From security em unicamp.br Fri Aug 12 06:58:03 2016 From: security em unicamp.br (CSIRT Unicamp) Date: Fri, 12 Aug 2016 06:58:03 -0300 Subject: [SECURITY-L] Fwd: CAIS-Alerta: Resumo dos Boletins de SeguranXXa da Microsoft Agosto 2016 In-Reply-To: <20160811194538.49E211C0432@cais.rnp.br> References: <20160811194538.49E211C0432@cais.rnp.br> Message-ID: <57AD9DAB.5030602@unicamp.br> -------- Mensagem encaminhada -------- Assunto: CAIS-Alerta: Resumo dos Boletins de SeguranXXa da Microsoft Agosto 2016 Data: Thu, 11 Aug 2016 16:45:38 -0300 (BRT) De: CAIS/RNP Alerta Para: rnp-alerta em cais.rnp.br CAIS-Alerta: Resumo dos Boletins de Segurança da Microsoft - Agosto/2016 A Microsoft publicou 9 boletins de segurança em 9 de agosto de 2016 que abordam ao todo 34 vulnerabilidades em produtos da empresa. As explorações destas vulnerabilidades permitem execução remota de código, elevação de privilégio, divulgação não autorizada de informações e bypass do recurso de segurança. Até o momento da publicação deste alerta não foram divulgados códigos de exploração para as vulnerabilidades listadas. Severidade Crítica * MS16-095 - Atualização de segurança cumulativa para o Internet Explorer * MS16-096 - Atualização de segurança cumulativa do Microsoft Edge * MS16-097 - Atualização de segurança para o componente gráfico da Microsoft * MS16-099 - Atualização de segurança para o Microsoft Office * MS16-102 - Atualização de segurança para a biblioteca de PDFs do Microsoft Windows Importante * MS16-098 - Atualização de segurança para drivers do modo Kernel do Windows * MS16-100 - Atualização de segurança para a Inicialização Segura * MS16-101 - Atualização de segurança para métodos de autenticação do Windows * MS16-103 - Atualização de segurança para ActiveSyncProvider Moderada Nenhum boletim Baixa Nenhum boletim O sistema de classificação de severidade das vulnerabilidades adotado pelo CAIS é o da própria Microsoft. O CAIS recomenda que se apliquem as correções para vulnerabilidades classificadas como crítica e importante. No caso de correções para vulnerabilidades classificadas como moderadas o CAIS recomenda que ao menos as recomendações de mitigação sejam seguidas. * Crítica - Vulnerabilidades cuja exploração possa permitir a propagação de um worm sem a necessidade de interação com o usuário. * Importante - Vulnerabilidades cuja exploração possa resultar no comprometimento de confidencialidade, integridade ou disponibilidade de dados de usuários ou a integridade ou disponibilidade de recursos de processamento. * Moderada - exploração é mitigada significativamente por fatores como configuração padrão, auditoria ou dificuldade de exploração. * Baixa - uma vulnerabilidade cuja exploração seja extremamente difícil ou cujo impacto seja mínimo. Correções disponíveis Recomenda-se atualizar os sistemas para as versões disponíveis em: Microsoft Update https://www.update.microsoft.com/microsoftupdate Microsoft Download Center http://www.microsoft.com/en-us/download/default.aspx Mais informações Resumo do Boletim de Segurança da Microsoft de agosto de 2016 https://technet.microsoft.com/pt-br/library/security/ms16-aug.aspx Microsoft TechCenter de Segurança https://technet.microsoft.com/pt-br/security Microsoft Security Response Center - MSRC https://technet.microsoft.com/pt-br/security/dn440717 Microsoft Security Research & Defense - MSRD http://blogs.technet.com/b/srd/ Central de Proteção e Segurança Microsoft https://www.microsoft.com/pt-br/security/default.aspx Identificador CVE (http://cve.mitre.org): CVE-2016-3288, CVE-2016-3327, CVE-2016-3326, CVE-2016-3309, CVE-2016-3318, CVE-2016-3289, CVE-2016-3329, CVE-2016-3327, CVE-2016-3310, CVE-2016-3320, CVE-2016-3290, CVE-2016-3289, CVE-2016-3329, CVE-2016-3311, CVE-2016-3237, CVE-2016-3293, CVE-2016-3293, CVE-2016-3301, CVE-2016-3313, CVE-2016-3300, CVE-2016-3321, CVE-2016-3296, CVE-2016-3303, CVE-2016-3315, CVE-2016-3319, CVE-2016-3322, CVE-2016-3319, CVE-2016-3304, CVE-2016-3316, CVE-2016-3312, CVE-2016-3326, CVE-2016-3322, CVE-2016-3308, CVE-2016-3317. O CAIS recomenda que os administradores mantenham seus sistemas e aplicativos sempre atualizados, de acordo com as últimas versões e correções oferecidas pelos fabricantes. Os alertas do CAIS também são oferecidos no Twitter: Siga @caisrnp Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.rnp.br/servicos/seguranca # # Tel. 019-37873300 Fax. 019-37873301 # # Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key # ################################################################ From security em unicamp.br Mon Aug 22 16:14:57 2016 From: security em unicamp.br (CSIRT - UNICAMP) Date: Mon, 22 Aug 2016 16:14:57 -0300 Subject: [SECURITY-L] [bugzilla@redhat.com: [RHSA-2016:1650-01] Important: Red Hat JBoss Web Server 2.1.1 security update] Message-ID: <20160822191457.GW14405@unicamp.br> ----- Forwarded message from bugzilla em redhat.com ----- Date: Mon, 22 Aug 2016 14:09:05 -0400 From: bugzilla em redhat.com To: rhsa-announce em redhat.com, jboss-watch-list em redhat.com Subject: [RHSA-2016:1650-01] Important: Red Hat JBoss Web Server 2.1.1 security update ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 2.1.1 security update Advisory ID: RHSA-2016:1650-01 Product: Red Hat JBoss Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-1650.html Issue date: 2016-08-22 CVE Names: CVE-2014-3570 CVE-2015-0204 CVE-2016-2105 CVE-2016-2106 CVE-2016-3110 CVE-2016-5387 ===================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.1.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.1 Release Notes, linked to in the References section, for information on the most significant of these changes. Security Fix(es): * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387) * It was discovered that OpenSSL would accept ephemeral RSA keys when using non-export RSA cipher suites. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method. (CVE-2015-0204) * An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105) * An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106) * It was discovered that it is possible to remotely Segfault Apache http server with a specially crafted string sent to the mod_cluster via service messages (MCMP). (CVE-2016-3110) * It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it. (CVE-2014-3570) Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110. Upstream acknowledges Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106. 3. Solution: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). The References section of this erratum contains a download link (you must log in to download the update). Refer to the Red Hat JBoss Enterprise Web Server 2.1.1 Release Notes for a list of non security related fixes. 4. Bugs fixed (https://bugzilla.redhat.com/): 1180184 - CVE-2015-0204 openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK) 1180240 - CVE-2014-3570 openssl: Bignum squaring may produce incorrect results 1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server 1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow 1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow 1337151 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow [jbews-2.1.0] 1337155 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0] 1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header 1358118 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0] 5. References: https://access.redhat.com/security/cve/CVE-2014-3570 https://access.redhat.com/security/cve/CVE-2015-0204 https://access.redhat.com/security/cve/CVE-2016-2105 https://access.redhat.com/security/cve/CVE-2016-2106 https://access.redhat.com/security/cve/CVE-2016-3110 https://access.redhat.com/security/cve/CVE-2016-5387 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=distributions&version=2.1.1 https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/2.1/html/2.1.1_Release_Notes/index.html https://access.redhat.com/site/documentation/ https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Web_Server/2/html-single/Installation_Guide/index.html https://access.redhat.com/security/vulnerabilities/httpoxy 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2016 Red Hat, Inc. -- RHSA-announce mailing list RHSA-announce em redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce ----- End forwarded message -----