Ubuntu Security Notice 2325-1 - Alex Gaynor discovered that OpenStack Nova would sometimes respond with variable times when comparing authentication tokens. If nova were configured to proxy metadata requests via Neutron, a remote authenticated attacker could exploit this to conduct timing attacks and ascertain configuration details of another instance.
8788b38b5a81104c8f533ce3a4143ab93be8c6996fcfa6dc36bab40aff69999dUbuntu Security Notice 2324-1 - Steven Hardy discovered that OpenStack Keystone did not properly handle chained delegation. A remove authenticated attacker could use this to gain privileges by creating a new token with additional roles. Jamie Lennox discovered that OpenStack Keystone did not properly validate the project id. A remote authenticated attacker may be able to use this to access other projects. Various other issues were also addressed.
1632498be04b1359c92fbf3613e7ffaae0db2f9cddd39c0d312bdc35e22eb168Ubuntu Security Notice 2323-1 - Jason Hullinger discovered that OpenStack Horizon did not properly perform input sanitization on Heat templates. If a user were tricked into using a specially crafted Heat template, an attacker could conduct cross-site scripting attacks. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. Craig Lorentzen discovered that OpenStack Horizon did not properly perform input sanitization when creating networks. If a user were tricked into launching an image using the crafted network name, an attacker could conduct cross-site scripting attacks. Various other issues were also addressed.
af5d9eaa139a9915db9bda1859494977f366c015c3d6601bc6ac733e84f186a0Ubuntu Security Notice 2322-1 - Thomas Leaman and Stuart McLaren discovered that OpenStack Glance did not properly honor the image_size_cap configuration option. A remote authenticated attacker could exploit this to cause a denial of service via disk consumption.
75702fafcd9acb64d5cdae128214cc86612c7fc20bd6e7bae42ebbd1a9b2ea90Ubuntu Security Notice 2321-1 - Liping Mao discovered that OpenStack Neutron did not properly handle requests for a large number of allowed address pairs. A remote authenticated attacker could exploit this to cause a denial of service. Zhi Kun Liu discovered that OpenStack Neutron incorrectly filtered certain tokens. An attacker could possibly use this issue to obtain authentication tokens used in REST requests. Various other issues were also addressed.
5b7b6a9f75cfd520067e6ce6a174281f6d497b3744e0c37c37a61dd014f8632fUbuntu Security Notice 2311-2 - USN-2311-1 fixed vulnerabilities in pyCADF. This update provides the corresponding updates for OpenStack Ceilometer. Zhi Kun Liu discovered that pyCADF incorrectly filtered certain tokens. An attacker could possibly use this issue to obtain authentication tokens used in REST requests. Various other issues were also addressed.
ad7b0e30b51d9f8a5abbb08b6f790464b6327d5cce37067210a3bd846815e2beoclHashcat is an advanced GPU hash cracking utility that includes the World's fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker. It also has the first and only GPGPU-based rule engine, focuses on highly iterated modern hashes, single dictionary-based attacks, and more. AMD version.
9482d2e2c51d01147af19350d4b0861c11855b2dd918151a4bb721e877b49566oclHashcat is an advanced GPU hash cracking utility that includes the World's fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker. It also has the first and only GPGPU-based rule engine, focuses on highly iterated modern hashes, single dictionary-based attacks, and more. NVidia version.
01ecb4373ce5556dc9e13c02318a734eb042902f76dceebdc04894cc979a9deeToorCon 16 has announced its call for papers. This conference will take place October 24th through the 26th, 2014 in San Diego, CA, USA.
8dc7d28390f95ad5c0039a8b58b1ef87ea3aa20a063688c4137ec5604f280dd9ArcGIS for Server version 10.1.1 suffers from cross site scripting and open redirect vulnerabilities.
df3cafafee2a56ce02291cb9609f9243863e0b48f7556cc7572db5590e99a6d5Red Hat Security Advisory 2014-1086-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes.
1869ac672baeb6d6231ed4264632e0262537ca84832e3d8b68ec845527428f94Debian Linux Security Advisory 2940-1 - It was discovered that missing access checks in the Struts ActionForm object could result in the execution of arbitrary code.
a2c5ba27eba620d705bc979e39632bb700c5a4d3e90ae0a26a1a3d26bf11271aDebian Linux Security Advisory 3008-1 - Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.
aba292eea0cbb7cbbfdba617dbea50f35ade910183dcb8ecb26ee494d52b6f34Red Hat Security Advisory 2014-1087-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes.
7b43399c8297d76dd46dd0933745d26b4de10eebe9f700a43e687901819a236bRed Hat Security Advisory 2014-1088-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes.
4da1d3ba75d748e08e95de45e5cf1defc759a9a506037cddf827b73f39496145The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. The authors investigate a networked traffic signal system currently deployed in the United States and discover a number of security flaws that exist due to systemic failures by the designers. They leverage these flaws to create attacks which gain control of the system, and we successfully demonstrate them on the deployment in coordination with authorities. Their attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage. They make recommendations on how to improve existing systems and discuss the lessons learned for embedded systems security in general.
7eb72c4fe42431b49f23e36bae8a9024cdacfdd85d7d3cab51bf021cdf47aca7MyBB version 1.8 Beta 3 suffers from cross site scripting and remote SQL injection vulnerabilities.
dabab641dae9255bac128fc3d2e933d5be5af5ba51c232b96f0fc9c5c33828a7Content management systems designed by Dashing Times appear susceptible to remote SQL injection vulnerabilities.
8e1e463761d4827cd6a59576788f068dfed5b06371c54dc07fa1ec37a0bf4210Red Hat Security Advisory 2014-1084-01 - OpenStack Compute launches and schedules large networks of virtual machines, creating a redundant and scalable cloud computing platform. Compute provides the software, control panels, and APIs required to orchestrate a cloud, including running virtual machine instances, managing networks, and controlling access through users and projects. It was found that RBAC policies were not enforced in certain methods of the OpenStack Compute EC2 API. A remote attacker could use this flaw to escalate their privileges beyond the user group they were originally restricted to. Note that only certain setups using non-default RBAC rules for OpenStack Compute were affected.
3c25ea0f31a94abd37555dce2866ca455ade1242e9c70c53365d1fb7c26bce19
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed