-security-announce em lists.debian.org
Subject: [SECURITY] [DSA 3382-1] phpmyadmin security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3382-1                   security em debian.org
https://www.debian.org/security/                         Thijs Kinkhorst
October 28, 2015                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : phpmyadmin
CVE ID         : CVE-2014-8958 CVE-2014-9218 CVE-2015-2206 CVE-2015-3902
                 CVE-2015-3903 CVE-2015-6830 CVE-2015-7873
Debian Bug     : 774194

Several issues have been fixed in phpMyAdmin, the web administration tool for MySQL.

CVE-2014-8958 (Wheezy only)

    Multiple cross-site scripting (XSS) vulnerabilities.

CVE-2014-9218 (Wheezy only)

    Denial of service (resource consumption) via a long password.

CVE-2015-2206

    Risk of BREACH attack due to reflected parameter.

CVE-2015-3902

    XSRF/CSRF vulnerability in phpMyAdmin setup.

CVE-2015-3903 (Jessie only)

    Vulnerability allowing man-in-the-middle attack on API call to GitHub.

CVE-2015-6830 (Jessie only)

    Vulnerability that allows bypassing the reCaptcha test.

CVE-2015-7873 (Jessie only)

    Content spoofing vulnerability when redirecting user to an external site.

For the oldstable distribution (wheezy), these problems have been fixed in version 4:3.4.11.1-2+deb7u2.
For the stable distribution (jessie), these problems have been fixed in version 4:4.2.12-2+deb8u1.

For the unstable distribution (sid), these problems have been fixed in version 4:4.5.1-1.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce em lists.debian.org

----- End forwarded message -----

From security em unicamp.br Fri Oct 30 13:21:50 2015
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 30 Oct 2015 13:21:50 -0200
Subject: [SECURITY-L] [carnil@debian.org: [SECURITY] [DSA 3383-1] wordpress security update]
Message-ID: <20151030152150.GA10849@unicamp.br>

----- Forwarded message from Salvatore Bonaccorso -----

Date: Thu, 29 Oct 2015 20:02:31 +0000
From: Salvatore Bonaccorso
To: debian-security-announce em lists.debian.org
Subject: [SECURITY] [DSA 3383-1] wordpress security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3383-1                   security em debian.org
https://www.debian.org/security/                    Salvatore Bonaccorso
October 29, 2015                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2015-2213 CVE-2015-5622 CVE-2015-5714 CVE-2015-5715
                 CVE-2015-5731 CVE-2015-5732 CVE-2015-5734 CVE-2015-7989
Debian Bug     : 794560 799140

Several vulnerabilities were discovered in Wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2015-2213

    SQL Injection allowed a remote attacker to compromise the site.

CVE-2015-5622

    The robustness of the shortcodes HTML tags filter has been improved. The parsing is a bit more strict, which may affect your installation.

CVE-2015-5714

    A cross-site scripting vulnerability when processing shortcode tags.
CVE-2015-5715

    A vulnerability has been discovered, allowing users without proper permissions to publish private posts and make them sticky.

CVE-2015-5731

    An attacker could lock a post that was being edited.

CVE-2015-5732

    Cross-site scripting in a widget title allows an attacker to steal sensitive information.

CVE-2015-5734

    Fix some broken links in the legacy theme preview.

CVE-2015-7989

    A cross-site scripting vulnerability in user list tables.

For the oldstable distribution (wheezy), these problems have been fixed in version 3.6.1+dfsg-1~deb7u8.

For the stable distribution (jessie), these problems have been fixed in version 4.1+dfsg-1+deb8u5 or earlier in DSA-3332-1 and DSA-3375-1.

For the testing distribution (stretch), these problems have been fixed in version 4.3.1+dfsg-1 or earlier versions.

For the unstable distribution (sid), these problems have been fixed in version 4.3.1+dfsg-1 or earlier versions.

We recommend that you upgrade your wordpress packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce em lists.debian.org

----- End forwarded message -----