Mickaël Guessant reports:
DavMail 4.6.0 released

Enhancements: Fix potential CVE-2014-3566 vulnerability.
Jake Luciani reports:
Under its default configuration, Cassandra binds an unauthenticated JMX/RMI interface to all network interfaces. As RMI is an API for the transport and remote execution of serialized Java, anyone with access to this interface can execute arbitrary code as the running user.

Mitigation:

1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade to a supported version of Cassandra, or manually configure encryption and authentication of JMX (see https://wiki.apache.org/cassandra/JmxSecurity).

2.0.x users should upgrade to 2.0.14

2.1.x users should upgrade to 2.1.4

Alternately, users of any version not wishing to upgrade can reconfigure JMX/RMI to enable encryption and authentication according to https://wiki.apache.org/cassandra/JmxSecurity or http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html

Credit:

This issue was discovered by Georgi Geshev of MWR InfoSecurity
Colton Myers reports:
In order to fix potential shell injection vulnerabilities in salt modules, a change has been made to the various cmd module functions. These functions now default to python_shell=False, which means that the commands will not be sent to an actual shell.

The largest side effect of this change is that "shellisms", such as pipes, will not work by default. The modules shipped with salt have been audited to fix any issues that might have arisen from this change. Additionally, the cmd state module has been unaffected, and use of cmd.run in jinja is also unaffected. cmd.run calls on the CLI will also allow shellisms.

However, custom execution modules which use shellisms in cmd calls will break, unless you pass python_shell=True to these calls.

As a temporary workaround, you can set cmd_safe: False in your minion and master configs. This will revert the default, but is also less secure, as it will allow shell injection vulnerabilities to be written in custom code. We recommend you only set this setting for as long as it takes to resolve these issues in your custom code, then remove the override.
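The difference between the two python_shell settings described in the Salt advisory above, as an added example (not Salt's own code): run_cmd is a hypothetical stand-in for the cmd module's behaviour, splitting the command string with shlex when python_shell is False and handing it to /bin/sh otherwise; it assumes a POSIX system with echo and tr on PATH.

```python
import shlex
import subprocess


def run_cmd(cmd: str, python_shell: bool = False) -> str:
    """Stand-in for salt's cmd.run (hypothetical, not the real module).

    python_shell=False (the post-fix default): the string is tokenised
    with shlex and exec'd directly, so |, ; and $() reach the program
    as literal arguments instead of being interpreted by a shell.
    python_shell=True (the old default): the string goes to /bin/sh -c.
    """
    if python_shell:
        proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    else:
        proc = subprocess.run(shlex.split(cmd), capture_output=True, text=True)
    return proc.stdout.strip()


def build_greeting(name: str) -> str:
    """Typical pattern in a custom execution module: a caller-supplied
    value is interpolated straight into the command string."""
    return f"echo hello {name}"


def pipe_without_shell(stages: list[str]) -> str:
    """Keep a pipeline working under python_shell=False by chaining
    subprocesses explicitly instead of relying on the shell's '|'."""
    data = None
    for stage in stages:
        proc = subprocess.run(shlex.split(stage), input=data,
                              capture_output=True, text=True)
        data = proc.stdout
    return (data or "").strip()


if __name__ == "__main__":
    # Constructed input: a value carrying a shell metacharacter.
    tainted = "world; echo INJECTED"
    # Old default: the shell honours ';' and runs a second command.
    print(run_cmd(build_greeting(tainted), python_shell=True))
    # New default: ';' is just another argument to echo.
    print(run_cmd(build_greeting(tainted)))
    # The "shellism" side effect the advisory warns about: the pipe
    # is passed literally and tr never runs.
    print(run_cmd("echo hello | tr a-z A-Z"))
    # Same result as the pipe, with no shell involved at all.
    print(pipe_without_shell(["echo hello", "tr a-z A-Z"]))
```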
Oracle reports:
This Security Alert addresses security issue CVE-2015-3456 ("VENOM"), a buffer overflow vulnerability in QEMU's virtual Floppy Disk Controller (FDC). The vulnerable FDC code is included in various virtualization platforms and is used in some Oracle products. The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC. The attacker may be able to send malicious code to the FDC that is executed in the context of the hypervisor process on the host operating system. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.