Core Security Technologies Advisory - PDFCool Studio Suite is prone to a security vulnerability when processing PDF files. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing users to open a specially crafted PDF file (client-side attack). PDFAX0722_IconCool.dll version 7.22.1125.2121 is affected.
323c5add9641831fed5532e2a6ac9c1a00b8d2ddeb873e0a1b86fff6cb87a4be
RootedCON 2014 Call For Papers - RootedCON is a security congress that will take place from March 6th to 8th, 2014 in Madrid (Spain). With an estimated capacity of about 1000 people, it is one of the largest specialized conferences in the country and one of the largest in Europe, with attendee profiles ranging from students and state security forces to professionals in the IT security market and technology enthusiasts.
9f810e96b672a49c4f7f33044027e0c4e4589d954199a74e9d6155dd79675073
Ubuntu Security Notice 1985-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in SSL certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.
0f366392969f20155d45311d551bc121f8cca2af29a02d07e5e1e546d84e407f
Ubuntu Security Notice 1983-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in SSL certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. This issue only affected Ubuntu 13.04. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.
9ab7514520e21d4cb81b76c6be2121d9d8ecc991fae05d293e5e8061b9f84a2a
Ubuntu Security Notice 1984-1 - Florian Weimer discovered that Python incorrectly handled matching multiple wildcards in SSL certificate hostnames. An attacker could exploit this to cause Python to consume resources, resulting in a denial of service. Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.
c673c920639adac95e57596bc8aab64ff8ca0183257ddb8017aaad829ee17e9a
Ubuntu Security Notice 1982-1 - Ryan Sleevi discovered that Python did not properly handle certificates with NULL characters in the Subject Alternative Name field. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications.
bc6597611282dc3a251d61da8083bd226403c9d6532f0fcc3ca5d47ce5ee0b7e
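The four Python notices above (USN-1982-1 through USN-1985-1) describe two distinct failures in certificate hostname checking: a SAN with many wildcards that drives the matcher into super-linear regex backtracking, and a SAN containing a NUL byte that a C-string comparison silently truncates, so a certificate legitimately issued for attacker.example appears to cover www.victim.example. The Python below is an added example modeled on the post-fix shape of CPython's ssl.match_hostname; it is not code from the notices or from CPython itself. The certificate dictionaries, host names and helper names (naive_cstr_match, verify) are constructed for the illustration.

```python
import re


class CertificateError(ValueError):
    """Raised when a certificate name is malformed or does not match the host."""


def naive_cstr_match(dn: str, hostname: str) -> bool:
    """The vulnerable comparison: the SAN is handled as a NUL-terminated C string,
    so everything after the first NUL is ignored. A CA that only validated control
    of attacker.example will issue 'www.victim.example\\0.attacker.example', and
    that name then 'matches' www.victim.example here."""
    return dn.split("\0", 1)[0] == hostname


def _dnsname_match(dn: str, hostname: str, max_wildcards: int = 1) -> bool:
    """Match one certificate DNS name against hostname using RFC 6125 rules.
    Refuses the two hostile inputs from the advisories: embedded NULs and
    wildcard-heavy names."""
    if "\0" in dn:
        raise CertificateError("embedded NUL in certificate DNS name %r" % dn)
    if dn.count("*") > max_wildcards:
        # Before the fix every '*' became a regex '.*'; a name such as
        # 'a*a*a*a*a*a*.example.com' then costs exponential backtracking on
        # a near-miss hostname (the denial of service). Refuse it up front.
        raise CertificateError("too many wildcards in certificate DNS name %r" % dn)
    leftmost, *remainder = dn.split(".")
    if leftmost == "*":
        pats = ["[^.]+"]                                   # '*' covers exactly one label
    elif leftmost.startswith("xn--") or hostname.startswith("xn--"):
        pats = [re.escape(leftmost)]                       # no wildcard matching in IDNA labels
    else:
        pats = [re.escape(leftmost).replace(r"\*", "[^.]*")]  # partial-label wildcard, e.g. f*.example.com
    pats.extend(re.escape(label) for label in remainder)
    pattern = re.compile(r"\A" + r"\.".join(pats) + r"\Z", re.IGNORECASE)
    return pattern.match(hostname) is not None


def match_hostname(cert: dict, hostname: str) -> str:
    """cert is shaped like ssl.SSLSocket.getpeercert(): DNS entries in
    subjectAltName are authoritative, the subject commonName is only a fallback
    when the certificate carries no SAN. Returns the name that matched."""
    candidates = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not candidates:
        candidates = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in candidates:
        if _dnsname_match(name, hostname):
            return name
    raise CertificateError("hostname %r doesn't match %r" % (hostname, candidates))


def verify(cert: dict, hostname: str) -> str:
    """Convenience wrapper: 'ok' on a match, otherwise the rejection reason."""
    try:
        match_hostname(cert, hostname)
        return "ok"
    except CertificateError as exc:
        return str(exc)
```

A malformed SAN entry aborts the whole check rather than being skipped: a certificate containing a NUL-bearing or wildcard-stuffed name is treated as hostile even if another of its names would have matched.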
Ubuntu Security Notice 1986-1 - Hamid Zamani discovered multiple security issues in the Network Audio System (NAS) server. An attacker could possibly use these issues to cause a denial of service or execute arbitrary code.
e69af382d95bfcbe086efae15984d595df5fbd3d8bee8f991759b4a3dfc02778
Red Hat Security Advisory 2013-1294-01 - Red Hat Enterprise MRG is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, reliability, interoperability, and faster computing for enterprise customers. MRG Grid provides high-throughput computing and enables enterprises to achieve higher peak computing capacity as well as improved infrastructure utilization by leveraging their existing technology to build high performance grids. MRG Grid provides a job-queueing mechanism, scheduling policy, and a priority scheme, as well as resource monitoring and resource management. Users submit their jobs to MRG Grid, where they are placed into a queue. MRG Grid then chooses when and where to run the jobs based upon a policy, carefully monitors their progress, and ultimately informs the user upon completion.
863a860708a79179285b4d30836d74e035da527e520bef60b085acc522a7adec
Red Hat Security Advisory 2013-1399-01 - In accordance with the Red Hat Enterprise MRG Life Cycle policy, the Red Hat Enterprise MRG products, which include the MRG-Messaging, MRG-Realtime, and MRG-Grid, Version 1 and Version 2 offerings for Red Hat Enterprise Linux 5 will be retired as of March 31, 2014, and support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including critical impact security patches or urgent priority bug fixes, for MRG-Messaging, MRG-Realtime, and MRG-Grid on Red Hat Enterprise Linux 5 after that date. In addition, technical support through Red Hat's Global Support Services will no longer be provided for these products on Red Hat Enterprise Linux 5 after March 31, 2014.
1a07477f78cf34bf4ed77d392775bbd9c2566da699aee98691cec0f9546f719d
Red Hat Security Advisory 2013-1295-01 - Red Hat Enterprise MRG is a next-generation IT infrastructure for enterprise computing. MRG offers increased performance, reliability, interoperability, and faster computing for enterprise customers. MRG Grid provides high-throughput computing and enables enterprises to achieve higher peak computing capacity as well as improved infrastructure utilization by leveraging their existing technology to build high performance grids. MRG Grid provides a job-queueing mechanism, scheduling policy, and a priority scheme, as well as resource monitoring and resource management. Users submit their jobs to MRG Grid, where they are placed into a queue. MRG Grid then chooses when and where to run the jobs based upon a policy, carefully monitors their progress, and ultimately informs the user upon completion.
d9d2f9615620e1c143f385fe575ddaebf9bb0002d0f65c958533009a2d2441b5
Red Hat Security Advisory 2013-1323-01 - Chip/Smart Card Interface Devices (CCID) is a USB smart card reader standard followed by most modern smart card readers. The ccid package provides a generic USB-based CCID driver for readers that follow this standard. An integer overflow, leading to an array index error, was found in the way the CCID driver processed a smart card's serial number. A local attacker could use this flaw to execute arbitrary code with the privileges of the user running the PC/SC Lite pcscd daemon, by inserting a specially-crafted smart card.
2da3fa4fe75ef1c976d5c6c383db8f8320ad377a63cade41ec75485fe33e2286
Red Hat Security Advisory 2013-1310-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. It was discovered that the Samba Web Administration Tool did not protect against being opened in a web page frame. A remote attacker could possibly use this flaw to conduct a clickjacking attack against SWAT users or users with an active SWAT session. A flaw was found in the Cross-Site Request Forgery protection mechanism implemented in SWAT. An attacker with the knowledge of a victim's password could use this flaw to bypass CSRF protections and conduct a CSRF attack against the victim SWAT user.
e69591f6034a9eb52e597ccf7c3fb76cdd24eea4c83d5ed81e5a7e8a17ef3a95
Red Hat Security Advisory 2013-1307-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. It was found that PHP did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. It was found that PHP did not check for carriage returns in HTTP headers, allowing intended HTTP response splitting protections to be bypassed. Depending on the web browser the victim is using, a remote attacker could use this flaw to perform HTTP response splitting attacks.
329966a55bfeee91b34efdf6e4c6fdb40fa5bff4b1c4705ad759326610acb9fd
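Both PHP flaws in the advisory above are the same mistake in two places: a check that runs on one string while a different consumer sees another. For file names, the script checks the full string but the C library opens it as a NUL-terminated string; for headers, PHP checked only for LF while some browsers also treat a bare CR as a line terminator. The Python below is an added example illustrating both bypasses and the corresponding fixes; it is not PHP's code and not taken from the advisory. The allowed-suffix rule, the header names and the injected values are constructed for the illustration, and the "lenient browser" splitter models CR-tolerant parsing rather than any specific browser.

```python
def c_string(path: str) -> str:
    """What a NUL-terminated C API such as open(2) actually receives: everything
    after the first NUL byte is invisible to it."""
    return path.split("\0", 1)[0]


def read_path_weak(path: str, allowed_suffix: str = ".txt") -> str:
    """Vulnerable: the extension check runs on the full string, but the kernel
    opens the truncated one. Returns the path the OS would open."""
    if not path.endswith(allowed_suffix):
        raise PermissionError("only %s files may be read" % allowed_suffix)
    return c_string(path)


def read_path_strict(path: str, allowed_suffix: str = ".txt") -> str:
    """Fixed: reject NUL before any other check, so the string that was
    checked is the string that gets opened."""
    if "\0" in path:
        raise ValueError("NUL byte in file name")
    if not path.endswith(allowed_suffix):
        raise PermissionError("only %s files may be read" % allowed_suffix)
    return path


def header_weak(name: str, value: str) -> str:
    """Vulnerable: only LF is checked. A browser that also accepts a bare CR as
    a line terminator sees the injected header, so response splitting still works."""
    if "\n" in value:
        raise ValueError("LF in header value")
    return "%s: %s\r\n" % (name, value)


def header_strict(name: str, value: str) -> str:
    """Fixed: CR, LF and NUL are all rejected, in the field name as well as the value."""
    for ch in ("\r", "\n", "\0"):
        if ch in name or ch in value:
            raise ValueError("control character %r in header" % ch)
    return "%s: %s\r\n" % (name, value)


def lines_seen_by_lenient_browser(raw: str) -> list:
    """Split a raw header block the way a CR-tolerant parser does (CRLF, LF and
    bare CR all end a line)."""
    normalized = raw.replace("\r\n", "\n").replace("\r", "\n")
    return [ln for ln in normalized.split("\n") if ln]


def outcome(fn, *args) -> str:
    """Return fn(*args), or 'rejected: <reason>' when the check refused the input."""
    try:
        return fn(*args)
    except (ValueError, PermissionError) as exc:
        return "rejected: %s" % exc
```

The general rule the fixed versions follow is to reject the bytes that change meaning at the next layer (NUL for C strings, CR and LF for HTTP framing) before doing any validation on the remaining content, rather than trying to validate around them.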
Red Hat Security Advisory 2013-1319-01 - SSSD provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides NSS and PAM interfaces toward the system and a pluggable back end system to connect to multiple different account sources. A race condition was found in the way SSSD copied and removed user home directories. A local attacker who is able to write into the home directory of a different user who is being removed could use this flaw to perform symbolic link attacks, possibly allowing them to modify and delete arbitrary files with the privileges of the root user.
68634b43e7aee4755426c826c0975dcc8942e7311527465241566e06d2153a51
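The SSSD flaw above is the classic privileged-tree-removal race: code running as root walks a directory that another user can still write to, and any path-based check (is this a directory?) followed by a path-based operation (recurse, unlink) can be redirected through a symlink planted between the two. The Python below is an added example of that flaw class and of the fd-relative fix, not SSSD's own code; it uses os.open with O_NOFOLLOW plus the dir_fd parameters of os.lstat, os.unlink and os.rmdir (Linux), so every operation is resolved relative to a directory already opened, not re-resolved by path. The scenario directory names (home_victim, shadow, etc/keep) are constructed stand-ins for the root-owned files an attacker would target, and the temporary directories are left behind for inspection.

```python
import os
import stat
import tempfile


def remove_tree_naively(path: str) -> None:
    """The vulnerable pattern: path-based check, then path-based operation.
    os.path.isdir() follows symlinks, so a link the user planted inside their home
    is descended into and the link *target's* contents are unlinked with our privileges."""
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isdir(full):
            remove_tree_naively(full)
            if os.path.islink(full):
                os.unlink(full)
            else:
                os.rmdir(full)
        else:
            os.unlink(full)


def _remove_entries(dir_fd: int) -> int:
    """Remove everything below the directory already open at dir_fd, resolving every
    name relative to that fd. Returns the number of entries removed."""
    removed = 0
    for name in os.listdir(dir_fd):
        st = os.lstat(name, dir_fd=dir_fd)            # lstat: a symlink reports as a link, not its target
        if stat.S_ISDIR(st.st_mode):
            # O_NOFOLLOW: if the entry was swapped for a symlink after lstat(), open()
            # fails with ELOOP instead of following it, closing the race window.
            child = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            try:
                removed += _remove_entries(child)
            finally:
                os.close(child)
            os.rmdir(name, dir_fd=dir_fd)
        else:
            os.unlink(name, dir_fd=dir_fd)            # removes the link itself, never the target
        removed += 1
    return removed


def remove_tree_safely(path: str) -> int:
    """Symlink-safe removal of a directory another user may be writing into."""
    top = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        removed = _remove_entries(top)
    finally:
        os.close(top)
    os.rmdir(path)
    return removed


def build_scenario() -> tuple:
    """Constructed layout: a home directory with two planted symlinks pointing outside it,
    standing in for links to root-owned files. Returns (home, outside_file, outside_kept)."""
    base = tempfile.mkdtemp()
    outside_file = os.path.join(base, "shadow")
    outside_dir = os.path.join(base, "etc")
    outside_kept = os.path.join(outside_dir, "keep")
    os.mkdir(outside_dir)
    with open(outside_file, "w") as f:
        f.write("root:*:0:0:root:/root:/bin/bash\n")
    with open(outside_kept, "w") as f:
        f.write("x")
    home = os.path.join(base, "home_victim")
    os.makedirs(os.path.join(home, "sub"))
    with open(os.path.join(home, "sub", "note.txt"), "w") as f:
        f.write("junk")
    os.symlink(outside_file, os.path.join(home, "link_to_file"))
    os.symlink(outside_dir, os.path.join(home, "sub", "link_to_dir"))
    return home, outside_file, outside_kept


def demo() -> dict:
    """Run both removers on identical layouts and report what survived outside the home."""
    home, shadow, kept = build_scenario()
    remove_tree_naively(home)
    naive = {"outside_kept_survives": os.path.exists(kept), "shadow_survives": os.path.exists(shadow)}
    home, shadow, kept = build_scenario()
    n = remove_tree_safely(home)
    safe = {"outside_kept_survives": os.path.exists(kept), "shadow_survives": os.path.exists(shadow),
            "home_gone": not os.path.lexists(home), "removed": n}
    return {"naive": naive, "safe": safe}
```

The naive walker happens to leave the file symlink alone (a link to a file is not a directory, so it is simply unlinked) but follows the directory symlink and deletes the target's contents; the fd-relative version removes exactly the four entries inside the home and nothing outside it.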
Red Hat Security Advisory 2013-1348-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. It was found that a deadlock could occur in the Out of Memory killer. A process could trigger this deadlock by consuming a large amount of memory, and then causing request_module() to be called. A local, unprivileged user could use this flaw to cause a denial of service.
d448f19336e43060f6ea012ad8b6ad5fc6b42872a884e53f7da36f8c5ae39de4
Red Hat Security Advisory 2013-1302-01 - The xinetd package provides a secure replacement for inetd, the Internet services daemon. xinetd provides access control for all services based on the address of the remote host and/or on time of access, and can prevent denial-of-access attacks. When xinetd services are configured with the "TCPMUX" or "TCPMUXPLUS" type, and the tcpmux-server service is enabled, those services are accessible via port 1. It was found that enabling the tcpmux-server service allowed every xinetd service, including those that are not configured with the "TCPMUX" or "TCPMUXPLUS" type, to be accessible via port 1. This could allow a remote attacker to bypass intended firewall restrictions.
27581daef8415d493d1a3cd28c9fceefe72fcf600211fea0dc86214e4e7eb768
Red Hat Security Advisory 2013-1353-01 - The sudo utility allows system administrators to give certain users the ability to run commands as root. A flaw was found in the way sudo handled time stamp files. An attacker able to run code as a local user and with the ability to control the system clock could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password. It was found that sudo did not properly validate the controlling terminal device when the tty_tickets option was enabled in the /etc/sudoers file. An attacker able to run code as a local user could possibly gain additional privileges by running commands that the victim user was allowed to run via sudo, without knowing the victim's password.
f25bdd3057f827733e856a4ea89cd02628b34925763720a3735ef6bbeabeddf3
UniCredit Bank suffers from cross-site request forgery, cross-site scripting, and remote shell upload vulnerabilities. They have not responded to the author's notifications.
4b24c6a6204b07ab95aaa3e329aadafb43c09c8b0febd049f499b640d5f76727