From security em unicamp.br Tue Jul 7 08:37:42 2020
From: security em unicamp.br (CSIRT Unicamp)
Date: Tue, 7 Jul 2020 08:37:42 -0300
Subject: [SECURITY-L] [SECURITY] [DSA 4719-1] php7.3 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4719-1                   security em debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
July 06, 2020                                 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2019-11048 CVE-2020-7062 CVE-2020-7063 CVE-2020-7064 CVE-2020-7065 CVE-2020-7066 CVE-2020-7067

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure, denial of service or potentially the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 7.3.19-1~deb10u1.

We recommend that you upgrade your php7.3 packages.
For the detailed security status of php7.3 please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/php7.3

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce em lists.debian.org

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830
From security em unicamp.br Tue Jul 7 09:25:09 2020
From: security em unicamp.br (CSIRT Unicamp)
Date: Tue, 7 Jul 2020 09:25:09 -0300
Subject: [SECURITY-L] Issuance of SSL certificates - Unicamp RNP partnership

Dear all,

To clear up some questions about the need to reissue the SSL certificates used by Unicamp through the RNP partnership, here are some answers:

*How do I know whether my certificate is OV?*
In the RNP partnership, all certificates are of the OV type.

*Will I need to issue a new CSR, or can I use the same one?*
We recommend generating a new CSR so that we can request the new certificate.

*When will I get my new certificate?*
Given the large volume of certificates affected by this vulnerability, we ask administrators to request the certificates that are critical to their unit first. Note that the new certificates can only be requested once GlobalSign has applied its fix, which is scheduled for today (07/07/2020), and that delays in issuance may occur.

*From what day should I generate the new CSR?*
From the moment you read this message, the new CSR can be generated and the request made on the CCUEC site (https://www.ccuec.unicamp.br/ccuec/index.php/servicos/certificados-digitais).

We remain at your disposal.

Best regards,
CSIRT Unicamp
From security em unicamp.br Wed Jul 29 15:05:43 2020
From: security em unicamp.br (CSIRT Unicamp)
Date: Wed, 29 Jul 2020 15:05:43 -0300
Subject: [SECURITY-L] [Security-news] Hostmaster (Aegir) - Moderately critical - Access bypass, Arbitrary code execution - SA-CONTRIB-2020-031

View online: https://www.drupal.org/sa-contrib-2020-031

Project: Hostmaster (Aegir) [1]
Version: 7.x-3.x-dev
Date: 2020-July-29
Security risk: *Moderately critical* 14/25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass, Arbitrary code execution

Description:

Aegir [3] is a powerful hosting system that sits alongside a LAMP or LEMP server to create, deploy and manage Drupal sites.

Given that

* Aegir can use both Apache and Nginx Web servers,
* Apache allows configuration-writing users to escalate their privileges to the superuser root, and
* Aegir's operations are performed by the GNU/Linux user aegir,

it follows that:

* Users with access to the aegir account can escalate their privileges to root.
* Any PHP code submitted through the front-end Web UI via modules that enable this (such as PHP [4], Views PHP [5], and Computed Field [6]) could be run as root through a cron [7] hook implementation [8]. (Aegir runs cron through the aegir user via Drush [9].)

This vulnerability is mitigated by the fact that

* an attacker must have access to the aegir account, and
* the Web server must be Apache.

While it was generally assumed that aegir access should only be provided to trusted users (i.e. users who also have access to root), this wasn't explicitly stated. The documentation has since been updated.

Solution:

If you're running Aegir and have granted untrusted users access to the aegir account,

1) revoke aegir account access for users whom you would not trust with root access, and
2) disable any module functionality on the hosted Drupal sites that allows PHP code to be entered in the front-end Web UI.
Computed Field, for example, can still be used safely by providing code from the back-end only. (See "Stop allowing PHP from being entered on the Web UI" [10] for a plan to enforce this.)

We do not recommend switching to an Nginx Web server instead of revoking access. This is because there could be as-yet-unknown privilege-escalation exploits involving Nginx (as with any other piece of software).

/Switching to Nginx/

While not recommended, if this is something you'd like to do in addition to making the above change, we can offer some information on how to do it. While there may eventually be a migration path to convert existing Apache installations to Nginx, the recommended approach is currently:

1) Set up a new Aegir installation [11] using Nginx.
2) Remotely import sites [12] from the original Apache server.
3) Decommission the original Apache server.

Also see the Hostmaster (Aegir) [13] project page.

Reported By:
* Noam Rathaus [14]

Fixed By:
* Colan Schwartz [15]

Coordinated By:
* Heine [16] of the Drupal Security Team
* Greg Knaddison [17] of the Drupal Security Team

[1] https://www.drupal.org/project/hostmaster
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.aegirproject.org/
[4] https://www.drupal.org/project/php
[5] https://www.drupal.org/project/views_php
[6] https://www.drupal.org/project/computed_field
[7] https://www.drupal.org/docs/administering-a-drupal-site/cron-automated-tasks/cron-automated-tasks-overview
[8] https://www.drupal.org/docs/creating-custom-modules/understanding-hooks
[9] https://en.wikipedia.org/wiki/Drush
[10] https://www.drupal.org/project/computed_field/issues/3143854
[11] https://docs.aegirproject.org/install/
[12] https://docs.aegirproject.org/usage/sites/importing/#remote-import
[13] https://www.drupal.org/project/hostmaster
[14] https://www.drupal.org/user/3645736
[15] https://www.drupal.org/user/58704
[16] https://www.drupal.org/user/17943
[17] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news em drupal.org
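As an added example, not from the advisory or the Aegir project, a shell audit helper for remediation step 1 of the Aegir advisory: it lists who can currently act as the aegir account through group membership, sudoers runas rules and installed SSH keys, so that the access can be reviewed and revoked. It assumes the standard group(5), sudoers(5) and authorized_keys formats; the file paths, user names and key material are constructed samples.

```shell
#!/usr/bin/env bash
# Added audit helper, not part of the Aegir advisory or project: list who can act as
# the GNU/Linux user 'aegir'. Sources: the aegir group, sudoers rules whose runas list
# allows aegir (directly or via ALL), and keys in the account's authorized_keys.
# Paths are parameters, so the functions run on real files or the samples built below.
export LC_ALL=C   # stable sort order regardless of the caller's locale

# Users listed in the 4th field of the 'aegir' line of a group(5) file.
aegir_group_members() {
  awk -F: '$1 == "aegir" && $4 != "" { gsub(/,/, "\n", $4); print $4 }' "$1" | sort -u
}

# Principals (users or %groups) whose rule has the form "who HOST=(runas[:group]) [TAG:] cmd"
# and whose runas list contains aegir or ALL. Defaults lines and rules without a runas
# part (which default to root) never match. Aliases are not expanded (assumption).
aegir_sudo_principals() {
  sed -n 's/^[[:space:]]*\([^#[:space:]][^[:space:]]*\)[[:space:]][[:space:]]*[^=]*=[[:space:]]*(\([^)]*\)).*/\1 \2/p' "$1" \
    | awk '{ runas = $2; sub(/:.*/, "", runas); n = split(runas, r, ",")
             for (i = 1; i <= n; i++) if (r[i] == "aegir" || r[i] == "ALL") { print $1; break } }' \
    | sort -u
}

# Key comments (usually user@host) from an authorized_keys file in "type key [comment]" form.
aegir_ssh_keys() {
  awk 'NF >= 2 && $1 !~ /^#/ { c = (NF >= 3) ? $3 : "<no comment>"; print c }' "$1" | sort -u
}

# Constructed samples standing in for /etc/group, /etc/sudoers and ~aegir/.ssh/authorized_keys.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
aegir:x:1001:carol,dave
www-data:x:33:
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
alice ALL=(aegir) NOPASSWD: ALL
bob ALL=(root) ALL
%devops ALL=(ALL) ALL
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0000000000000000000 erin@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey1111111111111111111
EOF
echo "aegir group members:";  aegir_group_members  "$SAMPLE_DIR/group"
echo "sudo -u aegir allowed:"; aegir_sudo_principals "$SAMPLE_DIR/sudoers"
echo "SSH keys for aegir:";    aegir_ssh_keys        "$SAMPLE_DIR/authorized_keys"
```

On a real host, point the three functions at /etc/group, /etc/sudoers (plus any files in /etc/sudoers.d) and the aegir user's authorized_keys; every name printed is someone whom, per the advisory, you are effectively trusting with root.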