<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div dir="ltr" id="yui_3_16_0_1_1416869507754_33550"><span id="yui_3_16_0_1_1416869507754_33588">Lots of Asterisk vulnerabilities in this summary :-(</span></div><div id="yui_3_16_0_1_1416869507754_33587"> </div><div id="yui_3_16_0_1_1416869507754_33631" class="signature"><div id="yui_3_16_0_1_1416869507754_33630">____________<br>Steven Donegan<br>KK6IVC<br>SSCC/NORC Life Member, Car #86<br>www.sscc.us<br></div></div><br> <div id="yui_3_16_0_1_1416869507754_33636" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div id="yui_3_16_0_1_1416869507754_33635" style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> ----- Forwarded Message -----<br> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> SecurityTracker &lt;newsletters@SECURITYTRACKER.COM&gt;<br> <b><span style="font-weight: bold;">To:</span></b> SECURITYTRACKER-WEEKLY-ALL@PEACH.EASE.LSOFT.COM <br> <b><span style="font-weight: bold;">Sent:</span></b> Monday, November 24, 2014 1:10 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Weekly Vulnerability Summary - Nov 24 2014<br> </font> </div> <div id="yui_3_16_0_1_1416869507754_33634" class="y_msg_container"><br>SecurityTracker Monday Morning Vulnerability Summary - Nov 24 2014<br><a href="http://www.securitytracker.com/" target="_blank">http://www.securitytracker.com</a><br> <br><br><br>If you run a web site and would like to publish SecurityTracker<br>vulnerability headlines on your web site for free, then join our<br>Affiliate Program:<br><a href="http://securitytracker.com/affiliate/affiliate_signup.html" target="_blank">http://securitytracker.com/affiliate/affiliate_signup.html</a><br><br><br>Subscriptions to this 
newsletter are available for free. Just visit<br>our web site to sign up:<br><a href="http://www.securitytracker.com/signup/signup_now.html" target="_blank">http://www.securitytracker.com/signup/signup_now.html</a><br><br><br> <br>------------------------------------------------------------------------<br> In This Week's SecurityTracker Vulnerability Summary<br> <br>SecurityTracker Alerts: 22<br> <br>Vendors: Apple Computer - Cisco - Digium (Linux Support<br> Services) - drupal.org - F5 Networks - Google - Microsoft -<br> moodle.org - rubyforge.org - Tcpdump.org - wordpress.org<br> <br>Products: Aironet - Apple iOS - Apple TV - Asterisk - Cisco<br> IOS - Cisco Unified Communications Manager - Drupal - F5<br> BIG-IP - Google Chrome - Kerberos - Mac OS X - Moodle - Rails<br> - Tcpdump - WordPress<br> <br>Headlines: <br> <br> 1. WordPress Bugs Let Remote Users Conduct Cross-Site<br> Scripting, Cross-Site Request Forgery, and Denial of Service<br> Attacks<br><br> 2. Moodle Bugs Permit Cross-Site Scripting, Cross-Site<br> Request Forgery, and Information Disclosure Attacks<br><br> 3. Cisco Aironet DHCP Lease Renewal Flaw Lets Remote<br> Users Deny Service<br><br> 4. Rails Action Pack Bug Lets Remote Users Determine<br> if Specified Files Exist on the Target System<br><br> 5. Tcpdump Multiple Flaws Let Remote Users Deny Service<br><br> 6. Asterisk CONFBRIDGE Lets Remote Authenticated Users<br> Execute Arbitrary System Commands<br><br> 7. Asterisk DB Dialplan Function Lets Remote<br> Authenticated Users Gain Elevated Privileges<br><br> 8. Asterisk PJSIP Channel Driver Flaw in<br> res_pjsip_refer Module Lets Remote Users Deny Service<br><br> 9. Microsoft Windows Kerberos KDC Signature Validation<br> Flaw Lets Remote Authenticated Users<br><br> 10. Cisco IOS DLSw Processing Flaw Lets Remote Users<br> Obtain Potentially Sensitive Information<br><br> 11. Apple TV Bugs Let Remote Users Execute Arbitrary<br> Code and Local Users Gain Elevated Privileges<br><br> 12. 
Asterisk PJSIP Channel Driver Race Condition Lets<br> Remote Users Deny Service<br><br> 13. Asterisk ConfBridge State Transition Error Lets<br> Remote Users Deny Service<br><br> 14. Cisco Unified Communications Manager IM and<br> Presence Service Discloses Valid Usernames to Remote Users<br><br> 15. Apple iOS Lets Local Users Bypass Access Controls<br> and Remote Applications Launch Arbitrary Binaries<br><br> 16. Drupal Bugs Let Remote Users Hijack User<br> Sessions and Deny Service<br><br> 17. Cisco Aironet EAP Processing Error Lets Remote<br> Users Deny Service<br><br> 18. Google Chrome Multiple Bugs Let Remote Users<br> Execute Arbitrary Code and Obtain Information<br><br> 19. Apple OS X Bugs Let Remote Users Execute<br> Arbitrary Code and Obtain Potentially Sensitive Information<br><br> 20. F5 BIG-IP Lets Remote Authenticated Users Delete<br> Files on the Target System<br><br> 21. Asterisk PJSIP ACL Bug Lets Remote Users Bypass<br> Access Controls<br><br> 22. Asterisk IP Address Checking Flaw Lets Remote<br> Users Bypass Access Controls in Certain Cases<br> <br> <br>------------------------------------------------------------------------<br> Your SecurityTracker Vulnerability Alerts<br><br>1. WordPress<br> <br> Vendor: wordpress.org<br> <br> Several vulnerabilities were reported in WordPress. A remote<br> user can cause denial of service conditions. A remote user can<br> conduct cross-site scripting attacks. A remote user can conduct<br> cross-site request forgery attacks. A remote user can compromise a<br> target user's account.<br> <br> Impact: Denial of service via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031243" target="_blank">http://securitytracker.com/id/1031243</a><br> <br><br>2. Moodle<br> <br> Vendor: moodle.org<br> <br> Multiple vulnerabilities were reported in Moodle. A remote user<br> can conduct cross-site scripting attacks. A remote user can conduct<br> cross-site request forgery attacks. 
A remote authenticated user can<br> obtain potentially sensitive information.<br> <br> Impact: Disclosure of authentication information<br> <br> Alert: <a href="http://securitytracker.com/id/1031215" target="_blank">http://securitytracker.com/id/1031215</a><br> <br><br>3. Aironet<br> <br> Vendor: Cisco<br> <br> A vulnerability was reported in Cisco Aironet. A remote user<br> can cause denial of service conditions.<br> <br> Impact: Denial of service via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031218" target="_blank">http://securitytracker.com/id/1031218</a><br> <br><br>4. Rails<br> <br> Vendor: rubyforge.org<br> <br> A vulnerability was reported in Rails. A remote user can<br> determine whether specified files exist on the target system.<br> <br> Impact: Disclosure of system information<br> <br> Alert: <a href="http://securitytracker.com/id/1031217" target="_blank">http://securitytracker.com/id/1031217</a><br> <br><br>5. Tcpdump<br> <br> Vendor: Tcpdump.org<br> <br> Several vulnerabilities were reported in Tcpdump. A remote user<br> can cause denial of service conditions.<br> <br> Impact: Denial of service via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031235" target="_blank">http://securitytracker.com/id/1031235</a><br> <br><br>6. Asterisk<br> <br> Vendor: Digium (Linux Support Services)<br> <br> A vulnerability was reported in Asterisk. A remote<br> authenticated user can gain elevated privileges on the target system.<br> <br> Impact: Execution of arbitrary code via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031250" target="_blank">http://securitytracker.com/id/1031250</a><br> <br><br>7. Asterisk<br> <br> Vendor: Digium (Linux Support Services)<br> <br> A vulnerability was reported in Asterisk. 
A remote<br> authenticated user can execute arbitrary code on the target system.<br> <br> Impact: User access via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031251" target="_blank">http://securitytracker.com/id/1031251</a><br> <br><br>8. Asterisk<br> <br> Vendor: Digium (Linux Support Services)<br> <br> A vulnerability was reported in Asterisk. A remote user can<br> cause denial of service conditions.<br> <br> Impact: Denial of service via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031249" target="_blank">http://securitytracker.com/id/1031249</a><br> <br><br>9. Kerberos<br> <br> Vendor: Microsoft<br> <br> A vulnerability was reported in Microsoft Windows Kerberos. A<br> remote authenticated user can gain elevated privileges.<br> <br> Impact: User access via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031237" target="_blank">http://securitytracker.com/id/1031237</a><br> <br><br>10. Cisco IOS<br> <br> Vendor: Cisco<br> <br> A vulnerability was reported in Cisco IOS. A remote user can<br> obtain potentially sensitive information.<br> <br> Impact: Disclosure of authentication information<br> <br> Alert: <a href="http://securitytracker.com/id/1031220" target="_blank">http://securitytracker.com/id/1031220</a><br> <br><br>11. Apple TV<br> <br> Vendor: Apple Computer<br> <br> Several vulnerabilities were reported in Apple TV. A remote<br> user can execute arbitrary code on the target system. A local user<br> can obtain elevated privileges on the target system.<br> <br> Impact: Execution of arbitrary code via local system<br> <br> Alert: <a href="http://securitytracker.com/id/1031231" target="_blank">http://securitytracker.com/id/1031231</a><br> <br><br>12. Asterisk<br> <br> Vendor: Digium (Linux Support Services)<br> <br> A vulnerability was reported in Asterisk. 
A remote user can<br> cause denial of service conditions.<br> <br> Impact: Denial of service via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031248" target="_blank">http://securitytracker.com/id/1031248</a><br> <br><br>13. Asterisk<br> <br> Vendor: Digium (Linux Support Services)<br> <br> A vulnerability was reported in Asterisk. A remote user can<br> cause denial of service conditions.<br> <br> Impact: Denial of service via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031247" target="_blank">http://securitytracker.com/id/1031247</a><br> <br><br>14. Cisco Unified Communications Manager<br> <br> Vendor: Cisco<br> <br> A vulnerability was reported in Cisco Unified Communications<br> Manager IM and Presence Service. A remote user can determine valid<br> usernames on the target system.<br> <br> Impact: Disclosure of system information<br> <br> Alert: <a href="http://securitytracker.com/id/1031240" target="_blank">http://securitytracker.com/id/1031240</a><br> <br><br>15. Apple iOS<br> <br> Vendor: Apple Computer<br> <br> Several vulnerabilities were reported in Apple iOS. A<br> physically local user can bypass access controls. An application<br> can launch arbitrary binaries on the target system.<br> <br> Impact: Execution of arbitrary code via local system<br> <br> Alert: <a href="http://securitytracker.com/id/1031232" target="_blank">http://securitytracker.com/id/1031232</a><br> <br><br>16. Drupal<br> <br> Vendor: drupal.org<br> <br> Two vulnerabilities were reported in Drupal. A remote user can<br> hijack another user's session. A remote user can cause denial of<br> service conditions.<br> <br> Impact: Denial of service via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031244" target="_blank">http://securitytracker.com/id/1031244</a><br> <br><br>17. Aironet<br> <br> Vendor: Cisco<br> <br> A vulnerability was reported in Cisco Aironet. 
A remote user<br> can cause denial of service conditions.<br> <br> Impact: Denial of service via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031219" target="_blank">http://securitytracker.com/id/1031219</a><br> <br><br>18. Google Chrome<br> <br> Vendor: Google<br> <br> Multiple vulnerabilities were reported in Google Chrome. A<br> remote user can cause arbitrary code to be executed on the target<br> user's system. A remote user can obtain potentially sensitive<br> information.<br> <br> Impact: Disclosure of system information<br> <br> Alert: <a href="http://securitytracker.com/id/1031241" target="_blank">http://securitytracker.com/id/1031241</a><br> <br><br>19. Mac OS X<br> <br> Vendor: Apple Computer<br> <br> Several vulnerabilities were reported in Apple OS X. A remote<br> user can cause arbitrary code to be executed on the target user's<br> system. A remote user can obtain potentially sensitive information.<br> <br> Impact: Disclosure of system information<br> <br> Alert: <a href="http://securitytracker.com/id/1031230" target="_blank">http://securitytracker.com/id/1031230</a><br> <br><br>20. F5 BIG-IP<br> <br> Vendor: F5 Networks<br> <br> A vulnerability was reported in F5 BIG-IP. A remote<br> authenticated user can delete files on the target system.<br> <br> Impact: Denial of service via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031216" target="_blank">http://securitytracker.com/id/1031216</a><br> <br><br>21. Asterisk<br> <br> Vendor: Digium (Linux Support Services)<br> <br> A vulnerability was reported in Asterisk. A remote user can<br> bypass access controls.<br> <br> Impact: Host/resource access via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031246" target="_blank">http://securitytracker.com/id/1031246</a><br> <br><br>22. Asterisk<br> <br> Vendor: Digium (Linux Support Services)<br> <br> A vulnerability was reported in Asterisk. 
A remote user can<br> bypass access controls.<br> <br> Impact: Host/resource access via network<br> <br> Alert: <a href="http://securitytracker.com/id/1031245" target="_blank">http://securitytracker.com/id/1031245</a><br> <br><br><br>------------------------------------------------------------------------<br>To join, delete, or otherwise change your subscription, visit: <br><a href="http://www.securitytracker.com/help/accounts.html" target="_blank">http://www.securitytracker.com/help/accounts.html</a><br> <br>To contact us, send e-mail to <a ymailto="mailto:help@securitytracker.com" href="mailto:help@securitytracker.com">help@securitytracker.com</a> <br>(mailto:<a ymailto="mailto:help@securitytracker.com" href="mailto:help@securitytracker.com">help@securitytracker.com</a>)<br> <br>If you need to refer to this weekly vulnerability summary when you<br>mail us, please provide us with the following SecurityTracker message ID:<br>&lt;WS.ALL.2014Nov24.2244.235812.XND&gt;<br> <br> <br>Keep Track of the Latest Vulnerabilities with SecurityTracker!<br> <br><a href="http://www.securitytracker.com/" target="_blank">http://www.securitytracker.com</a><br> <br> <br>copyright 2014, SecurityGlobal.net LLC<br> <br>See disclaimer notice at:<br><a href="http://www.securitytracker.com/learn/disclaimer.html" target="_blank">http://www.securitytracker.com/learn/disclaimer.html</a><br> <br>------------------------------------------------------------------------<br><br></div> </div> </div> </div></body></html>