[App_rpt-users] Fw: Weekly Vulnerability Summary - Nov 24 2014
Steven Donegan
steve at donegan.org
Tue Nov 25 18:26:34 UTC 2014
Lots of Asterisk vulnerabilities in this summary :-(
____________
Steven Donegan
KK6IVC
SSCC/NORC Life Member, Car #86
www.sscc.us
----- Forwarded Message -----
From: SecurityTracker <newsletters at SECURITYTRACKER.COM>
To: SECURITYTRACKER-WEEKLY-ALL at PEACH.EASE.LSOFT.COM
Sent: Monday, November 24, 2014 1:10 AM
Subject: Weekly Vulnerability Summary - Nov 24 2014
SecurityTracker Monday Morning Vulnerability Summary - Nov 24 2014
http://www.securitytracker.com
If you run a web site and would like to publish SecurityTracker
vulnerability headlines on your web site for free, then join our
Affiliate Program:
http://securitytracker.com/affiliate/affiliate_signup.html
Subscriptions to this newsletter are available for free. Just visit
our web site to sign up:
http://www.securitytracker.com/signup/signup_now.html
------------------------------------------------------------------------
In This Week's SecurityTracker Vulnerability Summary
SecurityTracker Alerts: 22
Vendors: Apple Computer - Cisco - Digium (Linux Support Services) - drupal.org - F5 Networks - Google - Microsoft - moodle.org - rubyforge.org - Tcpdump.org - wordpress.org
Products: Aironet - Apple iOS - Apple TV - Asterisk - Cisco IOS - Cisco Unified Communications Manager - Drupal - F5 BIG-IP - Google Chrome - Kerberos - Mac OS X - Moodle - Rails - Tcpdump - WordPress
Headlines:
1. WordPress Bugs Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Denial of Service Attacks
2. Moodle Bugs Permit Cross-Site Scripting, Cross-Site Request Forgery, and Information Disclosure Attacks
3. Cisco Aironet DHCP Lease Renewal Flaw Lets Remote Users Deny Service
4. Rails Action Pack Bug Lets Remote Users Determine if Specified Files Exist on the Target System
5. Tcpdump Multiple Flaws Let Remote Users Deny Service
6. Asterisk CONFBRIDGE Lets Remote Authenticated Users Execute Arbitrary System Commands
7. Asterisk DB Dialplan Function Lets Remote Authenticated Users Gain Elevated Privileges
8. Asterisk PJSIP Channel Driver Flaw in res_pjsip_refer Module Lets Remote Users Deny Service
9. Microsoft Windows Kerberos KDC Signature Validation Flaw Lets Remote Authenticated Users
10. Cisco IOS DLSw Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information
11. Apple TV Bugs Let Remote Users Execute Arbitrary Code and Local Users Gain Elevated Privileges
12. Asterisk PJSIP Channel Driver Race Condition Lets Remote Users Deny Service
13. Asterisk ConfBridge State Transition Error Lets Remote Users Deny Service
14. Cisco Unified Communications Manager IM and Presence Service Discloses Valid Usernames to Remote Users
15. Apple iOS Lets Local Users Bypass Access Controls and Remote Applications Launch Arbitrary Binaries
16. Drupal Bugs Let Remote Users Hijack User Sessions and Deny Service
17. Cisco Aironet EAP Processing Error Lets Remote Users Deny Service
18. Google Chrome Multiple Bugs Let Remote Users Execute Arbitrary Code and Obtain Information
19. Apple OS X Bugs Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information
20. F5 BIG-IP Lets Remote Authenticated Users Delete Files on the Target System
21. Asterisk PJSIP ACL Bug Lets Remote Users Bypass Access Controls
22. Asterisk IP Address Checking Flaw Lets Remote Users Bypass Access Controls in Certain Cases
------------------------------------------------------------------------
Your SecurityTracker Vulnerability Alerts
1. WordPress
Vendor: wordpress.org
Several vulnerabilities were reported in WordPress. A remote
user can cause denial of service conditions. A remote user can
conduct cross-site scripting attacks. A remote user can conduct
cross-site request forgery attacks. A remote user can compromise a
target user's account.
Impact: Denial of service via network
Alert: http://securitytracker.com/id/1031243
2. Moodle
Vendor: moodle.org
Multiple vulnerabilities were reported in Moodle. A remote user
can conduct cross-site scripting attacks. A remote user can conduct
cross-site request forgery attacks. A remote authenticated user can
obtain potentially sensitive information.
Impact: Disclosure of authentication information
Alert: http://securitytracker.com/id/1031215
3. Aironet
Vendor: Cisco
A vulnerability was reported in Cisco Aironet. A remote user
can cause denial of service conditions.
Impact: Denial of service via network
Alert: http://securitytracker.com/id/1031218
4. Rails
Vendor: rubyforge.org
A vulnerability was reported in Rails. A remote user can
determine whether specified files exist on the target system.
Impact: Disclosure of system information
Alert: http://securitytracker.com/id/1031217
5. Tcpdump
Vendor: Tcpdump.org
Several vulnerabilities were reported in Tcpdump. A remote user
can cause denial of service conditions.
Impact: Denial of service via network
Alert: http://securitytracker.com/id/1031235
6. Asterisk
Vendor: Digium (Linux Support Services)
A vulnerability was reported in Asterisk. A remote
authenticated user can gain elevated privileges on the target system.
Impact: Execution of arbitrary code via network
Alert: http://securitytracker.com/id/1031250
7. Asterisk
Vendor: Digium (Linux Support Services)
A vulnerability was reported in Asterisk. A remote
authenticated user can execute arbitrary code on the target system.
Impact: User access via network
Alert: http://securitytracker.com/id/1031251
8. Asterisk
Vendor: Digium (Linux Support Services)
A vulnerability was reported in Asterisk. A remote user can
cause denial of service conditions.
Impact: Denial of service via network
Alert: http://securitytracker.com/id/1031249
9. Kerberos
Vendor: Microsoft
A vulnerability was reported in Microsoft Windows Kerberos. A
remote authenticated user can gain elevated privileges.
Impact: User access via network
Alert: http://securitytracker.com/id/1031237
10. Cisco IOS
Vendor: Cisco
A vulnerability was reported in Cisco IOS. A remote user can
obtain potentially sensitive information.
Impact: Disclosure of authentication information
Alert: http://securitytracker.com/id/1031220
11. Apple TV
Vendor: Apple Computer
Several vulnerabilities were reported in Apple TV. A remote
user can execute arbitrary code on the target system. A local user
can obtain elevated privileges on the target system.
Impact: Execution of arbitrary code via local system
Alert: http://securitytracker.com/id/1031231
12. Asterisk
Vendor: Digium (Linux Support Services)
A vulnerability was reported in Asterisk. A remote user can
cause denial of service conditions.
Impact: Denial of service via network
Alert: http://securitytracker.com/id/1031248
13. Asterisk
Vendor: Digium (Linux Support Services)
A vulnerability was reported in Asterisk. A remote user can
cause denial of service conditions.
Impact: Denial of service via network
Alert: http://securitytracker.com/id/1031247
14. Cisco Unified Communications Manager
Vendor: Cisco
A vulnerability was reported in Cisco Unified Communications
Manager IM and Presence Service. A remote user can determine valid
usernames on the target system.
Impact: Disclosure of system information
Alert: http://securitytracker.com/id/1031240
15. Apple iOS
Vendor: Apple Computer
Several vulnerabilities were reported in Apple iOS. A
physically local user can bypass access controls. An application
can launch arbitrary binaries on the target system.
Impact: Execution of arbitrary code via local system
Alert: http://securitytracker.com/id/1031232
16. Drupal
Vendor: drupal.org
Two vulnerabilities were reported in Drupal. A remote user can
hijack another user's session. A remote user can cause denial of
service conditions.
Impact: Denial of service via network
Alert: http://securitytracker.com/id/1031244
17. Aironet
Vendor: Cisco
A vulnerability was reported in Cisco Aironet. A remote user
can cause denial of service conditions.
Impact: Denial of service via network
Alert: http://securitytracker.com/id/1031219
18. Google Chrome
Vendor: Google
Multiple vulnerabilities were reported in Google Chrome. A
remote user can cause arbitrary code to be executed on the target
user's system. A remote user can obtain potentially sensitive
information.
Impact: Disclosure of system information
Alert: http://securitytracker.com/id/1031241
19. Mac OS X
Vendor: Apple Computer
Several vulnerabilities were reported in Apple OS X. A remote
user can cause arbitrary code to be executed on the target user's
system. A remote user can obtain potentially sensitive information.
Impact: Disclosure of system information
Alert: http://securitytracker.com/id/1031230
20. F5 BIG-IP
Vendor: F5 Networks
A vulnerability was reported in F5 BIG-IP. A remote
authenticated user can delete files on the target system.
Impact: Denial of service via network
Alert: http://securitytracker.com/id/1031216
21. Asterisk
Vendor: Digium (Linux Support Services)
A vulnerability was reported in Asterisk. A remote user can
bypass access controls.
Impact: Host/resource access via network
Alert: http://securitytracker.com/id/1031246
22. Asterisk
Vendor: Digium (Linux Support Services)
A vulnerability was reported in Asterisk. A remote user can
bypass access controls.
Impact: Host/resource access via network
Alert: http://securitytracker.com/id/1031245
------------------------------------------------------------------------
To join, delete, or otherwise change your subscription, visit:
http://www.securitytracker.com/help/accounts.html
To contact us, send e-mail to help at securitytracker.com
(mailto:help at securitytracker.com)
If you need to refer to this weekly vulnerability summary when you
mail us, please provide us with following SecurityTracker message ID:
<WS.ALL.2014Nov24.2244.235812.XND>
Keep Track of the Latest Vulnerabilities with SecurityTracker!
http://www.securitytracker.com
copyright 2014, SecurityGlobal.net LLC
See disclaimer notice at:
http://www.securitytracker.com/learn/disclaimer.html
------------------------------------------------------------------------
############################
To unsubscribe from the SECURITYTRACKER-WEEKLY-ALL list:
write to: mailto:SECURITYTRACKER-WEEKLY-ALL-SIGNOFF-REQUEST at PEACH.EASE.LSOFT.COM
or click the following link:
http://peach.ease.lsoft.com/scripts/wa-PEACH.exe?SUBED1=SECURITYTRACKER-WEEKLY-ALL&A=1