From security at unicamp.br Tue Mar 1 13:34:22 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Tue, 1 Mar 2016 13:34:22 -0300
Subject: [SECURITY-L] [ghedo@debian.org: [SECURITY] [DSA 3500-1] openssl security update]
Message-ID: <20160301163422.GA12074@unicamp.br>

----- Forwarded message from Alessandro Ghedini -----

Date: Tue, 01 Mar 2016 14:34:35 +0000
From: Alessandro Ghedini
To: debian-security-announce at lists.debian.org
Subject: [SECURITY] [DSA 3500-1] openssl security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3500-1                   security at debian.org
https://www.debian.org/security/                        Alessandro Ghedini
March 01, 2016                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798
                 CVE-2016-0799

Several vulnerabilities were discovered in OpenSSL, a Secure Socket Layer toolkit.

CVE-2016-0702

    Yuval Yarom from the University of Adelaide and NICTA, Daniel Genkin from Technion and Tel Aviv University, and Nadia Heninger from the University of Pennsylvania discovered a side-channel attack which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture. This could allow local attackers to recover RSA private keys.

CVE-2016-0705

    Adam Langley from Google discovered a double free bug when parsing malformed DSA private keys. This could allow remote attackers to cause a denial of service or memory corruption in applications parsing DSA private keys received from untrusted sources.

CVE-2016-0797

    Guido Vranken discovered an integer overflow in the BN_hex2bn and BN_dec2bn functions that can lead to a NULL pointer dereference and heap corruption. This could allow remote attackers to cause a denial of service or memory corruption in applications processing hex or dec data received from untrusted sources.
CVE-2016-0798

    Emilia Käsper of the OpenSSL development team discovered a memory leak in the SRP database lookup code. To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user is now disabled even if the user has configured a seed. Applications are advised to migrate to the SRP_VBASE_get1_by_user function.

CVE-2016-0799

    Guido Vranken discovered an integer overflow in the BIO_*printf functions that could lead to an OOB read when printing very long strings. Additionally the internal doapr_outch function can attempt to write to an arbitrary memory location in the event of a memory allocation failure. These issues will only occur on platforms where sizeof(size_t) > sizeof(int), like many 64-bit systems. This could allow remote attackers to cause a denial of service or memory corruption in applications that pass large amounts of untrusted data to the BIO_*printf functions.

Additionally the EXPORT and LOW ciphers were disabled since they could be used as part of the DROWN (CVE-2016-0800) and SLOTH (CVE-2015-7575) attacks, but note that the oldstable (wheezy) and stable (jessie) distributions are not affected by those attacks since the SSLv2 protocol has already been dropped in the openssl package version 1.0.0c-2.

For the oldstable distribution (wheezy), these problems have been fixed in version 1.0.1e-2+deb7u20.

For the stable distribution (jessie), these problems have been fixed in version 1.0.1k-3+deb8u4.

For the unstable distribution (sid), these problems will be fixed shortly.

We recommend that you upgrade your openssl packages.
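Added example, not OpenSSL code and not part of the advisory: it reproduces, without undefined behaviour, the int arithmetic behind the BN_hex2bn overflow (CVE-2016-0797), where a digit count times 4 wraps negative or to a small positive, and sets a checked length computation of the kind such a parser needs beside it. All function names and the INT_MAX/4 guard are this example's own choices, not OpenSSL's.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value a 32-bit int expression i * 4 holds after two's-complement
 * wraparound. The vulnerable pattern computes this with a signed int;
 * here the multiplication is done unsigned (well defined) and the bit
 * pattern is reinterpreted, so the demonstration itself is not UB. */
int32_t wrapped_times4(int32_t i)
{
    uint32_t u = (uint32_t)i * 4u;   /* wraps modulo 2^32 */
    int32_t r;
    memcpy(&r, &u, sizeof r);
    return r;
}

/* What an unchecked allocator call with size i * 4 would see. */
typedef enum { SIZE_OK, SIZE_NEGATIVE, SIZE_TOO_SMALL } size_outcome;

size_outcome classify_hex_digit_count(int32_t ndigits)
{
    int32_t bits = wrapped_times4(ndigits);
    if (bits < 0)
        return SIZE_NEGATIVE;   /* nothing allocated, later NULL dereference */
    if (bits < ndigits)
        return SIZE_TOO_SMALL;  /* buffer allocated but too short: heap corruption */
    return SIZE_OK;
}

/* Checked replacement (hypothetical): refuse digit counts whose bit
 * count cannot be represented, then compute the bytes the number needs.
 * Returns true on success and stores the byte count in *out_bytes. */
bool hex_digits_to_bytes_checked(size_t ndigits, size_t *out_bytes)
{
    if (ndigits == 0 || out_bytes == NULL)
        return false;
    /* 4 bits per hex digit; guard the multiplication before doing it.
     * INT_MAX/4 is this example's bound, chosen so bits fits an int. */
    if (ndigits > (size_t)INT_MAX / 4)
        return false;
    size_t bits = ndigits * 4;
    *out_bytes = (bits + 7) / 8;
    return true;
}

/* Leading hex digits in an untrusted string, stopping at the first
 * non-hex character; the counter is size_t, so it cannot overflow
 * before the string itself is exhausted. */
size_t count_hex_digits(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0' && strchr("0123456789abcdefABCDEF", s[n]) != NULL)
        n++;
    return n;
}

/* Byte length the parsed number would need, or 0 when the input has no
 * hex digits or is too large to represent. */
size_t bytes_needed_for_hex_string(const char *s)
{
    size_t bytes = 0;
    if (!hex_digits_to_bytes_checked(count_hex_digits(s), &bytes))
        return 0;
    return bytes;
}

int main(void)
{
    /* Constructed digit counts covering each regime of the bug. */
    const int32_t samples[] = { 64, 0x20000000, 0x40000001 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("ndigits=%ld  wrapped i*4=%ld  outcome=%d\n",
               (long)samples[k], (long)wrapped_times4(samples[k]),
               (int)classify_hex_digit_count(samples[k]));

    const char *input = "deadbeefCAFE";   /* constructed input */
    printf("\"%s\" -> %zu bytes\n", input, bytes_needed_for_hex_string(input));
    return 0;
}
```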
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce at lists.debian.org

----- End forwarded message -----

From security at unicamp.br Thu Mar 10 09:50:30 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Thu, 10 Mar 2016 09:50:30 -0300
Subject: [SECURITY-L] CAIS Alert: Summary of Microsoft Security Bulletins for March 2016
Message-ID: <20160310125030.GI711@unicamp.br>

Dear all,

Microsoft published 13 security bulletins on March 8, 2016, addressing a total of 36 vulnerabilities in the company's products. Exploitation of these vulnerabilities allows remote code execution, elevation of privilege and security feature bypass. At the time of publication of this alert, no exploit code had been disclosed for the listed vulnerabilities.

Severity

Critical
. MS16-023 - Cumulative Security Update for Internet Explorer
. MS16-024 - Cumulative Security Update for Microsoft Edge
. MS16-026 - Security Update for Graphic Fonts to Address Remote Code Execution
. MS16-027 - Security Update for Windows Media to Address Remote Code Execution
. MS16-028 - Security Update for Microsoft Windows PDF Library to Address Remote Code Execution

Important
. MS16-025 - Security Update for Windows Library Loading to Address Remote Code Execution
. MS16-029 - Security Update for Microsoft Office to Address Remote Code Execution
. MS16-030 - Security Update for Windows OLE to Address Remote Code Execution
. MS16-031 - Security Update for Microsoft Windows to Address Elevation of Privilege
. MS16-032 - Security Update for Secondary Logon to Address Elevation of Privilege
. MS16-033 - Security Update for Windows USB Mass Storage Class Driver to Address Elevation of Privilege
. MS16-034 - Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege
. MS16-035 - Security Update for .NET Framework to Address Security Feature Bypass

Moderate
No bulletins

Low
No bulletins

The vulnerability severity rating system adopted by CAIS is Microsoft's own. CAIS recommends applying the fixes for vulnerabilities rated critical and important. For fixes for vulnerabilities rated moderate, CAIS recommends that at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow a worm to propagate without user interaction.
. Important - Vulnerabilities whose exploitation could result in the compromise of the confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources.
. Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.
. Low - Vulnerabilities whose exploitation is extremely difficult or whose impact is minimal.
Available fixes

It is recommended to update systems to the versions available at:

Microsoft Update
https://www.update.microsoft.com/microsoftupdate

Microsoft Download Center
http://www.microsoft.com/en-us/download/default.aspx

More information

Microsoft Security Bulletin Summary for February 2016
https://technet.microsoft.com/pt-br/library/security/ms16-feb.aspx

Microsoft Security TechCenter
https://technet.microsoft.com/pt-br/security

Microsoft Security Response Center - MSRC
https://technet.microsoft.com/pt-br/security/dn440717

Microsoft Security Research & Defense - MSRD
http://blogs.technet.com/b/srd/

Microsoft Safety & Security Center
https://www.microsoft.com/pt-br/security/default.aspx

CVE identifiers (http://cve.mitre.org):

CVE-2016-0102, CVE-2016-0103, CVE-2016-0104,
CVE-2016-0105, CVE-2016-0106, CVE-2016-0107,
CVE-2016-0108, CVE-2016-0109, CVE-2016-0110,
CVE-2016-0111, CVE-2016-0112, CVE-2016-0113,
CVE-2016-0114, CVE-2016-0102, CVE-2016-0105,
CVE-2016-0109, CVE-2016-0110, CVE-2016-0111,
CVE-2016-0116, CVE-2016-0123, CVE-2016-0124,
CVE-2016-0125, CVE-2016-0129, CVE-2016-0130,
CVE-2016-0100, CVE-2016-0120, CVE-2016-0121,
CVE-2016-0098, CVE-2016-0101, CVE-2016-0117,
CVE-2016-0118, CVE-2016-0021, CVE-2016-0057,
CVE-2016-0134, CVE-2016-0091, CVE-2016-0092,
CVE-2016-0087, CVE-2016-0099, CVE-2016-0133,
CVE-2016-0093, CVE-2016-0094, CVE-2016-0095,
CVE-2016-0096, CVE-2016-0132

CAIS recommends that administrators keep their systems and applications up to date at all times, in line with the latest versions and fixes offered by the vendors.

CAIS alerts are also available on Twitter: follow @caisrnp

Regards,
CAIS/RNP

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais at cais.rnp.br     http://www.rnp.br/servicos/seguranca #
# Tel. 019-37873300 Fax. 019-37873301                          #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

From security at unicamp.br Thu Mar 10 09:51:42 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Thu, 10 Mar 2016 09:51:42 -0300
Subject: [SECURITY-L] [SECURITY] [DSA 3511-1] bind9 security update]
Message-ID: <20160310125142.GJ711@unicamp.br>

-------------------------------------------------------------------------
Debian Security Advisory DSA-3511-1                   security at debian.org
https://www.debian.org/security/                           Michael Gilbert
March 09, 2016                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2016-1285 CVE-2016-1286

Two vulnerabilities have been discovered in ISC's BIND DNS server.

CVE-2016-1285

    A maliciously crafted rndc operation (rndc is a way to remotely administer a BIND server) can cause named to crash, resulting in denial of service.

CVE-2016-1286

    An error parsing DNAME resource records can cause named to crash, resulting in denial of service.

For the oldstable distribution (wheezy), these problems have been fixed in version 9.8.4.dfsg.P1-6+nmu2+deb7u10.

For the stable distribution (jessie), these problems have been fixed in version 9.9.5.dfsg-9+deb8u6.

For the testing (stretch) and unstable (sid) distributions, these problems will be fixed soon.

We recommend that you upgrade your bind9 packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce at lists.debian.org

From security at unicamp.br Thu Mar 10 09:53:03 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Thu, 10 Mar 2016 09:53:03 -0300
Subject: [SECURITY-L] [FreeBSD Security Advisory FreeBSD-SA-16:12.openssl]
Message-ID: <20160310125303.GK711@unicamp.br>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:12.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2016-03-10
Credits:        OpenSSL Project
Affects:        All supported versions of FreeBSD.
Corrected:      2016-03-04 00:40:15 UTC (stable/10, 10.2-BETA3)
                2016-03-03 07:30:55 UTC (releng/10.2, 10.2-RELEASE-p13)
                2016-03-03 07:30:55 UTC (releng/10.1, 10.1-RELEASE-p30)
                2016-03-10 03:58:48 UTC (stable/9, 9.3-STABLE)
                2016-03-10 10:03:28 UTC (releng/9.3, 9.3-RELEASE-p38)
CVE Name:       CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705
                CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II.  Problem Description

A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle.
Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN. [CVE-2016-0800]

A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. [CVE-2016-0705]

The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. [CVE-2016-0798]

In the BN_hex2bn function, the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL, leading to a subsequent NULL pointer dereference. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized, leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. [CVE-2016-0797]

The internal |fmtstr| function used in processing a "%s" formatted string in the BIO_*printf functions could overflow while calculating the length of a string and cause an out-of-bounds read when printing very long strings. [CVE-2016-0799]

A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. [CVE-2016-0702]

s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they displace encrypted-key bytes. [CVE-2016-0703]

s2_srvr.c overwrites the wrong bytes in the master key when applying Bleichenbacher protection for export cipher suites. [CVE-2016-0704]

III. Impact

Servers that have the SSLv2 protocol enabled are vulnerable to the "DROWN" attack, which allows a remote attacker to quickly attack many recorded TLS connections made to the server, even when the client did not make any SSLv2 connections themselves.

An attacker who can supply malformed DSA private keys to OpenSSL applications may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0705]

An attacker connecting with an invalid username can cause a memory leak, which could eventually lead to a Denial of Service condition. [CVE-2016-0798]

An attacker who can inject malformed data into an application may be able to cause memory corruption which would lead to a Denial of Service condition. [CVE-2016-0797, CVE-2016-0799]

A local attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions could recover RSA keys. [CVE-2016-0702]

An eavesdropper who can intercept an SSLv2 handshake can conduct an efficient divide-and-conquer key recovery attack and use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. [CVE-2016-0703]

An attacker can use the Bleichenbacher oracle, which enables a more efficient variant of the DROWN attack. [CVE-2016-0704]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Restart all daemons using the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:12/openssl-9.3.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-16:12/openssl-9.3.patch.xz.asc
# gpg --verify openssl-9.3.patch.xz.asc

Note that the initial patch version contains a serious regression that would lead to a crash. The following patch must be applied to address it.

# fetch https://security.FreeBSD.org/patches/SA-16:12/openssl-9.3-fix.patch
# fetch https://security.FreeBSD.org/patches/SA-16:12/openssl-9.3-fix.patch.asc
# gpg --verify openssl-9.3-fix.patch.asc

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/SA-16:12/openssl-10.1.patch.xz
# fetch https://security.FreeBSD.org/patches/SA-16:12/openssl-10.1.patch.xz.asc
# gpg --verify openssl-10.1.patch.xz.asc

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-16:12/openssl-10.2.patch
# fetch https://security.FreeBSD.org/patches/SA-16:12/openssl-10.2.patch.asc
# gpg --verify openssl-10.2.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .
Restart all daemons using the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r296598
releng/9.3/                                                       r296611
stable/10/                                                        r296371
releng/10.1/                                                      r296341
releng/10.2/                                                      r296341
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

_______________________________________________

----- End forwarded message -----

From security at unicamp.br Thu Mar 10 09:53:59 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Thu, 10 Mar 2016 09:53:59 -0300
Subject: [SECURITY-L] [FreeBSD Security Advisory FreeBSD-SA-16:13.bind]
Message-ID: <20160310125359.GL711@unicamp.br>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:13.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple BIND vulnerabilities

Category:       contrib
Module:         bind
Announced:      2016-03-10
Credits:        ISC
Affects:        FreeBSD 9.x
Corrected:      2016-03-10 07:47:55 UTC (stable/9, 9.3-STABLE)
                2016-03-10 10:03:28 UTC (releng/9.3, 9.3-RELEASE-p38)
CVE Name:       CVE-2016-1285, CVE-2016-1286

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

Testing by ISC has uncovered a defect in control channel input handling which can cause named to exit due to an assertion failure in sexpr.c or alist.c when a malformed packet is sent to named's control channel (the interface which allows named to be controlled using the "rndc" server control utility). [CVE-2016-1285]

An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c. [CVE-2016-1286]

III. Impact

A remote attacker can deliberately trigger the failed assertion if the DNS server accepts remote rndc commands, regardless of whether authentication is configured. Note that this is not enabled by default. [CVE-2016-1285]

A remote attacker who can cause a server to make a query deliberately chosen to generate a response containing such a signature record can trigger a failed assertion and cause named to stop. Disabling DNSSEC does not provide protection against this vulnerability. [CVE-2016-1286]

IV.  Workaround

No workaround is available, but hosts not running named(8) are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The named service has to be restarted after the update. A reboot is recommended but not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The named service has to be restarted after the update. A reboot is recommended but not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-16:13/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-16:13/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart the named(8) daemon, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r296608
releng/9.3/                                                       r296611
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at

From security at unicamp.br Mon Mar 14 10:04:10 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 14 Mar 2016 10:04:10 -0300
Subject: [SECURITY-L] [carnil@debian.org: [SECURITY] [DSA 3514-1] samba security update]
Message-ID: <20160314130410.GJ989@unicamp.br>

----- Forwarded message from Salvatore Bonaccorso -----

Date: Sat, 12 Mar 2016 07:23:52 +0000
From: Salvatore Bonaccorso
To: debian-security-announce at lists.debian.org
Subject: [SECURITY] [DSA 3514-1] samba security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3514-1                   security at debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
March 12, 2016                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2015-7560 CVE-2016-0771
Debian Bug     : 812429

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix.
The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2015-7560

    Jeremy Allison of Google, Inc. and the Samba Team discovered that Samba incorrectly handles getting and setting ACLs on a symlink path. An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to overwrite the contents of the ACL on the file or directory linked to.

CVE-2016-0771

    Garming Sam and Douglas Bagnall of Catalyst IT discovered that Samba is vulnerable to an out-of-bounds read issue during DNS TXT record handling, if Samba is deployed as an AD DC and chosen to run the internal DNS server. A remote attacker can exploit this flaw to cause a denial of service (Samba crash), or potentially, to allow leakage of memory from the server in the form of a DNS TXT reply.

Additionally this update includes a fix for a regression introduced due to the upstream fix for CVE-2015-5252 in DSA-3433-1 in setups where the share path is '/'.

For the oldstable distribution (wheezy), these problems have been fixed in version 2:3.6.6-6+deb7u7. The oldstable distribution (wheezy) is not affected by CVE-2016-0771.

For the stable distribution (jessie), these problems have been fixed in version 2:4.1.17+dfsg-2+deb8u2.

For the unstable distribution (sid), these problems have been fixed in version 2:4.3.6+dfsg-1.

We recommend that you upgrade your samba packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce at lists.debian.org

----- End forwarded message -----

From security at unicamp.br Wed Mar 16 14:31:51 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 16 Mar 2016 14:31:51 -0300
Subject: [SECURITY-L] [security-news@drupal.org: [Security-news] Fast Autocomplete - Critical - DOS vulnerability - SA-CONTRIB-2016-016]
Message-ID: <20160316173151.GK19749@unicamp.br>

----- Forwarded message from security-news at drupal.org -----

Date: Wed, 16 Mar 2016 17:17:34 +0000 (UTC)
From: security-news at drupal.org
To: security-news at drupal.org
Subject: [Security-news] Fast Autocomplete - Critical - DOS vulnerability - SA-CONTRIB-2016-016
X-Mailer: Drupal

View online: https://www.drupal.org/node/2688461

* Advisory ID: DRUPAL-SA-CONTRIB-2016-016
* Project: Fast Autocomplete [1] (third-party module)
* Version: 7.x
* Date: 2016-March-16
* Security risk: 12/25 (Moderately Critical) AC:None/A:None/CI:None/II:None/E:Theoretical/TD:All [2]
* Vulnerability: Denial of Service

-------- DESCRIPTION ---------------------------------------------------------

This module enables you to show IMDB-like suggestions when entering terms into an input field, using json files to "cache" suggestions, which makes the autocomplete very fast.

The module doesn't sufficiently validate the incoming language parameter in the request path when a json file of the module is requested, resulting in folders being created in the public files directory where the module stores its json files. This vulnerability can be exploited to perform a DoS attack by depletion of available inodes on the webserver.
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

* /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

* Fast Autocomplete 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Fast Autocomplete [4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Fast Autocomplete module for Drupal 7.x, upgrade to Fast Autocomplete 7.x-1.1 [5]

Also see the Fast Autocomplete [6] project page.

-------- REPORTED BY ---------------------------------------------------------

* Martijn van Wensen [7]

-------- FIXED BY ------------------------------------------------------------

* Martijn van Wensen [8] providing the patch
* Baris Wanschers [9] reviewing/refining the patch
* Martijn Vermeulen [10] the module maintainer

-------- COORDINATED BY ------------------------------------------------------

* Pere Orga [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16]

[1] https://www.drupal.org/project/fac
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/fac
[5] https://www.drupal.org/node/2688365
[6] https://www.drupal.org/project/fac
[7] https://www.drupal.org/u/mvwensen
[8] https://www.drupal.org/u/mvwensen
[9] https://www.drupal.org/u/barisw
[10] https://www.drupal.org/u/marty2081
[11] https://www.drupal.org/u/pere-orga
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

----- End forwarded message -----

From security at unicamp.br Mon Mar 21 09:03:38 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 21 Mar 2016 09:03:38 -0300
Subject: [SECURITY-L] CERT.br reports an increase in notifications of attacks on Web servers
Message-ID: <20160321120338.GA20011@unicamp.br>

CERT.br reports an increase in notifications of attacks on Web servers

Security incidents reported in 2015 also reveal growth in scans

The Centro de Estudos, Resposta e Tratamento de Incidentes de Segurança no Brasil (CERT.br) of the Núcleo de Informação e Coordenação do Ponto BR (NIC.br) received, in 2015, 722,205 notifications of security incidents involving networks connected to the Internet in Brazil, a number 31% lower than the 2014 total. Reported to CERT.br voluntarily by network administrators and Internet users, security incidents have been published since 1999 in the form of charts and statistical data.
Last year, notifications of attacks on Web servers stood out with a 128%
increase over 2014, totaling 65,647 notifications. Attackers exploit
vulnerabilities in Web applications and then use those sites to host fake
pages of financial institutions, Trojan horses (used to steal information and
credentials), tools used in attacks on other Web servers, and scripts for
sending spam or scams.

"Security must be thought about and implemented right at the start of Web
development, during the requirements specification of a piece of software, in
the initial design of a site. The numbers only make this need more evident,"
says Cristine Hoepers, manager of CERT.br. Good practices for administrators
and developers to invest in mitigating security risks in Web applications, and
recommendations on secure Web programming, were covered in recent
presentations by the CERT.br team.

For the third year in a row, a large number of notifications of brute-force
attacks against content management systems (CMS) such as WordPress and Joomla
were observed. This type of attack, which consists of guessing the
administration username and password of these systems by trial and error, can
be prevented by creating strong passwords and by implementing two-step
verification, which adds an extra layer of protection to account access. ...
Continues at:
http://nic.br/noticia/releases/cert-br-aponta-aumento-de-notificacoes-de-ataques-a-servidores-web/

From security em unicamp.br Wed Mar 23 17:24:41 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 23 Mar 2016 17:24:41 -0300
Subject: [SECURITY-L] [Security-news] Login one time - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2016-017
Message-ID: <20160323202441.GA6151@unicamp.br>

View online: https://www.drupal.org/node/2692953

* Advisory ID: DRUPAL-SA-CONTRIB-2016-017
* Project: Login one time [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2016-March-23
* Security risk: 15/25 ( Critical) AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION ---------------------------------------------------------

The Login one time module provides the ability to email one-time login links
to users.

The module doesn't sufficiently sanitize user input supplied to an ajax
callback function.

-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------

* /A CVE identifier [3] will be requested, and added upon issuance, in
  accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED ---------------------------------------------------

* Login one time 7.x-2.x versions prior to 7.x-2.10.

Drupal core is not affected. If you do not use the contributed Login one time
[4] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the Login one time module for Drupal 7.x, upgrade to Login one
  time 7.x-2.10 [5]

Also see the Login one time [6] project page.
-------- REPORTED BY ---------------------------------------------------------

* Tobias Bähr [7]

-------- FIXED BY ------------------------------------------------------------

* Tobias Bähr [8]

-------- COORDINATED BY ------------------------------------------------------

* Greg Knaddison [9] of the Drupal Security Team
* Heine Deelstra [10] of the Drupal Security Team
* Cash Williams [11] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]

[1] https://www.drupal.org/project/login_one_time
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/login_one_time
[5] https://www.drupal.org/node/2692597
[6] https://www.drupal.org/project/login_one_time
[7] https://www.drupal.org/u/tobiasb
[8] https://www.drupal.org/u/tobiasb
[9] https://www.drupal.org/u/greggles
[10] https://www.drupal.org/u/heine
[11] https://www.drupal.org/u/cashwilliams
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news em drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

From security em unicamp.br Mon Mar 28 08:01:47 2016
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 28 Mar 2016 08:01:47 -0300
Subject: [SECURITY-L] [USN-2941-1] Quagga vulnerabilities
Message-ID: <20160328110147.GC24176@unicamp.br>

----- Forwarded message from Marc Deslauriers
-----

Date: Thu, 24 Mar 2016 09:13:06 -0400
From: Marc Deslauriers
To: ubuntu-security-announce em lists.ubuntu.com
Subject: [USN-2941-1] Quagga vulnerabilities

==========================================================================
Ubuntu Security Notice USN-2941-1
March 24, 2016

quagga vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Quagga could be made to crash or run programs if it received specially
crafted network traffic.

Software Description:
- quagga: BGP/OSPF/RIP routing daemon

Details:

Kostya Kortchinsky discovered that Quagga incorrectly handled certain route
data when configured with BGP peers enabled for VPNv4. A remote attacker
could use this issue to cause Quagga to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2016-2342)

It was discovered that Quagga incorrectly handled messages with a large LSA
when used in certain configurations. A remote attacker could use this issue
to cause Quagga to crash, resulting in a denial of service. This issue only
affected Ubuntu 12.04 LTS. (CVE-2013-2236)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.10:
  quagga                          0.99.24.1-2ubuntu0.1

Ubuntu 14.04 LTS:
  quagga                          0.99.22.4-3ubuntu1.1

Ubuntu 12.04 LTS:
  quagga                          0.99.20.1-0ubuntu0.12.04.4

After a standard system update you need to restart Quagga to make all the
necessary changes.
References:
  http://www.ubuntu.com/usn/usn-2941-1
  CVE-2013-2236, CVE-2016-2342

Package Information:
  https://launchpad.net/ubuntu/+source/quagga/0.99.24.1-2ubuntu0.1
  https://launchpad.net/ubuntu/+source/quagga/0.99.22.4-3ubuntu1.1
  https://launchpad.net/ubuntu/+source/quagga/0.99.20.1-0ubuntu0.12.04.4

--
ubuntu-security-announce mailing list
ubuntu-security-announce em lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

----- End forwarded message -----
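A check that goes with the update instructions in the Quagga notice above, added here as an example and not part of the Ubuntu notice or of Quagga: it takes the fixed package versions listed in USN-2941-1 and reports which hosts in an inventory still run an older quagga build. Comparing Debian version strings lexically gives wrong answers (for example "3ubuntu1.1" versus "3ubuntu1", or anything containing "~"), so the script implements dpkg's version ordering by hand rather than shelling out to dpkg, which lets it run on a non-Debian workstation against collected inventory data. The version numbers are the notice's; the function names and the host inventory are this example's own and the inventory is constructed.

```python
"""Report hosts whose quagga package is below the versions in USN-2941-1.

Added example; not from Ubuntu or the Quagga project. Debian version
ordering is reimplemented here (mirroring dpkg's algorithm) so the check
runs anywhere. The host inventory at the bottom is constructed.
"""
import re

# Fixed package versions per release, exactly as listed in USN-2941-1.
FIXED_QUAGGA = {
    "15.10": "0.99.24.1-2ubuntu0.1",
    "14.04": "0.99.22.4-3ubuntu1.1",
    "12.04": "0.99.20.1-0ubuntu0.12.04.4",
}


def _order(c):
    """Rank of one character inside a non-digit run, as dpkg ranks them:
    '~' sorts before everything, including the end of the string (rank 0),
    letters sort next, and any other character sorts after all letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    """Compare two non-digit runs character by character using _order."""
    for i in range(max(len(a), len(b))):
        ca = _order(a[i]) if i < len(a) else 0
        cb = _order(b[i]) if i < len(b) else 0
        if ca != cb:
            return -1 if ca < cb else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision fragment: alternate a
    non-digit run (lexical via _order) with a digit run (numeric)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, matching dpkg --compare-versions lt / eq / gt."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def is_fixed(release, installed):
    """True when the installed quagga build is at or above the USN version."""
    return compare_versions(installed, FIXED_QUAGGA[release]) >= 0


def unpatched_hosts(inventory):
    """inventory: iterable of (host, ubuntu_release, installed_version).
    Returns the names of hosts still below the fixed version."""
    return [host for host, rel, ver in inventory if not is_fixed(rel, ver)]


# Constructed inventory: hypothetical hosts, e.g. collected from
# `dpkg-query -W -f='${Version}' quagga` on each router.
SAMPLE_INVENTORY = [
    ("rtr-a", "14.04", "0.99.22.4-3ubuntu1"),
    ("rtr-b", "14.04", "0.99.22.4-3ubuntu1.1"),
    ("rtr-c", "12.04", "0.99.20.1-0ubuntu0.12.04.3"),
    ("rtr-d", "15.10", "0.99.24.1-2ubuntu0.1"),
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print("needs update:", host)
```

Version parity says nothing about whether the daemon was restarted, which the notice requires; a host that passes this check but still has a bgpd process started before the upgrade is still running the old code.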