Friday, December 26, 2014

26th, Friday, senbu

+ libpng Buffer Overflow in png_combine_row() Lets Remote Users Execute Arbitrary Code
http://www.securitytracker.com/id/1031444

+ Facebook Bug Bounty #17 - Migrate Privacy Vulnerability
http://cxsecurity.com/issue/WLB-2014120179

UPDATE: JVNVU#91812636 Recursive DNS resolver implementations may loop indefinitely while resolving names
http://jvn.jp/vu/JVNVU91812636/

UPDATE: JVNVU#97219505 OS command injection vulnerability in GNU Bash
http://jvn.jp/vu/JVNVU97219505/

UPDATE: JVNVU#90348117 Buffer overflow vulnerability in Portable SDK for UPnP
http://jvn.jp/vu/JVNVU90348117/

Deceived, threatened, robbed: your money is at risk
[Case file] Everything typed was leaking: the "cloud input" incident
http://itpro.nikkeibp.co.jp/atcl/column/14/120900123/120900005/?ST=security

IIJ launches a new service to prevent fraudulent bank transfers caused by malware infection
http://itpro.nikkeibp.co.jp/atcl/news/14/122502392/?ST=security

Irish government files brief supporting Microsoft in the dispute over disclosure of data stored outside the US
http://itpro.nikkeibp.co.jp/atcl/news/14/122502385/?ST=security

From security labs around the world
A look at insider threats in data breaches
http://itpro.nikkeibp.co.jp/atcl/column/14/264220/122200025/?ST=security

Sony's North Korea-themed film streams online via YouTube and Xbox Video, US only
http://itpro.nikkeibp.co.jp/atcl/news/14/122502383/?ST=security

Thursday, December 25, 2014

25th, Thursday, tomobiki

+ UPDATE: Multiple Vulnerabilities in ntpd Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd

UPDATE: JVNVU#91812636 Recursive DNS resolver implementations may loop indefinitely while resolving names
http://jvn.jp/vu/JVNVU91812636/

Smartphone security measures, seen through their differences from PCs
[Targeted attacks] Few reported smartphone cases, but stay alert
http://itpro.nikkeibp.co.jp/atcl/column/14/120900122/121700003/?ST=security

Deceived, threatened, robbed: your money is at risk
[Case file] A "favor" asked by someone posing as a friend: the account-hijacking incident
http://itpro.nikkeibp.co.jp/atcl/column/14/120900123/120900003/?ST=security

ITpro roundup
Sony Pictures Entertainment
http://itpro.nikkeibp.co.jp/atcl/column/14/494329/122400055/?ST=security

Apple fixes critical ntpd vulnerability, uses its automatic update mechanism for the first time
http://itpro.nikkeibp.co.jp/atcl/news/14/122402366/?ST=security

Sony reverses cancellation of North Korea-themed film, will screen it in some theaters
http://itpro.nikkeibp.co.jp/atcl/news/14/122402363/?ST=security

Wednesday, December 24, 2014

24th, Wednesday, sensho

+ About OS X NTP Security Update
https://support.apple.com/en-us/HT6601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295

+ nginx 1.7.9 released
http://nginx.org/en/CHANGES

+ CESA-2014:2024 Important CentOS 7 ntp Security Update
http://lwn.net/Alerts/627246/

+ CESA-2014:2024 Important CentOS 6 ntp Security Update
http://lwn.net/Alerts/627248/

+ CESA-2014:2025 Important CentOS 5 ntp Security Update
http://lwn.net/Alerts/627247

+ UPDATE: Multiple Vulnerabilities in ntpd Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd

+ Apache POI 3.11 released
http://www.apache.org/dyn/closer.cgi/poi/release/RELEASE-NOTES.txt

+ Advisory: Vulnerability NTP CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
http://www.sophos.com/en-us/support/knowledgebase/121788.aspx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296

+ FreeBSD-SA-14:31.ntp Multiple vulnerabilities in NTP suite
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:31.ntp.asc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296

+ FreeBSD-EN-14:13.freebsd-update freebsd-update attempts to remove the root directory
https://www.freebsd.org/security/advisories/FreeBSD-EN-14:13.freebsd-update.asc

+ UnZip Buffer Overflows in '-t' Command Line Option Let Remote Users Execute Arbitrary Code
http://www.securitytracker.com/id/1031433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8141

+ REMOTE: Lotus Mail Encryption Server (Protector for Mail) LFI to RCE
http://www.exploit-db.com/exploits/35588

+ libpng 1.6.15 Heap Overflow
http://cxsecurity.com/issue/WLB-2014120165

+ Microsoft SDKs vulnerable
http://cxsecurity.com/issue/WLB-2014120164

+ Lotus Mail Encryption Server (Protector for Mail) Local File Inclusion
http://cxsecurity.com/issue/WLB-2014120161

+ PHP 5.6.3 unserialize() execute arbitrary code
http://cxsecurity.com/issue/WLB-2014120160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142

Help the FSF stay strong for 30 more years
https://www.fsf.org/appeal/

MicroOLAP Database Designer meets PostgreSQL 9.4
http://www.postgresql.org/about/news/1560/

Bucardo 5.3.0 released
http://www.postgresql.org/about/news/1559/

Vulnerability information worth checking <2014.12.24>
http://itpro.nikkeibp.co.jp/atcl/column/14/268561/121800036/?ST=security

Deceived, threatened, robbed: your money is at risk
[Case file] Stealing money from bank accounts: the online-banking fraud incident
http://itpro.nikkeibp.co.jp/atcl/column/14/120900123/120900002/?ST=security

Smartphone security measures, seen through their differences from PCs
[OS vulnerabilities] Some smartphones cannot be updated at all
http://itpro.nikkeibp.co.jp/atcl/column/14/120900122/121700002/?ST=security

Critical vulnerability in time-sync daemon ntpd: a single crafted packet can take over the server
http://itpro.nikkeibp.co.jp/atcl/news/14/122202355/?ST=security

US president concludes North Korea was behind the cyberattack, weighs re-designating it a state sponsor of terrorism
http://itpro.nikkeibp.co.jp/atcl/news/14/122202344/?ST=security

JVNVU#96446762 Multiple broadband routers use vulnerable versions of Allegro RomPager
http://jvn.jp/vu/JVNVU96446762/

UPDATE: JVNVU#96605606 Multiple vulnerabilities in Network Time Protocol daemon (ntpd)
http://jvn.jp/vu/JVNVU96605606/

JVNVU#95399358 Android applications generated by AppsGeyser fail to properly validate SSL certificates
http://jvn.jp/vu/JVNVU95399358/

LOCAL: BitRaider Streaming Client 1.3.3.4098 Local Privilege Escalation Vulnerability
http://www.exploit-db.com/exploits/35590

LOCAL: GParted 0.14.1 - OS Command Execution
http://www.exploit-db.com/exploits/35595

DoS/PoC: jetAudio 8.1.3 Basic (mp3) - Crash POC
http://www.exploit-db.com/exploits/35592

Monday, December 22, 2014

22nd, Monday, taian

+ RHSA-2014:2025 Important: ntp security update
https://rhn.redhat.com/errata/RHSA-2014-2025.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295

+ RHSA-2014:2024 Important: ntp security update
https://rhn.redhat.com/errata/RHSA-2014-2024.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296

+ RHSA-2014:2024 Important: ntp security update
https://access.redhat.com/errata/RHSA-2014:2024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296

+ About the security content of Xcode 6.2 beta 3
http://support.apple.com/en-us/HT204147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390

+ CESA-2014:2023 Moderate CentOS 7 glibc Security Update
http://lwn.net/Alerts/627039/

+ CESA-2014:2010 Important CentOS 7 kernel Security Update
http://lwn.net/Alerts/627042/

+ CESA-2014:2021 Important CentOS 7 jasper Security Update
http://lwn.net/Alerts/627040/

+ CESA-2014:2021 Important CentOS 6 jasper Security Update
http://lwn.net/Alerts/627041/

+ CESA-2014:2008 Important CentOS 5 kernel Security Update
http://lwn.net/Alerts/626811/

+ phpMyAdmin 4.3.3 is released
http://sourceforge.net/p/phpmyadmin/news/2014/12/phpmyadmin-433-is-released/

+ UPDATE: HPSBGN03204 rev.2 - HP Business Process Management running SSLv3, Remote Disclosure of Information
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04510023&docLocale=ja_JP

+ Check Point response to NTP vulnerabilities (CVE-2014-9293, CVE-2014-9294, CVE-2014-9295)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk103825&src=securityAlerts
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295

+ GCC 4.8.4 released
https://gcc.gnu.org/gcc-4.8/

+ NTP 4.2.8 released
http://archive.ntp.org/ntp4/ChangeLog-stable

+ PHP 5.6.4, 5.4.36 released
http://php.net/archive/2014.php#id2014-12-18-2
http://php.net/archive/2014.php#id2014-12-18-3

+ PostgreSQL 9.4 Released!
http://www.postgresql.org/docs/9.4/static/release-9-4.html

+ Samba 4.2.0rc3 Available for Download
https://download.samba.org/pub/samba/rc/WHATSNEW-4.2.0rc3.txt

+ VU#852879 Network Time Protocol daemon (ntpd) contains multiple vulnerabilities
http://www.kb.cert.org/vuls/id/852879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296

+ NTP Uses Weak Default Encryption Key and Weak RNG Seed
http://www.securitytracker.com/id/1031411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9294

+ NTP Logic Error in the receive() Function in 'ntp_proto.c' May Let Remote Users Deny Service
http://www.securitytracker.com/id/1031410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9296

+ NTP Buffer Overflows Let Remote Users Execute Arbitrary Code
http://www.securitytracker.com/id/1031409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295

+ Apple Xcode Git Path Validation Flaw Lets Remote Users Add Files to the '.git' Folder
http://www.securitytracker.com/id/1031404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390

+ Subversion mod_dav_svn URI Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1031403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108

+ Subversion mod_dav_svn REPORT Request Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1031402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580

+ SA61787 PHP "SoapClient::__getTypes()" Denial of Service Vulnerability
http://secunia.com/advisories/61787/

+ SA60920 PHP Multiple Vulnerabilities
http://secunia.com/advisories/60920/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142

Database .NET 14.0 released
http://www.postgresql.org/about/news/1558/

Deceived, threatened, robbed: your money is at risk
The old security common sense no longer applies
http://itpro.nikkeibp.co.jp/atcl/column/14/120900123/120900001/?ST=security

Smartphone security measures, seen through their differences from PCs
[Viruses] On smartphones, watch out for malicious apps
http://itpro.nikkeibp.co.jp/atcl/column/14/120900122/121700001/?ST=security

PassLogy releases new version of its matrix-style password notebook app PassClip
http://itpro.nikkeibp.co.jp/atcl/news/14/121902339/?ST=security

"Unearthing" top domestic researchers: second edition of international security conference CODE BLUE held
http://itpro.nikkeibp.co.jp/atcl/news/14/121902337/?ST=security

NCI launches a managed operation service for DDoS mitigation appliances
http://itpro.nikkeibp.co.jp/atcl/news/14/121902336/?ST=security

OPTiM adds a Mac edition to its MDM software, with remote lock and wipe
http://itpro.nikkeibp.co.jp/atcl/news/14/121902331/?ST=security

Will privacy still exist in 10 years? US survey report
http://itpro.nikkeibp.co.jp/atcl/news/14/110601779/121900053/?ST=security

Vulnerability information worth checking <2014.12.19>
http://itpro.nikkeibp.co.jp/atcl/column/14/268561/121800035/?ST=security

JVNVU#90515133 Session management vulnerability in multiple Dell iDRAC products
http://jvn.jp/vu/JVNVU90515133/

VU#561444 Multiple broadband routers use vulnerable versions of Allegro RomPager
http://www.kb.cert.org/vuls/id/561444

VU#1680209 AppsGeyser generates Android applications that fail to properly validate SSL certificates
http://www.kb.cert.org/vuls/id/1680209

REMOTE: Varnish Cache CLI Interface Remote Code Execution
http://www.exploit-db.com/exploits/35581

DoS/PoC: Ettercap 0.8.0-0.8.1 - Multiple Denial of Service Vulnerabilities
http://www.exploit-db.com/exploits/35580

Friday, December 19, 2014

19th, Friday, sensho

+ RHSA-2014:2021 Important: jasper security update
https://rhn.redhat.com/errata/RHSA-2014-2021.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029

+ RHSA-2014:2021 Important: jasper security update
https://access.redhat.com/errata/RHSA-2014:2021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029

+ RHSA-2014:2023 Moderate: glibc security and bug fix update
https://access.redhat.com/errata/RHSA-2014:2023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817

+ RHSA-2014:2010 Important: kernel security update
https://access.redhat.com/errata/RHSA-2014:2010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322

+ TortoiseSVN 1.8.10 released
http://tortoisesvn.net/downloads.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108

+ UPDATE: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2

+ UPDATE: HPSBGN03204 rev.2 - HP Business Process Management running SSLv3, Remote Disclosure of Information
https://h20565.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04510023&docLocale=ja_JP

+ PHP 5.5.20 is available
http://php.net/ChangeLog-5.php#5.5.20

+ Apache Subversion CVE-2014-3580 Remote Denial of Service Vulnerability
http://www.securityfocus.com/bid/71726
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580

+ Apache Subversion CVE-2014-8108 Remote Denial of Service Vulnerability
http://www.securityfocus.com/bid/71725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108

PostgreSQL 9.4 Increases Flexibility, Scalability and Performance
http://www.postgresql.org/about/news/1557/

JVNDB-2014-000152 Cross-site scripting vulnerability in WBS Gantt-Chart for JIRA
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000152.html

JVNDB-2014-000151 Cross-site scripting vulnerability in WBS Gantt-Chart for JIRA
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000151.html

JVNDB-2014-000124 Arbitrary Java method execution vulnerability in the TSUTAYA app for Android
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000124.html

JVNDB-2014-000132 Buffer overflow vulnerability in multiple Allied Telesis products
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000132.html

From security labs around the world
POS malware spreading beyond retail
http://itpro.nikkeibp.co.jp/atcl/column/14/264220/121500024/?ST=security

Microsoft Japan, NTT Com and FFRI to offer a domestically developed "zero-day attack protection service"
http://itpro.nikkeibp.co.jp/atcl/news/14/121802325/?ST=security

Macnica releases new version of its host-based APT protection, blocking malware execution
http://itpro.nikkeibp.co.jp/atcl/news/14/121802323/?ST=security

Canon ITS offers the high-end edition of its mail filtering product as a virtual appliance
http://itpro.nikkeibp.co.jp/atcl/news/14/121802311/?ST=security

ITpro
An era in which every stakeholder becomes a "hostage"
http://itpro.nikkeibp.co.jp/atcl/column/14/560135/121700101/?ST=security

Sony Pictures cancels release of the controversial film "The Interview"
http://itpro.nikkeibp.co.jp/atcl/news/14/121802308/?ST=security

VU#843044 Multiple Dell iDRAC IPMI v1.5 implementations use insufficiently random session ID values
http://www.kb.cert.org/vuls/id/843044

Thursday, December 18, 2014

18th, Thursday, shakko

+ RHSA-2014:2008 Important: kernel security update
https://rhn.redhat.com/errata/RHSA-2014-2008.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322

+ CESA-2014:1997 Important CentOS 6 kernel Security Update
http://lwn.net/Alerts/626629/

+ CESA-2014:1999 Moderate CentOS 6 mailx Security Update
http://lwn.net/Alerts/626630/

+ CESA-2014:1999 Moderate CentOS 7 mailx Security Update
http://lwn.net/Alerts/626631/

+ UPDATE: Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2

+ FreeBSD-SA-14:30.unbound unbound remote denial of service vulnerability
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:30.unbound.asc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602

+ HP OpenVMS POP Unspecified Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1031387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7880

+ Symantec Web Gateway Lets Remote Authenticated Users Execute Arbitrary Commands
http://www.securitytracker.com/id/1031386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7285

+ Linux Kernel espfix64 Stack Segment Fault Lets Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1031377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322

+ SA61236 PHP "var_push_dtor()" NULL Pointer Dereference Vulnerability
http://secunia.com/advisories/61236/

+ SA61131 Apache Subversion mod_dav_svn Two Denial of Service Vulnerabilities
http://secunia.com/advisories/61131/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108

+ Linux Kernel 'Grinch' polkit/wheel group issue
http://cxsecurity.com/issue/WLB-2014120115

+ Linux Kernel CVE-2014-9322 Local Privilege Escalation Vulnerability
http://www.securityfocus.com/bid/71685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322

+ Linux Kernel 'fs/isofs/rock.c' Infinite Loop Denial of Service Vulnerability
http://www.securityfocus.com/bid/71717

NEC Fielding launches an internet threat protection service for small and medium-sized businesses
http://itpro.nikkeibp.co.jp/atcl/news/14/121702303/?ST=security

LAC reviews 2014's cyber incidents and accidents: "three serious issues exposed"
http://itpro.nikkeibp.co.jp/atcl/news/14/121702300/?ST=security

Hacker group threatens theaters scheduled to screen Sony's "The Interview"
http://itpro.nikkeibp.co.jp/atcl/news/14/121702287/?ST=security

Wednesday, December 17, 2014

17th, Wednesday, taian

+ RHSA-2014:1999 Moderate: mailx security update
https://rhn.redhat.com/errata/RHSA-2014-1999.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7844

+ RHSA-2014:1997 Important: kernel security and bug fix update
https://rhn.redhat.com/errata/RHSA-2014-1997.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322

+ RHSA-2014:1999 Moderate: mailx security update
https://access.redhat.com/errata/RHSA-2014:1999
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7844

+ PDFCreator 2.0.1 released
http://www.pdfforge.org/blog/pdfcreator-201

+ HPSBMU03217 rev.1 - HP Vertica Analytics Platform running Bash Shell, Remote Code Execution
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04512907&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187

+ HPSBMU03221 rev.1 - HP Connect-IT running SSLv3, Remote Disclosure of Information
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04518605&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

+ HPSBOV03226 rev.1 - HP TCP/IP Services for OpenVMS, BIND 9 Resolver, Multiple Remote Vulnerabilities
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04530690&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244

+ HPSBOV03225 rev.1 - HP OpenVMS running POP, Remote Denial of Service (DoS)
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04530570&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7880

+ Linux kernel 3.18.1, 3.17.7, 3.14.27, 3.10.63 released
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.1
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.17.7
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.27
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.63

+ Multiple vulnerabilities fixed in Firefox 24.7.0 ESR
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_fixed_in_firefox1

+ CVE-2014-3707 Information Disclosure vulnerability in Libcurl
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3707_information_disclosure
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3707

+ Multiple vulnerabilities in Puppet
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_puppet1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3250

+ Multiple Buffer Errors vulnerabilities in Kerberos
https://blogs.oracle.com/sunsecurity/entry/multiple_buffer_errors_vulnerabilities_in4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4342

+ CVE-2014-2285 Input Validation vulnerability in Net-SNMP
https://blogs.oracle.com/sunsecurity/entry/cve_2014_2285_input_validation
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2285

+ CVE-2012-2141 Denial Of Service(DoS) vulnerability in Net-SNMP
https://blogs.oracle.com/sunsecurity/entry/cve_2012_2141_denial_of
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2141

+ CVE-2014-3565 Resource Management Errors vulnerability in Net-SNMP
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3565_resource_management
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3565

+ Multiple vulnerabilities in Jinja2
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_jinja2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1402

+ MIT Kerberos Null Pointer Dereference Bugs Let Remote Authenticated Users Deny Service
http://www.securitytracker.com/id/1031376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5354

+ Apache Buffer Overflow in mod_proxy_fcgi Lets Remote Users Deny Service
http://www.securitytracker.com/id/1031371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583

+ Linux Kernel 3.2 multiple x86_64 vulnerabilities
http://cxsecurity.com/issue/WLB-2014120100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8133
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9090

+ Symantec Web Gateway CVE-2014-7285 Command Injection Vulnerability
http://www.securityfocus.com/bid/71620
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7285

UPDATE: JVNVU#92305751 Update for multiple vulnerabilities in Apple Safari
http://jvn.jp/vu/JVNVU92305751/

JVNVU#92844499 Multiple vulnerabilities in CA Release Automation (formerly CA LISA Release Automation)
http://jvn.jp/vu/JVNVU92844499/

JVNVU#99439003 Multiple vulnerabilities in EMC Documentum series products
http://jvn.jp/vu/JVNVU99439003/

Highly sophisticated malware "Regin" reuses past techniques
http://itpro.nikkeibp.co.jp/atcl/column/14/264220/121500023/?ST=security

How "free SSL certificates" will transform the web, with implications for corporate network management
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/121500129/?ST=security

"I am watching you 20 years from now": mysterious extortion virus targets Japanese users
http://itpro.nikkeibp.co.jp/atcl/news/14/121602280/?ST=security

Encourage Technologies offers privileged-ID management for SMBs at 5,000 yen per month
http://itpro.nikkeibp.co.jp/atcl/news/14/121602277/?ST=security

Akamai opens a DDoS scrubbing center in Japan
http://itpro.nikkeibp.co.jp/atcl/news/14/121602271/?ST=security

REMOTE: ActualAnalyzer 'ant' Cookie Command Execution
http://www.exploit-db.com/exploits/35549

Tuesday, December 16, 2014

16th, Tuesday, butsumetsu

+ TortoiseSVN 1.8.9 released
http://tortoisesvn.net/tsvn_1.8_releasenotes.html

+ mod_dav_svn is vulnerable to a remotely triggerable segfault DoS vulnerability with certain invalid REPORT requests.
http://subversion.apache.org/security/CVE-2014-3580-advisory.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3580

+ mod_dav_svn is vulnerable to a remotely triggerable segfault DoS vulnerability for requests with non-existent virtual transaction names.
http://subversion.apache.org/security/CVE-2014-8108-advisory.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8108

+ HPSBOV03197 rev.1 - HP OpenVMS running Java, Multiple Remote Vulnerabilities
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04529337&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3213
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1479
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1491
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1540
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5809
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5818
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5819
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5823
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5824
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5831
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5832
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5842
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5843
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5852
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5884
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5887
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5888
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0428

+ DoS/PoC: phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS
http://www.exploit-db.com/exploits/35539

+ glibc 2.21 DNS endless loop in getaddr_r
http://cxsecurity.com/issue/WLB-2014120094

+ phpMyAdmin 4.0.x, 4.1.x, 4.2.x Denial of Service
http://cxsecurity.com/issue/WLB-2014120093

+ SA61425 Linux Kernel Virtual File System Deadlock Denial of Service Vulnerabilities
http://secunia.com/advisories/61425/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8559

+ SA61121 Hitachi JP1/Cm2/Network Node Manager Multiple Vulnerabilities
http://secunia.com/advisories/61121/

+ GNU glibc 'getanswer_r()' Function Infinite Loop Denial of Service Vulnerability
http://www.securityfocus.com/bid/71670

Canon PPS releases internal-control software "ESS REC" for printing businesses
http://itpro.nikkeibp.co.jp/atcl/news/14/121502247/?ST=security

Intelligent Works sells product that records operation logs on NAS
http://itpro.nikkeibp.co.jp/atcl/news/14/121502245/?ST=security

JVNVU#98107585 Stack buffer overflow vulnerability in Honeywell OPOS Suite
http://jvn.jp/vu/JVNVU98107585/index.html

VU#343060 CA LISA Release Automation contains multiple vulnerabilities
http://www.kb.cert.org/vuls/id/343060

VU#315340 EMC Documentum products contain multiple vulnerabilities
http://www.kb.cert.org/vuls/id/315340

REMOTE: Tuleap PHP Unserialize Code Execution
http://www.exploit-db.com/exploits/35545

LOCAL: Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit DoS (.m3u)
http://www.exploit-db.com/exploits/35530

LOCAL: Mediacoder 0.8.33 build 5680 - SEH Buffer Overflow Exploit DoS (.lst)
http://www.exploit-db.com/exploits/35531

LOCAL: jaangle 0.98i.977 - Denial of Service Vulnerability
http://www.exploit-db.com/exploits/35532

LOCAL: HTCSyncManager 3.1.33.0 - Service Trusted Path Privilege Escalation
http://www.exploit-db.com/exploits/35534

LOCAL: Avira 14.0.7.342 - (avguard.exe) Service Trusted Path Privilege Escalation
http://www.exploit-db.com/exploits/35537

LOCAL: CodeMeter 4.50.906.503 - Service Trusted Path Privilege Escalation
http://www.exploit-db.com/exploits/35542

Monday, December 15, 2014

Monday the 15th, Senbu

+ RHSA-2014:1985 Important: bind97 security update
https://rhn.redhat.com/errata/RHSA-2014-1985.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

+ RHSA-2014:1984 Important: bind security update
https://rhn.redhat.com/errata/RHSA-2014-1984.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

+ RHSA-2014:1984 Important: bind security update
https://access.redhat.com/errata/RHSA-2014:1984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

+ About the security content of Safari 8.0.2, Safari 7.1.2, and Safari 6.2.2
http://support.apple.com/en-us/HT6597

+ CESA-2014:1984 Important CentOS 7 bind Security Update
http://lwn.net/Alerts/625981/

+ CESA-2014:1984 Important CentOS 5 bind Security Update
http://lwn.net/Alerts/625982/

+ CESA-2014:1985 Important CentOS 5 bind97 Security Update
http://lwn.net/Alerts/625983/

+ CESA-2014:1984 Important CentOS 6 bind Security Update
http://lwn.net/Alerts/625980/

+ CESA-2014:1983 Important CentOS 7 xorg-x11-server Security Update
http://lwn.net/Alerts/625984/

+ CESA-2014:1982 Important CentOS 5 xorg-x11-server Security Update
http://lwn.net/Alerts/625986/

+ CESA-2014:1983 Important CentOS 6 xorg-x11-server Security Update
http://lwn.net/Alerts/625985/

+ phpMyAdmin 4.3.2 is released
http://sourceforge.net/p/phpmyadmin/news/2014/12/phpmyadmin-432-is-released/

+ Linux kernel 3.2.65 released
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.65
https://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.65

+ HS14-025 Multiple Vulnerabilities in JP1/Cm2/Network Node Manager i
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-025/index.html

+ HS14-024 Buffer Overflow Vulnerability in JP1/Cm2/Network Node Manager i
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-024/index.html

+ HS14-025 Multiple vulnerabilities in JP1/Cm2/Network Node Manager i (Japanese)
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS14-025/index.html

+ HS14-024 Buffer overflow vulnerability in JP1/Cm2/Network Node Manager i (Japanese)
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS14-024/index.html

+ MantisBT 1.2.17 URL redirection issue
http://cxsecurity.com/issue/WLB-2014120085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6316

+ Linux Kernel Qualcomm Innovation Center (QuIC) Android gain privileges
http://cxsecurity.com/issue/WLB-2014120084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4323

+ Apache HTTP Server 'mod_proxy_fcgi' Module Denial of Service Vulnerability
http://www.securityfocus.com/bid/71657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3583

+ Apache HTTP Server 'mod_cache' Module Denial of Service Vulnerability
http://www.securityfocus.com/bid/71656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581

+ Linux Kernel 'kernel/kvm.c' Local Information Disclosure Vulnerability
http://www.securityfocus.com/bid/71650
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8134

JVNDB-2014-000150 Cross-site scripting vulnerability in LinPHA
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000150.html

Vulnerability information worth checking <2014.12.15>
http://itpro.nikkeibp.co.jp/atcl/column/14/268561/120300034/?ST=security

Credential-list attacks: not only after money, what is their true goal
http://itpro.nikkeibp.co.jp/atcl/watcher/14/334361/121100138/?ST=security

Kyodo News may have leaked 17,000 personal records, including mailing addresses for a members' magazine sent to political and business executives
http://itpro.nikkeibp.co.jp/atcl/news/14/121202232/?ST=security

ITpro roundup
Apple ID
http://itpro.nikkeibp.co.jp/atcl/column/14/494329/121000047/?ST=security

ITpro NOW
The benefits of giving vulnerabilities a name
http://itpro.nikkeibp.co.jp/atcl/column/14/560135/121100099/?ST=security

VU#659684 Honeywell OPOS suite Stack Buffer Overflow vulnerability
http://www.kb.cert.org/vuls/id/659684

Friday, December 12, 2014

Friday the 12th, Shakko

+ RHSA-2014:1982 Important: xorg-x11-server security update
https://rhn.redhat.com/errata/RHSA-2014-1982.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102

+ RHSA-2014:1983 Important: xorg-x11-server security update
https://rhn.redhat.com/errata/RHSA-2014-1983.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8103

+ RHSA-2014:1983 Important: xorg-x11-server security update
https://access.redhat.com/errata/RHSA-2014:1983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8103

+ Check Point response to TLS 1.x padding vulnerability (CVE-2014-8730)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk103683&src=securityAlerts
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730

+ Linux kernel 3.12.35 released
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.35

+ FreeBSD file(1) and libmagic(3) File Processing Flaws Let Remote Users Deny Service
http://www.securitytracker.com/id/1031344
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117

+ FreeBSD Buffer Overflow in libc stdio Lets Local Users Deny Service or Execute Arbitrary Code
http://www.securitytracker.com/id/1031343
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8611

+ Google Doc Embedder 2.5.14 SQL Injection
http://cxsecurity.com/issue/WLB-2014120064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9173

JVNVU#98283300 Vulnerability in the SSLv3 protocol allowing decryption of encrypted data (POODLE attack)
http://jvn.jp/vu/JVNVU98283300/

LOCAL: Mobilis 3G mobiconnect 3G++ ZDServer 1.0.1.2 - (ZTE CORPORATION) Service Trusted Path Privilege Escalation
http://www.exploit-db.com/exploits/35512

Thursday, December 11, 2014

Thursday the 11th, Taian

+ About the security content of iOS 8.1.2
http://support.apple.com/en-us/HT6598

+ CESA-2014:1971 Important CentOS 7 kernel Security Update
http://lwn.net/Alerts/625470/

+ CESA-2014:1976 Important CentOS 7 rpm Security Update
http://lwn.net/Alerts/625473/

+ CESA-2014:1974 Important CentOS 6 rpm Security Update
http://lwn.net/Alerts/625471/

+ CESA-2014:1974 Important CentOS 5 rpm Security Update
http://lwn.net/Alerts/625472/

+ squid 3.4.10 released
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html

+ BIND 9.10.1-P1, 9.9.6-P1 released
https://kb.isc.org/article/AA-01223/81/BIND-9.10.1-P1-Release-Notes.html
https://kb.isc.org/article/AA-01224/81/BIND-9.9.6-P1-Release-Notes.html

+ CVE-2014-8680: Defects in GeoIP features can cause BIND to crash
https://kb.isc.org/article/AA-01217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8680

+ CVE-2014-8500: A Defect in Delegation Handling Can Be Exploited to Crash BIND
https://kb.isc.org/article/AA-01216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

+ HPSBMU03043 rev.1 - HP Smart Update Manager for Windows and Linux, Local Disclosure of Information
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04302476&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2608

+ UPDATE: HPSBST03154 rev.2 - HP StoreFabric C-series MDS switches and HP C-series Nexus 5K switches running Bash Shell, Remote Code Execution
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04487558&docLocale=ja_JP

+ VMSA-2014-0014 AirWatch by VMware product update addresses information disclosure vulnerabilities
http://www.vmware.com/security/advisories/VMSA-2014-0014.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8372

+ VMSA-2014-0013 VMware vCloud Automation Center product updates address a critical remote privilege escalation vulnerability
http://www.vmware.com/security/advisories/VMSA-2014-0013.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8373

+ FreeBSD-SA-14:29.bind BIND remote denial of service vulnerability
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:29.bind.asc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

+ FreeBSD-SA-14:28.file Multiple vulnerabilities in file(1) and libmagic(3)
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8117

+ FreeBSD-SA-14:27.stdio Buffer overflow in stdio
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:27.stdio.asc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8611

+ VU#264212 Recursive DNS resolver implementations may follow referrals infinitely
http://www.kb.cert.org/vuls/id/264212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602

+ ISC BIND CVE-2014-8500 Remote Denial of Service Vulnerability
http://www.securityfocus.com/bid/71590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

JVNDB-2014-000149 Cross-site scripting vulnerability in Chyrp
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000149.html

Lastline (US), promoting a next-generation sandbox, establishes a Japanese subsidiary
http://itpro.nikkeibp.co.jp/atcl/news/14/121002198/?ST=security

Dashlane releases beta of "Password Changer", which changes passwords automatically
http://itpro.nikkeibp.co.jp/atcl/news/14/121002196/?ST=security

One in ten thefts in the US involves a smartphone; more than 1 million stolen in 2013
http://itpro.nikkeibp.co.jp/atcl/news/14/121002193/?ST=security

UPDATE: JVNVU#98283300 Vulnerability in the SSLv3 protocol allowing decryption of encrypted data (POODLE attack)
http://jvn.jp/vu/JVNVU98283300/

JVN#54775800 XML external entity (XXE) processing vulnerability in FAST/TOOLS
http://jvn.jp/jp/JVN54775800/

JVN#13160869 Cross-site scripting vulnerability in Chyrp
http://jvn.jp/jp/JVN13160869/

Wednesday, December 10, 2014

Wednesday the 10th, Butsumetsu

+ Microsoft Security Bulletin Summary for December 2014
https://technet.microsoft.com/ja-jp/library/security/ms14-dec

+ MS14-075 - Important: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712)
https://technet.microsoft.com/ja-jp/library/security/MS14-075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6319
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6326
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6336

+ MS14-080 - Critical: Cumulative Security Update for Internet Explorer (3008923)
https://technet.microsoft.com/library/security/ms14-080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6329
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6330
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6366
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6369
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6368
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6363

+ MS14-081 - Critical: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (3017301)
https://technet.microsoft.com/library/security/ms14-081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6357

+ MS14-082 - Important: Vulnerability in Microsoft Office Could Allow Remote Code Execution (3017349)
https://technet.microsoft.com/library/security/ms14-082
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6364

+ MS14-083 - Important: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (3017347)
https://technet.microsoft.com/library/security/ms14-083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6360
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6361

+ MS14-084 - Critical: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (3016711)
https://technet.microsoft.com/library/security/ms14-084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6363

+ MS14-085 - Important: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure (3013126)
https://technet.microsoft.com/library/security/ms14-085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6355

+ UPDATE: Microsoft Security Advisory 3009008 Vulnerability in SSL 3.0 Could Allow Information Disclosure
https://technet.microsoft.com/ja-jp/library/security/3009008

+ UPDATE: Microsoft Security Advisory (2755801) Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
https://technet.microsoft.com/ja-jp/library/security/2755801

+ RHSA-2014:1974 Important: rpm security update
https://rhn.redhat.com/errata/RHSA-2014-1974.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6435

+ RHSA-2014:1971 Important: kernel security and bug fix update
https://access.redhat.com/errata/RHSA-2014:1971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3631
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3688
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4652
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4654
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6410

+ RHSA-2014:1976 Important: rpm security update
https://access.redhat.com/errata/RHSA-2014:1976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8118

+ Google Chrome 39.0.2171.95 released
http://googlechromereleases.blogspot.jp/2014/12/stable-channel-update.html

+ APSB14-29 Security Update: Hotfixes available for ColdFusion
http://helpx.adobe.com/security/products/coldfusion/apsb14-29.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9166

+ HPSBMU03043 rev.1 - HP Smart Update Manager for Windows and Linux, Local Disclosure of Information
https://h20565.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04302476&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2608

+ UPDATE: HPSBST03154 rev.2 - HP StoreFabric C-series MDS switches and HP C-series Nexus 5K switches running Bash Shell, Remote Code Execution
https://h20565.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04487558&docLocale=ja_JP

+ JVNVU#94007830 Multiple vulnerabilities in ISC BIND 9
http://jvn.jp/vu/JVNVU94007830/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8680

+ ISC BIND GeoIP Bugs Let Remote Users Deny Service
http://www.securitytracker.com/id/1031312
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8680

+ ISC BIND Resolver Resource Consumption Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1031311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

+ Apache Struts Predictable Tokens Let Remote Users Bypass Cross-Site Request Forgery Protection
http://www.securitytracker.com/id/1031309
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7809

+ BIND 9.10.1 A Defect in Delegation Handling Vulnerability
http://cxsecurity.com/issue/WLB-2014120050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

+ BIND 9.10.1 Defects in GeoIP Crash
http://cxsecurity.com/issue/WLB-2014120051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8680

+ Apache Struts 2.3.20 Security Fixes
http://cxsecurity.com/issue/WLB-2014120048

+ SA61156 Google Chrome Flash Player Multiple Vulnerabilities
http://secunia.com/advisories/61156/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9164

+ SA61004 ISC BIND Multiple Denial of Service Vulnerabilities
http://secunia.com/advisories/61004/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8680

+ SA60935 ISC BIND Delegation Handling Denial of Service Vulnerability
http://secunia.com/advisories/60935/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

+ SA60356 ISC BIND Delegation Handling Denial of Service Vulnerability
http://secunia.com/advisories/60356/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8500

+ Linux Kernel ASLR Security Bypass Weakness
http://www.securityfocus.com/bid/71494

JVNDB-2014-000146 Cross-site scripting vulnerability in i-HTTPD
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000146.html

JVNDB-2014-000145 Cross-site scripting vulnerability in the "Omake BBS" bundled with i-HTTPD
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000145.html

JVNDB-2014-000144 Cross-site scripting vulnerability in i-HTTPD
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000144.html

JVNDB-2014-000143 Arbitrary command execution vulnerability in the "File Upload BBS" bundled with i-HTTPD
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000143.html

The sleepless city of the "social new breed"? What are teenagers thinking
The urge to confess running wild online: seeking understanding and empathy invites danger
http://itpro.nikkeibp.co.jp/atcl/column/14/537662/120400020/?ST=security

Vulnerability information worth checking <2014.12.10>
http://itpro.nikkeibp.co.jp/atcl/column/14/268561/120300033/?ST=security

Serious vulnerability found that stems from the DNS specification itself; JPRS calls for countermeasures
http://itpro.nikkeibp.co.jp/atcl/news/14/120902178/?ST=security

System outage on Sony's PlayStation Network, possibly an attack by "Lizard Squad"
http://itpro.nikkeibp.co.jp/atcl/news/14/120902171/?ST=security

From security labs around the world
"CoinVault", the ransomware that releases one hostage file
http://itpro.nikkeibp.co.jp/atcl/column/14/264220/120400022/?ST=security

JVNVU#92305751 Update for multiple vulnerabilities in Apple Safari
http://jvn.jp/vu/JVNVU92305751/

Tuesday, December 9, 2014

Tuesday the 9th, Senbu

+ MantisBT 1.2.18 Released
http://www.mantisbt.org/blog/?p=301
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9280
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6316
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9117

+ CESA-2014:1959 Moderate CentOS 5 kernel Security Update
http://lwn.net/Alerts/624790/

+ phpMyAdmin 4.3.0 is released
http://sourceforge.net/p/phpmyadmin/news/2014/12/phpmyadmin-430-is-released/

+ phpMyAdmin 4.3.1 is released
http://sourceforge.net/p/phpmyadmin/news/2014/12/phpmyadmin-431-is-released/

+ UPDATE: Cisco IronPort Appliances Telnet Remote Code Execution Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

+ UPDATE: GNU Bash Environment Variable Command Injection Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

+ HPSBGN03222 rev.1 - HP Enterprise Maps running SSLv3, Remote Disclosure of Information
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04518999&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

+ HPSBGN03205 rev.1 - HP Insight Remote Support Clients running SSLv3, Remote Disclosure of Information
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04510081&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

+ HPSBGN03208 rev.1 - HP Cloud Service Automation running SSLv3, Remote Disclosure of Information
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04516572&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

+ HPSBUX03218 SSRT101770 rev.1 - HP-UX running Java7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
https://h20566.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04517477&docLocale=ja_JP
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6493
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6558

+ Linux kernel 3.17.6, 3.14.26, 3.12.34, 3.10.62 released
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.17.6
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.26
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.34
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.62

+ Apache Struts 2.3.20 released
http://struts.apache.org/announce.html#a20141207

+ Samba 4.0.23 Available for Download
http://samba.org/samba/history/samba-4.0.23.html

+ Glibc Out-of-bounds Memory Read Bugs in Converting IBM Encoded Data Let Remote or Local Users Deny Service
http://www.securitytracker.com/id/1031308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6040

+ SA60610 Microsoft Internet Explorer "display:run-in" Use-After-Free Arbitrary Code Execution Vulnerability
http://secunia.com/advisories/60610/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8967

+ Google App Engine Java security sandbox bypasses
http://cxsecurity.com/issue/WLB-2014120040

+ Windows Kerberos - Elevation of Privilege (MS14-068)
http://cxsecurity.com/issue/WLB-2014120038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6324

From security labs around the world
"CoinVault", the ransomware that releases one hostage file
http://itpro.nikkeibp.co.jp/atcl/column/14/264220/120400022/?ST=security

Cyberattack on Sony's US subsidiary: North Korea denies involvement but calls it a "righteous deed"
http://itpro.nikkeibp.co.jp/atcl/news/14/120802151/?ST=security

Vulnerability information worth checking <2014.12.8>
http://itpro.nikkeibp.co.jp/atcl/column/14/268561/120300032/?ST=security

RSA executive points to cybercrime-as-a-service; DDoS attacks cost $8 an hour
http://itpro.nikkeibp.co.jp/atcl/news/14/120502147/?ST=security

CEC: compact appliance that collects and manages multifunction printer usage logs
http://itpro.nikkeibp.co.jp/atcl/news/14/120502144/?ST=security

DIT makes SSH key management easier with its privileged ID access management software
http://itpro.nikkeibp.co.jp/atcl/news/14/120502143/?ST=security

NSA eavesdropping operations may have collected information from carriers worldwide
http://itpro.nikkeibp.co.jp/atcl/news/14/120502137/?ST=security

JVNVU#98916051 Multiple vulnerabilities in Zenoss Core
http://jvn.jp/vu/JVNVU98916051/

JVN#49154900 Directory traversal vulnerability in Spring Framework
http://jvn.jp/jp/JVN49154900/

VU#449452 Zenoss Core contains multiple vulnerabilities
http://www.kb.cert.org/vuls/id/449452

Friday, December 5, 2014

Friday the 5th, Taian

+ Microsoft Security Bulletin Advance Notification for December 2014
https://technet.microsoft.com/ja-jp/library/security/ms14-dec

+ RHSA-2014:1959 Moderate: kernel security and bug fix update
https://rhn.redhat.com/errata/RHSA-2014-1959.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0181

+ RHSA-2014:1956 Moderate: wpa_supplicant security update
https://access.redhat.com/errata/RHSA-2014:1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686

+ APSB14-28 Prenotification Security Advisory for Adobe Reader and Acrobat
http://helpx.adobe.com/security/products/reader/apsb14-28.html

+ About the security content of Safari 8.0.1, Safari 7.1.1, and Safari 6.2.1
http://support.apple.com/en-us/HT6596
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4475

+ CESA-2014:1919 Critical CentOS 7 firefox Security Update
http://lwn.net/Alerts/624566/

+ CESA-2014:1948 Important CentOS 6 nss Security Update
http://lwn.net/Alerts/624568/

+ CESA-2014:1948 Important CentOS 7 nss Security Update
http://lwn.net/Alerts/624569/

+ CESA-2014:1956 Moderate CentOS 7 wpa_supplicant Security Update
http://lwn.net/Alerts/624572/

+ CESA-2014:1919 Critical CentOS 5 firefox Security Update
http://lwn.net/Alerts/624564/

+ CESA-2014:1919 Critical CentOS 6 firefox Security Update
http://lwn.net/Alerts/624565/

+ CESA-2014:1948 Important CentOS 5 nss Security Update
http://lwn.net/Alerts/624567/

+ CESA-2014:1924 Important CentOS 5 thunderbird Security Update
http://lwn.net/Alerts/624570/

+ CESA-2014:1924 Important CentOS 6 thunderbird Security Update
http://lwn.net/Alerts/624571/

+ Apple Safari Bugs Let Remote Users Execute Arbitrary Code and Obtain Potentially Sensitive Information
http://www.securitytracker.com/id/1031296
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4475

+ SA60454 phpMyAdmin "url" Cross-Site Scripting and Denial of Service Two Vulnerabilities
http://secunia.com/advisories/60454/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9218
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9219

+ SA60918 Microsoft Windows "xxxMenuWindowProc()" Denial of Service Vulnerability
http://secunia.com/advisories/60918/

+ SA60458 Apple Safari Multiple Vulnerabilities
http://secunia.com/advisories/60458/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4475

+ tnftp in MacOS X 10.10 & FreeBSD10 Remote Command Execution Exploit
http://cxsecurity.com/issue/WLB-2014120030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8517

+ tcpdump CVE-2014-9140 Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/71468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9140

+ Microsoft Internet Explorer CVE-2014-8967 Use After Free Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/71483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8967

JVNDB-2014-000148 Improper information management vulnerability in Kaku-San-Sei Million Arthur for Android
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000148.html

JVNDB-2014-000147 Cross-site scripting vulnerability in KENT-WEB Clip Board
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000147.html

UPDATE: JVNVU#99291862 Multiple NAT-PMP devices can be controlled from the WAN side
http://jvn.jp/vu/JVNVU99291862/

Industry-government-academia cybercrime countermeasure organization launches, aiming to "neutralize" attackers
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/120100116/?ST=security

Facebook partners with ESET to strengthen anti-malware measures
http://itpro.nikkeibp.co.jp/atcl/news/14/120402119/?ST=security

Google announces a new CAPTCHA authentication method to prevent automated input
http://itpro.nikkeibp.co.jp/atcl/news/14/120402114/?ST=security

Thursday, December 4, 2014

Thursday the 4th, Butsumetsu

+ RHSA-2014:1956 Moderate: wpa_supplicant security update
https://access.redhat.com/errata/RHSA-2014:1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686

+ Opera 26 released
http://www.opera.com/docs/changelogs/unified/2600/

+ phpMyAdmin 4.0.10.7, 4.1.14.8, 4.2.13.1 and 4.3.0-rc2 have been released
http://sourceforge.net/p/phpmyadmin/news/2014/12/phpmyadmin-40107-41148-42131-and-430-rc2-have-been-released/

+ PMASA-2014-18 XSS vulnerability in redirection mechanism
http://www.phpmyadmin.net/home_page/security/PMASA-2014-18.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9219

+ PMASA-2014-17 DoS vulnerability with long passwords
http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9218

+ Citrix XenServer Multiple Security Updates
http://support.citrix.com/article/CTX200288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8866
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1666

+ Linux Kernel XFS Hash Collision Lets Local Users Deny Service
http://www.securitytracker.com/id/1031281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7283

+ Linux Kernel ftrace Subsystem Memory Access Flaw Lets Local Users Deny Service
http://www.securitytracker.com/id/1031280
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7826

+ Linux Kernel Perf Subsystem Memory Access Flaw Lets Local Users Deny Service
http://www.securitytracker.com/id/1031279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7825

+ SA60037 Linux Kernel Capabilities Manipulation Security Issue
http://secunia.com/advisories/60037/

+ SA60925 Opera Multiple Vulnerabilities
http://secunia.com/advisories/60925/

+ SA62240 Hitachi Multiple Products USB Storage Device Write Access Security Bypass Vulnerability
http://secunia.com/advisories/62240/

+ Google Document Embedder 2.5.16 mysql_real_escpae_string bypass SQL Injection
http://cxsecurity.com/issue/WLB-2014120022

+ phpMyAdmin CVE-2014-9219 Cross Site Scripting Vulnerability
http://www.securityfocus.com/bid/71435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9219

+ phpMyAdmin Long Password Handling Denial of Service Vulnerability
http://www.securityfocus.com/bid/71434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9218

JVNDB-2014-000142 SQL injection vulnerability in DBD::PgPP
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000142.html

UPDATE: JVNVU#98283300 Vulnerability in the SSLv3 protocol allowing encrypted data to be decrypted (POODLE attack)
http://jvn.jp/vu/JVNVU98283300/

McAfee announces an Android smartphone app that blocks scam and nuisance calls
http://itpro.nikkeibp.co.jp/atcl/news/14/120302112/?ST=security

Wednesday, December 3, 2014

Wednesday the 3rd, Senbu

+ RHSA-2014:1919 Critical: firefox security update
https://rhn.redhat.com/errata/RHSA-2014-1919.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594

+ RHSA-2014:1948 Important: nss, nss-util, and nss-softokn security, bug fix, and enhancement update
https://rhn.redhat.com/errata/RHSA-2014-1948.html

+ RHSA-2014:1924 Important: thunderbird security update
https://rhn.redhat.com/errata/RHSA-2014-1924.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594

+ RHSA-2014:1919 Critical: firefox security update
https://access.redhat.com/errata/RHSA-2014:1919
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594

+ RHSA-2014:1948 Important: nss, nss-util, and nss-softokn security, bug fix, and enhancement update
https://access.redhat.com/errata/RHSA-2014:1948

+ nginx 1.7.8 released
http://nginx.org/en/download.html

+ VMware Player 7.0 released
https://www.vmware.com/support/player/doc/player-70-release-notes.html

+ Linux kernel 3.4.105 released
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.4.105

+ OpenVPN Control Channel Packet Processing Flaw Lets Remote Authenticated Users Deny Service
http://www.securitytracker.com/id/1031277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104

+ LOCAL: Mac OS X IOKit Keyboard Driver Root Privilege Escalation
http://www.exploit-db.com/exploits/35440

+ OpenSSH ~/.k5users (RedHat 7) log in as another user
http://cxsecurity.com/issue/WLB-2014120018

+ Mac OS X IOKit Keyboard Driver Root Privilege Escalation
http://cxsecurity.com/issue/WLB-2014120014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4404

+ SA62628 OpenVPN / OpenVPN Access Server Control Channel Packet Assertion Denial of Service Vulnerability
http://secunia.com/advisories/62628/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104

+ SA60587 Oracle MySQL OpenSSL Multiple Vulnerabilities
http://secunia.com/advisories/60587/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3513
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3568

+ SA62491 GNU gettext "get_string()" Integer Overflow Vulnerability
http://secunia.com/advisories/62491/

+ OpenVPN CVE-2014-8104 Denial of Service Vulnerability
http://www.securityfocus.com/bid/71402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104

+ Kingsoft Office CVE-2014-2271 Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/71381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2271

+ Multiple FUJITSU Products CVE-2014-7253 Unspecified OS Command Injection Vulnerability
http://www.securityfocus.com/bid/71414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7253

+ ARROWS Me F-11D CVE-2014-7254 Local Information Disclosure Vulnerability
http://www.securityfocus.com/bid/71411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7254

+ WhatsApp Denial of Service Vulnerability
http://www.securityfocus.com/bid/71410

UPDATE: JVNDB-2014-000140 Improper access restriction vulnerability in LG Electronics mobile access routers
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000140.html

UPDATE: JVNDB-2014-000139 Vulnerability in ARROWS Me F-11D allowing access to arbitrary memory areas
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000139.html

UPDATE: JVNDB-2014-000138 OS command injection vulnerability in multiple Fujitsu Android devices
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000138.html

JVNDB-2014-000137 Multiple data validation flaws in the Syslink driver for Texas Instruments OMAP mobile processors
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000137.html

The sleepless city of the "social new breed"? What are teenagers thinking?
"Air replies" let users say whatever they like from a safe distance, damaging relationships and even leading to disciplinary action
http://itpro.nikkeibp.co.jp/atcl/column/14/537662/112800019/?ST=security

The remaining risks of "domain name hijacking" attacks: how should companies respond?
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/120200120/?ST=security

Benesse solicits 300 voluntary retirements, halving staff in indirect departments
http://itpro.nikkeibp.co.jp/atcl/news/14/120202096/?ST=security

"Sending sexy videos is the same as publishing them on the internet," IPA warns
http://itpro.nikkeibp.co.jp/atcl/news/14/120202084/?ST=security

Intel acquires password manager PasswordBox, strengthening its security business
http://itpro.nikkeibp.co.jp/atcl/news/14/120202083/?ST=security

REMOTE: Tincd Post-Authentication Remote TCP Stack Buffer Overflow
http://www.exploit-db.com/exploits/35441

Tuesday, December 2, 2014

Tuesday the 2nd, Tomobiki

+ Mozilla Firefox 34.0.5 released
https://www.mozilla.org/en-US/firefox/34.0.5/releasenotes/

+ Mozilla Thunderbird 31.3 released
https://www.mozilla.org/ja/security/known-vulnerabilities/thunderbird/

+ MFSA-2014-90 Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory
https://www.mozilla.org/ja/security/advisories/mfsa2014-90/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1595

+ MFSA-2014-89 Bad casting from the BasicThebesLayer to BasicContainerLayer
https://www.mozilla.org/ja/security/advisories/mfsa2014-89/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594

+ MFSA-2014-88 Buffer overflow while parsing media content
https://www.mozilla.org/ja/security/advisories/mfsa2014-88/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593

+ MFSA-2014-87 Use-after-free during HTML5 parsing
https://www.mozilla.org/ja/security/advisories/mfsa2014-87/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592

+ MFSA-2014-86 CSP leaks redirect data via violation reports
https://www.mozilla.org/ja/security/advisories/mfsa2014-86/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1591

+ MFSA-2014-85 XMLHttpRequest crashes with some input streams
https://www.mozilla.org/ja/security/advisories/mfsa2014-85/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590

+ MFSA-2014-84 XBL bindings accessible via improper CSS declarations
https://www.mozilla.org/ja/security/advisories/mfsa2014-84/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1589

+ MFSA-2014-83 Miscellaneous memory safety hazards (rv:34.0 / rv:31.3)
https://www.mozilla.org/ja/security/advisories/mfsa2014-83/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1588

+ CESA-2014:1912 Moderate CentOS 7 ruby Security Update
http://lwn.net/Alerts/623853/

+ CESA-2014:1911 Moderate CentOS 6 ruby Security Update
http://lwn.net/Alerts/623852/

+ MySQL 5.6.22 released
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-22.html

+ Samba 4.1.14 Available for Download
http://samba.org/samba/history/samba-4.1.14.html

JVNDB-2014-000136 Denial-of-service (DoS) vulnerability in SEIL series routers
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000136.html

JVNDB-2014-000135 Denial-of-service (DoS) vulnerability in SEIL series routers
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000135.html

US-based Capy begins offering avatar CAPTCHA, using complex puzzles to deter credential list attacks
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/120100118/?ST=security

Trend Micro launches a home security service that protects family devices with no limit on device count
http://itpro.nikkeibp.co.jp/atcl/news/14/120102071/?ST=security

Cyberattack on Sony Pictures: North Korea possibly involved
http://itpro.nikkeibp.co.jp/atcl/news/14/120102067/?ST=security

Monday, December 1, 2014

Monday the 1st, Sensho

+ phpMyAdmin 4.2.13 is released
http://sourceforge.net/p/phpmyadmin/news/2014/11/phpmyadmin-4213-is-released/

+ HPSBGN03209 rev.1 - HP Application Lifecycle Management running SSLv3, Remote Disclosure of Information
https://h20565.www2.hp.com/hpsc/doc/public/display?calledBy=&docId=emr_na-c04509419&docLocale=ja_JP

+ MySQL 5.5.41 released
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-41.html

+ SA62353 JustSystems Multiple Products Unspecified Code Execution Vulnerability
http://secunia.com/advisories/62353/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7247

+ MantisBT filter API PHP Object Injection
http://cxsecurity.com/issue/WLB-2014110208

+ glibc command execution in wordexp() with WRDE_NOCMD specified
http://cxsecurity.com/issue/WLB-2014110152
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817

JVNDB-2014-000141 XML external entity (XXE) processing vulnerability in FAST/TOOLS
http://jvndb.jvn.jp/ja/contents/2014/JVNDB-2014-000141.html

From the World's Security Labs
"Darkhotel": the threat targeting executives staying at hotels
http://itpro.nikkeibp.co.jp/atcl/column/14/264220/112700021/?ST=security

Vulnerability information worth checking <2014.12.1>
http://itpro.nikkeibp.co.jp/atcl/column/14/268561/112600030/?ST=security

Hitachi Solutions renews the Hibun concept: "don't let it out," "don't show it," "don't let it go"
http://itpro.nikkeibp.co.jp/atcl/news/14/112802061/?ST=security

LOCAL: CCH Wolters Kluwer PFX Engagement <= 7.1 - Local Privilege Escalation
http://www.exploit-db.com/exploits/35395