CVE-2017-5433 Fedora Security Update for firefox (FEDORA-2017-31c64a0bbf)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for firefox to fix the vulnerability.

Affected OS:
Fedora 25

漏洞危害

Successful exploitation of the vulnerabilities allow denial of service, remote code execution, buffer overflow and XSS attacks among others.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories:
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-31c64a0bbf: Fedora 25

0day

CVE-2017-3886 Cisco Unified Communications Manager SQL Injection Vulnerability (cisco-sa-20170405-ucm)

漏洞类别:Cisco

漏洞等级:

漏洞信息

A vulnerability in the Cisco Unified Communications Manager web interface could allow an authenticated, remote attacker to impact the confidentiality of the system by executing arbitrary SQL queries. The attacker must be authenticated as an administrative user to execute SQL database queries.
The vulnerability is due to a lack of input validation on HTTP requests that contain user-supplied input.

漏洞危害

An attacker could exploit this vulnerability by sending crafted HTTP requests that contain malicious SQL statements to the affected system. An exploit could allow the attacker to determine the presence of certain values in the database.

解决方案

Cisco has released fixes to resolve these vulnerabilities. Refer cisco-sa-20170419-ucm to obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

cisco-sa-20170405-ucm

0day

CVE-2017-3793 Cisco ASA Software TCP Normalizer Denial of Service Vulnerability (cisco-sa-20170419-asa-norm)

漏洞类别:Cisco

漏洞等级:

漏洞信息

A vulnerability in the TCP normalizer of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause Cisco ASA and FTD to drop any further incoming traffic on all interfaces, resulting in a denial of service condition.
The vulnerability is due to improper limitation of the global out-of-order TCP queue for specific block sizes.

漏洞危害

An attacker could exploit this vulnerability by sending a large number of unique permitted TCP connections with out-of-order segments. An exploit could allow the attacker to exhaust available blocks in the global out-of-order TCP queue, causing the dropping of any further incoming traffic on all interfaces and resulting in a DoS condition.

解决方案

Refer to Cisco ASA advisory cisco-sa-20170419-asa-norm for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

cisco-sa-20170419-asa-norm: Cisco ASA

0day

CVE-2017-5429 Mozilla Firefox Multiple Vulnerabilities. (MFSA2017-10 to MFSA2017-12)

漏洞类别:Local

漏洞等级:

漏洞信息

Firefox is a free and open-source web browser developed for Windows, OS X, and Linux, with a mobile version for Android.

Multiple vulnerabilities were reported in Mozilla Firefox. A remote user can cause arbitrary code to be executed on the target user’s system. A remote user can obtain files on the target system. A remote user can spoof URLs. A remote user can conduct cross-site scripting attacks.
A remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target user’s system.

Affected Version :
Firefox prior to 53.0
Firefox ESR prior to 52.1
Firefox ESR prior to 45.9

漏洞危害

A remote user can create content that, when loaded by the target user, will execute arbitrary code on the target user’s system.
A remote user can obtain files on the target system.
A remote user can spoof a URL.
A remote user can access the target user’s cookies (including authentication cookies), if any, associated with an arbitrary site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

解决方案

The vendor has issued a fix (53.0). Refer to MFSA 2017-10 to MFSA 2017-12

Patch:
Following are links for downloading patches to fix the vulnerabilities:

mfsa2017-10 to mfsa2017-12: Windows

mfsa2017-10 to mfsa2017-12: MAC OS X

0day

CVE-2016-10087 Fedora Security Update for libpng12 (FEDORA-2017-84bc8ac268)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for libpng12 to fix the vulnerability.

Affected OS:
Fedora 25
Fedora 24

漏洞危害

This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 25 Update
Fedora 24 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-84bc8ac268: Fedora 25

FEDORA-2017-84bc8ac268: Fedora 24

0day

CVE-2017-7418 Fedora Security Update for proftpde (FEDORA-2017-e15e37b689)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for proftpde to fix the vulnerability.

Affected OS:
Fedora 25
Fedora 24

漏洞危害

Malicious users could use this vulnerability to change partial contents or configuration on the system.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 25 Update
Fedora 24 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-e15e37b689: Fedora 25

FEDORA-2017-e15e37b689: Fedora 24

0day

CVE-2017-7586 Fedora Security Update for libsndfile (FEDORA-2017-72a971ccf0)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for libsndfile to fix the vulnerability.

Affected OS:
Fedora 24
Fedora 25

漏洞危害

This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 24 Update
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-72a971ccf0: Fedora 24

FEDORA-2017-72a971ccf0: Fedora 25

0day

CVE-2016-8667 Fedora Security Update for qemu (FEDORA-2017-01925dba3c)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for qemu to fix the vulnerability.

Affected OS:
Fedora 25

漏洞危害

This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-01925dba3c: Fedora 25

0day

CVE-2016-10209 Fedora Security Update for libarchive (FEDORA-2017-55a8f10223)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for libarchive to fix the vulnerability.

Affected OS:
Fedora 25

漏洞危害

This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-55a8f10223: Fedora 25

0day

Fedora Security Update for php-onelogin-php-saml (FEDORA-2017-06f4b88ceb)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for php-onelogin-php-saml to fix the vulnerability.

Affected OS:
Fedora 24
Fedora 25

漏洞危害

Successful exploitation allows attacker to compromise the system.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 24 Update
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-06f4b88ceb: Fedora 24

FEDORA-2017-06f4b88ceb: Fedora 25

0day

CVE-2017-5591 Fedora Security Update for python-sleekxmpp (FEDORA-2017-99ad80f109)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for python-sleekxmpp to fix the vulnerability.

Affected OS:
Fedora 24
Fedora 25

漏洞危害

Malicious users could use this vulnerability to change partial contents or configuration on the system.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 24 Update
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-99ad80f109: Fedora 24

FEDORA-2017-99ad80f109: Fedora 25

0day

Fedora Security Update for flatpak (FEDORA-2017-174cb400d7)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for flatpak to fix the vulnerability.

Affected OS:
Fedora 24

漏洞危害

Successful exploitation allows attacker to compromise the system.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 24 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-174cb400d7: Fedora 24

0day

CVE-2017-7413 Fedora Security Update for php-horde-Horde-Crypt (FEDORA-2017-e2a3e6fa12)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for php-horde-horde-crypt to fix the vulnerability.

Affected OS:
Fedora 25
Fedora 24

漏洞危害

This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 25 Update
Fedora 24 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-e2a3e6fa12: Fedora 25

FEDORA-2017-e2a3e6fa12: Fedora 24

0day

CVE-2016-10266 Fedora Security Update for libtiff (FEDORA-2017-ab3acddd21)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for libtiff to fix the vulnerability.

Affected OS:
Fedora 25

漏洞危害

This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 25 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-ab3acddd21: Fedora 25

0day

CVE-2017-7377 Fedora Security Update for xen (FEDORA-2017-03dc811be6)

漏洞类别:Fedora

漏洞等级:

漏洞信息

Fedora has released security update for xen to fix the vulnerability.

Affected OS:
Fedora 24

漏洞危害

This vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

Fedora has issued updated packages to fix this vulnerability. Updates can be installed using the yum utility, which can be downloaded from the Fedora Web site.

For more information about the vulnerability and obtaining patches, refer to the following Fedora security advisories :
Fedora 24 Update

Patch:
Following are links for downloading patches to fix the vulnerabilities:

FEDORA-2017-03dc811be6: Fedora 24

0day

CVE-2017-5461 2017-04-25 10:44:29 Red Hat Update for nss (RHSA-2017-1103)

漏洞类别:RedHat

漏洞等级:

漏洞信息

An out-of-bounds write flaw was found in the way NSS performed certain Base64-decoding operations. (CVE-2017-5461)

漏洞危害

An attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library.

解决方案

Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2017:1103 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2017:1103: Red Hat Enterprise Linux

0day

安识科技2017年度诚聘英才

公司简介

       安识科技,是一家专注于账号安全、企业风险评估的技术型企业。旗下拥有基于云+端的自研产品多因素令牌、基于多重检测引擎的伏特漏洞扫描云平台等!

安识科技荣获阿里云先知2016年度最佳合作安全公司TOP1阿里巴巴ASRC2016年度优秀生态合作伙伴公司奖;并且与国内多家大型客户及SRC、安全公司形成战略合作伙伴关系。在2017年,安识科技引入天使轮融资,助力公司规模和影响力建设,致力于给企业和用户提供一个更安全的互联网环境。
作为一支技术驱动型的创新创业团队,创始人均来自国内知名互联网企业安全负责人,深知企业安全痛点。
我们推崇在开放、高效的环境中学习、激励和成长。

销售总监

岗位职责:

  • 1、执行公司的销售策略,落实公司下达的业绩目标;
  • 2、负责收集和开发行业内新客户,提升行业市场占有率;
  • 3、维系已经建立联系的客户,建立长期稳固的客户关系;
  • 4、负责信息安全行业竞争市场信息的收集及友商的反馈;
  • 5、了解招投标业务和流程,主动承担招投标工作。

任职要求:

  • 1、信息安全,计算机或相关专业优先;
  • 2、信息安全相关行业销售工作经验,有良好的销售业绩优先;
  • 3、形象良好,语言表达和思维逻辑清晰、性格乐观、抗压能力强;
  • 4、学习能力强、具备积极主动性。
  • 5、能够适应出差安排

薪资范围及福利:

  • 1 、15-25k/月,薪资视能力而定;
  • 2、五险一金。
  • 3、弹性办公时间、每年多次团队旅游、团队激励等等福利

 

高级研发工程师

岗位职责:

  • 1 、从事面向信息安全产品的研发及研究工作,实现部分安全日常工作自动化;
  • 2、根据设计文档或需求说明完成代码编写、调试、测试、维护;
  • 3 、研究与跟进互联网出现的新威胁,分析、梳理实现安全防护策略;

任职要求:

  • 1、 熟练掌握java/python/php任意一种编程语言;
  • 2、具备一些漏洞研究的能力,能够理解系统原理和漏洞原理;
  • 3、热爱信息安全行业,并愿意付出主要精力进行研究和学习;
  • 4、有风控产品开发、账号安全和大数据开发经验者优先考虑;
  • 5、具有良好的分析问题和解决问题的能力,勇于面对挑战性问题,学习能力强,有创造性思维能力;
  • 6 、为人正直、具备良好的沟通能力、理解能力,并拥有强烈的责任心和团队精神,可以承受一定强度的工作压力。

薪资范围及福利:

  • 1 、15-25k/月,薪资视能力而定;
  • 2、五险一金。
  • 3、弹性办公时间、每年多次团队旅游、团队激励等等福利

 

 

安全产品经理

岗位职责:

  • 1、负责安全产品设计,调研用户的安全诉求,研究分析数据,设计产品方案,制定产品迭代计划;
  • 2、负责数据产品需求调研,制定产品营销策略;
  • 3、组织协调研发、前端、测试等资源确保产品按时、高质量交付,并推动产品快速迭代;
  • 4、结合用户数据输出针对客户维度的数据分析报告;对用户需求深入分析和挖掘,为相关业务提出优化或创新的建议;
  • 5、研究业界先进安全产品安全与技术,跟进业界0day漏洞和权威漏洞库;

职位要求:

  • 1、全日制大学本科及以上学历,计算机相关专业最佳;
  • 2、对互联网产品有深刻认识及个人见解,有安全类产品经验最佳;
  • 3、具备优秀的学习能力、沟通协作能力;
  • 4、具有较强的逻辑思维能力,分析与洞察能力以及解决问题能力;

薪资范围及福利:

  • 1 、10-20k/月,薪资视能力而定;
  • 2 、五险一金。
  • 3、弹性办公时间、每年多次团队旅游、团队激励等等福利

渗透测试工程师

岗位职责

  • 1、根据项目需要,实施经过合法授权的主机、网络和Web、APP安全渗透测试并完成报告;
  • 2、提供网络安全攻防技术培训演练及应急响应工作。
  • 3、对互联网领域的重大安全事件进行跟踪、分析;
  • 4、对安全领域的新技术、新方法进行研究,尤其是物联网安全、车联网安全、人工智能等方向。
  • 5、编写相关的漏洞插件EXP。

任职要求:

  • 1、熟悉常见攻击和防御手法,熟悉渗透测试的步骤、方法和流程,有实战经验、能独立完成渗透测试项目;
  • 2、熟知办公网络和生产网络环境渗透测试思路,掌握Linux/Windows环境下的横向渗透方法。
  • 3、思路灵活,熟悉社会工程学,各种曲线救国,”不择手段”,剑走偏锋的渗透思路和技巧。
  • 4、能搭建各类渗透测试的演示环境,能够熟练运用各种手段对系统实施有效的渗透;
  • 5、具有良好的团队合作精神、专业素养、沟通能力和文档编写能力;
  • 6、精通或熟悉掌握python/java/php/shell等一种或多种脚本语言;
  • 7、能独立编写相关黑客工具,在知名网站及论坛发表过文章,或在各大赛中取得优秀成绩者优先考虑。
  • 8、无网络犯罪记录。

薪资范围及福利:

  • 1 、10-25k/月,薪资视能力而定;
  • 2 、五险一金。
  • 3、弹性办公时间、每年多次团队旅游、团队激励等等福利

 

安全运营人员

岗位职责

  • 1、根据公司需要,负责公司微信公众号、微博、头条号等等的内容选材和文章推广,吸纳粉丝,扩大公司影响力。
  • 2、对公司线上产品进行推广。
  • 3、热点事件、节日海报、活动海报的文案及筹备;
  • 4、展会或者其他线下活动的有效执行。
  • 5、行业内的商务合作和安全交流结识。

任职要求:

  • 1、形象好、气质佳,语言表达和思维逻辑清晰、性格乐观、积极主动;
  • 2、扎实的文字功底,对各类文案有比较好的驾驭能力;
  • 3、嗅觉灵敏、反应灵活,能及时跟进热点事件进行运营推广;
  • 4、对互联网推广类平台非常熟悉:如微信公众号,今日头条,微博等等;
  • 5、认真踏实、态度负责、爱好学习。

薪资范围及福利:

  • 1 、6-15k/月,薪资视能力而定;
  • 2 、五险一金。
  • 3、弹性办公时间、每年多次团队旅游、团队激励等等福利

工作地址:

上海 – 徐汇区 – 漕河泾

简历投递邮箱:

hi#duoyinsu.com (#替换成@,投递简历说明来源安全脉搏,并注明意向岗位)

另招安全实习生多名,主要工作内容为安全测试与安全开发方面工作,相信您可以通过在职的工作学到不少知识,如果遇到技术问题,团队内部人员也可以跟您一起解决。0day

Security Policy EOL/Obsolete Software: NetBackup Server and NetBackup Enterprise Server 7.0 – 7.6 Detected

漏洞类别:Security Policy

漏洞等级:

漏洞信息

Veritas NetBackup (earlier Symantec NetBackup) is an enterprise level heterogeneous backup and recovery suite. Veritas has ended support for NetBackup Server and NetBackup Enterprise on February 1, 2017.

漏洞危害

The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is highly prone to vulnerabilities.

解决方案

Customers are advised to upgrade to the latest NetBackup Server and NetBackup Enterprise Server versions. Refer toVeritas End of Support for Prior NetBackup Versions for more information.

0day

CVE-2016-8743 Oracle Enterprise Linux Security Update for httpd (ELSA-2017-0906)

漏洞类别:OEL

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for httpd to fix the vulnerabilities.

Affected Products:
Oracle Linux 7

漏洞危害

Successful exploitation allows attacker to compromise the system.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 7

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-0906: Oracle Linux 7

0day

Security Policy EOL/Obsolete Operating System: CentOS 5.x Detected

漏洞类别:Security Policy

漏洞等级:

漏洞信息

The host is running CentOS 5.x.
CentOS ended support for 5 on March 31, 2017 and provides no further support for this operating system.

漏洞危害

The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks.

解决方案

Update to the latest supported CentOS operating system. Refer to CentOS.

0day

CVE-2017-2636 Oracle Enterprise Linux Security Update for kernel (ELSA-2017-0933-1)

漏洞类别:OEL

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for kernel (ELSA-2017-0933-1).

Affected Products:
Oracle Linux 7

漏洞危害

Successful exploitation of the vulnerabilities may allow attackers to gain privileges and cause denial of service attacks.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 7
.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-0933: Oracle Linux 7

ELSA-2017-0933

0day

CVE-2017-2636 Oracle Enterprise Linux Security Update for kernel (ELSA-2017-0892)

漏洞类别:OEL

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for kernel to fix the vulnerabilities.

Affected Products:
Oracle Linux 6

漏洞危害

Successful exploitation of the vulnerabilities may allow attackers to gain privileges and cause denial of service attacks.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 6

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-0892: Oracle Linux 6

ELSA-2017-0892

0day

CVE-2017-2668 Oracle Enterprise Linux Security Update for 389-ds-base (ELSA-2017-0893)

漏洞类别:OEL

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for 389-ds-base to fix the vulnerabilities.

Affected Products:
Oracle Linux 6

漏洞危害

Successful exploitation allows attacker to compromise the system.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 6

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-0893: Oracle Linux 6

0day

CVE-2016-4946 Cloudera Hue 3.9.0 and Prior Multiple Vulnerabilities

漏洞类别:CGI

漏洞等级:

漏洞信息

Cloudera Hue (Hadoop User Experience) is an open-source Web Interface which supports Apache Hadoop and its ecosystem.

The vulnerability allows remote attackers to enumerate user accounts via a request to desktop/api/users/autocomplete.(CVE-2016-4947)

Cloudera Hue is also affected by Multiple cross-site scripting (XSS) vulnerabilities which allows remote attackers to inject arbitrary web script or HTML via the First name or Last name field in the HUE Users page. (CVE-2016-4946)

Affected Versions:

Cloudera Hue 3.9.0 and Prior

漏洞危害

Successful exploitation of the vulnerabilities will allow remote attackers to enumerate user accounts via a request to desktop/api/users/autocomplete and XSS attacks.

解决方案

Customers are advised to download the latest version of Cloudera Hue.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Cloudera Hue

0day

CVE-2016-8745 Oracle Enterprise Linux Security Update for tomcat (ELSA-2017-0935)

漏洞类别:OEL

漏洞等级:

漏洞信息

Oracle Enterprise Linux has released security update for tomcat to fix the vulnerabilities.

Affected Products:
Oracle Linux 7

漏洞危害

This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability.

解决方案

To resolve this issue, upgrade to the latest packages which contain a patch. Refer to Oracle Enterprise Linux advisory below for updates and patch information:

Oracle Linux 7

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ELSA-2017-0935: Oracle Linux 7

0day