By Nathan Willis
February 6, 2013
At linux.conf.au
2013 in Canberra, Mozilla's François Marier presented a
talk on the Content
Security Policy (CSP), the browser-maker's proposed approach to
thwarting cross-site scripting attacks with a framework of
granular restrictions on what types of content a page can load.
We covered CSP in July 2009, just a
few months after development started. Since then, the idea has been
expanded, and, in November 2012, version 1.0 was declared a Candidate Recommendation by the
World Wide Web Consortium (W3C).
Cross-site scripting attacks, Marier explained, usually occur when
input and variables in a page are not properly escaped. An
unsanitized variable such as a user input field allows an attacker to
inject JavaScript or other malicious code that is loaded by a
visitor's browser. Even the templating systems used by modern content
management systems (CMS)—many of which auto-escape content—are
not foolproof. CSP offers an additional layer of protection, argued
Marier, because it is implemented as an HTTP header to be delivered
by the web server and not by the CMS. Thus, for an attacker to defeat
a CSP-equipped site, he or she would have to compromise the web
server, which is arguably more robust than the CMS.
A CSP policy is declarative, in which a site or web application
specifies the locations from which it wishes to allow scripts and
other page content to load. The header declares one or more
src directives, each of which specifies a list of acceptable
URIs for a specific content type. For example, the most basic policy
default-src 'self';
permits only loading content from the same site—in this case
meaning matching the protocol scheme, host, and port number. The
specification includes nine src directives:
default-src, script-src, object-src,
style-src, img-src, media-src,
frame-src, font-src, and connect-src. Each
directive can be set to none, or to a set of space-separated
expressions, optionally featuring the * wildcard. URI values are
matched according to a standard algorithm that looks for
scheme:host:port syntax. For example, the directive
img-src 'self' data ;
from a site at www.foo.org would match both www.foo.org and
data.foo.org. A site that uses external hosts for content
delivery or to serve ads would need to specify more complicated rules.
There is also a special reserved expression for allowing inline
content (such as inline scripts or CSS), which is somewhat editorially
named unsafe-inline as a reminder that permitting such inline
content is a risky prospect. The reason this warrants the
unsafe moniker being written
into the specification itself, said Marier, is that a browser has
no way to distinguish inline scripts that are written into the page at
the original server from any scripts which are injected into the page
content by an attacker.
The default-src directive allows
site owners to set a restrictive generic policy, which is then
overwritten only by whitelisting
specific additional content types, he said. At his personal site,
fmarier.org, he has the default-src directive set to
none and only turns on additional directives for "minor
stuff."
Policy makers
At the moment, CSP is available and "works really
well" in Firefox and Chromium/Chrome, and is somewhat
functional in Safari 6 or greater. Nevertheless, he continued, one
does not need to jump directly into converting one's sites over to
full CSP, which can be tricky to get right on the first try. He
instead suggested a few steps to implement CSP progressively.
The first step is removing all inline scripts and styles from the
site's pages. Simply moving them to external files should not affect
page functionality at all, and it removes the need to worry about
unsafe-inline (although, it should be noted, external scripts
and stylesheets do mean longer load times). The next step is to remove all
<javascript:> URIs, which, of course, may entail some
rewriting. Then one can proceed to implementing a CSP policy. Marier
recommended starting with a "relaxed" and permissive policy, then
working one's way progressively toward a stricter policy.
For this, CSP provides a helpful report-uri directive.
Unlike the other directives, report-uri does not set policy;
it tells the browser to report a policy violation to the URI provided
as the value. The example Marier provided is:
report-uri http://example.com/report.cgi
which, he said, would allow one to log false-positive matches. It is
important to note, however, that when report-uri is in place,
CSP does not block the rule violations it catches, so it is
vital to remove it once testing is complete.
Marier also recommended that interested site administrators add
their CSP rules in the web server, not through their CMS or
application framework, specifically to provide the extra layer of
protection described above. It is also useful as a reminder that CSP
is a complement to standard cross-site scripting hygiene, and not a
replacement for input escaping. There are some resources out there
for site maintainers to get started with policy writing, he said, such
as CSPisAwesome.com, a tool for
generating valid policies.
For users who are keen to get the benefits of CSP but cannot wait
for their sites to get it rolling, he recommended installing a browser
extension that implements CSP on the client-side. There appears to be
just one at the moment: UserCSP
for Firefox. This extension allows users to write policies for the
various sites they visit, which Firefox then applies just as it would
a CSP header originating from the server. Obviously, the user needs
to be aware of the risks of "injecting" (so to speak) CSP into their
browser, since applying a user-crafted policy could break the
site's functionality. On the other hand, by putting the policy
decision in the user's hands, the user can find his or her own balance
between what breaks and what risks are left open—as is the case
with other client-side security extensions like NoScript.
HTTPS, almost everywhere
As a "bonus header," Marier also discussed the HTTP Strict
Transport Security (HSTS) policy framework with the time remaining in
his session. HSTS, like CSP, is an HTTP header mechanism. It is
designed to protect again SSL downgrade attacks, in which an HTTPS
connection is stripped down to HTTP, presumably without attracting the
user's attention. HSTS allows the server to declare that it will
only allow browsers to connect over HTTPS. The header does not fix a
permanent condition; it includes a max-age directive giving a
time in seconds for which the browser should cache the HSTS setting.
Firefox has supported HSTS since
Firefox 4, but as a question from the audience revealed, it comes with
one hangup: the browser must successfully connect to the server over
HTTPS the first time in order to get the HSTS header.
Mozilla sought to alleviate the risk of attacks that exploit this by
shipping Firefox 17 pre-loaded with a list of verified banking web
sites that the browser should access over HTTPS the first time.
HSTS is supported in Chromium/Chrome in addition to Firefox, as
well as in Opera. Mozilla cannot do much to implement security policy for other
browsers—particularly the proprietary ones—so when asked
what to tell users of other browsers, Marier's response was "It works
in these browsers. If it doesn't work in your favorite browser
... switch browsers."
That is probably sound advice, which a lot of free software
security mavens would echo. But it is interesting to see that,
with both CSP and HSTS, Mozilla is pushing forward on web security from
the server side as well as within the browser itself.
Comments (4 posted)
Brief items
I continue to be amazed that elected officials can read constant articles
about hacking, and yet readily accept the assurances that there will be no
problems with internet voting. If the SBE [State Board of Elections] is so
good at stopping attacks,
perhaps they should supplement their paltry budget by providing security
for banks, Federal government agencies like DOD [Departement of Defense],
and the nation’s leading
newspapers!
-- Jeremy Epstein
The Internet's design isn't fixed by natural laws. Its history is a
fortuitous accident: an initial lack of commercial interests, governmental
benign neglect, military requirements for survivability and resilience, and
the natural inclination of computer engineers to build open systems that
work simply and easily. This mix of forces that created yesterday's
Internet will not be trusted to create tomorrow's. Battles over the future
of the Internet are going on right now: in legislatures around the world,
in international organizations like the International Telecommunications
Union and the World Trade Organization, and in Internet standards
bodies. The Internet is what we make it, and is constantly being recreated
by organizations, companies, and countries with specific interests and
agendas. Either we fight for a seat at the table, or the future of the
Internet becomes something that is done to us.
-- Bruce
Schneier
Comments (28 posted)
Ars technica reports on a weakness found in various open source (and possibly proprietary) SSL/TLS implementations (e.g. OpenSSL, NSS). Exploiting it is fairly difficult, but it allows attackers to decrypt the ciphertext.
" The attacks start by capturing the ciphertext as it travels over the Internet. Using a long-discovered weakness in TLS's CBC, or cipher block chaining, mode, attackers replace the last several blocks with chosen blocks and observe the amount of time it takes for the server to respond. TLS messages that contain the correct padding will take less time to process. A mechanism in TLS causes the transaction to fail each time the application encounters a TLS message that contains tampered data, requiring attackers to repeatedly send malformed messages in a new session following each previous failure. By sending large numbers of TLS messages and statistically sampling the server response time for each one, the scientists were able to eventually correctly guess the contents of the ciphertext."
Comments (5 posted)
Matthew Garrett calls out Google for not allowing users to install their own keys on Chromebook systems. " Some people don't like Secure Boot because they don't trust Microsoft. If you trust Google more, then a Chromebook is a reasonable choice. But some people don't like Secure Boot because they see it as an attack on user freedom, and those people should be willing to criticise Google's stance. Unlike Microsoft, Chromebooks force the user to choose between security and freedom. Nobody should be forced to make that choice."
Comments (70 posted)
New vulnerabilities
abrt and libreport: two privilege escalation flaws
| Package(s): | abrt and libreport |
CVE #(s): | CVE-2012-5659
CVE-2012-5660
|
| Created: | February 1, 2013 |
Updated: | February 10, 2013 |
| Description: |
From the Red Hat advisory:
It was found that the
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache tool did not
sufficiently sanitize its environment variables. This could lead to Python
modules being loaded and run from non-standard directories (such as /tmp/).
A local attacker could use this flaw to escalate their privileges to that
of the abrt user. (CVE-2012-5659)
A race condition was found in the way ABRT handled the directories used to
store information about crashes. A local attacker with the privileges of
the abrt user could use this flaw to perform a symbolic link attack,
possibly allowing them to escalate their privileges to root.
(CVE-2012-5660) |
| Alerts: |
|
Comments (none posted)
axis: incorrect certificate validation
| Package(s): | axis |
CVE #(s): | CVE-2012-5784
|
| Created: | February 1, 2013 |
Updated: | March 26, 2013 |
| Description: |
From the Fedora advisory:
This update fixes a security vulnerability that caused axis not to verify that the server hostname
matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allowed man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
certificate (CVE-2012-5784). |
| Alerts: |
|
Comments (none posted)
chromium: multiple vulnerabilities
| Package(s): | chromium |
CVE #(s): | CVE-2012-5145
CVE-2012-5146
CVE-2012-5147
CVE-2012-5148
CVE-2012-5149
CVE-2012-5150
CVE-2012-5152
CVE-2012-5153
CVE-2012-5154
CVE-2013-0830
CVE-2013-0831
CVE-2013-0832
CVE-2013-0833
CVE-2013-0834
CVE-2013-0835
CVE-2013-0836
CVE-2013-0837
CVE-2013-0838
|
| Created: | February 4, 2013 |
Updated: | April 8, 2013 |
| Description: |
From the CVE entries:
Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to SVG layout. (CVE-2012-5145)
Google Chrome before 24.0.1312.52 allows remote attackers to bypass the Same Origin Policy via a malformed URL. (CVE-2012-5146)
Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to DOM handling. (CVE-2012-5147)
The hyphenation functionality in Google Chrome before 24.0.1312.52 does not properly validate file names, which has unspecified impact and attack vectors. (CVE-2012-5148)
Integer overflow in the audio IPC layer in Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. (CVE-2012-5149)
Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving seek operations on video data. (CVE-2012-5150)
Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving seek operations on video data. (CVE-2012-5152)
Google V8 before 3.14.5.3, as used in Google Chrome before 24.0.1312.52, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers an out-of-bounds access to stack memory. (CVE-2012-5153)
Integer overflow in Google Chrome before 24.0.1312.52 on Windows allows attackers to cause a denial of service or possibly have unspecified other impact via vectors related to allocation of shared memory. (CVE-2012-5154)
The IPC layer in Google Chrome before 24.0.1312.52 on Windows omits a NUL character required for termination of an unspecified data structure, which has unknown impact and attack vectors. (CVE-2013-0830)
Directory traversal vulnerability in Google Chrome before 24.0.1312.52 allows remote attackers to have an unspecified impact by leveraging access to an extension process. (CVE-2013-0831)
Use-after-free vulnerability in Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to printing. (CVE-2013-0832)
Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to printing. (CVE-2013-0833)
Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving glyphs. (CVE-2013-0834)
Unspecified vulnerability in the Geolocation implementation in Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service (application crash) via unknown vectors. (CVE-2013-0835)
Google V8 before 3.14.5.3, as used in Google Chrome before 24.0.1312.52, does not properly implement garbage collection, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code. (CVE-2013-0836)
Google Chrome before 24.0.1312.52 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the handling of extension tabs. (CVE-2013-0837)
Google Chrome before 24.0.1312.52 on Linux uses weak permissions for shared memory segments, which has unspecified impact and attack vectors. (CVE-2013-0838)
|
| Alerts: |
|
Comments (none posted)
coreutils: multiple vulnerabilities
| Package(s): | coreutils |
CVE #(s): | CVE-2013-0221
CVE-2013-0222
CVE-2013-0223
|
| Created: | February 1, 2013 |
Updated: | April 5, 2013 |
| Description: |
From the Red Hat bugzilla entries [1, 2, 3]:
CVE-2013-0221: It was reported that the sort command suffered from a segfault when processing input streams that contained extremely long strings when used with the -d and -M switches. This flaw is due to the inclusion of the coreutils-i18n.patch.
CVE-2013-0222: It was reported that the uniq command suffered from a segfault when processing input streams that contained extremely long strings. This flaw is due to the inclusion of the coreutils-i18n.patch.
CVE-2013-0223: It was reported that the join command suffered from a segfault when processing input streams that contained extremely long strings when used with the -i switch. This flaw is due to the inclusion of the coreutils-i18n.patch.
|
| Alerts: |
|
Comments (none posted)
couchdb: multiple vulnerabilities
| Package(s): | couchdb |
CVE #(s): | CVE-2012-5649
CVE-2012-5650
|
| Created: | February 6, 2013 |
Updated: | February 8, 2013 |
| Description: |
From the Red Hat bugzilla entries [1, 2]:
CVE-2012-5649: A security flaw was found in the way Apache CouchDB, a distributed, fault-tolerant and schema-free document-oriented database accessible via a RESTful HTTP/JSON API, processed certain JSON callback. A remote attacker could provide a specially-crafted JSON callback that, when processed could lead to arbitrary JSON code execution via Adobe Flash.
(Couchdb advisory)
CVE-2012-5650: A DOM based cross-site scripting (XSS) flaw was found in the way browser-based test suite of Apache CouchDB, a distributed, fault-tolerant and schema-free document-oriented database accessible via a RESTful HTTP/JSON API, processed certain query parameters. A remote attacker could provide a specially-crafted web page that, when accessed could lead to arbitrary web script or HTML execution in the context of a CouchDB user session. (Couchdb advisory). |
| Alerts: |
|
Comments (none posted)
ettercap: code execution
| Package(s): | ettercap |
CVE #(s): | CVE-2013-0722
|
| Created: | February 1, 2013 |
Updated: | February 6, 2013 |
| Description: |
From the Red Hat bugzilla entry:
A stack-based buffer overflow was reported in Ettercap <= 0.7.5.1. A boundary error within the scan_load_hosts() function (in src/ec_scan.c), when parsing entries from a hosts list, could be exploited to cause a stack-based buffer overflow via an overly long entry. In order to exploit this, a user must be tricked into loading a malicious host file. |
| Alerts: |
|
Comments (none posted)
freeipa: multiple vulnerabilities
| Package(s): | freeipa |
CVE #(s): | CVE-2012-4546
CVE-2013-0199
|
| Created: | February 4, 2013 |
Updated: | March 11, 2013 |
| Description: |
From the Red Hat bugzilla [1], [2]:
[1] FreeIPA 3.0 introduced a Cross-Realm Kerberos trusts with Active Directory, a feature that allows IPA administrators to create a Kerberos trust with an AD. This allows IPA users to be able to access resources in AD trusted domains and vice versa.
When the Kerberos trust is created, an outgoing and incoming keys are stored in the IPA LDAP backend (in ipaNTTrustAuthIncoming and ipaNTTrustAuthOutgoing attributes). However, the IPA LDAP ACIs allow anonymous read acess to these attributes which could allow an unprivileged and unauthenticated user to read the keys. With these keys, an attacker could craft an invented Kerberos ticket with an invented PAC, encrypt the PAC with the retrieved key, and impersonate any AD user in the IPA domain or impersonate any IPA user in the AD domain. (CVE-2013-0199)
[2] It was found that the current default configuration of IPA servers did not publish correct CRLs (Certificate Revocation Lists). The default configuration specifies that every replica is to generate its own CRL, however this can result in inconsistencies in the CRL contents provided to clients from different Identity Management replicas. More specifically, if a certificate is revoked on one Identity Management replica, it will not show up on another Identity Management replica. (CVE-2012-4546)
|
| Alerts: |
|
Comments (1 posted)
jakarta-commons-httpclient: incorrect certificate validation
| Package(s): | jakarta-commons-httpclient |
CVE #(s): | CVE-2012-5783
|
| Created: | February 1, 2013 |
Updated: | April 4, 2013 |
| Description: |
From the Fedora advisory:
This update fixes a security vulnerability that caused jakarta-commons-httpclient not to verify
that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName
field of the X.509 certificate, which allowed man-in-the-middle attackers to spoof SSL servers via
andaarbitrary valid certificate (CVE-2012-5783). |
| Alerts: |
|
Comments (none posted)
java: multiple unspecified vulnerabilities
| Package(s): | java |
CVE #(s): | CVE-2013-0431
CVE-2013-0437
CVE-2013-0444
CVE-2013-0448
CVE-2013-0449
CVE-2013-1479
CVE-2013-1489
|
| Created: | February 5, 2013 |
Updated: | March 12, 2013 |
| Description: |
From the CVE entries:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490. (CVE-2013-0431)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2013-0437)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. (CVE-2013-0444)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 allows remote attackers to affect integrity via unknown vectors related to Libraries. (CVE-2013-0448)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 allows remote attackers to affect confidentiality via unknown vectors related to Deployment. (CVE-2013-0449)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (CVE-2013-1479)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability. (CVE-2013-1489)
|
| Alerts: |
|
Comments (none posted)
java: multiple unspecified vulnerabilities
| Package(s): | java |
CVE #(s): | CVE-2012-1541
CVE-2012-3213
CVE-2012-3342
CVE-2013-0351
CVE-2013-0409
CVE-2013-0419
CVE-2013-0423
CVE-2013-0424
CVE-2013-0425
CVE-2013-0426
CVE-2013-0427
CVE-2013-0428
CVE-2013-0429
CVE-2013-0430
CVE-2013-0432
CVE-2013-0433
CVE-2013-0434
CVE-2013-0435
CVE-2013-0438
CVE-2013-0440
CVE-2013-0441
CVE-2013-0442
CVE-2013-0443
CVE-2013-0445
CVE-2013-0446
CVE-2013-0450
CVE-2013-1473
CVE-2013-1475
CVE-2013-1476
CVE-2013-1478
CVE-2013-1480
CVE-2013-1481
|
| Created: | February 5, 2013 |
Updated: | March 20, 2013 |
| Description: |
From the CVE entries:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. (CVE-2012-1541)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Scripting. (CVE-2012-3213)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. (CVE-2012-3342)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. (CVE-2013-0351)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38 allows remote attackers to affect confidentiality via vectors related to JMX. (CVE-2013-0409)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. (CVE-2013-0419)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. (CVE-2013-0423)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect integrity via vectors related to RMI. (CVE-2013-0424)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0428 and CVE-2013-0426. (CVE-2013-0425)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0428. (CVE-2013-0426)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38 allows remote attackers to affect integrity via unknown vectors related to Libraries. (CVE-2013-0427)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0426. (CVE-2013-0428)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. (CVE-2013-0429)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process of the client. (CVE-2013-0430)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality and integrity via vectors related to AWT. (CVE-2013-0432)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38 allows remote attackers to affect integrity via unknown vectors related to Networking. (CVE-2013-0433)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality via vectors related to JAXP. (CVE-2013-0434)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality via vectors related to JAX-WS. (CVE-2013-0435)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality via unknown vectors related to Deployment. (CVE-2013-0438)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect availability via vectors related to JSSE. (CVE-2013-0440)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2013-1476 and CVE-2013-1475. (CVE-2013-0441)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. (CVE-2013-0442)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. (CVE-2013-0443)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. (CVE-2013-0445)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU. (CVE-2013-0446)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. (CVE-2013-0450)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect integrity via unknown vectors related to Deployment. (CVE-2013-1473)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. (CVE-2013-1475)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2013-0441 and CVE-2013-1475. (CVE-2013-1476)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2013-1478)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. (CVE-2013-1480)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. (CVE-2013-1481)
See the Oracle Java SE Critical
Patch Update Advisory for additional details. |
| Alerts: |
|
Comments (none posted)
keystone: denial of service
| Package(s): | keystone |
CVE #(s): | CVE-2013-0247
|
| Created: | February 6, 2013 |
Updated: | February 18, 2013 |
| Description: |
From the Ubuntu advisory:
Dan Prince discovered that Keystone did not properly perform input
validation when handling certain error conditions. An unauthenticated user
could exploit this to cause a denial of service in Keystone API servers via
disk space exhaustion. |
| Alerts: |
|
Comments (none posted)
libupnp: multiple vulnerabilities
| Package(s): | libupnp |
CVE #(s): | CVE-2012-5958
CVE-2012-5959
CVE-2012-5960
CVE-2012-5961
CVE-2012-5962
CVE-2012-5963
CVE-2012-5964
CVE-2012-5965
|
| Created: | February 4, 2013 |
Updated: | February 21, 2013 |
| Description: |
From the CVE entries:
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction. (CVE-2012-5958)
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that contains a :: (colon colon) in a UDP packet. (CVE-2012-5959)
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka upnp:rootdevice) field in a UDP packet. (CVE-2012-5960)
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long UDN (aka device) field in a UDP packet. (CVE-2012-5961)
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long DeviceType (aka urn) field in a UDP packet. (CVE-2012-5962)
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that lacks a :: (colon colon) in a UDP packet. (CVE-2012-5963)
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long ServiceType (aka urn service) field in a UDP packet. (CVE-2012-5964)
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long DeviceType (aka urn device) field in a UDP packet. (CVE-2012-5965)
|
| Alerts: |
|
Comments (none posted)
libwebp: denial of service
| Package(s): | libwebp |
CVE #(s): | CVE-2012-5127
|
| Created: | February 4, 2013 |
Updated: | February 6, 2013 |
| Description: |
From the CVE entry:
Integer overflow in Google Chrome before 23.0.1271.64 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted WebP image. |
| Alerts: |
|
Comments (none posted)
ndjbdns: ghost domain attack
| Package(s): | ndjbdns |
CVE #(s): | |
| Created: | February 1, 2013 |
Updated: | February 6, 2013 |
| Description: |
From the NVD entry:
The resolver in dnscache in Daniel J. Bernstein djbdns 1.05 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.
|
| Alerts: |
|
Comments (none posted)
rhncfg: information disclosure
| Package(s): | rhncfg |
CVE #(s): | CVE-2012-2679
|
| Created: | February 4, 2013 |
Updated: | February 6, 2013 |
| Description: |
From the Red Hat bugzilla:
It was discovered that Red Hat Network Configuration Client set insecure (0644) permissions on the /var/log/rhncfg-actions file used to store (besides terminal) the output of different RHN Client actions (diff, verify etc.). A local attacker could use this flaw to obtain sensitive information, if the rhncfg-client diff action has been used to query differences between the (normally for unprivileged user not readable) config files stored by RHN and those, deployed on the system. |
| Alerts: |
|
Comments (none posted)
samba: multiple vulnerabilities in SWAT
| Package(s): | samba |
CVE #(s): | CVE-2013-0213
CVE-2013-0214
|
| Created: | February 4, 2013 |
Updated: | March 25, 2013 |
| Description: |
From the
Samba 4.0.2 announcement:
CVE-2013-0213:
All current released versions of Samba are vulnerable to clickjacking in the
Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
a malicious web page via a frame or iframe and then overlaid by other content,
an attacker could trick an administrator to potentially change Samba settings.
In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.
CVE-2013-0214:
All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By guessing a
user's password and then tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, it is possible to manipulate
SWAT.
In order to be vulnerable, the attacker needs to know the victim's password.
Additionally SWAT must have been installed and enabled either as a standalone
server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
not been installed or enabled (which is the default install state for Samba)
this advisory can be ignored.
|
| Alerts: |
|
Comments (3 posted)
squid-cgi: denial of service
| Package(s): | squid-cgi |
CVE #(s): | CVE-2013-0189
|
| Created: | January 31, 2013 |
Updated: | February 6, 2013 |
| Description: |
From the Ubuntu advisory:
It was discovered that the patch for CVE-2012-5643 was incorrect. A
remote attacker could exploit this flaw to perform a denial of service
attack. (CVE-2013-0189)
|
| Alerts: |
|
Comments (none posted)
tinymce-spellchecker: code execution
| Package(s): | tinymce-spellchecker |
CVE #(s): | CVE-2012-6112
|
| Created: | February 4, 2013 |
Updated: | February 6, 2013 |
| Description: |
From the Red Hat bugzilla:
A security flaw was found in the way Google spellchecker of TinyMCE spellchecker plugin sanitized content of $lang and $str arguments from presence of control characters when checking for matches. A remote attacker could provide a specially-crafted string, to be checked by the TinyMCE spellchecker plugin that, when processed, could lead to arbitrary code execution with the privileges of the user running the TinyMCE spellchecker plugin. |
| Alerts: |
|
Comments (none posted)
v8: multiple vulnerabilities
| Package(s): | v8 |
CVE #(s): | |
| Created: | February 5, 2013 |
Updated: | February 6, 2013 |
| Description: |
The Javascript engine V8 3.16.4.0 fixes lots of bugs and security issues.
See this SUSE bug report for details. |
| Alerts: |
|
Comments (none posted)
virtualbox: unspecified vulnerability
| Package(s): | virtualbox |
CVE #(s): | CVE-2013-0420
|
| Created: | February 4, 2013 |
Updated: | February 6, 2013 |
| Description: |
From the CVE entry:
Unspecified vulnerability in the VirtualBox component in Oracle Virtualization 4.0, 4.1, and 4.2 allows local users to affect integrity and availability via unknown vectors related to Core. |
| Alerts: |
|
Comments (none posted)
xen: denial of service
| Package(s): | xen |
CVE #(s): | CVE-2013-0151
CVE-2013-0152
|
| Created: | February 4, 2013 |
Updated: | February 6, 2013 |
| Description: |
From the Red Hat bugzilla:
CVE-2013-0151: nested virtualization on 32-bit exposes host crash
When performing nested virtualisation Xen would incorrectly map guest
pages for extended periods using an interface which is only intended
for transient mappings. In some configurations there are a limited
number of slots available for these transient mappings and exhausting
them leads to a host crash and therefore a Denial of Service attack.
A malicious guest administrator can, by enabling nested virtualisation
from within the guest, trigger the issue.
CVE-2013-0152: nested HVM exposes host to being driven out of memory by guest
Guests are currently permitted to enable nested virtualization on
themselves. Missing error handling cleanup in the handling code makes
it possible for a guest, particularly a multi-vCPU one, to repeatedly
invoke this operation, thus causing a leak of - over time - unbounded
amounts of memory.
A malicious domain can mount a denial of service attack affecting the
whole system. |
| Alerts: |
|
Comments (none posted)
xorg-x11-drv-qxl: denial of service
| Package(s): | xorg-x11-drv-qxl |
CVE #(s): | CVE-2013-0241
|
| Created: | February 1, 2013 |
Updated: | February 7, 2013 |
| Description: |
From the Red Hat advisory:
A flaw was found in the way the host's qemu-kvm qxl driver and the guest's
X.Org qxl driver interacted when a SPICE connection terminated. A user able
to initiate a SPICE connection to a guest could use this flaw to make the
guest temporarily unavailable or, potentially (if the sysctl
kernel.softlockup_panic variable was set to "1" in the guest), crash the
guest. (CVE-2013-0241) |
| Alerts: |
|
Comments (none posted)
zim: multiple vulnerabilities
| Package(s): | Zim |
CVE #(s): | |
| Created: | February 5, 2013 |
Updated: | February 6, 2013 |
| Description: |
Zim 0.59 fixes multiple bugs. |
| Alerts: |
|
Comments (none posted)
Page editor: Jake Edge
Next page: Kernel development>>
|
|
