Debian Security Update for python-django (DSA 3678-1)

Vulnerability category: Debian

Vulnerability level:

Vulnerability information

Debian has released a security update for python-django to fix the vulnerabilities.

Vulnerability impact

Successful exploitation allows an attacker to compromise the system.

Solution

Refer to Debian security advisory DSA 3678-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

DSA 3678-1: Debian

0day

Debian Security Update for libarchive (DSA 3677-1)

Vulnerability category: Debian

Vulnerability level:

Vulnerability information

Debian has released a security update for libarchive to fix the vulnerabilities.

Vulnerability impact

The sandboxing code in libarchive mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.

Solution

Refer to Debian security advisory DSA 3677-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

DSA 3677-1: Debian


Debian Security Update for unadf (DSA 3676-1)

Vulnerability category: Debian

Vulnerability level:

Vulnerability information

Debian has released a security update for unadf to fix the vulnerabilities.

Vulnerability impact

Successful exploitation allows an attacker to compromise the system.

Solution

Refer to Debian security advisory DSA 3676-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

DSA 3676-1: Debian


Cisco AnyConnect Secure Mobility Client Arbitrary Code Execution Vulne…

Vulnerability category: Local

Vulnerability level:

Vulnerability information

Cisco AnyConnect is a VPN Client for multiple platforms.

Cisco AnyConnect Secure Mobility Client contains a vulnerability that could allow an authenticated, local attacker to execute arbitrary code with elevated privileges.

Affected Versions:
Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier

Vulnerability impact

Successful exploitation allows local users to gain privileges via crafted IPC messages that trigger the use of root privileges for a software-package installation.

Solution

No solution or updates are available.


EOL/Obsolete Software: HP Data Protector 6.0x Detected.

Vulnerability category: Local

Vulnerability level:

Vulnerability information

HPE Data Protector software provides comprehensive data backup and recovery across physical, virtual and hybrid environments.

Hewlett Packard Enterprise is announcing the version discontinuance of HP Data Protector 6.0x.

Affected Version:
HP Data Protector 6.0x

Vulnerability impact

The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is highly prone to vulnerabilities.

Solution

Please visit HP Data Protector 6.0x for more information.


Joomla! com_videogallerylite ajax_url.php SQL Injection Vulnerability

Vulnerability category: CGI

Vulnerability level:

Vulnerability information

Joomla! is a free open-source content management system written in PHP. It uses object-oriented programming techniques and is built on a model-view-controller web application framework. It includes features such as page caching, RSS feeds, printable versions of pages, news flashes, blogs, polls, search, and support for language internationalization. Huge-IT Video Gallery is a Joomla! video gallery component.

The vulnerability exists in the components/com_videogallerylite/ajax_url.php source file, which fails to sanitize user-supplied input received via the load_videos_content argument. An unauthenticated, remote attacker could exploit this vulnerability by transmitting crafted HTTP GET requests to inject malicious SQL code into a targeted Joomla! installation.

Affected versions:
Joomla Huge-IT Video Gallery (com_videogallerylite) component 3.3.6

Vulnerability impact

Successful exploitation allows an unauthenticated, remote attacker to manipulate SQL queries by injecting arbitrary SQL code or further exploit latent vulnerabilities in the underlying database.

Solution

The vendor has not confirmed this vulnerability.

Workaround:
Although the vendor has not confirmed this vulnerability, an updated version is available, which may fix the vulnerability. Customers are advised to install the updated version.


Oracle Enterprise Linux Security Update for openssl (ELSA-2016-1940)

Vulnerability category: OEL

Vulnerability level:

Vulnerability information

Oracle Enterprise Linux has released a security update for openssl to fix the vulnerabilities.

Affected Products:
Oracle Linux 7
Oracle Linux 6

Vulnerability impact

Successful exploitation allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records.

Solution

To resolve this issue, upgrade to the latest packages, which contain a patch. Refer to the Oracle Enterprise Linux advisory ELSA-2016-1940 for Oracle Linux 7 and Oracle Linux 6 for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2016-1940: Oracle Linux 7

ELSA-2016-1940: Oracle Linux 6


SUSE Enterprise Linux Security Update for openssh (SUSE-SU-2016:2388-1)

Vulnerability category: SUSE

Vulnerability level:

Vulnerability information

SUSE has released a security update for openssh to fix the vulnerabilities.

Affected Products:
SUSE OpenStack Cloud 5
SUSE Manager Proxy 2.1
SUSE Manager 2.1
SUSE Linux Enterprise Server 11-SP3-LTSS
SUSE Linux Enterprise Point of Sale 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP3

Vulnerability impact

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally, this vulnerability can be used to cause a complete denial of service and could render the resource completely unavailable.

Solution

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2016:2388-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2016:2388-1: SUSE Enterprise Linux


SUSE Enterprise Linux Security Update for libtcnative-1-0 (SUSE-SU-2016:2385-1)

Vulnerability category: SUSE

Vulnerability level:

Vulnerability information

SUSE has released a security update for libtcnative-1-0 to fix the vulnerabilities.

Affected Products:
SUSE Linux Enterprise Server 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4

Vulnerability impact

Malicious users could use this vulnerability to change partial contents or configuration on the system.

Solution

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory SUSE-SU-2016:2385-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

SUSE-SU-2016:2385-1: SUSE Enterprise Linux


EOL/Obsolete Software: Drupal 5.x Detected

Vulnerability category: CGI

Vulnerability level:

Vulnerability information

Drupal is a free and open-source content-management framework written in PHP and distributed under the GNU General Public License.

Drupal 5 has been detected on the host. Drupal 5 reached end of life on January 6, 2011 and will no longer be supported for security advisories. Since there will be no further bug fixes or security updates for this version, it is recommended that you migrate from version 5 to a supported Drupal release such as Drupal 7 or Drupal 8.

Vulnerability impact

Depending on the vulnerability being exploited, an unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the targeted system.

Solution

Customers are advised to upgrade to Drupal 7, 8 or later versions to remediate this vulnerability.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Latest Drupal


Apple Mac OS X v10.11.5 and Security Update 2016-003 Not Installed (APPLE-SA-2016-05-16-4)

Vulnerability category: Local

Vulnerability level:

Vulnerability information

Apple Mac OS X v10.11.5 and Security Update 2016-003 are missing on the target host.

Apple Mac OS X El Capitan 10.11.5 and Security Update 2016-003 are available to resolve multiple security vulnerabilities.

Vulnerability impact

Successfully exploiting these vulnerabilities might allow an attacker to execute arbitrary code. Other attacks are also possible.

Solution

Apple Mac OS X v10.11.5 and Security Update 2016-003 have been released to address these issues. The update can be downloaded and installed via Apple Downloads.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

APPLE-SA-2016-05-16-4


Red Hat Update for flash-plugin (RHSA-2016:1238)

Vulnerability category: RedHat

Vulnerability level:

Vulnerability information

The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in.

This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities, detailed in the Adobe Security Bulletin listed in the References section, could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content. (CVE-2016-4122, CVE-2016-4123, CVE-2016-4124, CVE-2016-4125, CVE-2016-4127, CVE-2016-4128, CVE-2016-4129, CVE-2016-4130, CVE-2016-4131, CVE-2016-4132, CVE-2016-4133, CVE-2016-4134, CVE-2016-4135, CVE-2016-4136, CVE-2016-4137, CVE-2016-4138, CVE-2016-4139, CVE-2016-4140, CVE-2016-4141, CVE-2016-4142, CVE-2016-4143, CVE-2016-4144, CVE-2016-4145, CVE-2016-4146, CVE-2016-4147, CVE-2016-4148, CVE-2016-4149, CVE-2016-4150, CVE-2016-4151, CVE-2016-4152, CVE-2016-4153, CVE-2016-4154, CVE-2016-4155, CVE-2016-4156, CVE-2016-4166, CVE-2016-4171)

Vulnerability impact

Successful exploitation could allow an attacker to create a specially crafted SWF file that would cause flash-plugin to crash, execute arbitrary code, or disclose sensitive information when the victim loaded a page containing the malicious SWF content.

Solution

Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2016:1238 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2016:1238: Red Hat Enterprise Linux


EOL/Obsolete Software: Atlassian JIRA 6.2.x Detected

Vulnerability category: CGI

Vulnerability level:

Vulnerability information

JIRA is used for issue tracking and project management.

JIRA 6.1.x reached end of life on June 8, 2016 and is no longer supported by Atlassian.

Vulnerability impact

The system is at high risk of being exposed to security vulnerabilities. Since Atlassian no longer provides updates, obsolete software is more vulnerable to attacks.

Solution

Upgrade to the latest supported version of Atlassian JIRA. Refer to Atlassian End of Life Policy to obtain more information.


EOL/Obsolete Operating System: Citrix XenServer 5.6 Detected

Vulnerability category: Security Policy

Vulnerability level:

Vulnerability information

The host is running XenServer 5.6. Microsoft ended support for XenServer 5.6 on 31st March 2014 and provides no further support for this operating system.

Vulnerability impact

The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.

Solution

Update to the latest supported XenServer operating system from Citrix. Refer to Citrix Legacy Product Matrix for more information.


EOL/Obsolete Operating System: Citrix XenServer 5.5 Detected

Vulnerability category: Security Policy

Vulnerability level:

Vulnerability information

The host is running XenServer 5.5. Microsoft ended support for XenServer 5.5 on 15th September 2013 and provides no further support for this operating system.

Vulnerability impact

The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.

Solution

Update to the latest supported XenServer operating system from Citrix. Refer to Citrix Legacy Product Matrix for more information.


OpenSuSE Security Update for flash-player (openSUSE-SU-2016:1625-1)

Vulnerability category: SUSE

Vulnerability level:

Vulnerability information

SUSE has released a security update for flash-player to fix the vulnerabilities.

Affected Products:
openSUSE 13.1 NonFree

Vulnerability impact

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally, this vulnerability can be used to cause a complete denial of service and could render the resource completely unavailable.

Solution

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory openSUSE-SU-2016:1625-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

openSUSE-SU-2016:1625-1: OpenSuse


OpenSuSE Security Update for flash-player (openSUSE-SU-2016:1621-1)

Vulnerability category: SUSE

Vulnerability level:

Vulnerability information

SUSE has released a security update for flash-player to fix the vulnerabilities.

Affected Products:
openSUSE 13.2 NonFree

Vulnerability impact

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally, this vulnerability can be used to cause a complete denial of service and could render the resource completely unavailable.

Solution

Upgrade to the latest packages which contain a patch. To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product.

To install packages using the command line interface, use the command “yum update”.

Refer to SUSE security advisory openSUSE-SU-2016:1621-1 to address this issue and obtain further details.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

openSUSE-SU-2016:1621-1: OpenSuse


CentOS Security Update for firefox (CESA-2016:1217)

Vulnerability category: CentOS

Vulnerability level:

Vulnerability information

CentOS has released a security update for firefox to fix the vulnerabilities.

Affected Products:
CentOS 6
CentOS 5
CentOS 7

Vulnerability impact

This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally, this vulnerability can be used to cause a limited denial of service in the form of interruptions in resource availability.

Solution

To resolve this issue, upgrade to the latest packages, which contain a patch. Refer to the CentOS advisory CESA-2016:1217 for CentOS 6, CentOS 5 and CentOS 7 for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

CESA-2016:1217: CentOS 6

CESA-2016:1217: CentOS 5

CESA-2016:1217: CentOS 7


Oracle Enterprise Linux Security Update for firefox (ELSA-2016-1217)

Vulnerability category: OEL

Vulnerability level:

Vulnerability information

Oracle Enterprise Linux has released a security update for firefox to fix the vulnerabilities.

Affected Products:
Oracle Linux 7
Oracle Linux 6
Oracle Linux 5

Vulnerability impact

Successful exploitation allows remote attackers to execute arbitrary code via foreign-context HTML5 fragments, as demonstrated by fragments within an SVG element.

Solution

To resolve this issue, upgrade to the latest packages, which contain a patch. Refer to the Oracle Enterprise Linux advisory ELSA-2016-1217 for Oracle Linux 7, Oracle Linux 6 and Oracle Linux 5 for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2016-1217: Oracle Linux 7

ELSA-2016-1217: Oracle Linux 6

ELSA-2016-1217: Oracle Linux 5


EOL/Obsolete Software: Oracle WebLogic Server 10.3 Detected

Vulnerability category: Security Policy

Vulnerability level:

Vulnerability information

Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation.

Oracle WebLogic Server 10.3.x has been detected on the host. Oracle WebLogic Server 10.3 reached end of life in January 2014 and will no longer be supported for security advisories. Since there will be no further bug fixes or security updates for this version, it is recommended that you migrate from version 10.3 to the latest supported releases.

Vulnerability impact

The system is at high risk of being exposed to security vulnerabilities. Since Oracle no longer provides updates, obsolete software is more vulnerable to attacks.

Solution

Upgrade to the latest supported version of WebLogic Server. Refer to Oracle Lifetime Support Policy to obtain more information.
