VU#967332: GNU C Library (glibc) __nss_hostname_digits_dots() function vulnerable to buffer overflow
Vulnerability Note VU#967332: GNU C Library (glibc) __nss_hostname_digits_dots() function vulnerable to buffer overflow
Original Release date: 28 Jan 2015 | Last revised: 28 Jan 2015
Overview: The __nss_hostname_digits_dots() function of the GNU C Library (glibc) allows a buffer overflow condition in which arbitrary code may be executed. This vulnerability has been assigned CVE-2015-0235 and is referred to in the media by the name "GHOST".
Description: According to Qualys, the vulnerability is "a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc).
Original release date: January 27, 2015
Apple has released security updates for OS X, Safari, iOS and Apple TV to address multiple vulnerabilities, one of which could allow a remote attacker to take control of an affected system. Updates available include:
- OS X v10.10.2 and Security Update 2015-001 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10 and v10.10.1
- Safari 8.0.3, Safari 7.1.3, and Safari 6.2.3 for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, and OS X Yosemite v10.10.1
- iOS 8.1.3 for iPhone 4s and later, iPod touch 5th generation and later, and iPad 2 and later
- Apple TV 7.0.3 for Apple TV 3rd generation and later
US-CERT encourages users and administrators to review Apple security updates HT204244, HT204243, HT204245 and HT204246, and apply the necessary updates.
Original release date: January 26, 2015
Adobe has released Flash Player desktop version 126.96.36.1996 to address a critical vulnerability (CVE-2015-0311) in 188.8.131.527 and earlier versions for Windows and Macintosh. This vulnerability could allow an attacker to take control of the affected system. Users and administrators are encouraged to review Adobe Security Bulletin APSB15-01 and apply the necessary updates.
Original release date: January 26, 2015
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT).
Adobe apparently just released Flash version 184.108.40.2066. There is nothing on Adobe's website indicating whether this is a patch. As a matter of fact, Adobe still lists 220.127.116.117 as the most recent version.
Original release date: January 23, 2015
The FBI has released an article addressing ransomware campaigns that use intimidating messages claiming to be from the FBI or other government agencies. Scam operators use ransomware, a type of malicious software, to infect a computer and restrict access to it until a ransom is paid to unlock it. Users and administrators are encouraged to review the FBI article "Ransomware on the Rise" for details and refer to Alert TA-295A for information on Crypto Ransomware.
Vulnerability Note VU#546340: QPR Portal contains multiple vulnerabilities
Original Release date: 23 Jan 2015 | Last revised: 23 Jan 2015
Overview: QPR Portal versions 2014.1.1 and older contain reflected and stored cross-site scripting vulnerabilities, and versions 2012.2.0 and older contain an insecure direct object reference vulnerability.
Over the last two weeks we have so far had two different Adobe advisories (one regularly scheduled, and one out of band) and three new vulnerabilities. I would like to help our readers decipher some of the CVEs and patches that you may have seen.
(Table of CVEs and the Flash versions that fix them, referencing APSA15-01; not recovered here.)
So in short: there is still one unpatched Flash vulnerability.
Vulnerability Note VU#637068: LabTech contains privilege escalation vulnerability
Original Release date: 23 Jan 2015 | Last revised: 23 Jan 2015
Overview: LabTech startup scripts and directories on Linux platforms are world-writeable and the scripts execute with root privileges.
Description: CWE-284: Improper Access Control. LabTech startup scripts and directories on Linux platforms are world-writeable and the scripts execute with root privileges.