From security em unicamp.br Mon Feb 1 09:22:19 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 1 Feb 2016 09:22:19 -0200
Subject: [SECURITY-L] [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-16:11.openssl]
Message-ID: <20160201112219.GE4112@unicamp.br>

----- Forwarded message from FreeBSD Security Advisories -----

Date: Sat, 30 Jan 2016 06:38:36 +0000 (UTC)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-16:11.openssl

=============================================================================
FreeBSD-SA-16:11.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL SSLv2 ciphersuite downgrade vulnerability

Category:       contrib
Module:         openssl
Announced:      2016-01-30
Affects:        All supported versions of FreeBSD.
Corrected:      2016-01-28 21:42:10 UTC (stable/10, 10.2-STABLE)
                2016-01-30 06:12:03 UTC (releng/10.2, 10.2-RELEASE-p12)
                2016-01-30 06:12:03 UTC (releng/10.1, 10.1-RELEASE-p29)
                2016-01-30 06:09:38 UTC (stable/9, 9.3-STABLE)
                2016-01-30 06:12:03 UTC (releng/9.3, 9.3-RELEASE-p36)
CVE Name:       CVE-2015-3197

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been
disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.

III. Impact

An active MITM attacker may be able to force a protocol downgrade to SSLv2,
which is a flawed protocol, and intercept the communication between client
and server.

IV.  Workaround

No workaround is available, but only applications that do not explicitly
disable SSLv2 are affected.

To determine if a server has SSLv2 enabled, a system administrator can use
the following command:

	% openssl s_client -ssl2 -connect <host>:<port> 2>&1 | grep DONE

which will print "DONE" if and only if SSLv2 is enabled.  Note that this
check will not work for services that use STARTTLS or DTLS.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons using the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.2.patch
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.2.patch.asc
# gpg --verify openssl-10.2.patch.asc

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-10.1.patch.asc
# gpg --verify openssl-10.1.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-9.3.patch
# fetch https://security.FreeBSD.org/patches/SA-16:11/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons using the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r295060
releng/9.3/                                                       r295061
stable/10/                                                        r295016
releng/10.1/                                                      r295061
releng/10.2/                                                      r295061
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

_______________________________________________
freebsd-security-notifications em freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe em freebsd.org"

----- End forwarded message -----

From security em unicamp.br Wed Feb 3 08:35:20 2016
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 3 Feb 2016 08:35:20 -0200
Subject: [SECURITY-L] WordPress 4.4.2 Security and Maintenance Release
Message-ID: <56B1D7E8.8020403@unicamp.br>

WordPress 4.4.2 is now available. This is a security release for all previous
versions and we strongly encourage you to update your sites *immediately*.

WordPress versions 4.4.1 and earlier are affected by two security issues: a
possible SSRF for certain local URIs, reported by Ronni Skansing; and an open
redirection attack, reported by Shailesh Suthar. Thank you to both reporters
for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from
4.4 and 4.4.1. For more information, see the release notes or consult the
list of changes:

https://codex.wordpress.org/Version_4.4.2
https://core.trac.wordpress.org/query?milestone=4.4.2

Download WordPress 4.4.2 or venture over to Dashboard -> Updates and simply
click "Update Now." Sites that support automatic background updates are
already beginning to update to WordPress 4.4.2.

Refer: https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830

From security em unicamp.br Wed Feb 3 14:27:16 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 3 Feb 2016 14:27:16 -0200
Subject: [SECURITY-L] [bugzilla@redhat.com: [RHSA-2016:0118-01] Critical: Red Hat JBoss Operations Network 3.3.5 update]
Message-ID: <20160203162716.GF3390@unicamp.br>

----- Forwarded message from bugzilla em redhat.com -----

Date: Wed, 3 Feb 2016 10:04:33 -0500
From: bugzilla em redhat.com
To: rhsa-announce em redhat.com, jboss-watch-list em redhat.com
Subject: [RHSA-2016:0118-01] Critical: Red Hat JBoss Operations Network 3.3.5 update

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Operations Network 3.3.5 update
Advisory ID:       RHSA-2016:0118-01
Product:           Red Hat JBoss Operations Network
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0118.html
Issue date:        2016-02-03
CVE Names:         CVE-2015-3253 CVE-2015-7501
=====================================================================

1. Summary:

Red Hat JBoss Operations Network 3.3 update 5, which fixes two security
issues and several bugs, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Description:

Red Hat JBoss Operations Network is a Middleware management solution that
provides a single point of control to deploy, manage, and monitor JBoss
Enterprise Middleware, applications, and services.

This JBoss Operations Network 3.3.5 release serves as a replacement for
JBoss Operations Network 3.3.4, and includes several bug fixes. Refer to the
Customer Portal page linked in the References section for information on the
most significant of these changes.

The following security issues are also fixed with this release:

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed chain
of classes. A remote attacker could use this flaw to execute arbitrary code
with the permissions of the application using the commons-collections
library. (CVE-2015-7501)

A flaw was discovered in the way applications using Groovy used the standard
Java serialization mechanism. A remote attacker could use a specially
crafted serialized object that would execute code directly when
deserialized. All applications which rely on serialization and do not
isolate the code which deserializes objects are subject to this
vulnerability. (CVE-2015-3253)

All users of JBoss Operations Network 3.3.4 as provided from the Red Hat
Customer Portal are advised to upgrade to JBoss Operations Network 3.3.5.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update).

Before applying this update, back up your existing JBoss Operations Network
installation (including its databases, applications, configuration files,
the JBoss Operations Network server's file system directory, and so on).
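The commons-collections and Groovy issues above are two instances of one pattern: a deserializer that resolves whatever class the incoming stream names and then invokes code on it, so any reachable "gadget" class becomes an execution primitive. The advisory's remedy is to isolate what the deserializer may touch. The following is an added illustration of that isolation, not Red Hat or JBoss code: it applies the same allow-list idea to Python's pickle, whose find_class hook is the documented place to decide which globals a stream may reference. The allow-list contents, the sample payloads and the harmless stand-in callable (os.getcwd) are constructed for the example.

```python
import io
import os
import pickle
from collections import OrderedDict

# Allow-list of (module, name) pairs the deserializer may resolve.
# Constructed for this example; a real service lists exactly the types its
# wire format needs and nothing else.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class UnsafeGlobalError(pickle.UnpicklingError):
    """Raised when a stream references a global outside the allow-list."""


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not explicitly allowed.

    pickle's GLOBAL/STACK_GLOBAL opcodes resolve arbitrary importable names and
    REDUCE then calls them, which is the Python analogue of the Java gadget
    chains the advisory describes. find_class is the documented hook for
    deciding what a stream may reference, so the check lives here.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise UnsafeGlobalError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize with the allow-list enforced; raises on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ('ok', value) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:  # UnsafeGlobalError subclasses it
        return ("rejected", str(exc))


# --- constructed sample streams -------------------------------------------

# Plain containers are rebuilt from opcodes alone and need no global lookup.
BENIGN = pickle.dumps({"host": "jon-server", "port": 7080})

# OrderedDict is rebuilt through a global reference, which the allow-list permits.
ORDERED = pickle.dumps(OrderedDict([("agent", "rhq-agent"), ("state", "up")]))


class _ReduceToCallable:
    """Its pickled form says 'call os.getcwd() on load'; getcwd is a harmless
    stand-in for the arbitrary callable a real gadget chain would reach."""

    def __reduce__(self):
        return (os.getcwd, ())


HOSTILE = pickle.dumps(_ReduceToCallable())


if __name__ == "__main__":
    for label, blob in ("benign", BENIGN), ("ordered", ORDERED), ("hostile", HOSTILE):
        print(label, try_load(blob))
```

The point the example makes is that the decision happens before any constructor runs: the hostile stream is rejected at name resolution, never at call time. Java's equivalent mechanism is the ObjectInputFilter introduced by JEP 290 (Java 9, backported to 8u121), which likewise vets class names before ObjectInputStream instantiates anything.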
Refer to the JBoss Operations Network 3.3.5 Release Notes for installation
information.

4. Bugs fixed (https://bugzilla.redhat.com/):

1158947 - Operations, configuration, monitoring are broken on rhq.ear/rhq-core-domain-ejb3.jar#rhqpu resource
1187680 - Error recalculating DynaGroups due to ResourceGroupAlreadyExistsException continues to be reported every 11 minutes
1203799 - Ant Contrib tasks not recognized in Bundle Deployer Tool
1206084 - Resource group cannot be deleted if more then one bundle version is deployed on it
1231199 - Upgrade on windows failed with "Could not verify that the node is up and running"
1234991 - Expose replication factor as a read-only value on the storage node topology cluster settings page
1243934 - CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure
1255196 - Event data purge job results in OutOfMemoryError when there are over 10 million events to be purged
1261907 - Metric chart in JON UI is not redrawn after it is first open
1269420 - Uninformative SQL error on insert on RHQ_CONFIG_DEF table when agent plug-in has a property name defined that exceeds 100 characters in length
1277389 - Default values for secure-socket-protocol parameters in rhq-server.properties and standalone-full.xml need updated to a valid protocol
1278215 - cassandra-jvm.properties.new includes Windows specific carriage return character "^M"
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
1293350 - Data Calc Job fails to complete when JBoss ON Server is set to DEBUG mode
1293368 - Some MeasurementData may not be processed by alerting

5. References:

https://access.redhat.com/security/cve/CVE-2015-3253
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce em redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

----- End forwarded message -----

From security em unicamp.br Thu Feb 11 08:59:41 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 11 Feb 2016 08:59:41 -0200
Subject: [SECURITY-L] [USN-2892-1] nginx vulnerabilities
Message-ID: <20160211105941.GD2260@unicamp.br>

----- Forwarded message from Marc Deslauriers -----

Date: Tue, 9 Feb 2016 13:26:04 -0500
From: Marc Deslauriers
To: ubuntu-security-announce em lists.ubuntu.com
Subject: [USN-2892-1] nginx vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2892-1
February 09, 2016

nginx vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in nginx.

Software Description:
- nginx: small, powerful, scalable web/proxy server

Details:

It was discovered that nginx incorrectly handled certain DNS server
responses when the resolver is enabled. A remote attacker could possibly use
this issue to cause nginx to crash, resulting in a denial of service.
(CVE-2016-0742)

It was discovered that nginx incorrectly handled CNAME response processing
when the resolver is enabled. A remote attacker could use this issue to
cause nginx to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2016-0746)

It was discovered that nginx incorrectly handled CNAME resolution when the
resolver is enabled. A remote attacker could possibly use this issue to
cause nginx to consume resources, resulting in a denial of service.
(CVE-2016-0747)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.10:
  nginx-core                      1.9.3-1ubuntu1.1
  nginx-extras                    1.9.3-1ubuntu1.1
  nginx-full                      1.9.3-1ubuntu1.1
  nginx-light                     1.9.3-1ubuntu1.1

Ubuntu 14.04 LTS:
  nginx-core                      1.4.6-1ubuntu3.4
  nginx-extras                    1.4.6-1ubuntu3.4
  nginx-full                      1.4.6-1ubuntu3.4
  nginx-light                     1.4.6-1ubuntu3.4
  nginx-naxsi                     1.4.6-1ubuntu3.4

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2892-1
  CVE-2016-0742, CVE-2016-0746, CVE-2016-0747

Package Information:
  https://launchpad.net/ubuntu/+source/nginx/1.9.3-1ubuntu1.1
  https://launchpad.net/ubuntu/+source/nginx/1.4.6-1ubuntu3.4

--

----- End forwarded message -----

From security em unicamp.br Fri Feb 12 14:28:04 2016
From: security em unicamp.br (CSIRT Unicamp)
Date: Fri, 12 Feb 2016 14:28:04 -0200
Subject: [SECURITY-L] CAIS-Alerta: Summary of Microsoft Security Bulletins, February 2016
In-Reply-To: <20160212162024.BD9E81C008E@cais.rnp.br>
References: <20160212162024.BD9E81C008E@cais.rnp.br>
Message-ID: <56BE0814.7020608@unicamp.br>

-------- Forwarded message --------
Subject: CAIS-Alerta: Summary of Microsoft Security Bulletins, February 2016
Date: Fri, 12 Feb 2016 14:20:24 -0200 (BRST)
From: CAIS/RNP Alerta
To: rnp-alerta em cais.rnp.br

Dear all,

Microsoft published 13 security bulletins on 9 February 2016 addressing a
total of 36 vulnerabilities in the company's products. Exploitation of these
vulnerabilities allows remote code execution, elevation of privilege and
denial of service. As of the publication of this alert, no exploit code had
been released for the listed vulnerabilities.

Critical severity

. MS16-009 - Cumulative Security Update for Internet Explorer
. MS16-011 - Cumulative Security Update for Microsoft Edge
. MS16-012 - Security Update for Microsoft Windows PDF Library to Address Remote Code Execution
. MS16-013 - Security Update for Windows Journal to Address Remote Code Execution
. MS16-015 - Security Update for Microsoft Office to Address Remote Code Execution
. MS16-022 - Security Update for Adobe Flash Player

Important

. MS16-014 - Security Update for Microsoft Windows to Address Remote Code Execution
. MS16-016 - Security Update for WebDAV to Address Elevation of Privilege
. MS16-017 - Security Update for Remote Desktop Display Driver to Address Elevation of Privilege
. MS16-018 - Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege
. MS16-019 - Security Update for .NET Framework to Address Denial of Service
. MS16-020 - Security Update for Active Directory Federation Services to Address Denial of Service
. MS16-021 - Security Update for NPS RADIUS Server to Address Denial of Service

Moderate

No bulletins

Low

No bulletins

The vulnerability severity rating system adopted by CAIS is Microsoft's own.
CAIS recommends applying the fixes for vulnerabilities rated critical and
important. For fixes for vulnerabilities rated moderate, CAIS recommends that
at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow the propagation
  of a worm without user interaction.
. Important - Vulnerabilities whose exploitation could result in compromise
  of the confidentiality, integrity or availability of user data, or of the
  integrity or availability of processing resources.
. Moderate - Exploitation is significantly mitigated by factors such as
  default configuration, auditing or difficulty of exploitation.
. Low - A vulnerability whose exploitation is extremely difficult or whose
  impact is minimal.

Available fixes

It is recommended to update systems to the versions available at:

Microsoft Update
https://www.update.microsoft.com/microsoftupdate

Microsoft Download Center
http://www.microsoft.com/en-us/download/default.aspx

More information

Microsoft Security Bulletin Summary for February 2016
https://technet.microsoft.com/pt-br/library/security/ms16-feb.aspx

Microsoft Security TechCenter
https://technet.microsoft.com/pt-br/security

Microsoft Security Response Center - MSRC
https://technet.microsoft.com/pt-br/security/dn440717

Microsoft Security Research & Defense - MSRD
http://blogs.technet.com/b/srd/

Microsoft Safety & Security Center
https://www.microsoft.com/pt-br/security/default.aspx

CVE identifiers (http://cve.mitre.org):

CVE-2016-0022, CVE-2016-0033, CVE-2016-0036, CVE-2016-0037
CVE-2016-0038, CVE-2016-0039, CVE-2016-0040, CVE-2016-0041
CVE-2016-0042, CVE-2016-0044, CVE-2016-0046, CVE-2016-0047
CVE-2016-0048, CVE-2016-0049, CVE-2016-0050, CVE-2016-0051
CVE-2016-0052, CVE-2016-0053, CVE-2016-0054, CVE-2016-0055
CVE-2016-0056, CVE-2016-0058, CVE-2016-0059, CVE-2016-0060
CVE-2016-0061, CVE-2016-0062, CVE-2016-0063, CVE-2016-0064
CVE-2016-0067, CVE-2016-0068, CVE-2016-0069, CVE-2016-0071
CVE-2016-0072, CVE-2016-0077, CVE-2016-0080, CVE-2016-0084

CAIS recommends that administrators keep their systems and applications up
to date with the latest versions and fixes offered by vendors.

CAIS alerts are also available on Twitter: follow @caisrnp

Regards,
CAIS/RNP

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br  http://www.rnp.br/servicos/seguranca    #
# Tel. 019-37873300  Fax. 019-37873301                         #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

From security em unicamp.br Fri Feb 12 14:48:33 2016
From: security em unicamp.br (CSIRT Unicamp)
Date: Fri, 12 Feb 2016 14:48:33 -0200
Subject: [SECURITY-L] Fwd: CAIS-Alerta: End of Daylight Saving Time 2015-2016
In-Reply-To: <20160212163256.CDDA11C0112@cais.rnp.br>
References: <20160212163256.CDDA11C0112@cais.rnp.br>
Message-ID: <56BE0CE1.6000006@unicamp.br>

-------- Forwarded message --------
Subject: CAIS-Alerta: End of Daylight Saving Time 2015-2016
Date: Fri, 12 Feb 2016 14:32:56 -0200 (BRST)
From: CAIS/RNP Alerta
To: rnp-alerta em cais.rnp.br

Dear all,

CAIS informs that Daylight Saving Time 2015/2016, which began at midnight
(00:00) on 18 October 2015, ends at midnight (00:00) on 21 February 2016.

Decree no. 6.558 of 8 September 2008 set fixed start and end dates for the
Daylight Saving Time period. It always starts at midnight on the third
Sunday of October and always ends at midnight on the third Sunday of
February of the following year. If the third Sunday of February is Carnival
Sunday, the end is automatically moved to midnight on the following Sunday.

On Sunday 21 February, clocks must be set back 1 hour in the states of the
Southeast, South and Center-West regions that observe Daylight Saving Time.
They are:

. São Paulo
. Rio de Janeiro
. Espírito Santo
. Minas Gerais
. Paraná
. Santa Catarina
. Rio Grande do Sul
. Goiás
. Mato Grosso
. Mato Grosso do Sul
. Distrito Federal

Note that, when handling a security incident, the accuracy of system clocks
is fundamental to keeping logs consistent, and is indispensable in
investigations and in identifying those responsible. Remember also that logs
recorded after the end of the Daylight Saving Time period must use the
UTC-0300 (GMT-3) timezone.

More information

. Decree no. 6.558 of 8 September 2008 - Establishes daylight saving time in
  part of the national territory
  http://www.planalto.gov.br/ccivil_03/_ato2007-2010/2008/decreto/d6558.htm

. ANEEL - Technical Information - Daylight Saving Time
  http://www.aneel.gov.br/area.cfm?id_area=65

. Brazilian Legal Time
  http://www.horalegalbrasil.mct.on.br

Configuration changes required for Daylight Saving Time 2015/2016

Daylight saving time is tied to the timezone configured on the system.
Changing the timezone changes the system parameter that determines the
difference in hours between absolute time (UTC / GMT 0) and local time. If
the system clock (absolute time) reads 16:00:00 UTC, as adjusted by NTP:

. For the Brasília timezone (UTC-3), the time shown to the user will be
  13:00, i.e. UTC-3 (local time)
. For the Paris timezone (France, UTC+1), the time shown to the user will
  be 17:00, i.e. UTC+1 (local time)
. During the Daylight Saving Time period the Brasília timezone was changed
  to UTC-2, so the time shown to the user was 14:00:00, i.e. UTC-2 (local
  time).

Time synchronization via NTP servers is not affected by the start or end of
daylight saving time. Any time changes on systems during the daylight saving
period are due to the local timezone settings on the system. The reference
time offered by NTP servers does not change.

CAIS recommends that administrators keep their systems and applications up
to date with the latest versions and fixes offered by vendors.
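The decree rule quoted in the alert is enough to compute the DST window for any year it was in force, which is what an incident responder needs when correlating logs that straddle the change. The Python below is an added example, not CAIS code: it implements the third-Sunday rule including the Carnival deferral, derives the window as UTC instants, and rewrites constructed UTC log timestamps into Brasília local time with the correct offset. It goes beyond the alert's single 16:00 UTC illustration by deriving the dates rather than hard-coding them; the log lines are constructed, and the rule is applied only as stated (it says nothing about years in which the decree did not apply).

```python
from datetime import date, datetime, timedelta, timezone

# Added example, not CAIS code. Implements the rule the alert quotes from
# Decree 6.558/2008: DST starts at 00:00 on the third Sunday of October and
# ends at 00:00 on the third Sunday of the following February, postponed one
# week when that Sunday is Carnival Sunday. Brasília is UTC-3 normally and
# UTC-2 while DST is in force.
STANDARD = timezone(timedelta(hours=-3), "-03")
SUMMER = timezone(timedelta(hours=-2), "-02")


def easter_sunday(year: int) -> date:
    """Gregorian Easter by the anonymous (Meeus/Jones/Butcher) algorithm.
    Carnival Sunday is 49 days earlier."""
    a = year % 19
    b, c = divmod(year, 100)
    d, e = divmod(b, 4)
    f = (b + 8) // 25
    g = (b - f + 1) // 3
    h = (19 * a + b - d - g + 15) % 30
    i, k = divmod(c, 4)
    l = (32 + 2 * e + 2 * i - h - k) % 7
    m = (a + 11 * h + 22 * l) // 451
    month, day0 = divmod(h + l - 7 * m + 114, 31)
    return date(year, month, day0 + 1)


def third_sunday(year: int, month: int) -> date:
    """Third Sunday of the given month (weekday(): Monday=0 ... Sunday=6)."""
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(days=14)


def dst_window(start_year: int):
    """(start, end) of the DST period beginning in start_year, as UTC instants.

    00:00 local on the start day is 03:00 UTC (clocks still on UTC-3);
    00:00 local on the end day is 02:00 UTC (clocks still on UTC-2).
    """
    start_day = third_sunday(start_year, 10)
    end_day = third_sunday(start_year + 1, 2)
    carnival_sunday = easter_sunday(start_year + 1) - timedelta(days=49)
    if end_day == carnival_sunday:
        end_day += timedelta(days=7)  # the decree's Carnival deferral
    start = datetime(start_day.year, start_day.month, start_day.day, 3, tzinfo=timezone.utc)
    end = datetime(end_day.year, end_day.month, end_day.day, 2, tzinfo=timezone.utc)
    return start, end


def brasilia_offset(utc_dt: datetime) -> timezone:
    """Offset in force at a given UTC instant (utc_dt must be timezone-aware UTC)."""
    # A January/February instant belongs to the period that started the year before.
    start_year = utc_dt.year if utc_dt.month >= 10 else utc_dt.year - 1
    start, end = dst_window(start_year)
    return SUMMER if start <= utc_dt < end else STANDARD


def normalize_log_line(line: str) -> str:
    """Rewrite a constructed '<ISO UTC stamp> <message>' line in local time with offset."""
    stamp, _, msg = line.partition(" ")
    utc_dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    local = utc_dt.astimezone(brasilia_offset(utc_dt))
    return f"{local.isoformat()} {msg}"


# Constructed sample log: the same UTC hour the alert uses, on the day before
# and the day of the 2016 change.
SAMPLE_LOG = [
    "2016-02-20T16:00:00Z sshd: accepted publickey for admin",
    "2016-02-21T16:00:00Z sshd: accepted publickey for admin",
]

if __name__ == "__main__":
    for year in (2014, 2015):
        print(year, *dst_window(year))
    for line in SAMPLE_LOG:
        print(normalize_log_line(line))
```

Two details matter for log work. Comparisons are done on UTC instants, so the ambiguous local hour around the change never enters the logic; and the 2014/2015 period shows the Carnival clause in action, since the third Sunday of February 2015 (15 February) was Carnival Sunday and the end moved to 22 February. Keeping the offset in the rewritten timestamp, as the alert recommends for post-DST logs, is what lets a later reader recover the UTC instant without knowing the rule.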
CAIS alerts are also available on Twitter: follow @caisrnp

Regards,
CAIS/RNP

From security em unicamp.br Tue Feb 16 14:51:12 2016
From: security em unicamp.br (CSIRT Unicamp)
Date: Tue, 16 Feb 2016 14:51:12 -0200
Subject: [SECURITY-L] Fwd: [RHSA-2016:0175-01] Critical: glibc security and bug fix update
In-Reply-To: <201602161603.u1GG3Oj7017422@int-mx10.intmail.prod.int.phx2.redhat.com>
References: <201602161603.u1GG3Oj7017422@int-mx10.intmail.prod.int.phx2.redhat.com>
Message-ID: <56C35380.5050509@unicamp.br>

-------- Forwarded message --------
Subject: [RHSA-2016:0175-01] Critical: glibc security and bug fix update
Date: Tue, 16 Feb 2016 16:03:24 +0000
From: bugzilla em redhat.com
To: rhsa-announce em redhat.com, enterprise-watch-list em redhat.com

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: glibc security and bug fix update
Advisory ID:       RHSA-2016:0175-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-0175.html
Issue date:        2016-02-16
CVE Names:         CVE-2015-7547
=====================================================================

1. Summary:

Updated glibc packages that fix one security issue and two bugs are now
available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The glibc packages provide the standard C libraries (libc), POSIX thread
libraries (libpthread), standard math libraries (libm), and the Name Server
Caching Daemon (nscd) used by multiple programs on the system. Without these
libraries, the Linux system cannot function correctly.

A stack-based buffer overflow was found in the way the libresolv library
performed dual A/AAAA DNS queries. A remote attacker could create a
specially crafted DNS response which could cause libresolv to crash or,
potentially, execute code with the permissions of the user running the
library. Note: this issue is only exposed when libresolv is called from the
nss_dns NSS service module. (CVE-2015-7547)

This issue was discovered by the Google Security Team and Red Hat.

This update also fixes the following bugs:

* The dynamic loader has been enhanced to allow the loading of more shared
libraries that make use of static thread local storage. While static thread
local storage is the fastest access mechanism it may also prevent the shared
library from being loaded at all since the static storage space is a limited
and shared process-global resource. Applications which would previously fail
with "dlopen: cannot load any more object with static TLS" should now start
up correctly. (BZ#1291270)

* A bug in the POSIX realtime support would cause asynchronous I/O or
certain timer API calls to fail and return errors in the presence of large
thread-local storage data that exceeded PTHREAD_STACK_MIN in size (generally
16 KiB). The bug in librt has been corrected and the impacted APIs no longer
return errors when large thread-local storage data is present in the
application. (BZ#1301625)

All glibc users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1293532 - CVE-2015-7547 glibc: getaddrinfo stack-based buffer overflow

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
glibc-2.12-1.166.el6_7.7.src.rpm

i386:
glibc-2.12-1.166.el6_7.7.i686.rpm
glibc-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-devel-2.12-1.166.el6_7.7.i686.rpm
glibc-headers-2.12-1.166.el6_7.7.i686.rpm
glibc-utils-2.12-1.166.el6_7.7.i686.rpm
nscd-2.12-1.166.el6_7.7.i686.rpm

x86_64:
glibc-2.12-1.166.el6_7.7.i686.rpm
glibc-2.12-1.166.el6_7.7.x86_64.rpm
glibc-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-devel-2.12-1.166.el6_7.7.i686.rpm
glibc-devel-2.12-1.166.el6_7.7.x86_64.rpm
glibc-headers-2.12-1.166.el6_7.7.x86_64.rpm
glibc-utils-2.12-1.166.el6_7.7.x86_64.rpm
nscd-2.12-1.166.el6_7.7.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-static-2.12-1.166.el6_7.7.i686.rpm

x86_64:
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-static-2.12-1.166.el6_7.7.i686.rpm
glibc-static-2.12-1.166.el6_7.7.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
glibc-2.12-1.166.el6_7.7.src.rpm

x86_64:
glibc-2.12-1.166.el6_7.7.i686.rpm
glibc-2.12-1.166.el6_7.7.x86_64.rpm
glibc-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-devel-2.12-1.166.el6_7.7.i686.rpm
glibc-devel-2.12-1.166.el6_7.7.x86_64.rpm
glibc-headers-2.12-1.166.el6_7.7.x86_64.rpm
glibc-utils-2.12-1.166.el6_7.7.x86_64.rpm
nscd-2.12-1.166.el6_7.7.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

x86_64:
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-static-2.12-1.166.el6_7.7.i686.rpm
glibc-static-2.12-1.166.el6_7.7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
glibc-2.12-1.166.el6_7.7.src.rpm

i386:
glibc-2.12-1.166.el6_7.7.i686.rpm
glibc-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-devel-2.12-1.166.el6_7.7.i686.rpm
glibc-headers-2.12-1.166.el6_7.7.i686.rpm
glibc-utils-2.12-1.166.el6_7.7.i686.rpm
nscd-2.12-1.166.el6_7.7.i686.rpm

ppc64:
glibc-2.12-1.166.el6_7.7.ppc.rpm
glibc-2.12-1.166.el6_7.7.ppc64.rpm
glibc-common-2.12-1.166.el6_7.7.ppc64.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.ppc.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.ppc64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.ppc.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.ppc64.rpm
glibc-devel-2.12-1.166.el6_7.7.ppc.rpm
glibc-devel-2.12-1.166.el6_7.7.ppc64.rpm
glibc-headers-2.12-1.166.el6_7.7.ppc64.rpm
glibc-utils-2.12-1.166.el6_7.7.ppc64.rpm
nscd-2.12-1.166.el6_7.7.ppc64.rpm

s390x:
glibc-2.12-1.166.el6_7.7.s390.rpm
glibc-2.12-1.166.el6_7.7.s390x.rpm
glibc-common-2.12-1.166.el6_7.7.s390x.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.s390.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.s390x.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.s390.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.s390x.rpm
glibc-devel-2.12-1.166.el6_7.7.s390.rpm
glibc-devel-2.12-1.166.el6_7.7.s390x.rpm
glibc-headers-2.12-1.166.el6_7.7.s390x.rpm
glibc-utils-2.12-1.166.el6_7.7.s390x.rpm
nscd-2.12-1.166.el6_7.7.s390x.rpm

x86_64:
glibc-2.12-1.166.el6_7.7.i686.rpm
glibc-2.12-1.166.el6_7.7.x86_64.rpm
glibc-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-devel-2.12-1.166.el6_7.7.i686.rpm
glibc-devel-2.12-1.166.el6_7.7.x86_64.rpm
glibc-headers-2.12-1.166.el6_7.7.x86_64.rpm
glibc-utils-2.12-1.166.el6_7.7.x86_64.rpm
nscd-2.12-1.166.el6_7.7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-static-2.12-1.166.el6_7.7.i686.rpm

ppc64:
glibc-debuginfo-2.12-1.166.el6_7.7.ppc.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.ppc64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.ppc.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.ppc64.rpm
glibc-static-2.12-1.166.el6_7.7.ppc.rpm
glibc-static-2.12-1.166.el6_7.7.ppc64.rpm

s390x:
glibc-debuginfo-2.12-1.166.el6_7.7.s390.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.s390x.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.s390.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.s390x.rpm
glibc-static-2.12-1.166.el6_7.7.s390.rpm
glibc-static-2.12-1.166.el6_7.7.s390x.rpm

x86_64:
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-static-2.12-1.166.el6_7.7.i686.rpm
glibc-static-2.12-1.166.el6_7.7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
glibc-2.12-1.166.el6_7.7.src.rpm

i386:
glibc-2.12-1.166.el6_7.7.i686.rpm
glibc-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-devel-2.12-1.166.el6_7.7.i686.rpm
glibc-headers-2.12-1.166.el6_7.7.i686.rpm
glibc-utils-2.12-1.166.el6_7.7.i686.rpm
nscd-2.12-1.166.el6_7.7.i686.rpm

x86_64:
glibc-2.12-1.166.el6_7.7.i686.rpm
glibc-2.12-1.166.el6_7.7.x86_64.rpm
glibc-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-devel-2.12-1.166.el6_7.7.i686.rpm
glibc-devel-2.12-1.166.el6_7.7.x86_64.rpm
glibc-headers-2.12-1.166.el6_7.7.x86_64.rpm
glibc-utils-2.12-1.166.el6_7.7.x86_64.rpm
nscd-2.12-1.166.el6_7.7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-static-2.12-1.166.el6_7.7.i686.rpm

x86_64:
glibc-debuginfo-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-2.12-1.166.el6_7.7.x86_64.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.i686.rpm
glibc-debuginfo-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-static-2.12-1.166.el6_7.7.i686.rpm
glibc-static-2.12-1.166.el6_7.7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2015-7547
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/articles/2161461

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.

From security em unicamp.br Wed Feb 24 08:47:42 2016
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 24 Feb 2016 08:47:42 -0300
Subject: [SECURITY-L] Fwd: [USN-2912-1] libssh vulnerabilities
In-Reply-To: <56CC74DC.9040509@canonical.com>
References: <56CC74DC.9040509@canonical.com>
Message-ID: <56CD985E.3020001@unicamp.br>

-------- Forwarded message --------
Subject: [USN-2912-1] libssh vulnerabilities
Date: Tue, 23 Feb 2016 10:03:56 -0500
From: Marc Deslauriers
Reply-To: ubuntu-users em lists.ubuntu.com, Ubuntu Security
To: ubuntu-security-announce em lists.ubuntu.com

==========================================================================
Ubuntu Security Notice USN-2912-1
February 23, 2016

libssh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several
security issues were fixed in libssh. Software Description: - libssh: A tiny C SSH library Details: Mariusz Ziulek discovered that libssh incorrectly handled certain packets. A remote attacker could possibly use this issue to cause libssh to crash, resulting in a denial of service. (CVE-2015-3146) Aris Adamantiadis discovered that libssh incorrectly generated ephemeral secret keys of 128 bits instead of the recommended 1024 or 2048 bits when using the diffie-hellman-group1 and diffie-hellman-group14 methods. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. (CVE-2016-0739) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 15.10: libssh-4 0.6.3-3ubuntu3.2 Ubuntu 14.04 LTS: libssh-4 0.6.1-0ubuntu3.3 Ubuntu 12.04 LTS: libssh-4 0.5.2-1ubuntu0.12.04.6 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2912-1 CVE-2015-3146, CVE-2016-0739 Package Information: https://launchpad.net/ubuntu/+source/libssh/0.6.3-3ubuntu3.2 https://launchpad.net/ubuntu/+source/libssh/0.6.1-0ubuntu3.3 https://launchpad.net/ubuntu/+source/libssh/0.5.2-1ubuntu0.12.04.6 -------------- Próxima Parte ---------- Um anexo em HTML foi limpo... 
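The CVE-2016-0739 item above comes down to the size of the ephemeral private exponent: a 128-bit exponent inside a 1024- or 2048-bit group leaves the shared secret in a 2^128 search space regardless of the modulus. The following added example is not libssh code; it models a plain DH exchange over the RFC 2409 1024-bit MODP group (the group SSH calls diffie-hellman-group1-sha1), with a `private_exponent()` generator whose default size equals the modulus size and a policy check `exponent_is_adequate()` that flags an undersized exponent. The function names and the check threshold are this example's own assumptions.

```python
"""Ephemeral Diffie-Hellman exponent sizing, as a constructed illustration of
the CVE-2016-0739 item above. This is not libssh code: it models the generic
DH exchange and a policy check that would flag an undersized private exponent.
"""
import secrets

# RFC 2409 "Second Oakley Group" modulus (the 1024-bit MODP group that SSH
# names diffie-hellman-group1-sha1); its generator is 2.
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF",
    16,
)
GROUP1_G = 2


def private_exponent(p, bits=None):
    """Draw a random private exponent x with exactly `bits` bits, 1 < x < p-1.

    `bits` defaults to the modulus size, the size the advisory calls
    recommended for group1/group14. Passing bits=128 reproduces the weak
    behaviour the advisory describes. The top bit is forced so that
    x.bit_length() is exactly `bits` (this costs one bit of entropy).
    """
    if bits is None:
        bits = p.bit_length()
    if bits < 2:
        raise ValueError("exponent size too small")
    while True:
        x = secrets.randbits(bits) | (1 << (bits - 1))
        if 1 < x < p - 1:
            return x


def public_value(x, p=GROUP1_P, g=GROUP1_G):
    """g^x mod p, the value each side sends to its peer."""
    return pow(g, x, p)


def shared_secret(peer_public, x, p=GROUP1_P):
    """peer_public^x mod p; degenerate peer values (0, 1, p-1) are rejected."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, x, p)


def exponent_is_adequate(x, p, min_bits=None):
    """Policy check (assumption of this example): the exponent must be at
    least `min_bits` wide, defaulting to the modulus size. A 128-bit x in
    the 1024-bit group fails it."""
    if min_bits is None:
        min_bits = p.bit_length()
    return x.bit_length() >= min_bits


def dh_exchange(bits=None, p=GROUP1_P, g=GROUP1_G):
    """Run both sides of an exchange. Returns (secrets_match, policy_ok):
    the secrets always agree, but the policy fails for undersized exponents."""
    xa = private_exponent(p, bits)
    xb = private_exponent(p, bits)
    ya = public_value(xa, p, g)
    yb = public_value(xb, p, g)
    ka = shared_secret(yb, xa, p)
    kb = shared_secret(ya, xb, p)
    policy_ok = exponent_is_adequate(xa, p) and exponent_is_adequate(xb, p)
    return ka == kb, policy_ok


if __name__ == "__main__":
    print("modulus-sized exponents:", dh_exchange())     # (True, True)
    print("128-bit exponents:", dh_exchange(bits=128))   # (True, False)
```

The point the second run makes is that an undersized exponent is invisible on the wire: both peers still agree on the key, which is why the flaw is a silent weakness rather than an interoperability failure and has to be caught by review or by a check like the one above.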
--
ubuntu-security-announce mailing list
ubuntu-security-announce em lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

From security em unicamp.br Wed Feb 24 17:02:04 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 24 Feb 2016 17:02:04 -0300
Subject: [SECURITY-L] [Security-news] SA-CONTRIB-2016-008 - FileField - Denial of Service]
Message-ID: <20160224200204.GL9037@unicamp.br>

View online: https://www.drupal.org/node/2674854

* Advisory ID: DRUPAL-SA-CONTRIB-2016-008
* Project: FileField [1] (third-party module)
* Version: 6.x
* Date: 2016-February-24
* Security risk: 11/25 (Moderately Critical) AC:Complex/A:User/CI:None/II:Some/E:Proof/TD:All [2]
* Vulnerability: Denial of Service

-------- DESCRIPTION ---------------------------------------------------------

FileField module allows users to upload files in conjunction with the Content Construction Kit (CCK) module in Drupal 6.

The module doesn't validate that a request to delete a temporary file was made by the user who uploaded the file. An attacker can use this vulnerability to delete other users' file uploads while they are in the process of creating or editing content and attaching files (before the content is saved). This can be used as a denial of service (DoS) attack that prevents file uploads from working on the site.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content and upload files using a file (or image) field.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

* FileField module 6.x-3.x versions prior to 6.x-3.14.

Drupal core is not affected.
If you do not use the contributed FileField [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the FileField module for Drupal 6.x, upgrade to FileField 6.x-3.14 [5]

Also see the FileField [6] project page.

-------- REPORTED BY ---------------------------------------------------------

* fnqgpc [7]

-------- FIXED BY ------------------------------------------------------------

* Peter Wolanin [8] of the Drupal Security Team

-------- COORDINATED BY ------------------------------------------------------

* Peter Wolanin [9] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [14]

[1] https://www.drupal.org/project/filefield
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/filefield
[5] https://www.drupal.org/node/2674868
[6] https://www.drupal.org/project/filefield
[7] https://www.drupal.org/user/3250434
[8] https://www.drupal.org/user/49851
[9] https://www.drupal.org/user/49851
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity

From security em unicamp.br Wed Feb 24 17:03:29 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 24 Feb 2016 17:03:29 -0300
Subject: [SECURITY-L] [Security-news] Drupal Core - Critical - Multiple Vulnerabilities - SA-CORE-2016-001]
Message-ID: <20160224200329.GM9037@unicamp.br>

View online: https://www.drupal.org/SA-CORE-2016-001

* Advisory ID: SA-CORE-2016-001
* Project: Drupal core [1]
* Version: 6.x, 7.x, 8.x
* Date: 2016-February-24
* Security risk: 15/25 (Critical) AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
* Vulnerability: Multiple vulnerabilities

-------- DESCRIPTION ---------------------------------------------------------

....
File upload access bypass and denial of service (File module - Drupal 7 and 8 - Moderately Critical)

A vulnerability exists in the File module that allows a malicious user to view, delete or substitute a link to a file that the victim has uploaded to a form while the form has not yet been submitted and processed. If an attacker carries out this attack continuously, all file uploads to a site could be blocked by deleting all temporary files before they can be saved.

This vulnerability is mitigated by the fact that the attacker must have permission to create content or comment and upload files as part of that process.

....
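Both the FileField advisory (SA-CONTRIB-2016-008) and the File module item above share one root cause: the delete-temporary-file callback trusts the file id from the request and never asks who uploaded the file. The following added example is a constructed model of that check, not Drupal code: the store, uids, paths and status values are made up, and the real unlink() is replaced by a list of removed paths so the example runs offline. It places the vulnerable shape (`delete_unchecked`) beside the hardened one (`delete_for`), which requires the requester to own the temporary file or to hold an administrative permission.

```python
"""Owner check on deletion of temporary uploads, as a constructed model of the
FileField (SA-CONTRIB-2016-008) and File module items above. Not Drupal code:
uids, fids and paths are invented and unlink() is simulated.
"""
from dataclasses import dataclass

STATUS_TEMPORARY = 0   # uploaded to a form that has not been saved yet
STATUS_PERMANENT = 1   # attached to saved content


@dataclass
class ManagedFile:
    fid: int
    uid: int       # account that uploaded the file
    path: str
    status: int = STATUS_TEMPORARY


class UploadStore:
    def __init__(self):
        self.files = {}
        self.removed = []   # stands in for unlink() side effects

    def add(self, fid, uid, path, status=STATUS_TEMPORARY):
        self.files[fid] = ManagedFile(fid, uid, path, status)

    def delete_unchecked(self, fid):
        """The vulnerable shape: the only input is the fid from the request,
        so any account that can reach the delete callback removes another
        user's pending upload."""
        f = self.files.pop(fid, None)
        if f is None:
            return "not-found"
        self.removed.append(f.path)
        return "deleted"

    def delete_for(self, fid, requester_uid, is_admin=False):
        """Hardened shape: only temporary files are eligible, and the file
        must belong to the requester unless the requester is an admin."""
        f = self.files.get(fid)
        if f is None:
            return "not-found"
        if f.status != STATUS_TEMPORARY:
            return "not-temporary"
        if f.uid != requester_uid and not is_admin:
            # Access denied; a real handler would answer 403 and log uid/fid,
            # which is also the signal a repeated-deletion DoS leaves behind.
            return "forbidden"
        del self.files[fid]
        self.removed.append(f.path)
        return "deleted"


def scenario():
    """Two users mid-edit; uid 7 asks to remove uid 3's pending upload.
    Returns the outcome of each call and the fids still present afterwards."""
    store = UploadStore()
    store.add(101, 3, "tmp/photo-from-uid3.jpg")
    store.add(102, 7, "tmp/doc-from-uid7.pdf")
    store.add(103, 3, "files/saved-by-uid3.png", STATUS_PERMANENT)

    vulnerable = UploadStore()
    vulnerable.files = dict(store.files)
    unchecked = vulnerable.delete_unchecked(101)      # "deleted": uid 3 loses its upload

    checked = store.delete_for(101, requester_uid=7)  # "forbidden"
    own = store.delete_for(102, requester_uid=7)      # "deleted": own file is fine
    perm = store.delete_for(103, requester_uid=3)     # "not-temporary"
    admin = store.delete_for(101, requester_uid=9, is_admin=True)  # "deleted"
    return unchecked, checked, own, perm, admin, sorted(store.files)


if __name__ == "__main__":
    print(scenario())
```

The ownership test is deliberately on the stored record, not on anything the client sends: the uid comes from the authenticated session and the owner from the file row, so the request can name any fid it likes without widening what it may delete.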
Brute force amplification attacks via XML-RPC (XML-RPC server - Drupal 6 and 7 - Moderately Critical)

The XML-RPC system allows a large number of calls to the same method to be made at once, which can be used as an enabling factor in brute force attacks (for example, attempting to determine user passwords by submitting a large number of password variations at once).

This vulnerability is mitigated by the fact that you must have enabled a module that provides an XML-RPC method that is vulnerable to brute-forcing. There are no such modules in Drupal 7 core, but Drupal 6 core is vulnerable via the Blog API module. It is additionally mitigated if flood control protection is in place for the method in question.

....
Open redirect via path manipulation (Base system - Drupal 6, 7 and 8 - Moderately Critical)

In Drupal 6 and 7, the current path can be populated with an external URL. This can lead to Open Redirect vulnerabilities.

This vulnerability is mitigated by the fact that it would only occur in combination with custom code, or in certain cases if a user submits a form shown on a 404 page with a specially crafted URL.

For Drupal 8 this is a hardening against possible browser flaws handling certain redirect paths.

....
Form API ignores access restrictions on submit buttons (Form API - Drupal 6 - Critical)

An access bypass vulnerability was found that allows input to be submitted, for example using JavaScript, for form button elements that a user is not supposed to have access to because the button was blocked by setting #access to FALSE in the server-side form definition.

This vulnerability is mitigated by the fact that the attacker must have access to submit a form that has such buttons defined for it (for example, a form that both administrators and non-administrators can access, but where administrators have additional buttons available to them).

....
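Three of the items in this advisory are failures to validate a value before it reaches the response: the open redirect via path manipulation above, and the HTTP header injection and double-encoded 'destination' items that follow. The following added example is not Drupal code; it is a constructed pair of defensive checks. `add_header()` refuses a header value containing CR, LF or NUL (the injection the drupal_set_header() item describes), and `safe_destination()` percent-decodes a redirect target until it stops changing before testing whether it is external, which is what defeats the double-encoding bypass of drupal_goto()'s protection. Function names, the "decode until stable" rule and the sample URLs are this example's own assumptions.

```python
"""Defensive checks for user-influenced header values and redirect targets,
a constructed illustration for the header injection and open redirect items
in this advisory. Not Drupal code; the helper names are this example's own.
"""
import re
from urllib.parse import unquote, urlsplit

_CTL = re.compile(r"[\r\n\x00]")
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")   # RFC 7230 header-name token


def header_value_is_safe(value):
    """A CR or LF inside a value ends the header line, so whatever follows is
    parsed as further headers; NUL is rejected for the same reason."""
    return _CTL.search(value) is None


def add_header(headers, name, value):
    """Append (name, value) only if the name is a token and the value carries
    no control characters. Returns True on success, False if rejected."""
    if not _TOKEN.fullmatch(name) or not header_value_is_safe(value):
        return False
    headers.append((name, value))
    return True


def fully_decode(s, max_rounds=4):
    """Percent-decode until the string stops changing, so %252F%252F cannot
    hide '//' from the external-URL test. More layers than allowed are
    treated as hostile."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            return s
        s = d
    raise ValueError("too many encoding layers")


def is_external(url):
    """True if the target carries a scheme or host or is protocol-relative.
    Backslashes are folded to '/' because browsers treat '/\\' like '//'."""
    u = url.replace("\\", "/")
    parts = urlsplit(u)
    return bool(parts.scheme) or bool(parts.netloc) or u.startswith("//")


def safe_destination(raw, default="/"):
    """Return `raw` when its fully decoded form is a local path, else `default`.

    Validation runs on the fully decoded form, but the value handed to the
    redirect is the original: the framework decodes it once on the way out,
    so nothing is double-decoded into something the check never saw."""
    try:
        dest = fully_decode(raw)
    except ValueError:
        return default
    if not dest or _CTL.search(dest) or is_external(dest):
        return default
    return raw


if __name__ == "__main__":
    hs = []
    print(add_header(hs, "Location", safe_destination("%252F%252Fevil.example")))  # True, "/"
    print(add_header(hs, "X-Name", "a\r\nX-Injected: 1"))                          # False
    print(hs)
```

On the PHP side the advisory notes that header() itself rejects newlines from 5.1.2 on and that PHP 5.4.7 or later closes the double-decoding case; the checks above are the application-level equivalent, useful where the runtime cannot be relied on or where a value is assembled before it reaches a header API at all.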
HTTP header injection using line breaks (Base system - Drupal 6 - Moderately Critical)

A vulnerability in the drupal_set_header() function allows an HTTP header injection attack to be performed if user-generated content is passed as a header value on sites running PHP versions older than 5.1.2. If the content contains line breaks the user may be able to set arbitrary headers of their own choosing.

This vulnerability is mitigated by the fact that most hosts have newer versions of PHP installed, and that it requires a module to be installed on the site that allows user-submitted data to appear in HTTP headers.

....
Open redirect via double-encoded 'destination' parameter (Base system - Drupal 6 - Moderately Critical)

The drupal_goto() function in Drupal 6 improperly decodes the contents of $_REQUEST['destination'] before using it, which allows the function's open redirect protection to be bypassed and allows an attacker to initiate a redirect to an arbitrary external URL.

This vulnerability is mitigated by the fact that the attack is not possible for sites running on PHP 5.4.7 or greater.

....
Reflected file download vulnerability (System module - Drupal 6 and 7 - Moderately Critical)

Drupal core has a reflected file download vulnerability that could allow an attacker to trick a user into downloading and running a file with arbitrary JSON-encoded content.

This vulnerability is mitigated by the fact that the victim must be a site administrator and that the full version of the attack only works with certain web browsers.

....
Saving user accounts can sometimes grant the user all roles (User module - Drupal 6 and 7 - Less Critical)

Some specific contributed or custom code may call Drupal's user_save() API in a manner different than Drupal core. Depending on the data that has been added to a form or the array prior to saving, this can lead to a user gaining all roles on a site.
This issue is mitigated by the fact that it requires contributed or custom code that calls user_save() with an explicit category and code that loads all roles into the array.

....
Email address can be matched to an account (User module - Drupal 7 and 8 - Less Critical)

In certain configurations where a user's email address can be used to log in instead of their username, links to "have you forgotten your password" could reveal the username associated with a particular email address, leading to an information disclosure vulnerability.

This issue is mitigated by the fact that it requires a contributed module to be installed that permits logging in with an email address, and that it is only relevant on sites where usernames are typically chosen to hide the users' real-life identities.

....
Session data truncation can lead to unserialization of user provided data (Base system - Drupal 6 - Less Critical)

On certain older versions of PHP, user-provided data stored in a Drupal session may be unserialized, leading to possible remote code execution.

This issue is mitigated by the fact that it requires an unusual set of circumstances to exploit and depends on the particular Drupal code that is running on the site. It is also believed to be mitigated by upgrading to PHP 5.4.45, 5.5.29, 5.6.13, or any higher version.

-------- CVE IDENTIFIER(S) ISSUED (# [3]) ------------------------------------

* /CVE identifiers [4] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

* Drupal core 6.x with FileField module versions prior to 6.x-3.14. See SA-CONTRIB-2016-008 - FileField - Denial of Service [5].
* Drupal core 6.x versions prior to 6.38
* Drupal core 7.x versions prior to 7.43
* Drupal core 8.0.x versions prior to 8.0.4

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use Drupal 6.x, upgrade to FileField [6] 6.x-3.14 and Drupal core 6.38 [7]
* If you use Drupal 7.x, upgrade to Drupal core 7.43 [8]
* If you use Drupal 8.0.x, upgrade to Drupal core 8.0.4 [9]

Also see the Drupal core [10] project page.

-------- REPORTED BY ---------------------------------------------------------

File upload access bypass and denial of service:
* fnqgpc [11]

Brute force amplification attacks via XML-RPC:
* Stéphane Corlosquet [12] of the Drupal Security Team

Open redirect via path manipulation:
* Francesco Placella [13]
* Heine Deelstra [14] of the Drupal Security Team
* Pere Orga [15] of the Drupal Security Team
* Peter Wolanin [16] of the Drupal Security Team

Form API ignores access restrictions on submit buttons:
* Gábor Hojtsy [17] of the Drupal Security Team
* Damien Tournoud [18] of the Drupal Security Team
* Daniel Kudwien [19]

HTTP header injection using line breaks:
* Dave Hansen-Lange [20]

Open redirect via double-encoded 'destination' parameter:
* Tarpinder Grewal [21]
* Harry Taheem [22]
* David Rothstein [23] of the Drupal Security Team

Reflected file download vulnerability:
* Juho Nurminen [24]

Saving user accounts can sometimes grant the user all roles:
* Dave Cohen [25]
* Annie Gerard [26]

Email address can be matched to an account:
* FengWen [27]
* Jimmy Henderickx [28]

Session data truncation can lead to unserialization of user provided data:
* David Jardin of the Joomla Security Team
* Damien Tournoud [29] of the Drupal Security Team
* Heine Deelstra [30] of the Drupal Security Team

-------- FIXED BY ------------------------------------------------------------

File upload access bypass and denial of service:
* fnqgpc [31]
* Nathaniel Catchpole [32] of the Drupal Security Team
* Ben Dougherty [33] of the Drupal Security Team
* Lee Rowlands [34] of the Drupal Security Team
* Sascha Grossenbacher [35]
* Gábor Hojtsy [36] of the Drupal Security Team
* Greg Knaddison [37] of the Drupal Security Team
* Klaus Purer [38] of the Drupal Security Team
* David Rothstein [39] of the Drupal Security Team
* Stefan Ruijsenaars [40], provisional member of the Drupal Security Team
* Cathy Theys [41], provisional member of the Drupal Security Team
* Peter Wolanin [42] of the Drupal Security Team

Brute force amplification attacks via XML-RPC:
* Frédéric G. Marand [43], provisional member of the Drupal Security Team
* Peter Wolanin [44] of the Drupal Security Team

Open redirect via path manipulation:
* Nathaniel Catchpole [45] of the Drupal Security Team
* Ben Dougherty [46] of the Drupal Security Team
* Alan Evans [47]
* Nate Haug [48]
* Gábor Hojtsy [49] of the Drupal Security Team
* Heine Deelstra [50] of the Drupal Security Team
* David Stoline [51] of the Drupal Security Team
* Damien McKenna [52], provisional member of the Drupal Security Team
* Pere Orga [53] of the Drupal Security Team
* Francesco Placella [54]
* Dave Reid [55] of the Drupal Security Team
* David Rothstein [56] of the Drupal Security Team
* Lee Rowlands [57] of the Drupal Security Team
* David Snopek [58] of the Drupal Security Team
* Cathy Theys [59], provisional member of the Drupal Security Team
* Peter Wolanin [60] of the Drupal Security Team

Form API ignores access restrictions on submit buttons:
* chx [61]
* Daniel Kudwien [62]
* Alex Bronstein [63] of the Drupal Security Team
* Heine Deelstra [64] of the Drupal Security Team
* Dmitri Gaskin [65]
* Nate Haug [66]
* John Morahan [67]
* David Rothstein [68] of the Drupal Security Team
* Damien Tournoud [69] of the Drupal Security Team
* Peter Wolanin [70] of the Drupal Security Team

HTTP header injection using line breaks:
* Dave Hansen-Lange [71]
* David Rothstein [72] of the Drupal Security Team
* Nathaniel Catchpole [73] of the Drupal Security Team
* Klaus Purer [74] of the Drupal Security Team

Open redirect via double-encoded 'destination' parameter:
* David Rothstein [75] of the Drupal Security Team
* Alex Bronstein [76] of the Drupal Security Team

Reflected file download vulnerability:
* Juho Nurminen [77]
* David Rothstein [78] of the Drupal Security Team
* Damien Tournoud [79] of the Drupal Security Team
* Peter Wolanin [80] of the Drupal Security Team
* Nate Haug [81]

Saving user accounts can sometimes grant the user all roles:
* Dave Cohen [82]
* Greg Knaddison [83] of the Drupal Security Team
* Rick Manelius [84] of the Drupal Security Team
* Balazs Nagykekesi [85]
* David Rothstein [86] of the Drupal Security Team
* Peter Wolanin [87] of the Drupal Security Team

Email address can be matched to an account:
* Klaus Purer [88] of the Drupal Security Team
* David Rothstein [89] of the Drupal Security Team

Session data truncation can lead to unserialization of user provided data:
* Heine Deelstra [90] of the Drupal Security Team
* Damien Tournoud [91] of the Drupal Security Team
* David Rothstein [92] of the Drupal Security Team
* Peter Wolanin [93] of the Drupal Security Team

-------- COORDINATED BY ------------------------------------------------------

* The Drupal Security Team [94]
* Cathy Theys, provisional member of the Drupal Security team [95]

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [96].

Learn more about the Drupal Security team and their policies [97], writing secure code for Drupal [98], and securing your site [99].

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [100]

[1] https://www.drupal.org/project/drupal
[2] https://www.drupal.org/security-team/risk-levels
[3] #cve-identifiers-issued
[4] http://cve.mitre.org/
[5] https://www.drupal.org/node/2674854
[6] https://www.drupal.org/project/filefield
[7] https://www.drupal.org/drupal-6.38-release-notes
[8] https://www.drupal.org/drupal-7.43-release-notes
[9] https://www.drupal.org/drupal-8.0.4-release-notes
[10] https://www.drupal.org/project/drupal
[11] https://www.drupal.org/u/fnqgpc
[12] https://www.drupal.org/u/scor
[13] https://www.drupal.org/u/plach
[14] https://www.drupal.org/u/heine
[15] https://www.drupal.org/u/pere-orga
[16] https://www.drupal.org/u/pwolanin
[17] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[18] https://www.drupal.org/u/damien-tournoud
[19] https://www.drupal.org/u/sun
[20] https://www.drupal.org/u/dalin
[21] https://www.drupal.org/u/tarpinder
[22] https://www.drupal.org/u/htaheem
[23] https://www.drupal.org/u/david_rothstein
[24] https://www.drupal.org/u/juho-nurminen-2ns
[25] https://www.drupal.org/u/dave-cohen
[26] https://www.drupal.org/u/agerard
[27] https://www.drupal.org/u/fengwen
[28] https://www.drupal.org/u/strykaizer
[29] https://www.drupal.org/u/damien-tournoud
[30] https://www.drupal.org/u/heine
[31] https://www.drupal.org/u/fnqgpc
[32] https://www.drupal.org/u/catch
[33] https://www.drupal.org/u/benjy
[34] https://www.drupal.org/u/larowlan
[35] https://www.drupal.org/u/berdir
[36] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[37] https://www.drupal.org/u/greggles
[38] https://www.drupal.org/u/klausi
[39] https://www.drupal.org/u/david_rothstein
[40] https://www.drupal.org/u/stefan.r
[41] https://www.drupal.org/u/yesct
[42] https://www.drupal.org/u/pwolanin
[43] https://www.drupal.org/u/fgm
[44] https://www.drupal.org/u/pwolanin
[45] https://www.drupal.org/u/catch
[46] https://www.drupal.org/u/benjy
[47] https://www.drupal.org/u/alan-evans
[48] https://www.drupal.org/u/quicksketch
[49] https://www.drupal.org/u/g%C3%A1bor-hojtsy
[50] https://www.drupal.org/u/heine
[51] https://www.drupal.org/u/dstol
[52] https://www.drupal.org/u/damienmckenna
[53] https://www.drupal.org/u/pere-orga
[54] https://www.drupal.org/u/plach
[55] https://www.drupal.org/u/dave-reid
[56] https://www.drupal.org/u/david_rothstein
[57] https://www.drupal.org/u/larowlan
[58] https://www.drupal.org/u/dsnopek
[59] https://www.drupal.org/u/yesct
[60] https://www.drupal.org/u/pwolanin
[61] https://www.drupal.org/u/chx
[62] https://www.drupal.org/u/sun
[63] https://www.drupal.org/u/effulgentsia
[64] https://www.drupal.org/u/heine
[65] https://www.drupal.org/u/dmitrig01
[66] https://www.drupal.org/u/quicksketch
[67] https://www.drupal.org/u/john-morahan
[68] https://www.drupal.org/u/david_rothstein
[69] https://www.drupal.org/u/damien-tournoud
[70] https://www.drupal.org/u/pwolanin
[71] https://www.drupal.org/u/dalin
[72] https://www.drupal.org/u/david_rothstein
[73] https://www.drupal.org/u/catch
[74] https://www.drupal.org/u/klausi
[75] https://www.drupal.org/u/david_rothstein
[76] https://www.drupal.org/u/effulgentsia
[77] https://www.drupal.org/u/juho-nurminen-2ns
[78] https://www.drupal.org/u/david_rothstein
[79] https://www.drupal.org/u/damien-tournoud
[80] https://www.drupal.org/u/pwolanin
[81] https://www.drupal.org/u/quicksketch
[82] https://www.drupal.org/u/dave-cohen
[83] https://www.drupal.org/u/greggles
[84] https://www.drupal.org/u/rickmanelius
[85] https://www.drupal.org/u/nagba
[86] https://www.drupal.org/u/david_rothstein
[87] https://www.drupal.org/u/pwolanin
[88] https://www.drupal.org/u/klausi
[89] https://www.drupal.org/u/david_rothstein
[90] https://www.drupal.org/u/heine
[91] https://www.drupal.org/u/damien-tournoud
[92] https://www.drupal.org/u/david_rothstein
[93] https://www.drupal.org/u/pwolanin
[94] https://www.drupal.org/security-team
[95] https://www.drupal.org/u/YesCT
[96] https://www.drupal.org/contact
[97] https://www.drupal.org/security-team
[98] https://www.drupal.org/writing-secure-code
[99] https://www.drupal.org/security/secure-configuration
[100] https://twitter.com/drupalsecurity