From security at unicamp.br Wed May 3 15:33:51 2023
From: security at unicamp.br (CSIRT Unicamp)
Date: Wed, 3 May 2023 15:33:51 -0300
Subject: [SECURITY-L] [Security-news] S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014

View online: https://www.drupal.org/sa-contrib-2023-014

Project: S3 File System [1]
Version: 8.x-3.1, 8.x-3.0, 8.x-3.0-rc2, 8.x-3.0-rc1, 8.x-3.0-beta7, 8.x-3.0-beta6, 8.x-3.0-beta5, 8.x-3.0-beta4, 8.x-3.0-beta3, 8.x-3.0-beta2, 8.x-3.0-beta1, 8.x-3.0-alpha17
Date: 2023-May-03
Security risk: *Moderately critical* 13/25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description:
S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service.

This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.

This vulnerability is mitigated by the fact that another vulnerability must already exist outside of s3fs.
Solution:
Install the latest version:
* If you use the S3 File System module for Drupal 8.x, upgrade to s3fs 8.x-3.2 [3]

Reported By:
* Conrad Lara [4]

Fixed By:
* Conrad Lara [5]

Coordinated By:
* Greg Knaddison [6] of the Drupal Security Team

[1] https://www.drupal.org/project/s3fs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/s3fs/releases/8.x-3.2
[4] https://www.drupal.org/user/1790054
[5] https://www.drupal.org/user/1790054
[6] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news at drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc
Contact: +55 19 3521-2289 or INOC-DBA: 1251*830


From security at unicamp.br Mon May 22 15:18:39 2023
From: security at unicamp.br (CSIRT Unicamp)
Date: Mon, 22 May 2023 15:18:39 -0300
Subject: [SECURITY-L] Extended Security Maintenance for Ubuntu 18.04 (Bionic Beaver) begins 31 May 2023

---------- Forwarded message ---------
From: Steve Langasek
Date: Mon, 22 May 2023 at 15:09
Subject: Extended Security Maintenance for Ubuntu 18.04 (Bionic Beaver) begins 31 May 2023

Ubuntu announced its 18.04 (Bionic Beaver) release 5 years ago, on April 26, 2018. As with the earlier LTS releases, Ubuntu committed to ongoing security and critical fixes for a period of 5 years. The standard support period is now nearing its end and Ubuntu 18.04 LTS will transition to Extended Security Maintenance (ESM) on Wednesday, May 31, 2023.

Users are encouraged to evaluate and upgrade to our latest 22.04 LTS release via 20.04 LTS. The supported upgrade path from Ubuntu 18.04 LTS is via Ubuntu 20.04 LTS.
Instructions and caveats for the upgrades may be found at:

https://help.ubuntu.com/community/FocalUpgrades for Ubuntu 20.04 LTS
https://help.ubuntu.com/community/JammyUpgrades for Ubuntu 22.04 LTS

Ubuntu 20.04 LTS and 22.04 LTS continue to be actively supported with security updates and bug fixes. All announcements of official security updates for Ubuntu releases are sent to the ubuntu-security-announce mailing list, information about which may be found here:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Canonical provides Extended Security Maintenance for Ubuntu 18.04 LTS to customers through Ubuntu Pro. Further information can be found here:

https://ubuntu.com/blog/18-04-end-of-standard-support
https://www.ubuntu.com/esm

Since its launch in October 2004, Ubuntu has become one of the most highly regarded Linux distributions with millions of users in homes, schools, businesses and governments around the world. Ubuntu is Open Source software, costs nothing to download, and users are free to customise or alter their software in order to meet their needs.

On behalf of the Ubuntu Release Team,
-- Steve Langasek
From security at unicamp.br Tue May 23 14:53:39 2023
From: security at unicamp.br (CSIRT Unicamp)
Date: Tue, 23 May 2023 14:53:39 -0300
Subject: [SECURITY-L] [RNP/CAIS Alerta #0109] Vulnerabilities in Cisco Switches
In-Reply-To: <1627160411.2853.1684851482496.JavaMail.zimbra@rnp.br>
References: <1627160411.2853.1684851482496.JavaMail.zimbra@rnp.br>

CAIS Alert 23-05-2023 - Vulnerabilities in Cisco Switches

Dear all,

CAIS warns of a series of critical vulnerabilities disclosed for Cisco switches aimed at Small Business. Exploitation of these vulnerabilities may allow unauthenticated remote attackers to cause a denial of service (DoS) condition, execute arbitrary code with root privileges, or access unauthorized information on compromised devices.

These vulnerabilities are due to improper validation of requests sent to the web interface.

As of the latest revision of this alert, no code capable of exploiting this vulnerability had been identified.

Affected products

- 250 Series Smart Switches
- 350 Series Managed Switches
- 350X Series Stackable Managed Switches
- 550X Series Stackable Managed Switches
- Business 250 Series Smart Switches
- Business 350 Series Managed Switches
- Small Business 200 Series Smart Switches
- Small Business 300 Series Managed Switches
- Small Business 500 Series Stackable Managed Switches

Available fixes

It is recommended to apply the updates made available by the product vendor.
CVE identifiers (http://cve.mitre.org)

CVE-2023-20024
CVE-2023-20156
CVE-2023-20157
CVE-2023-20158
CVE-2023-20159
CVE-2023-20160
CVE-2023-20161
CVE-2023-20162
CVE-2023-20189

More information

- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sg-web-multi-S9g4Nkgv

CAIS recommends that administrators always keep their systems and applications up to date with the latest versions and fixes offered by the manufacturers.

CAIS alerts can also be followed on RNP's social networks. Follow us!
Twitter: @caisRNP
Facebook: facebook.com/RedeNacionaldeEnsinoePesquisaRNP

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais at cais.rnp.br                     https://cais.rnp.br/ #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available at https://www.rnp.br/cais/cais-pgp.key    #
################################################################

_______________________________________________
RNP-Alerta
rnp-alerta at listas.rnp.br
https://listas.rnp.br/mailman/listinfo/rnp-alerta