Tuesday, September 16, 2014

16th, Tuesday, Shakkō

+ RHSA-2014:1193 Important: axis security update
https://rhn.redhat.com/errata/RHSA-2014-1193.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596

+ Mozilla Firefox 32.0.1 released
https://www.mozilla.org/en-US/firefox/32.0.1/releasenotes/

+ UPDATE: APSB14-20 Prenotification Security Advisory for Adobe Reader and Acrobat
http://helpx.adobe.com/security/products/reader/apsb14-20.html

+ phpMyAdmin 4.0.10.3, 4.1.14.4 and 4.2.8.1 are released
http://sourceforge.net/p/phpmyadmin/news/2014/09/phpmyadmin-40103-41144-and-4281-are-released/

+ PMASA-2014-10 XSRF/CSRF due to DOM based XSS in the micro history feature
http://www.phpmyadmin.net/home_page/security/PMASA-2014-10.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6300

+ UPDATE: HPSBGN02740 rev.2 - HP Operations Manager, Operations Agent, Performance Agent, Service Health Reporter, Service Health Optimizer, Performance Manager, Remote Execution of Arbitrary Code
https://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c03179825-2%257CdocLocale%253Dja_JP%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

+ HPSBMU03075 rev.1 - HP Network Node Manager I (NNMi) for Windows and Linux, Remote Execution of Arbitrary Code
https://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04378450-1%257CdocLocale%253Dja_JP%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2624

+ HPSBOV03099 rev.1 - HP OpenVMS running OpenSSL, Remote Denial of Service (DoS) or Disclosure of Information
https://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04426586-1%257CdocLocale%253Dja_JP%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510

+ Linux kernel 3.2.63 released
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.63

+ Multiple vulnerabilities fixed in Firefox 24.2.0 ESR
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_fixed_in_firefox

+ CVE-2014-5356 Permissions, Privileges, and Access Control vulnerability in OpenStack Glance
https://blogs.oracle.com/sunsecurity/entry/cve_2014_5356_permissions_privileges
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5356

+ CVE-2014-3594 Cross-site scripting (XSS) vulnerability in OpenStack Horizon
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3594_cross_site
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3594

+ CVE-2014-3589 Input Validation vulnerability in Python Imaging Library (PIL)
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3589_input_validation
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3589

+ Multiple Buffer Errors vulnerabilities in Wireshark
https://blogs.oracle.com/sunsecurity/entry/multiple_buffer_errors_vulnerabilities_in3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5164
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5165

+ Multiple Denial Of Service(DoS) vulnerabilities in Apache HTTP Server
https://blogs.oracle.com/sunsecurity/entry/multiple_denial_of_service_dos5
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231

+ Multiple vulnerabilities in Net-SNMP
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_net_snmp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2310

+ CVE-2014-3508 Information Disclosure vulnerability in OpenSSL
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3508_information_disclosure
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508

+ CVE-2014-5139 Denial Of Service(DoS) vulnerability in OpenSSL
https://blogs.oracle.com/sunsecurity/entry/cve_2014_5139_denial_of
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139

+ CVE-2014-3509 Race Conditions vulnerability in OpenSSL
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3509_race_conditions
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509

+ CVE-2014-3505 Denial Of Service(DoS) vulnerability in OpenSSL
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3505_denial_of
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505

+ CVE-2014-3506 Resource Management Errors vulnerability in OpenSSL
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3506_resource_management
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506

+ CVE-2014-3507 Resource Management Errors vulnerability in OpenSSL
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3507_resource_management
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507

+ CVE-2014-3510 Denial Of Service(DoS) vulnerability in OpenSSL
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3510_denial_of
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510

+ CVE-2014-3511 Cryptographic vulnerability in OpenSSL
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3511_cryptographic_vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511

+ CVE-2014-3512 Buffer Errors vulnerability in OpenSSL
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3512_buffer_errors
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512

+ CVE-2014-0178 Information Disclosure vulnerability in Samba
https://blogs.oracle.com/sunsecurity/entry/cve_2014_0178_information_disclosure
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0178

+ CVE-2014-0092 Cryptographic Issues vulnerability in GnuTLS
https://blogs.oracle.com/sunsecurity/entry/cve_2014_0092_cryptographic_issues
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092

+ Multiple Input Validation vulnerabilities in Apache HTTP Server
https://blogs.oracle.com/sunsecurity/entry/multiple_input_validation_vulnerabilities_in1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098

+ Multiple vulnerabilities in Samba
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_samba1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3493

+ Samba 4.0.22 Available for Download
http://samba.org/samba/history/samba-4.0.22.html

+ Moodle Bugs Let Remote Users Obtain Potentially Sensitive Information and Bypass Security Controls
http://www.securitytracker.com/id/1030839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3617
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4172

+ Squid Off-by-One in snmpHandleUdp() Lets Remote Users Execute Arbitrary Code
http://www.securitytracker.com/id/1030838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6270

+ SA61010 phpMyAdmin Micro History DOM-based Cross-Site Scripting Vulnerability
http://secunia.com/advisories/61010/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6300

+ SA61203 Moodle phpCAS Security Bypass Vulnerability
http://secunia.com/advisories/61203/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4172

+ Linux Kernel udf infinite loop when processing indirect ICBs
http://cxsecurity.com/issue/WLB-2014090071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6410

+ Linux Kernel net guard tcp_set_keepalive against crash
http://cxsecurity.com/issue/WLB-2014090072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6657

+ Linux Kernel 'tcp_set_keepalive()' Function Denial of Service Vulnerability
http://www.securityfocus.com/bid/69803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6657

+ phpMyAdmin Micro History Feature Cross Site Scripting Vulnerability
http://www.securityfocus.com/bid/69790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6300

+ Linux Kernel CVE-2014-3185 'whiteheat.c' Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/69781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3185

LedgerSMB 1.4.0 Released
http://www.postgresql.org/about/news/1543/

JVNDB-2014-000105 Cross-site scripting vulnerability in the help pages of multiple Adobe products
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000105.html

JVNVU#97910946 Buffer overflow vulnerability in the VCL of Embarcadero Delphi and C++Builder
http://jvn.jp/vu/JVNVU97910946/

[Security you can explain to the CEO]
Prompting management decisions through internal advocacy (Part 2): scoring risks to set priorities
http://itpro.nikkeibp.co.jp/atcl/column/14/511845/090300002/?ST=security

[CSIRT, the trump card for minimizing damage]
Delayed response, expanding damage
http://itpro.nikkeibp.co.jp/atcl/column/14/090500060/090500001/?ST=security

Nissan failed to notice a cyber attack for two months; beware of "stealth tampering"
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/091200054/?ST=security

20,000 unauthorized logins to JR East's "My JR-EAST" site; service suspended
http://itpro.nikkeibp.co.jp/atcl/news/14/091200877/?ST=security

Targeted attacks abusing shortcut files surge; Android smartphones also targeted
http://itpro.nikkeibp.co.jp/atcl/news/14/091200873/?ST=security

REMOTE: Http File Server 2.3.x - Remote Command Execution
http://www.exploit-db.com/exploits/34668

REMOTE: Railo Remote File Include
http://www.exploit-db.com/exploits/34669

REMOTE: ManageEngine Eventlog Analyzer Arbitrary File Upload
http://www.exploit-db.com/exploits/34670

REMOTE: SolarWinds Storage Manager Authentication Bypass
http://www.exploit-db.com/exploits/34671
