Monday, February 29, 2016

Monday the 29th, butsumetsu

+ Zabbix 3.0.1 released
http://www.zabbix.com/rn3.0.1.php

+ Wireshark 2.0.2, 1.12.10 released
https://www.wireshark.org/docs/relnotes/wireshark-2.0.2.html
https://www.wireshark.org/docs/relnotes/wireshark-1.12.10.html

+ UPDATE: Vulnerability in GNU glibc Affecting Cisco Products: February 2016
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc

+ Linux kernel 3.12.55, 3.2.78 released
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.55
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.78

+ Nmap 7.00 Released
https://nmap.org/7/

+ Wireshark Multiple Dissector/Parser Bugs Let Remote Users Deny Service and Let Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1035118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2524
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2525
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2532

+ Symantec Endpoint Protection 12.1.4013 Denial Of Service
https://cxsecurity.com/issue/WLB-2016010045

+ Linux Kernel USERNS Issues
https://cxsecurity.com/issue/WLB-2016020225

+ IBM Lotus Domino <= R8 Password Hash Extraction Exploit
https://cxsecurity.com/issue/WLB-2016020218
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2428

Nobuhiro Tsuji's Behind-the-Scenes Security Casebook
Was "GHOST" not dangerous after all!? How to evaluate vulnerability information
http://itpro.nikkeibp.co.jp/atcl/column/16/012900025/022500001/?ST=security

Pro Tips in One Minute [Security Edition]
Decide on patch application based on actual conditions
http://itpro.nikkeibp.co.jp/atcl/column/16/022200041/022200001/?ST=security

Apple formally files motion against court order to unlock the iPhone
http://itpro.nikkeibp.co.jp/atcl/news/16/022600587/?ST=security

JVNVU#92717873 Multiple vulnerabilities in QNAP Signage Station and iArtist Lite
http://jvn.jp/vu/JVNVU92717873/index.html

Friday, February 26, 2016

Friday the 26th, senshō

+ About the security content of Apple TV 7.2.1
https://support.apple.com/ja-jp/HT205795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3806
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3805
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3804
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5756
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5758
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3766
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5757
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3807
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6685
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3660
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3732
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3733
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3734
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3737
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3739
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3740
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3744
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3752
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3751

+ About the security content of tvOS 9.1.1
https://support.apple.com/ja-jp/HT205729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1717
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1719
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1727

+ UPDATE: Vulnerability in GNU glibc Affecting Cisco Products: February 2016
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ UPDATE: Vulnerability in Java Deserialization Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

+ UPDATE: Cisco Unified Computing System Manager and Cisco Firepower 9000 Remote Command Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160120-ucsm

+ Linux kernel 4.4.3, 3.14.62, 3.10.98 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.3
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.62
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.98

+ Postfix 3.1 Patchlevel 0 released
http://mirror.postfix.jp/postfix-release/official/postfix-3.1.0.HISTORY

VU#444472 QNAP Signage Station and iArtist Lite contain multiple vulnerabilities
https://www.kb.cert.org/vuls/id/444472

JVNVU#99797968 Wireless input devices such as keyboards and mice use an insecure proprietary communication protocol
http://jvn.jp/vu/JVNVU99797968/

Putting a stop to using personal LINE for work
[4] Why Wantedly launched the business chat "Sync"
http://itpro.nikkeibp.co.jp/atcl/column/16/021800038/021800004/?ST=security

Thursday, February 25, 2016

Thursday the 25th, shakkō

+ nginx 1.9.12 released
http://nginx.org/

+ squid 3.5.15 released
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.15-RELEASENOTES.html

+ UPDATE: Vulnerability in GNU glibc Affecting Cisco Products: February 2016
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc

+ Cisco FirePOWER Management Center Unauthenticated Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160224-fmc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1342

+ Cisco ACE 4710 Application Control Engine Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160224-ace
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1297

+ Cisco Nexus 2000 Series Fabric Extender Software Default Credential Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160223-nx2000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1341

+ Samba 4.3.5 Available for Download
https://www.samba.org/samba/history/samba-4.3.5.html

+ UPDATE: JVNVU#97236594 Buffer overflow vulnerability in glibc
http://jvn.jp/vu/JVNVU97236594/

+ JVNVU#94679988 Updates for multiple vulnerabilities in Apache Tomcat
http://jvn.jp/vu/JVNVU94679988/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763

+ Squid HTTP Response Processing Bugs Let Remote Users Deny Service to Proxy Client Users
http://www.securitytracker.com/id/1035101

+ Linux Kernel Double-Free Memory Error in usb-midi Driver Lets Physically Local Users Crash the System or Execute Arbitrary Code
http://www.securitytracker.com/id/1035072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2384

+ Apache Tomcat Bugs Let Remote Users Bypass Security Restrictions, Hijack Sessions, and Obtain Potentially Sensitive Information
http://www.securitytracker.com/id/1035069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763

+ Apache Tomcat 9.0.0.M1 Security Manager Persistence Bypass
https://cxsecurity.com/issue/WLB-2016020190
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714

+ Apache Tomcat 8.0.26 Limited Directory Traversal
https://cxsecurity.com/issue/WLB-2016020188
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174

+ Apache Tomcat 9.0.0.M1 Security Manager StatusManagerServlet Bypass
https://cxsecurity.com/issue/WLB-2016020189
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706

+ Apache Tomcat 9.0.0.M2 CSRF Token Leak
https://cxsecurity.com/issue/WLB-2016020187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351

VU#981271 Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol
https://www.kb.cert.org/vuls/id/981271

Noriko Takiguchi's Silicon Valley Report
The Apple vs. FBI "unlock dispute" splits US public opinion down the middle
http://itpro.nikkeibp.co.jp/atcl/column/15/060200138/022400038/?ST=security

Humming Heads releases a packaged version of its whitelist-based anti-cyberattack software
http://itpro.nikkeibp.co.jp/atcl/news/16/022400566/?ST=security

iPhone unlock issue: UK newspaper reports "Bill Gates supports the US government"
http://itpro.nikkeibp.co.jp/atcl/news/16/022400552/?ST=security

Putting a stop to using personal LINE for work
[2] What is "Slack", the tool that captivates engineers?
http://itpro.nikkeibp.co.jp/atcl/column/16/021800038/021800003/?ST=security

BIGLOBE offers targeted-attack countermeasures for SMBs, providing a sandbox in the cloud
http://itpro.nikkeibp.co.jp/atcl/news/16/022300548/?ST=security

NEC ships an appliance that prevents malware infection from web browsing
http://itpro.nikkeibp.co.jp/atcl/news/16/022300541/?ST=security

Apple proposes that the government withdraw its order and set up a commission on the iPhone unlock issue
http://itpro.nikkeibp.co.jp/atcl/news/16/022300536/?ST=security

JVNVU#91895172 Buffer overflow vulnerability in FlexNet Publisher lmgrd
http://jvn.jp/vu/JVNVU91895172/

Tuesday, February 23, 2016

Tuesday the 23rd, butsumetsu

+ phpMyAdmin 4.5.5 released
https://www.phpmyadmin.net/news/2016/2/22/phpmyadmin-455-released/

+ UPDATE: Vulnerability in GNU glibc Affecting Cisco Products: February 2016
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ VMSA-2016-0002 VMware product updates address a critical glibc security vulnerability
http://www.vmware.com/security/advisories/VMSA-2016-0002.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

+ glibc 2.23 released
https://www.sourceware.org/ml/libc-alpha/2016-02/msg00502.html

+ Postfix 3.0.4 released
http://www.postfix.org/announcements/postfix-3.0.4.html
http://mirror.postfix.jp/postfix-release/official/postfix-3.0.4.HISTORY

+ PostgreSQL JDBC driver 9.4-1208 released
http://www.postgresql.org/about/news/1649/
https://jdbc.postgresql.org/documentation/changelog.html#version_9.4-1208

+ Sysstat 11.2.1.1 released (stable version)
http://sebastien.godard.pagesperso-orange.fr/

+ UPDATE: JVNVU#97236594 Buffer overflow vulnerability in glibc
http://jvn.jp/vu/JVNVU97236594/

+ UPDATE: JVNVU#95668716 Vulnerability in OpenSSL's DH protocol handling
http://jvn.jp/vu/JVNVU95668716/

VU#485744 Flexera Software FlexNet Publisher lmgrd contains a buffer overflow vulnerability
https://www.kb.cert.org/vuls/id/485744

JVNDB-2016-000031 Cross-site scripting vulnerability in Log-Chat
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000031.html

Reporter's Eye
Too much left to the capable employee? The biggest problem in the Sakai City leak of 680,000 personal records
http://itpro.nikkeibp.co.jp/atcl/watcher/14/334361/021900491/?ST=security

Fuji Soft launches an online fraud prevention service for e-commerce sites, identifying fraudulent users in the cloud
http://itpro.nikkeibp.co.jp/atcl/news/16/022200531/?ST=security

Monday, February 22, 2016

Monday the 22nd, senbu

+ CESA-2016:0258 Important CentOS 5 thunderbird Security Update
http://lwn.net/Alerts/676453/

+ CESA-2016:0258 Important CentOS 6 thunderbird Security Update
http://lwn.net/Alerts/676452/

+ CESA-2016:0258 Important CentOS 7 thunderbird Security Update
http://lwn.net/Alerts/676451/

+ UPDATE: Vulnerability in GNU glibc Affecting Cisco Products: February 2016
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ UPDATE: Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd

+ Check Point response to ZoneAlarm DLL injection
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk110055&src=securityAlerts

+ Linux kernel 4.3.6, 3.10.97 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.6
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.97

+ HS16-007 Server-Side Request Forgery (SSRF) Vulnerability in Hitachi Command Suite
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS16-007/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5255

+ HS16-006 Remote File Inclusion Vulnerability in Hitachi Command Suite
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS16-006/index.html

+ HS16-007 SSRF vulnerability in Hitachi Command Suite products (Japanese-language advisory)
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS16-007/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5255

+ HS16-006 Issue allowing external files to be loaded into the browser in Hitachi Command Suite products (Japanese-language advisory)
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS16-006/index.html

+ JVNDB-2016-000028 Cross-domain policy bypass vulnerability in Internet Explorer
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000028.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0069

+ UPDATE: JVNVU#97236594 Buffer overflow vulnerability in glibc
http://jvn.jp/vu/JVNVU97236594/index.html

+ Symantec Encryption Management Server Bugs Let Remote and Local Users Gain Elevated Privileges and Remote Users Deny Service and Obtain Potentially Sensitive Information
http://www.securitytracker.com/id/1035063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8148
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8151

JVNDB-2016-000029 Denial-of-service (DoS) vulnerability in LINE for Windows and Mac OS
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000029.html

JVNDB-2016-000027 SQL injection vulnerability in the "Help Function Plugin" for EC-CUBE
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000027.html

JVNDB-2016-000030 OS command injection vulnerability in baserCMS
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000030.html

Pro Tips in One Minute [Network Design & Operations Edition]
Hook-and-loop straps or cable ties: which should you use to bundle LAN cables?
http://itpro.nikkeibp.co.jp/atcl/column/16/020400029/020500010/?ST=security

JVNVU#99757346 HTTP header injection vulnerability in the Android Platform URLConnection class
http://jvn.jp/vu/JVNVU99757346/index.html

Friday, February 19, 2016

Friday the 19th, shakkō

+ RHSA-2016:0258 Important: thunderbird security update
https://rhn.redhat.com/errata/RHSA-2016-0258.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1930
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1935

+ Google Chrome 48.0.2564.116 released
http://googlechromereleases.blogspot.jp/2016/02/stable-channel-update_18.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1629

+ Cisco ASR 5000 Series StarOS SSH Subsystem Privilege Escalation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-asr
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1335

+ UPDATE: Vulnerability in Java Deserialization Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

+ Vulnerability in GNU glibc Affecting Cisco Products: February 2016
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

+ UPDATE: Cisco WebEx Meetings Server Multiple Cross-Site Scripting Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160202-wms

+ SYM16-002 Security Advisories Relating to Symantec Products - Symantec Encryption Management Server Multiple Security Issues
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160218_00
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8148

+ UPDATE: JVNVU#97236594 Buffer overflow vulnerability in glibc
http://jvn.jp/vu/JVNVU97236594/index.html

+ Squid SSL Handshake Error Processing Flaw Lets Remote Users Deny Service
http://www.securitytracker.com/id/1035045
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2390

Postgres-XL 9.5 R1 Beta1 Announced
http://www.postgresql.org/about/news/1648/

Pro Tips in One Minute [Network Design & Operations Edition]
Stable firmware for switches, latest firmware for security appliances
http://itpro.nikkeibp.co.jp/atcl/column/16/020400029/020500009/?ST=security

News & Trend
For the third straight year, 80% of companies are short of security staff: NRI Secure survey
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/021800448/?ST=security

Keep Your Secrets Safe: LINE Security
[5] Asking LINE about "balancing usability and security"
http://itpro.nikkeibp.co.jp/atcl/column/16/021000034/021000006/?ST=security

US Department of Defense to upgrade 4 million devices to Windows 10
http://itpro.nikkeibp.co.jp/atcl/news/16/021800500/?ST=security

Apple refuses court order to unlock an iPhone in the mass shooting investigation
http://itpro.nikkeibp.co.jp/atcl/news/16/021800495/?ST=security

JVNVU#99656630 Multiple vulnerabilities in Swann NVW-470
http://jvn.jp/vu/JVNVU99656630/index.html

JVNVU#90746018 Hard-coded password in digital video recorders using firmware derived from Zhuhai RaySharp
http://jvn.jp/vu/JVNVU90746018/index.html

Thursday, February 18, 2016

Thursday the 18th, taian

+ Selenium Standard Server 2.52.0 released
http://docs.seleniumhq.org/download/

+ Selenium IE Driver Server 2.52.0 released
https://raw.githubusercontent.com/SeleniumHQ/selenium/master/cpp/iedriverserver/CHANGELOG

+ Selenium Client & WebDriver 2.52.0 released
https://raw.githubusercontent.com/SeleniumHQ/selenium/master/java/CHANGELOG

+ CESA-2016:0185 Important CentOS 7 kernel Security Update
http://lwn.net/Alerts/676015/

+ CESA-2016:0175 Critical CentOS 6 glibc Security Update
http://lwn.net/Alerts/676013/

+ CESA-2016:0204 Important CentOS 7 389-ds-base Security Update
http://lwn.net/Alerts/676009/

+ CESA-2016:0197 Critical CentOS 5 firefox Security Update
http://lwn.net/Alerts/676010/

+ CESA-2016:0197 Critical CentOS 7 firefox Security Update
http://lwn.net/Alerts/676012/

+ CESA-2016:0176 Critical CentOS 7 glibc Security Update
http://lwn.net/Alerts/676014/

+ CESA-2016:0188 Moderate CentOS 7 sos Security Update
http://lwn.net/Alerts/676017/

+ CESA-2016:0197 Critical CentOS 6 firefox Security Update
http://lwn.net/Alerts/676011/

+ CESA-2016:0189 Moderate CentOS 7 polkit Security Update
http://lwn.net/Alerts/676016/

+ VU#457759 glibc vulnerable to stack buffer overflow in DNS resolver
https://www.kb.cert.org/vuls/id/457759
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

+ Linux kernel 4.4.2, 3.14.61 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.2
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.61

+ Apache Tomcat 7.0.68 Released
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

+ [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow
https://www.sourceware.org/ml/libc-alpha/2016-02/msg00416.html

+ JVNVU#97236594 Buffer overflow vulnerability in glibc
http://jvn.jp/vu/JVNVU97236594/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

+ LibreOffice LWP File Processing Flaw Lets Remote Users Execute Arbitrary Code
http://www.securitytracker.com/id/1035022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0794
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0795

+ glibc - getaddrinfo Stack-Based Buffer Overflow
https://cxsecurity.com/issue/WLB-2016020159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
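The glibc entries above (VU#457759, the libc-alpha patch, JVNVU#97236594 and the getaddrinfo() stack-based buffer overflow write-up) all concern CVE-2015-7547. Upstream fixed it in glibc 2.23, while enterprise distributions shipped the fix as a backport to their older glibc packages (RHSA-2016:0175 and RHSA-2016:0176, and the corresponding CESA entries, on this page), so comparing the version number alone gives false positives on those hosts. The following is an added example, not code from any of the linked advisories or from the glibc project: a Python check that classifies a host from the first line of `ldd --version` and, on RPM-based systems, from the glibc package changelog. The sample command outputs and the changelog excerpt are constructed for illustration; the package version and maintainer in the excerpt are placeholders, not a real vendor changelog.

```python
import re

# CVE-2015-7547 (glibc getaddrinfo() stack-based buffer overflow) is fixed
# upstream in glibc 2.23; older vendor branches carry it as a backported patch.
CVE_ID = "CVE-2015-7547"
FIXED_UPSTREAM = (2, 23)

# Constructed sample output of `ldd --version` (not captured from a real host).
SAMPLE_LDD_OLD = "ldd (GNU libc) 2.17\nCopyright (C) 2012 Free Software Foundation, Inc.\n"
SAMPLE_LDD_NEW = "ldd (GNU libc) 2.23\nCopyright (C) 2016 Free Software Foundation, Inc.\n"
SAMPLE_LDD_GARBAGE = "bash: ldd: command not found\n"

# Constructed excerpt in the shape of `rpm -q --changelog glibc`; the package
# version and maintainer are placeholders, not a real vendor changelog.
SAMPLE_CHANGELOG_BACKPORT = """\
* Tue Feb 16 2016 Example Packager <packager@example.invalid> - 2.17-0.example
- Fix stack-based buffer overflow in getaddrinfo() (CVE-2015-7547)
* Mon Jan 11 2016 Example Packager <packager@example.invalid> - 2.17-0.example
- Rebuild
"""

# First line of `ldd --version` looks like "ldd (GNU libc) 2.17" or
# "ldd (Ubuntu GLIBC 2.19-0ubuntu6.6) 2.19"; the version follows the parenthesis.
LDD_VERSION_RE = re.compile(r"^ldd \(.*?\) (\d+)\.(\d+)")


def parse_glibc_version(ldd_output: str):
    """Return (major, minor) parsed from `ldd --version` output, or None if unparseable."""
    first_line = ldd_output.splitlines()[0] if ldd_output.strip() else ""
    match = LDD_VERSION_RE.match(first_line)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def changelog_mentions_cve(changelog: str, cve_id: str = CVE_ID) -> bool:
    """True if the vendor package changelog references the CVE, i.e. a backported fix.

    The negative lookahead stops CVE-2015-7547 from matching a longer id such as
    CVE-2015-75470.
    """
    return re.search(re.escape(cve_id) + r"(?!\d)", changelog) is not None


def assess_glibc(ldd_output: str, changelog: str = "") -> str:
    """Classify a host as patched-upstream, patched-backport, vulnerable or unknown."""
    version = parse_glibc_version(ldd_output)
    if version is None:
        return "unknown"          # not glibc, or ldd missing: decide by other means
    if version >= FIXED_UPSTREAM:
        return "patched-upstream"  # 2.23 or later contains the upstream fix
    if changelog_mentions_cve(changelog):
        return "patched-backport"  # older version, but the vendor backported the fix
    return "vulnerable"


if __name__ == "__main__":
    # Run on the host itself; rpm is absent on non-RPM systems, which is tolerated.
    import subprocess

    def run(cmd):
        try:
            return subprocess.run(cmd, capture_output=True, text=True).stdout
        except OSError:
            return ""

    print(assess_glibc(run(["ldd", "--version"]), run(["rpm", "-q", "--changelog", "glibc"])))
```

Two caveats for anyone running this on real hosts. The result describes the installed package, not running processes: every process that was started before the update still has the old libc mapped, so restart network-facing services or reboot after patching. And the changelog lookup covers only RPM-based systems; Debian-based systems would need the apt changelog instead, and hosts with a different C library (musl) come back as "unknown" rather than being silently reported as safe.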

VU#899080 Zhuhai Raysharp firmware for DVRs from multiple vendors contains hard-coded credentials
https://www.kb.cert.org/vuls/id/899080

VU#923388 Swann SRNVW-470 allows unauthorized access to video stream and contains a hard-coded password
https://www.kb.cert.org/vuls/id/923388

JVNVU#99862126 Hirschmann Classic Platform switches leak the administrator password through the SNMP community name
http://jvn.jp/vu/JVNVU99862126/

Vulnerability information worth checking <2016.02.18>
http://itpro.nikkeibp.co.jp/atcl/column/14/268561/021000100/?ST=security

[Part 4] IoT devices connected directly to the Internet (second half)
http://itpro.nikkeibp.co.jp/atcl/column/16/020200028/020200004/?ST=security

Keep Your Secrets Safe: LINE Security
[4] The risk of LINE conversations leaking via "friends"
http://itpro.nikkeibp.co.jp/atcl/column/16/021000034/021000005/?ST=security

Wednesday, February 17, 2016

Wednesday the 17th, butsumetsu

+ RHSA-2016:0197 Critical: firefox security update
https://rhn.redhat.com/errata/RHSA-2016-0197.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523

+ RHSA-2016:0175 Critical: glibc security and bug fix update
https://rhn.redhat.com/errata/RHSA-2016-0175.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

+ RHSA-2016:0188 Moderate: sos security and bug fix update
https://rhn.redhat.com/errata/RHSA-2016-0188.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7529

+ RHSA-2016:0204 Important: 389-ds-base security and bug fix update
https://rhn.redhat.com/errata/RHSA-2016-0204.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0741

+ RHSA-2016:0176 Critical: glibc security and bug fix update
https://rhn.redhat.com/errata/RHSA-2016-0176.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5229
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

+ RHSA-2016:0189 Moderate: polkit security update
https://rhn.redhat.com/errata/RHSA-2016-0189.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3256

+ RHSA-2016:0185 Important: kernel security and bug fix update
https://rhn.redhat.com/errata/RHSA-2016-0185.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5157
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7872

+ Zabbix 3.0.0 released
http://www.zabbix.com/rn3.0.0.php

+ squid 3.5.14 released
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.14-RELEASENOTES.html

+ UPDATE: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

+ Cisco 1000 Series Connected Grid Routers SNMP BRIDGE MIB Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160216-grid

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ Cisco Small Business 500 Series Wireless Access Point Configuration Modification Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160216-wap

+ Linux kernel 4.1.18, 3.18.27 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.18
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.18.27

+ Glibc getaddrinfo() Stack Overflow Lets Remote or Local Users Execute Arbitrary Code
http://www.securitytracker.com/id/1035020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

+ Mozilla Firefox libgraphite Font Processing Flaw Lets Remote Users Execute Arbitrary Code
http://www.securitytracker.com/id/1035017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523

+ Windows Kerberos Security Feature Bypass (MS16-014)
https://cxsecurity.com/issue/WLB-2016020155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0049

+ Microsoft Windows - AFD.SYS Dangling Pointer Privilege Escalation MS14-040
https://cxsecurity.com/issue/WLB-2016020154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1767

+ Ntpd ntp-4.2.6p5 ctl_putdata() Buffer Overflow
https://cxsecurity.com/issue/WLB-2016020152

+ Microsoft Internet Explorer Type Confusion
https://cxsecurity.com/issue/WLB-2016020145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0063

VU#507216 Hirschmann "Classic Platform" switches reveal administrator password in SNMP community string by default
https://www.kb.cert.org/vuls/id/507216

Understanding New Threats and Countermeasures in the IoT Era through Case Studies
[Part 3] IoT devices connected directly to the Internet (first half)
http://itpro.nikkeibp.co.jp/atcl/column/16/020200028/020200003/?ST=security

Is there an opportunity in end-of-life planning x IT?
Emerging end-of-life planning services build a revenue structure by involving other industries, not just IT
http://itpro.nikkeibp.co.jp/atcl/column/16/021000035/021200003/?ST=security

Keep Your Secrets Safe: LINE Security
[3] Can LINE on an iPhone be "cloned"?
http://itpro.nikkeibp.co.jp/atcl/column/16/021000034/021000004/?ST=security

Fuji Electric and IBM Japan partner, taking the lead in the roughly 140 billion yen "municipal security market"
http://itpro.nikkeibp.co.jp/atcl/news/16/021600481/?ST=security

Hitachi Information & Telecommunication Engineering strengthens the security of its IC card authentication product for My Number compliance
http://itpro.nikkeibp.co.jp/atcl/news/16/021600476/?ST=security

Tuesday, February 16, 2016

Tuesday the 16th, senbu

+ Mozilla Thunderbird 38.6.0 released
https://www.mozilla.org/en-US/thunderbird/38.6.0/releasenotes/

+ Cisco IOS Software for Cisco Industrial Ethernet 2000 Series Switches Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160215-ie2000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1330

+ Cisco Emergency Responder Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160215-er
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1331

+ Linux kernel 3.12.54 released
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.54

+ UPDATE: Oracle Critical Patch Update Advisory - January 2016
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

PGConf US 2016 Schedule Posted; Registration Open
http://www.postgresql.org/about/news/1646/

JVNDB-2016-000026 Cross-site scripting vulnerability in Cybozu Office
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000026.html

JVNDB-2016-000025 Open redirect vulnerability in Cybozu Office
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000025.html

JVNDB-2016-000024 Cross-site request forgery vulnerability in Cybozu Office
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000024.html

JVNDB-2016-000023 Access restriction bypass vulnerability in Cybozu Office
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000023.html

JVNDB-2016-000022 Information disclosure vulnerability in Cybozu Office
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000022.html

JVNDB-2016-000021 Information disclosure vulnerability in Cybozu Office
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000021.html

JVNDB-2016-000020 Denial-of-service (DoS) vulnerability in Cybozu Office
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000020.html

Is there an opportunity in end-of-life planning x IT?
"Our projections were naive": where did the end-of-life planning IT services that withdrew go wrong?
http://itpro.nikkeibp.co.jp/atcl/column/16/021000035/021200002/?ST=security

Sea Otter's Eye: The Cybersecurity Front Line
New targeted attacks abusing DNS hit Japan
http://itpro.nikkeibp.co.jp/atcl/column/15/071200172/021000009/?ST=security

Understanding New Threats and Countermeasures in the IoT Era through Case Studies
[Part 2] IoT device security from the "CIA" perspective (second half)
http://itpro.nikkeibp.co.jp/atcl/column/16/020200028/020200002/?ST=security

Keep Your Secrets Safe: LINE Security
[2] How to prevent snooping on LINE on a PC
http://itpro.nikkeibp.co.jp/atcl/column/16/021000034/021000003/?ST=security

Statistics & Surveys
[Data Speaks] Top 10 security threats of 2015: for organizations, "information leaks from targeted attacks" ranks first (IPA)
http://itpro.nikkeibp.co.jp/atcl/news/14/110601779/021500500/?ST=security

Using the My Number card as a loyalty card: a flood of opinions from shopping districts
http://itpro.nikkeibp.co.jp/atcl/news/16/021400446/?ST=security

Monday, February 15, 2016

Monday the 15th, tomobiki

+ UPDATE: APSB16-05 Security updates available for Adobe Experience Manager
https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html

+ Cisco Universal Small Cell Devices Unauthorized Firmware Retrieval Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160212-usc

+ UPDATE: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

+ UPDATE: Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ Linux kernel 3.2.77 released
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.77

+ Apache Tomcat 6.0.45 Released
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

+ Mozilla Firefox Plugin Request Processing Lets Remote Users Bypass Security Restrictions on the Target System
http://www.securitytracker.com/id/1035007

+ PostgreSQL Bugs Let Remote Users Deny Service and Let Remote Authenticated Users Gain Elevated Privileges
http://www.securitytracker.com/id/1035005

+ Microsoft Windows WebDAV BSoD Proof Of Concept
https://cxsecurity.com/issue/WLB-2016020126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0051

PgConf.Russia 2016 is finished
http://www.postgresql.org/about/news/1645/

JVNDB-2016-000019 Improper SSL server certificate validation in the iOS app "Akerun - Smart Lock Robot"
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000019.html

JVNDB-2016-000018 Cross-site scripting vulnerability in Microsoft Producer for Microsoft Office PowerPoint
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000018.html

Noriko Takiguchi's Silicon Valley Report
Successive hacker attacks on US government agencies: beware of "social engineering"
http://itpro.nikkeibp.co.jp/atcl/column/15/060200138/021200035/?ST=security

New threats and countermeasures of the IoT era, explained through case studies
[Part 1] IoT device security from the "CIA" perspective (part one)
http://itpro.nikkeibp.co.jp/atcl/column/16/020200028/020200001/?ST=security

News & Trend
DDoS cyberattacks hitting Japan: is there any countermeasure?
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/020300433/?ST=security

Keep your secrets safe: LINE security
[1] Protect your LINE secrets with "lock"
http://itpro.nikkeibp.co.jp/atcl/column/16/021000034/021000002/?ST=security

News & Trend
"Who attacks, and why": Symantec starts providing attack-source information
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/021100444/?ST=security

JVNVU#90170158 Buffer overflow vulnerability in IKEv1 and IKEv2 processing in Cisco Adaptive Security Appliance (ASA)
http://jvn.jp/vu/JVNVU90170158/

UPDATE: JVN#54686544 Multiple vulnerabilities in HOME SPOT CUBE
http://jvn.jp/jp/JVN54686544/

Friday, February 12, 2016

12th, Friday, Taian

+ Mozilla Firefox 44.0.2 released
https://www.mozilla.org/en-US/firefox/44.0.2/releasenotes/

+ MFSA 2016-14 Vulnerabilities in Graphite 2
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1523

+ MFSA 2016-13 Same-origin-policy violation using Service Workers with plugins
https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1949

+ CESA-2016:0152 Moderate CentOS 6 sos Security Update
http://lwn.net/Alerts/675023/

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ Cisco Advanced Malware Protection and Email Security Appliance Proxy Engine Security Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160211-esaamp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1315

+ Cisco Spark Representational State Transfer Interface Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-sp3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1324

+ Cisco Spark Representational State Transfer Interface Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-sp2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1323

+ Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1287

+ UPDATE: Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl

+ CTX206001 Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates
http://support.citrix.com/article/CTX206001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2072

+ HS16-005 Multiple Vulnerabilities in JP1/Automatic Operation
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS16-005/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5255

+ HS16-005 Multiple vulnerabilities in JP1/Automatic Operation (Japanese version)
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS16-005/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3269
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5255

+ Apache Tomcat 8.0.32 Released
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.32_(markt)

+ 2016-02-11 Security Update Release
http://www.postgresql.org/about/news/1644/

+ PostgreSQL 9.5.1, 9.4.6, 9.3.11, 9.2.15, 9.1.20 released
http://www.postgresql.org/docs/9.5/static/release-9-5-1.html
http://www.postgresql.org/docs/9.4/static/release-9-4-6.html
http://www.postgresql.org/docs/9.3/static/release-9-3-11.html
http://www.postgresql.org/docs/9.2/static/release-9-2-15.html
http://www.postgresql.org/docs/9.1/static/release-9-1-20.html

VU#327976 Cisco Adaptive Security Appliance (ASA) IKEv1 and IKEv2 contains a buffer overflow vulnerability
https://www.kb.cert.org/vuls/id/327976

UPDATE: JVN#48135658 Clickjacking vulnerability in multiple router products
http://jvn.jp/jp/JVN48135658/

Understand a pro's know-how in 1 minute [network design & operations edition]
Loop protection must be on for switches that users can reach
http://itpro.nikkeibp.co.jp/atcl/column/16/020400029/020400004/?ST=security

News & Trend
The "homework" left by the Japan Pension Service incident: can the amended Cybersecurity Basic Act protect government agencies?
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/020900440/?ST=security

Nobuo Hayashi's Long and Winding Mac
The light and dark sides of obtaining a My Number card
http://itpro.nikkeibp.co.jp/atcl/column/15/051100119/020900018/?ST=security

Oracle Japan offers its "Security Risk Assessment" to users free of charge
http://itpro.nikkeibp.co.jp/atcl/news/16/021000421/?ST=security

US government allocates $19 billion to cybersecurity from the FY2017 budget
http://itpro.nikkeibp.co.jp/atcl/news/16/021000420/?ST=security

Wednesday, February 10, 2016

10th, Wednesday, Senbu

+ Microsoft Security Bulletin Summary for February 2016
https://technet.microsoft.com/ja-jp/library/security/ms16-feb

+ MS16-009 - Critical Cumulative Security Update for Internet Explorer (3134220)
https://technet.microsoft.com/library/security/MS16-009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0041
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0069

+ MS16-011 - Critical Cumulative Security Update for Microsoft Edge (3134225)
https://technet.microsoft.com/library/security/MS16-011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0084

+ MS16-012 - Critical Security Update for Microsoft Windows PDF Library to Address Remote Code Execution (3138938)
https://technet.microsoft.com/ja-jp/library/security/ms16-012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0058

+ MS16-013 - Critical Security Update for Windows Journal to Address Remote Code Execution (3134811)
https://technet.microsoft.com/library/security/MS16-013
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0038

+ MS16-014 - Important Security Update for Microsoft Windows to Address Remote Code Execution (3134228)
https://technet.microsoft.com/library/security/MS16-014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0040
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0049

+ MS16-015 - Critical Security Update for Microsoft Office to Address Remote Code Execution (3134226)
https://technet.microsoft.com/library/security/MS16-015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0039

+ MS16-016 - Important Security Update for WebDAV to Address Elevation of Privilege (3136041)
https://technet.microsoft.com/library/security/MS16-016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0051

+ MS16-017 - Important Security Update for Remote Desktop Display Driver to Address Elevation of Privilege (3134700)
https://technet.microsoft.com/library/security/MS16-017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0036

+ MS16-018 - Important Security Update for Windows Kernel-Mode Drivers to Address Elevation of Privilege (3136082)
https://technet.microsoft.com/ja-jp/library/security/ms16-018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0048

+ MS16-019 - Important Security Update for .NET Framework to Address Denial of Service (3137893)
https://technet.microsoft.com/library/security/MS16-019
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0047

+ MS16-020 - Important Security Update for Active Directory Federation Services to Address Denial of Service (3134222)
https://technet.microsoft.com/library/security/MS16-020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0037

+ MS16-021 - Important Security Update for NPS RADIUS Server to Address Denial of Service (3133043)
https://technet.microsoft.com/library/security/MS16-021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0050

+ MS16-022 - Critical Security Update for Adobe Flash Player (3135782)
https://technet.microsoft.com/library/security/MS16-022

+ Microsoft Security Advisory 3137909 Vulnerability in ASP.NET Templates Could Allow Tampering
https://technet.microsoft.com/ja-jp/library/security/3137909

+ UPDATE: Microsoft Security Advisory 2871997 Update to Improve Credentials Protection and Management
https://technet.microsoft.com/ja-jp/library/security/2871997

+ RHSA-2016:0152 Moderate: sos security and bug fix update
https://rhn.redhat.com/errata/RHSA-2016-0152.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7529

+ Google Chrome 48.0.2564.109 released
http://googlechromereleases.blogspot.jp/2016/02/stable-channel-update_9.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1622
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1623
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1627

+ Mozilla Firefox 44.0.1 released
https://www.mozilla.org/en-US/firefox/44.0.1/releasenotes/

+ nginx 1.9.11 released
http://nginx.org/

+ APSB16-07 Security update available for Adobe Connect
https://helpx.adobe.com/security/products/connect/apsb16-07.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0948
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0950

+ APSB16-05 Security updates available for Adobe Experience Manager
https://helpx.adobe.com/security/products/experience-manager/apsb16-05.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0958

+ APSB16-04 Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb16-04.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0964
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0966
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0969
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0972
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0980
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0985

+ APSB16-03 Security updates available for Adobe Photoshop CC and Bridge CC
https://helpx.adobe.com/security/products/photoshop/apsb16-03.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0952
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0953

+ Cisco Prime Collaboration Provisioning Local Privilege Escalation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160209-pcp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1320

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ Check Point response to NTP "panic threshold" Bypass Vulnerability (CVE-2015-5300)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk109942&src=securityAlerts
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300

+ Linux Kernel Bugs in hugetlb_vmtruncate_list() Lets Local Users Cause Denial of Service Conditions on the Target System
http://www.securitytracker.com/id/1034968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0617

News & Trend
Individual Number Card: online applications from a PC or smartphone risk issuing another person's card
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/020800439/?ST=security

The reality of Oracle's newest processor, "SPARC M7"
M7's "SSM" works for both security countermeasures and bug detection
http://itpro.nikkeibp.co.jp/atcl/column/16/020400031/020500003/?ST=security

Eltes launches a service that predicts which employees are likely to commit insider misconduct
http://itpro.nikkeibp.co.jp/atcl/news/16/020900415/?ST=security

Museum of 1980s-90s computer viruses opens on the Internet Archive
http://itpro.nikkeibp.co.jp/atcl/news/16/020900404/?ST=security

Tuesday, February 9, 2016

9th, Tuesday, Tomobiki

+ Android-x86 4.4-r5 released
http://www.android-x86.org/releases/releasenote-4-4-r5

+ Cisco Application Policy Infrastructure Controller Enterprise Module Web Framework Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160208-apic
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1318

+ Cisco Video Communications Server Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160208-vcs
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1316

+ Cisco Unified Products Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160208-ucm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1319

+ Cisco Unified Communications Manager Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-201600208-ucm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1317

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

The reality of Oracle's newest processor, "SPARC M7"
What does the SQL-specific accelerator in M7 actually do?
http://itpro.nikkeibp.co.jp/atcl/column/16/020400031/020500002/?ST=security

Monday, February 8, 2016

8th, Monday, Sensho

+ Selenium Standalone Server 2.51.0 released
http://docs.seleniumhq.org/download/

+ Selenium Client & WebDriver 2.51.0 released
https://raw.githubusercontent.com/SeleniumHQ/selenium/master/java/CHANGELOG

+ Selenium IE Driver Server 2.51.0 released
https://raw.githubusercontent.com/SeleniumHQ/selenium/master/cpp/iedriverserver/CHANGELOG

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ UPDATE: Cisco WebEx Meetings Server Multiple Cross-Site Scripting Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160202-wms

+ Oracle Security Alert for CVE-2016-0603
http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0603

+ Java SE 8u73/8u74 Released
http://www.oracle.com/technetwork/java/javase/8u-relnotes-2225394.html

+ OpenLDAP 2.4.44 released
http://www.openldap.org/software/download/

+ MySQL 5.7.11 released
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-11.html

+ BIND NXDOMAIN Redirection Processing Bug Lets Remote Users Cause the Target Service to Crash
http://www.securitytracker.com/id/1034935
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1284

Vulnerability information worth checking <2016.02.08>
http://itpro.nikkeibp.co.jp/atcl/column/14/268561/020200098/?ST=security

The reality of Oracle's newest processor, "SPARC M7"
The real meaning of "SPARC M7 is a processor with Oracle's heart in it"
http://itpro.nikkeibp.co.jp/atcl/column/16/020400031/020500001/?ST=security

News & Trend
"Windows 7 support on the latest CPUs ends next summer": MS policy change stirs controversy
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/020500437/?ST=security

Easy additional authentication on smartphones: RSA explains where biometric authentication is heading
http://itpro.nikkeibp.co.jp/atcl/news/16/020500383/?ST=security

Apple ordered to pay $625.6 million in damages in VirnetX patent infringement suit
http://itpro.nikkeibp.co.jp/atcl/news/16/020500379/?ST=security

JVNVU#93051628 Comodo Chromodo does not enforce the same-origin policy and uses an outdated version of Chromium
http://jvn.jp/vu/JVNVU93051628/

Friday, February 5, 2016

5th, Friday, Tomobiki

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ UPDATE: Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products - January 2016
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd

+ SYM16-001 Security Advisories Relating to Symantec Products - Symantec DV Certificate Issuance System Improperly Handled Domain Email Address Special Characters
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160204_00
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6553

+ PHP 7.0.3, 5.6.18, 5.5.32 released
http://php.net/ChangeLog-7.php#7.0.3
http://php.net/ChangeLog-5.php#5.6.18
http://php.net/ChangeLog-5.php#5.5.32

+ MySQL 5.6.29, 5.5.48 released
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-29.html
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-48.html

VU#305096 Comodo Chromodo browser does not enforce same origin policy and is based on an outdated version of Chromium
https://www.kb.cert.org/vuls/id/305096

PL/Java 1.5.0-BETA1 announced; security note.
http://www.postgresql.org/about/news/1643/

JVNVU#96743693 Arbitrary file upload and path traversal vulnerabilities in Netgear NMS300
http://jvn.jp/vu/JVNVU96743693/

Noriko Takiguchi's Silicon Valley Report
Could IoT security vulnerabilities serve government surveillance?
http://itpro.nikkeibp.co.jp/atcl/column/15/060200138/020400034/?ST=security

Thursday, February 4, 2016

4th, Thursday, Sensho

+ Google Chrome 48.0.2564.103 released
http://googlechromereleases.blogspot.jp/2016/02/stable-channel-update.html

+ UPDATE: Cisco Jabber STARTTLS Downgrade Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151224-jab

+ UPDATE: Cisco Adaptive Security Appliance Information Disclosure Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160115-asa

+ Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-uc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1310

+ Cisco Jabber Guest Server HTTP Web-Based Management Interface Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-jgs
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1311

+ Cisco Unified Communications Manager SQL Injection Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-ucm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1308

+ Cisco ASA-CX and Cisco Prime Security Manager Privilege Escalation Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-prsm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1301

+ Cisco Application Policy Infrastructure Controller Access Control Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-apic
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1302

+ Cisco Nexus 9000 Series ACI Mode Switch ICMP Record Route Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160203-n9knci
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6398

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ Samba 4.2.8 Available for Download
https://www.samba.org/samba/history/samba-4.2.8.html

+ A Tale of openssl_seal(), PHP, and Apache2handler
https://cxsecurity.com/issue/WLB-2016020027

VU#777024 Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities
https://www.kb.cert.org/vuls/id/777024

Reporter's Eye
Let's stop confronting malware head-on
http://itpro.nikkeibp.co.jp/atcl/watcher/14/334361/020300476/?ST=security

Vulnerability information worth checking <2016.02.04>
http://itpro.nikkeibp.co.jp/atcl/column/14/268561/020200097/?ST=security

LRM launches a service supporting certification for "ISO 27018", the standard for personal data management in the cloud
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/020200431/?ST=security

Cabinet approves the Cybersecurity Basic Act amendment bill; new "Registered Information Security Specialist" qualification to be created
http://itpro.nikkeibp.co.jp/atcl/news/16/020300358/?ST=security

EU and US agree on a data-transfer framework to replace the Safe Harbor agreement
http://itpro.nikkeibp.co.jp/atcl/news/16/020300349/?ST=security

JVNVU#99349751 Fisher-Price Smart Toy web service allows API calls without authentication
http://jvn.jp/vu/JVNVU99349751/index.html

JVNVU#99850969 OpenELEC and RasPlex have a hard-coded root SSH password
http://jvn.jp/vu/JVNVU99850969/index.html

Wednesday, February 3, 2016

3rd, Wednesday, Shakko

+ Opera 35 released
http://www.opera.com/docs/changelogs/unified/3500/

+ phpMyAdmin 4.5.4.1, 4.4.15.4, 4.0.10.14 released
https://www.phpmyadmin.net/news/2016/1/29/phpmyadmin-401014-44154-and-451/

+ Cisco WebEx Meetings Server Multiple Cross-Site Scripting Vulnerabilities
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160202-wms
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1309

+ Cisco Finesse Desktop and Cisco Unified Contact Center Express Applications XMPP Unauthorized Access Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160202-fducce
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1307

+ UPDATE: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl

+ UPDATE: Vulnerability in Java Deserialization Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

+ curl remote file name path traversal in curl tool for Windows
https://cxsecurity.com/issue/WLB-2016020025

+ curl NTLM credentials not-checked for proxy connection re-use
https://cxsecurity.com/issue/WLB-2016020024

VU#544527 OpenELEC and RasPlex have a hard-coded SSH root password
https://www.kb.cert.org/vuls/id/544527

VU#719736 Fisher-Price Smart Toy platform allows some unauthenticated web API commands
https://www.kb.cert.org/vuls/id/719736

Over 180,000 customer records leak from a Yahoo-affiliated FX broker, uploaded from a company-issued PC
http://itpro.nikkeibp.co.jp/atcl/news/16/020200343/?ST=security

UPDATE: JVNVU#92574416 Huawei E5151 and Huawei E5186 use insufficiently random values
http://jvn.jp/vu/JVNVU92574416/

Tuesday, February 2, 2016

2nd, Tuesday, Taian

+ CESA-2016:0083 Important CentOS 7 qemu-kvm Security Update
http://lwn.net/Alerts/674220/

+ CESA-2016:0082 Important CentOS 6 qemu-kvm Security Update
http://lwn.net/Alerts/674219/

+ Cisco Application Policy Infrastructure Controller Enterprise Module Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160201-apic-em
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1305

+ UPDATE: Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl

+ Cisco Fog Director Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160201-fd
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1306

+ UPDATE: JVNVU#95668716 Vulnerability in the OpenSSL DH protocol implementation
http://jvn.jp/vu/JVNVU95668716/

+ UPDATE: JVNVU#96264182 Multiple denial-of-service (DoS) vulnerabilities in ISC BIND 9
http://jvn.jp/vu/JVNVU96264182/index.html

+ MacOS X 10.11 Kernel IOAccelDisplayPipeUserClient2 Use-After-Free
https://cxsecurity.com/issue/WLB-2016020012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7047

+ MacOS X 10.11 IOBluetoothHCIUserClient Arbitrary Kernel Code
https://cxsecurity.com/issue/WLB-2016020011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7108

+ MacOS X 10.11 IOBluetoothHCIPacketLogUserClient Memory Corruption
https://cxsecurity.com/issue/WLB-2016020010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7047

+ MacOS X 10.11 Kernel - IOAccelMemoryInfoUserClient Use-After-Free
https://cxsecurity.com/issue/WLB-2016020009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7047

+ MacOS X 10.11 Kernel - no-more-senders Use-After-Free
https://cxsecurity.com/issue/WLB-2016020008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7047

VU#972224 Huawei Mobile WiFi E5151 and E5186 routers use insufficiently random values for DNS queries
https://www.kb.cert.org/vuls/id/972224

Malware that uses DNS traffic for remote control arrives in Japan; LAC issues an alert
http://itpro.nikkeibp.co.jp/atcl/news/16/020100322/?ST=security

IIJ offers a cloud-based sandbox against targeted attacks covering both email and web
http://itpro.nikkeibp.co.jp/atcl/news/16/020100319/?ST=security

Monday, February 1, 2016

1st, Monday, Butsumetsu

+ Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160129-openssl
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0701

+ Linux kernel 4.4.1, 4.3.5, 4.1.17, 3.14.60, 3.10.96, 2.6.32.70 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.1
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.5
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.17
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.14.60
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.96
https://cdn.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/ChangeLog-2.6.32.70

+ HS16-004 Multiple Vulnerabilities in Cosminexus
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS16-004/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0534
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000

+ HS16-003 Multiple Vulnerabilities in Cosminexus
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS16-003/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494

+ HS16-004 Multiple vulnerabilities in Cosminexus (Japanese version)
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS16-004/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0534
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000

+ HS16-003 Multiple vulnerabilities in Cosminexus (Japanese version)
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS16-003/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494

+ FreeBSD-SA-16:11.openssl OpenSSL SSLv2 ciphersuite downgrade vulnerability
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:11.openssl.asc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197

+ UPDATE: JVNVU#96176042 NTP can be abused as a DDoS amplification reflector
http://jvn.jp/vu/JVNVU96176042/

+ UPDATE: JVNVU#91445763 Multiple vulnerabilities in OpenSSL
http://jvn.jp/vu/JVNVU91445763/

+ UPDATE: JVNVU#95877131 Multiple vulnerabilities in OpenSSL
http://jvn.jp/vu/JVNVU95877131/

+ UPDATE: JVNVU#96605606 Multiple vulnerabilities in the Network Time Protocol daemon (ntpd)
http://jvn.jp/vu/JVNVU96605606/

+ JVNVU#95668716 Vulnerability in the OpenSSL DH protocol implementation
http://jvn.jp/vu/JVNVU95668716/

+ Linux Kernel Initialization Bug in vivid_fb_ioctl() Lets Local Users View Portions of System Memory on the Target System
http://www.securitytracker.com/id/1034893
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7884

+ Linux Kernel Protocol Identifier Bug Lets Local Users Cause Denial of Service Conditions on the Target System
http://www.securitytracker.com/id/1034892
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8543

+ libcurl Lets Remote Users Bypass NTLM Proxy Authentication on the Target System
http://www.securitytracker.com/id/1034882
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755

+ FreeBSD Linux Support issetugid(2) Error Lets Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1034872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1883

+ nginx DNS Processing Flaws Let Remote Users Deny Service
http://www.securitytracker.com/id/1034869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0746
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0747

JVNDB-2016-000017 Cross-site scripting vulnerability in JOB-CUBE
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000017.html

JVNDB-2016-000016 Cross-site scripting vulnerability in Vine MV
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000016.html

JVNDB-2016-000015 Directory traversal vulnerability in CLUSTERPRO X
http://jvndb.jvn.jp/ja/contents/2016/JVNDB-2016-000015.html

Akamai calls for a response to the anti-whaling DDoS campaign "Operation Killing Bay"
http://itpro.nikkeibp.co.jp/atcl/news/16/012900304/?ST=security