From security at unicamp.br Mon May 9 07:00:35 2016
From: security at unicamp.br (CSIRT Unicamp)
Date: Mon, 9 May 2016 07:00:35 -0300
Subject: [SECURITY-L] WordPress 4.5.2 Security Release
Message-ID: <57305FC3.9000802@unicamp.br>

WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.

Both issues were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53. Thanks to the team for practicing responsible disclosure, and to the Plupload and MediaElement.js teams for working closely with us to coördinate and fix these issues.

Download WordPress 4.5.2 from https://wordpress.org/download/, or venture over to Dashboard → Updates and simply click "Update Now." Sites that support automatic background updates are already beginning to update to WordPress 4.5.2.

Additionally, there are multiple widely publicized vulnerabilities in the ImageMagick image processing library, which is used by a number of hosts and is supported in WordPress.
For our current response to these issues, see this post on the core development blog: https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-information/

Source: https://wordpress.org/news/2016/05/wordpress-4-5-2/

From security at unicamp.br Tue May 10 07:30:58 2016
From: security at unicamp.br (CSIRT Unicamp)
Date: Tue, 10 May 2016 07:30:58 -0300
Subject: [SECURITY-L] [USN-2966-1] OpenSSH vulnerabilities
In-Reply-To: <5730E55C.6080909@canonical.com>
References: <5730E55C.6080909@canonical.com>
Message-ID: <5731B862.40503@unicamp.br>

-------- Forwarded message --------
Subject: [USN-2966-1] OpenSSH vulnerabilities
Date: Mon, 9 May 2016 15:30:36 -0400
From: Marc Deslauriers
Reply-To: ubuntu-users at lists.ubuntu.com, Ubuntu Security
To: ubuntu-security-announce at lists.ubuntu.com

==========================================================================
Ubuntu Security Notice USN-2966-1
May 09, 2016

openssh vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in OpenSSH.

Software Description:
- openssh: secure shell (SSH) for secure access to remote machines

Details:

Shayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain privileges. (CVE-2015-8325)

Ben Hawkes discovered that OpenSSH incorrectly handled certain network traffic. A remote attacker could possibly use this issue to cause OpenSSH to crash, resulting in a denial of service. This issue only applied to Ubuntu 15.10. (CVE-2016-1907)

Thomas Hoger discovered that OpenSSH incorrectly handled untrusted X11 forwarding when the SECURITY extension is disabled. A connection configured as being untrusted could get switched to trusted in certain scenarios, contrary to expectations.
(CVE-2016-1908)

It was discovered that OpenSSH incorrectly handled certain X11 forwarding data. A remote authenticated attacker could possibly use this issue to bypass certain intended command restrictions. (CVE-2016-3115)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 15.10:
  openssh-server                  1:6.9p1-2ubuntu0.2

Ubuntu 14.04 LTS:
  openssh-server                  1:6.6p1-2ubuntu2.7

Ubuntu 12.04 LTS:
  openssh-server                  1:5.9p1-5ubuntu1.9

In general, a standard system update will make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2966-1
  CVE-2015-8325, CVE-2016-1907, CVE-2016-1908, CVE-2016-3115

Package Information:
  https://launchpad.net/ubuntu/+source/openssh/1:6.9p1-2ubuntu0.2
  https://launchpad.net/ubuntu/+source/openssh/1:6.6p1-2ubuntu2.7
  https://launchpad.net/ubuntu/+source/openssh/1:5.9p1-5ubuntu1.9

--
ubuntu-security-announce mailing list
ubuntu-security-announce at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

From security at unicamp.br Mon May 16 08:24:51 2016
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Mon, 16 May 2016 08:24:51 -0300
Subject: [SECURITY-L] CAIS-Alerta: Summary of Microsoft Security Bulletins, May 2016
Message-ID: <20160516112450.GC17404@unicamp.br>

----- Forwarded message from CAIS/RNP Alerta -----

Date: Fri, 13 May 2016 18:00:53 -0300 (BRT)
From: CAIS/RNP Alerta
To: rnp-alerta at cais.rnp.br
Subject: CAIS-Alerta: Summary of Microsoft Security Bulletins, May 2016

Dear all,

Microsoft published 16 security bulletins on 10 May 2016, addressing a total of 37 vulnerabilities in the company's products.
Exploitation of these vulnerabilities allows remote code execution, elevation of privilege, security feature bypass, denial of service and unauthorized information disclosure. At the time of publication of this alert, no exploit code had been released for the vulnerabilities listed.

Critical severity

. MS16-051 - Cumulative Security Update for Internet Explorer
. MS16-052 - Cumulative Security Update for Microsoft Edge
. MS16-053 - Security Update for JScript and VBScript
. MS16-054 - Security Update for Microsoft Office
. MS16-055 - Security Update for Microsoft Graphics Component
. MS16-056 - Security Update for Windows Journal
. MS16-057 - Security Updates for Windows Shell
. MS16-064 - Security Update for Adobe Flash Player

Important

. MS16-058 - Security Update for Windows IIS
. MS16-059 - Security Update for Windows Media Center
. MS16-060 - Security Update for Windows Kernel
. MS16-061 - Security Update for Microsoft RPC
. MS16-062 - Security Update for Windows Kernel-Mode Drivers
. MS16-065 - Security Update for .NET Framework
. MS16-066 - Security Update for Virtual Secure Mode
. MS16-067 - Security Update for Volume Manager Driver

Moderate

No bulletins

Low

No bulletins

The vulnerability severity rating system adopted by CAIS is Microsoft's own. CAIS recommends applying the fixes for vulnerabilities rated critical and important. For fixes for vulnerabilities rated moderate, CAIS recommends that at least the mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow the propagation of a worm without user interaction.
. Important - Vulnerabilities whose exploitation could result in the compromise of the confidentiality, integrity or availability of user data, or of the integrity or availability of processing resources.
. Moderate - Exploitation is significantly mitigated by factors such as default configuration, auditing or difficulty of exploitation.
. Low - A vulnerability whose exploitation is extremely difficult or whose impact is minimal.

Available fixes

It is recommended to update systems to the versions available at:

Microsoft Update
https://www.update.microsoft.com/microsoftupdate

Microsoft Download Center
http://www.microsoft.com/en-us/download/default.aspx

More information

Microsoft Security Bulletin Summary for May 2016
https://technet.microsoft.com/pt-br/library/security/ms16-may.aspx

Microsoft Security TechCenter
https://technet.microsoft.com/pt-br/security

Microsoft Security Response Center . MSRC
https://technet.microsoft.com/pt-br/security/dn440717

Microsoft Security Research & Defense . MSRD
http://blogs.technet.com/b/srd/

Microsoft Safety & Security Center
https://www.microsoft.com/pt-br/security/default.aspx

CVE identifiers (http://cve.mitre.org):

CVE-2016-0187, CVE-2016-0188, CVE-2016-0189
CVE-2016-0192, CVE-2016-0194, CVE-2016-0186
CVE-2016-0191, CVE-2016-0192, CVE-2016-0193
CVE-2016-0187, CVE-2016-0189, CVE-2016-0126
CVE-2016-0140, CVE-2016-0183, CVE-2016-0198
CVE-2016-0168, CVE-2016-0169, CVE-2016-0170
CVE-2016-0184, CVE-2016-0195, CVE-2016-0182
CVE-2016-0179, CVE-2016-0152, CVE-2016-0185
CVE-2016-0180, CVE-2016-0178, CVE-2016-0171
CVE-2016-0173, CVE-2016-0174, CVE-2016-0175
CVE-2016-0176, CVE-2016-0196, CVE-2016-0197
CVE-2016-0149, CVE-2016-0181, CVE-2016-0190

CAIS recommends that administrators always keep their systems and applications up to date with the latest versions and fixes offered by the vendors.
CAIS alerts are also available on Twitter: follow @caisrnp

Regards,

CAIS/RNP

################################################################
#    CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)    #
#           Rede Nacional de Ensino e Pesquisa (RNP)           #
#                                                              #
#   cais at cais.rnp.br   http://www.rnp.br/servicos/seguranca   #
#   Tel. 019-37873300   Fax. 019-37873301                      #
#   PGP key available at http://www.rnp.br/cais/cais-pgp.key   #
################################################################

----- End forwarded message -----
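The update instructions in the USN-2966-1 message above give a fixed openssh-server version per Ubuntu release. When checking a fleet against such a notice, the comparison has to cover the full dpkg version string (epoch, upstream version and Debian revision): Ubuntu backports security fixes without changing the upstream version, so "6.6p1" appears on both patched and unpatched 14.04 hosts, and matching on it alone gives the wrong answer either way. The Python below is an added example written for this page, not code from Ubuntu, OpenSSH or the list: it reimplements dpkg's version ordering and audits a constructed inventory (host, release, package, version) against the fixed versions quoted in the notice. The inventory lines and host names are made up; on a real host the installed version would come from `dpkg-query -W -f='${Version}' openssh-server`.

```python
"""Audit installed openssh-server versions against USN-2966-1.

Added example, not part of the advisory: a dpkg-style version comparison
so that an inventory can be checked offline.  The fixed versions are the
ones quoted in the USN; the inventory below is constructed.
"""

# Fixed versions listed in USN-2966-1, keyed by Ubuntu release.
FIXED_OPENSSH_SERVER = {
    "15.10": "1:6.9p1-2ubuntu0.2",
    "14.04": "1:6.6p1-2ubuntu2.7",
    "12.04": "1:5.9p1-5ubuntu1.9",
}

# Constructed inventory (hypothetical hosts): "<host> <release> <package> <version>".
SAMPLE_INVENTORY = """\
web1 14.04 openssh-server 1:6.6p1-2ubuntu2.6
web2 14.04 openssh-server 1:6.6p1-2ubuntu2.7
db1 12.04 openssh-server 1:5.9p1-5ubuntu1.8
bastion 15.10 openssh-server 1:6.9p1-2ubuntu0.2
build1 15.10 openssh-server 1:6.9p1-2ubuntu0.10
legacy 10.04 openssh-server 1:5.3p1-3ubuntu7
"""


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything (even end of
    string), digits are handled by the numeric pass, letters before symbols."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or debian-revision strings dpkg-style."""
    while a or b:
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weights.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit run: drop leading zeros, then compare numerically; a longer
        # run of digits is the larger number whatever the first difference.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if first_diff == 0:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a against b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def status(release: str, installed: str) -> str:
    """'fixed' or 'vulnerable' against the USN; 'unsupported' when the notice
    lists no fixed version for the release, so nothing can be compared."""
    fixed = FIXED_OPENSSH_SERVER.get(release)
    if fixed is None:
        return "unsupported"
    return "fixed" if compare_versions(installed, fixed) >= 0 else "vulnerable"


def audit(inventory: str) -> dict:
    """Map each host in the inventory to its status for USN-2966-1."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, release, package, version = line.split()
        if package != "openssh-server":
            continue
        result[host] = status(release, version)
    return result


if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host:8} {state}")
```

Releases the notice does not cover (10.04 in the sample) are reported as unsupported rather than fixed, since there is no version to compare against and such hosts need a different remedy. On a live system `dpkg --compare-versions` gives the same ordering and can be used to cross-check the Python comparison.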