From security em unicamp.br Tue Jan 3 14:37:38 2017 From: security em unicamp.br (CSIRT Unicamp) Date: Tue, 3 Jan 2017 14:37:38 -0200 Subject: [SECURITY-L] Vulnerabilidade no PHPMailer (CVE-2016-10045 e CVE-2016-10033 ) Message-ID: Foi encontrada uma vulnerabilidade crítica no PHPMailer - código muito utilizado para enviar e-mails com PHP. Essa vulnerabilidade permite que um atacante remoto não autenticado consiga executar comandos arbitrários no servidor, podendo assim comprometer o ambiente web em questão. Escrevemos um artigo em nosso site sobre essa vulnerabilidade: https://www.security.unicamp.br/blog/nova-vulnerabilidade-no-phpmailer/ Att. -- === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 From security em unicamp.br Wed Jan 11 16:21:45 2017 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 11 Jan 2017 16:21:45 -0200 Subject: [SECURITY-L] [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-17:01.openssh] Message-ID: <20170111182145.GN32394@unicamp.br> ----- Forwarded message from FreeBSD Security Advisories ----- Date: Wed, 11 Jan 2017 06:27:37 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-17:01.openssh ============================================================================= FreeBSD-SA-17:01.openssh Security Advisory The FreeBSD Project Topic: OpenSSH multiple vulnerabilities Category: contrib Module: OpenSSH Announced: 2017-01-11 Affects: All supported versions of FreeBSD. Corrected: 2017-01-11 05:56:40 UTC (stable/11, 11.0-STABLE) 2017-01-11 06:01:23 UTC (releng/11.0, 11.0-RELEASE-p7) 2017-01-11 05:56:40 UTC (stable/10, 10.3-STABLE) 2017-01-11 06:01:23 UTC (releng/10.3, 10.3-RELEASE-p16) CVE Name: CVE-2016-10009, CVE-2016-10010 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. OpenSSH supports accessing keys provided by a PKCS#11 token. II. Problem Description The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across forwarded agent-socket. [CVE-2016-10009] When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. [CVE-2016-10010] III. Impact A remote attacker who have control of a forwarded agent-socket on a remote system and have the ability to write files on the system running ssh-agent(1) agent can run arbitrary code under the same user credential. Because the attacker must already have some control on both systems, it is relatively hard to exploit this vulnerability in a practical attack. [CVE-2016-10009] When privilege separation is disabled (on FreeBSD, privilege separation is enabled by default and has to be explicitly disabled), an authenticated attacker can potentially gain root privileges on systems running OpenSSH server. [CVE-2016-10010] IV. Workaround Systems not running ssh-agent(1) and sshd(8) services are not affected. System administrators may remove ssh-agent(1) to mitigate CVE-2016-10009. System administrators should enable privilege separation when running OpenSSH server, which is the FreeBSD default, to mitigate CVE-2016-10010. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Kill all running ssh-agent(1) process and restart sshd(8) service. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Kill all running ssh-agent(1) process and restart sshd(8) service. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch.asc # gpg --verify openssh.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Kill all running ssh-agent(1) process and restart sshd(8) service. A reboot is recommended but not required. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision ------------------------------------------------------------------------- stable/10/ r311915 releng/10.3/ r311916 stable/11/ r311915 releng/11.0/ r311916 ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at _______________________________________________ freebsd-security-notifications em freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe em freebsd.org" ----- End forwarded message ----- From security em unicamp.br Fri Jan 27 11:42:38 2017 From: security em unicamp.br (CSIRT Unicamp) Date: Fri, 27 Jan 2017 11:42:38 -0200 Subject: [SECURITY-L] WordPress 4.7.2 Security Release Message-ID: <17c42a12-c9f5-1312-2418-629b25967064@unicamp.br> WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.1 and earlier are affected by three security issues: 1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive. 2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we?ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo). 3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team. Thank you to the reporters of these issues for practicing responsible disclosure. Download WordPress 4.7.2 or venture over to Dashboard ? Updates and simply click ?Update Now.? Sites that support automatic background updates are already beginning to update to WordPress 4.7.2. https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ From security em unicamp.br Tue Jan 3 14:37:40 2017 From: security em unicamp.br (CSIRT Unicamp) Date: Tue, 03 Jan 2017 16:37:40 -0000 Subject: [SECURITY-L] Vulnerabilidade no PHPMailer (CVE-2016-10045 e CVE-2016-10033 ) Message-ID: Foi encontrada uma vulnerabilidade crítica no PHPMailer - código muito utilizado para enviar e-mails com PHP. Essa vulnerabilidade permite que um atacante remoto não autenticado consiga executar comandos arbitrários no servidor, podendo assim comprometer o ambiente web em questão. Escrevemos um artigo em nosso site sobre essa vulnerabilidade: https://www.security.unicamp.br/blog/nova-vulnerabilidade-no-phpmailer/ Att. -- === Computer Security Incident Response Team - CSIRT Universidade Estadual de Campinas - Unicamp Centro de Computacao - CCUEC Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830 From security em unicamp.br Wed Jan 11 16:21:46 2017 From: security em unicamp.br (CSIRT - UNICAMP) Date: Wed, 11 Jan 2017 18:21:46 -0000 Subject: [SECURITY-L] [security-advisories@freebsd.org: FreeBSD Security Advisory FreeBSD-SA-17:01.openssh] Message-ID: <20170111182145.GN32394@unicamp.br> ----- Forwarded message from FreeBSD Security Advisories ----- Date: Wed, 11 Jan 2017 06:27:37 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-17:01.openssh ============================================================================= FreeBSD-SA-17:01.openssh Security Advisory The FreeBSD Project Topic: OpenSSH multiple vulnerabilities Category: contrib Module: OpenSSH Announced: 2017-01-11 Affects: All supported versions of FreeBSD. Corrected: 2017-01-11 05:56:40 UTC (stable/11, 11.0-STABLE) 2017-01-11 06:01:23 UTC (releng/11.0, 11.0-RELEASE-p7) 2017-01-11 05:56:40 UTC (stable/10, 10.3-STABLE) 2017-01-11 06:01:23 UTC (releng/10.3, 10.3-RELEASE-p16) CVE Name: CVE-2016-10009, CVE-2016-10010 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. OpenSSH supports accessing keys provided by a PKCS#11 token. II. Problem Description The ssh-agent(1) agent supports loading a PKCS#11 module from outside a trusted whitelist. An attacker can request loading of a PKCS#11 module across forwarded agent-socket. [CVE-2016-10009] When privilege separation is disabled, forwarded Unix domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. [CVE-2016-10010] III. Impact A remote attacker who have control of a forwarded agent-socket on a remote system and have the ability to write files on the system running ssh-agent(1) agent can run arbitrary code under the same user credential. Because the attacker must already have some control on both systems, it is relatively hard to exploit this vulnerability in a practical attack. [CVE-2016-10009] When privilege separation is disabled (on FreeBSD, privilege separation is enabled by default and has to be explicitly disabled), an authenticated attacker can potentially gain root privileges on systems running OpenSSH server. [CVE-2016-10010] IV. Workaround Systems not running ssh-agent(1) and sshd(8) services are not affected. System administrators may remove ssh-agent(1) to mitigate CVE-2016-10009. System administrators should enable privilege separation when running OpenSSH server, which is the FreeBSD default, to mitigate CVE-2016-10010. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Kill all running ssh-agent(1) process and restart sshd(8) service. A reboot is recommended but not required. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Kill all running ssh-agent(1) process and restart sshd(8) service. A reboot is recommended but not required. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch # fetch https://security.FreeBSD.org/patches/SA-17:01/openssh.patch.asc # gpg --verify openssh.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Kill all running ssh-agent(1) process and restart sshd(8) service. A reboot is recommended but not required. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision ------------------------------------------------------------------------- stable/10/ r311915 releng/10.3/ r311916 stable/11/ r311915 releng/11.0/ r311916 ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at _______________________________________________ freebsd-security-notifications em freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe em freebsd.org" ----- End forwarded message ----- From security em unicamp.br Fri Jan 27 12:22:39 2017 From: security em unicamp.br (CSIRT Unicamp) Date: Fri, 27 Jan 2017 14:22:39 -0000 Subject: [SECURITY-L] WordPress 4.7.2 Security Release Message-ID: <17c42a12-c9f5-1312-2418-629b25967064@unicamp.br> WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.1 and earlier are affected by three security issues: 1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive. 2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we?ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo). 3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team. Thank you to the reporters of these issues for practicing responsible disclosure. Download WordPress 4.7.2 or venture over to Dashboard ? Updates and simply click ?Update Now.? Sites that support automatic background updates are already beginning to update to WordPress 4.7.2. https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/