Friday, March 31, 2017

Friday the 31st, Shakkō

+ Linux kernel 4.10.7, 4.9.19, 4.4.58 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.10.7
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.19
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.58

+ ActivePerl 5.24.1.2402, 5.22.3.2204 released
http://www.nntp.perl.org/group/perl.perl5.porters/2017/01/msg242259.html

+ Linux Kernel Out-of-Bounds Memory Error in XFRM xfrm_replay_verify_len() Lets Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1038166
CVE-2017-7184

+ RSA Archer GRC Security Operations Management Logging Function Lets Local Users View Passwords
http://www.securitytracker.com/id/1038162
CVE-2017-4977

+ Trend Micro InterScan Web Security Virtual Appliance Unspecified Flaws Let Remote Users Execute Arbitrary Code on the Target System
http://www.securitytracker.com/id/1038161

JVNDB-2017-000044 Privilege escalation vulnerability in CentreCOM AR260S V2
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000044.html

The Data Speaks
Suspicious traffic scanning for IoT devices doubled year on year
http://itpro.nikkeibp.co.jp/atcl/column/16/072600158/033000039/?ST=security&itp_list_theme

Security talent: "six years in the IT department and you're finished"
http://itpro.nikkeibp.co.jp/atcl/watcher/14/334361/032800809/?ST=security&itp_list_theme

APT29 Domain Fronting With TOR
http://www.linuxsecurity.com/content/view/171127/169/

Someone is putting lots of work into hacking Github developers
http://www.linuxsecurity.com/content/view/171126/169/

VMware patches critical virtual machine escape flaws
http://www.linuxsecurity.com/content/view/171125/169/

Thursday, March 30, 2017

Thursday the 30th, Taian

+ RHSA-2017:0847 Moderate: curl security update
https://rhn.redhat.com/errata/RHSA-2017-0847.html
CVE-2017-2628

+ About the security content of iCloud for Windows 6.2
https://support.apple.com/ja-jp/HT207607
CVE-2017-2383
CVE-2017-5029
CVE-2017-2463
CVE-2017-2479
CVE-2017-2480

+ Google Chrome 57.0.2987.133 released
https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop_29.html

+ CESA-2017:0837 Important CentOS 7 icoutils Security Update
https://lwn.net/Alerts/718353/

+ CESA-2017:0838 Moderate CentOS 7 openjpeg Security Update
https://lwn.net/Alerts/718354/

+ phpMyAdmin 4.7.0, 4.0.10.20 released
https://www.phpmyadmin.net/news/2017/3/29/phpmyadmin-470-released/
https://www.phpmyadmin.net/news/2017/3/29/phpmyadmin-401020-released/

+ JVNVU#92698669 SSL server certificate validation flaw in the iOS app "Pandora"
http://jvn.jp/vu/JVNVU92698669/

Security conversation techniques that get the CEO to say "OK, got it"
When told "switch to a cheaper product", explain the risk of local optimization
http://itpro.nikkeibp.co.jp/atcl/column/17/021400032/032200006/?ST=security&itp_list_theme

Interview & Talk
Increasingly sophisticated cyberattacks repelled one after another in partnership with 76 ISVs
http://itpro.nikkeibp.co.jp/atcl/interview/14/262522/032800328/?ST=security&itp_list_theme

Can AI stop cyberattacks?
What detection targets is AI-based security bad at?
http://itpro.nikkeibp.co.jp/atcl/column/17/031600083/032800003/?ST=security&itp_list_theme

Cyber defense by fusing existing technology with AI: Trend Micro's new enterprise strategy
http://itpro.nikkeibp.co.jp/atcl/news/17/032900968/?ST=security&itp_list_theme

Hacker Who Used Linux Botnet to Send Millions of Spam Emails Pleads Guilty
http://www.linuxsecurity.com/content/view/171123/169/

Wednesday, March 29, 2017

Wednesday the 29th, Butsumetsu

+ Mozilla Firefox 52.0.2 released
https://www.mozilla.org/en-US/firefox/52.0.2/releasenotes/

+ VMware Workstation 12 Player Version 12.5.5 Released
http://pubs.vmware.com/Release_Notes/en/workstation/12player/player-1255-release-notes.html?__utma=207178772.702043549.1440547077.1490659221.1490745546.345&__utmb=207178772.1.10.1490745546&__utmc=207178772&__utmx=-&__utmz=207178772.1440547077.1.1.utmcsr=my.vmware.com|utmccn=(referral)|utmcmd=referral|utmcct=/web/vmware/free&__utmv=-&__utmk=107205633

+ UPDATE: Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

+ VMSA-2017-0006 VMware ESXi, Workstation and Fusion updates address critical and moderate security issues
http://www.vmware.com/security/advisories/VMSA-2017-0006.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4903
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4904
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4905

+ JVNVU#90482935 Updates for vulnerabilities in multiple Apple products
http://jvn.jp/vu/JVNVU90482935/index.html

VU#342303 Pandora iOS app does not properly validate SSL certificates
https://www.kb.cert.org/vuls/id/342303

News Commentary
This is amazing! I managed to tweet with an Amazon Dash Button
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/031700890/?ST=security&itp_list_theme

NSFOCUS Japan launches a security cloud providing threat and attacker intelligence
http://itpro.nikkeibp.co.jp/atcl/news/17/032800961/?ST=security&itp_list_theme

Security staff in short supply at 90% of companies, NRI Secure survey finds
http://itpro.nikkeibp.co.jp/atcl/news/17/032800955/?ST=security&itp_list_theme

Symantec points out certificate-related bug in Google Chrome
http://itpro.nikkeibp.co.jp/atcl/news/17/032800954/?ST=security&itp_list_theme

Electronics cabin ban reportedly triggered by a bomb plot using an iPad
http://itpro.nikkeibp.co.jp/atcl/news/17/032800952/?ST=security&itp_list_theme

The uncrackable problem of end-to-end encryption
http://www.linuxsecurity.com/content/view/171118/169/

Tuesday, March 28, 2017

Tuesday the 28th, Senbu

+ About the security content of macOS Server 5.3
https://support.apple.com/ja-jp/HT207604
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2382

+ About the security content of tvOS 10.2
https://support.apple.com/ja-jp/HT207601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2395
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2475

+ About the security content of iOS 10.3
https://support.apple.com/ja-jp/HT207617
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2430
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2444
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2461
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2487
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2439
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2432
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2440
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2456
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2478
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2441
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2380
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2376
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2453
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2393
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2394
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2367
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2445
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2405

+ About the security content of macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
https://support.apple.com/ja-jp/HT207615

+ About the security content of Safari 10.1
https://support.apple.com/ja-jp/HT207600

+ About the security content of Pages 6.1, Numbers 4.1, and Keynote 7.1 for Mac and Pages 3.1, Numbers 3.1, and Keynote 3.1 for iOS
https://support.apple.com/ja-jp/HT207595

+ nginx 1.11.12 released
http://nginx.org/en/download.html

+ JVNVU#95549222 Multiple vulnerabilities in NTP.org ntpd
http://jvn.jp/vu/JVNVU95549222/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042

Announcing AgensGraph v1.1 Release
https://www.postgresql.org/about/news/1739/

Can AI stop cyberattacks?
What exactly is AI doing inside security products?
http://itpro.nikkeibp.co.jp/atcl/column/17/031600083/032500002/?ST=security&itp_list_theme

News Commentary
Can the "Linux v1.0 of blockchain" change the world?
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/032400902/?ST=security&itp_list_theme

Google's development team voices deep distrust of Symantec-issued certificates
http://itpro.nikkeibp.co.jp/atcl/news/17/032700943/?ST=security&itp_list_theme

API flaws said to have left Symantec SSL certificates vulnerable to compromise
http://www.linuxsecurity.com/content/view/171108/169/

Monday, March 27, 2017

Monday the 27th, Senshō

+ Linux kernel 4.10.6, 4.9.18, 4.4.57 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.10.6
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.18
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.57

+ UPDATE: JVNVU#93610402 Arbitrary code execution vulnerability in Apache Struts2
http://jvn.jp/vu/JVNVU93610402/

+ NetBSD Xen-amd64 Port Logic Error Lets Local Users on a Guest System Gain Elevated Privileges on the Host System
http://www.securitytracker.com/id/1038127

+ Trend Micro InterScan Messaging Security Input Validation Flaw in DetailReportAction Lets Remote Authenticated Users Traverse the Directory to View Arbitrary Files on the Target System
http://www.securitytracker.com/id/1038125

+ ntp Multiple Bugs Let Remote or Local Users Cause the Target Service to Crash
http://www.securitytracker.com/id/1038123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6459
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464

Can AI stop cyberattacks?
AI that works and learns without rest is well suited to security countermeasures
http://itpro.nikkeibp.co.jp/atcl/column/17/031600083/032300001/?ST=security&itp_list_theme

Mitsubishi Electric Building Techno-Service: cloud service for checking building trouble via smartphone video
http://itpro.nikkeibp.co.jp/atcl/news/17/032400931/?ST=security&itp_list_theme

JINS website breached via Struts2 vulnerability; also hit through Struts2 four years ago
http://itpro.nikkeibp.co.jp/atcl/news/17/032400930/?ST=security&itp_list_theme

WikiLeaks releases new CIA classified documents revealing methods for breaking into Apple products
http://itpro.nikkeibp.co.jp/atcl/news/17/032400919/?ST=security&itp_list_theme

Linux Advisory Watch: March 24th, 2017
http://www.linuxsecurity.com/content/view/171106/187/

Google proposes sending Symantec to TLS sin bin
http://www.linuxsecurity.com/content/view/171105/169/

FBI director floats international framework on access to encrypted data
http://www.linuxsecurity.com/content/view/171104/169/

Friday, March 24, 2017

Friday the 24th, Butsumetsu

+ RHSA-2017:0837 Important: icoutils security update
https://rhn.redhat.com/errata/RHSA-2017-0837.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6011

+ RHSA-2017:0838 Moderate: openjpeg security update
https://rhn.redhat.com/errata/RHSA-2017-0838.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9675

+ UPDATE: Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

+ UPDATE: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170130-openssl

+ Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
https://www.samba.org/samba/history/samba-4.6.1.html
https://www.samba.org/samba/history/samba-4.5.7.html
https://www.samba.org/samba/history/samba-4.4.11.html

+ Apple iTunes Multiple Vulnerabilities
https://secuniaresearch.flexerasoftware.com/advisories/75929/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7443
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3717
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153

+ Apache Struts < 1.3.10 / < 2.3.16.2 ClassLoader Manipulation Remote Code Execution
https://cxsecurity.com/issue/WLB-2017030205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094

+ Samba Symlink Race Condition Lets Remote Authenticated Users View Non-Exported Files on the Target System
http://www.securitytracker.com/id/1038117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2619

+ VMware AirWatch Input Validation Flaw in Shared Filenames Lets Remote Authenticated Users Conduct Cross-Site Scripting Attacks
http://www.securitytracker.com/id/1038116

JVNDB-2017-000050 Cross-site scripting vulnerability in the WordPress plugin YOP Poll
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000050.html

Tracking the Reality of Criminal Technology
"No reward, so no report": what young hackers really think
http://itpro.nikkeibp.co.jp/atcl/column/17/031500082/031700003/?ST=security&itp_list_theme

Okayama Prefecture site running Struts2 breached and used as a stepping stone for DoS attacks
http://itpro.nikkeibp.co.jp/atcl/news/17/032300910/?ST=security&itp_list_theme

News Commentary
Revealed by CIA classified documents: dangerous vulnerability in 300 Cisco product models with no patch date set
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/032300899/?ST=security&itp_list_theme

Is Linux Mint a secure distribution?
http://www.linuxsecurity.com/content/view/171101/169/

Mozilla beats rivals, patches Firefox's Pwn2Own bug
http://www.linuxsecurity.com/content/view/171100/169/

Thursday, March 23, 2017

Thursday the 23rd, Senbu

+ RHSA-2017:0837 Important: icoutils security update
https://rhn.redhat.com/errata/RHSA-2017-0837.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5332
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6011

+ Cisco IOx Data in Motion Stack Overflow Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-iox
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3853

+ Cisco IOS XE Software for Cisco ASR 920 Series Routers Zero Touch Provisioning Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3859

+ Cisco IOS XE Software HTTP Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-xeci
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3858

+ Cisco IOS XE Software Web User Interface Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-webui
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3856

+ Cisco IOS and IOS XE Software Layer 2 Tunneling Protocol Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-l2tp
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3857

+ Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-dhcpc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3864

+ Cisco Application-Hosting Framework Arbitrary File Creation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-caf2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3852

+ Cisco Application-Hosting Framework Directory Traversal Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-caf1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3851

+ Linux kernel 4.10.5, 4.9.17, 4.4.56 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.10.5
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.17
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.56

+ NTP 4.2.8p10 released
https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable

+ Mozilla Firefox Table Use-After-Free
https://cxsecurity.com/issue/WLB-2017030195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5404

JVNDB-2017-000049 Arbitrary DLL loading vulnerability in the installer of PhishWall Client for Internet Explorer
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000049.html

Tracking the Reality of Criminal Technology
Infiltrating the dark web, a savvy marketplace
http://itpro.nikkeibp.co.jp/atcl/column/17/031500082/031600001/?ST=security&itp_list_theme

Reporter's Eye
Time is running out: companies slow to respond to the amended Personal Information Protection Act
http://itpro.nikkeibp.co.jp/atcl/watcher/14/334361/031700804/?ST=security&itp_list_theme

Security conversation techniques that get the CEO to say "OK, got it"
"Allow BYOD": propose a framework for safe use rather than a ban
http://itpro.nikkeibp.co.jp/atcl/column/17/021400032/031500005/?ST=security&itp_list_theme

News Commentary
AI and ethics: a heated debate
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/032200895/?ST=security&itp_list_theme

BASE enables always-on SSL for custom domains too, responding to Google's push for SSL
http://itpro.nikkeibp.co.jp/atcl/news/17/032200901/?ST=security&itp_list_theme

What happens if your company burns? Takenaka Corporation develops disaster VR
http://itpro.nikkeibp.co.jp/atcl/news/17/032200893/?ST=security&itp_list_theme

Google apologizes for brand ads shown on hate content, explains countermeasures
http://itpro.nikkeibp.co.jp/atcl/news/17/032200890/?ST=security&itp_list_theme

Following the US, the UK also bans electronics in the cabin on some direct flights from the Middle East
http://itpro.nikkeibp.co.jp/atcl/news/17/032200886/?ST=security&itp_list_theme

JVNVU#98590454 Privilege escalation vulnerability in PCAUSA Rawether for Windows
http://jvn.jp/vu/JVNVU98590454/index.html

JVN#93699304 Arbitrary DLL loading vulnerability in the installer of PhishWall Client for Internet Explorer
http://jvn.jp/jp/JVN93699304/index.html

LastPass hit by password stealing and code execution vulnerabilities
http://www.linuxsecurity.com/content/view/171094/169/

US-CERT Warns That HTTPS Inspection Tools Weaken TLS
http://www.linuxsecurity.com/content/view/171093/169/

A simple command allows the CIA to commandeer 318 models of Cisco switches
http://www.linuxsecurity.com/content/view/171092/169/

Wednesday, March 22, 2017

Wednesday the 22nd, Tomobiki

+ RHSA-2017:0654 Moderate: coreutils security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0654.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2616

+ RHSA-2017:0574 Moderate: gnutls security, bug fix, and enhancement update
https://rhn.redhat.com/errata/RHSA-2017-0574.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8610
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5336
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5337

+ RHSA-2017:0794 Moderate: quagga security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0794.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2236
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1245
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5495

+ RHSA-2017:0630 Moderate: tigervnc security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0630.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5581

+ RHSA-2017:0698 Moderate: subscription-manager security, bug fix, and enhancement update
https://rhn.redhat.com/errata/RHSA-2017-0698.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4455

+ RHSA-2017:0680 Moderate: glibc security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0680.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8779

+ RHSA-2017:0564 Moderate: libguestfs security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0564.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

+ RHSA-2017:0621 Moderate: qemu-kvm security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0621.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3712

+ RHSA-2017:0725 Moderate: bash security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0725.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0634
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401

+ RHSA-2017:0641 Moderate: openssh security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0641.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8325

+ RHSA-2017:0565 Moderate: ocaml security update
https://rhn.redhat.com/errata/RHSA-2017-0565.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8869

+ RHSA-2017:0744 Moderate: samba4 security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0744.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2126

+ RHSA-2017:0662 Moderate: samba security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0662.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2126

+ RHSA-2017:0631 Moderate: wireshark security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0631.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3813

+ RHSA-2017:0817 Moderate: kernel security, bug fix, and enhancement update
https://rhn.redhat.com/errata/RHSA-2017-0817.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2384
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6480
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8399
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9576

+ Red Hat Enterprise Linux 6.9 released
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.9_Release_Notes/index.html

+ nginx 1.11.11 released
http://nginx.org/en/download.html

+ Wireshark 2.2.5, 2.0.11 released
https://www.wireshark.org/docs/relnotes/wireshark-2.2.5.html
https://www.wireshark.org/docs/relnotes/wireshark-2.0.11.html

+ UPDATE: Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

+ UPDATE: JVNVU#93610402 Arbitrary code execution vulnerability in Apache Struts2
http://jvn.jp/vu/JVNVU93610402/index.html

+ Linux Kernel sg_ioctl() Stack Overflow Lets Local Users Cause Denial of Service Conditions on the Target System
http://www.securitytracker.com/id/1038086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7187

+ Red Hat Subscription Manager /var/lib/rhsm/ Permissions Let Local Users Obtain Potentially Sensitive Information on the Target System
http://www.securitytracker.com/id/1038083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4455

+ OpenSSH Bugs Let Remote Users Decrypt Messages in Certain Cases and Let Remote Authenticated Users Create or Modify Files on the Target System
http://www.securitytracker.com/id/1038071

+ PuTTY Integer Overflow in ssh_agent_channel_data Lets Local Users Gain Elevated Privileges or Deny Service
http://www.securitytracker.com/id/1038067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6542

VU#600671 PCAUSA Rawether for Windows local privilege escalation
https://www.kb.cert.org/vuls/id/600671

JVNTA#96603741 Security weakening caused by HTTPS traffic inspection appliances
http://jvn.jp/ta/JVNTA96603741/

Tracking the Reality of Criminal Technology
This is why impersonation can't be prevented
http://itpro.nikkeibp.co.jp/atcl/column/17/031500082/031600002/?ST=security&itp_list_theme

News Commentary
This is amazing! Using an Amazon Dash Button for presentations
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/031400885/?ST=security&itp_list_theme

News Commentary
Rampant attacks on the Struts2 vulnerability: how could they have been prevented?
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/032100893/?ST=security&itp_list_theme

Cisco's security cloud "Umbrella" to be relaunched in April with expanded features
http://itpro.nikkeibp.co.jp/atcl/news/17/032100881/?ST=security&itp_list_theme

NEXWAY launches identity verification and shipment tracking service for Bitcoin businesses
http://itpro.nikkeibp.co.jp/atcl/news/17/032100880/?ST=security&itp_list_theme

New vulnerability in Struts2, with exploit code also published
http://itpro.nikkeibp.co.jp/atcl/news/17/032100877/?ST=security&itp_list_theme

Struts2 vulnerability countermeasure was actually useless, JPCERT points out
http://itpro.nikkeibp.co.jp/atcl/news/17/032100876/?ST=security&itp_list_theme

Old Linux kernel security bug bites
http://www.linuxsecurity.com/content/view/171091/169/

Firefox gets complaint for labeling unencrypted login page insecure
http://www.linuxsecurity.com/content/view/171090/169/

Tuesday, March 21, 2017

21st, Tuesday, Senshō

+ RHSA-2017:0559 Moderate: openjpeg security update
https://rhn.redhat.com/errata/RHSA-2017-0559.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9675

+ Selenium Standard Server 3.3.1 released
http://docs.seleniumhq.org/download/

+ Selenium IE Driver Server 3.3 released
https://raw.githubusercontent.com/SeleniumHQ/selenium/master/cpp/iedriverserver/CHANGELOG

+ Selenium Client & WebDriver 3.3.1 released
https://raw.githubusercontent.com/SeleniumHQ/selenium/master/java/CHANGELOG

+ Mozilla Firefox 52.0.1 released
https://www.mozilla.org/en-US/firefox/52.0.1/releasenotes/

+ MFSA2017-08 integer overflow in createImageBitmap()
https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5428

+ About the security content of Logic Pro X 10.3.1
https://support.apple.com/ja-jp/HT207519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2374

+ CESA-2017:0559 Moderate CentOS 6 openjpeg Security Update
https://lwn.net/Alerts/717563/

+ CESA-2017:0558 Critical CentOS 7 firefox Security Update
https://lwn.net/Alerts/717562/

+ CESA-2017:0527 Moderate CentOS 6 tomcat6 Security Update
https://lwn.net/Alerts/717564/

+ Cisco IOS and IOS XE Software IPv6 Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170320-aniipv6
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3850

+ Cisco IOS and IOS XE Software Autonomic Networking Infrastructure Registrar Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170320-ani
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3849

+ Linux kernel 4.10.4, 4.9.16, 4.4.55, 3.12.72 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.10.4
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.16
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.55
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.72

+ S2-046 Possible RCE when performing file upload based on Jakarta Multipart parser (similar to S2-045)
http://struts.apache.org/docs/s2-046.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

+ Apache Tomcat 8.0.42, 7.0.76, 6.0.51 Released
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.42_(violetagg)
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html#Tomcat_7.0.76_(violetagg)
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html#Tomcat_6.0.51_(violetagg)

+ OpenSSH 7.5 release
http://www.openssh.com/txt/release-7.5

+ UPDATE: JVNVU#93610402 Arbitrary code execution vulnerability in Apache Struts2
http://jvn.jp/vu/JVNVU93610402/index.html

+ Mozilla Firefox Integer Overflow in createImageBitmap() Lets Remote Users Execute Arbitrary Code
http://www.securitytracker.com/id/1038060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5428

+ Microsoft Edge Chakra Incorrect Jit Optimization
https://cxsecurity.com/issue/WLB-2017030168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0071

+ Microsoft Internet Information Services Cross Site Scripting
https://cxsecurity.com/issue/WLB-2017030167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0055

JVNVU#97075940 Stack buffer overflow vulnerability in Commvault Edge
http://jvn.jp/vu/JVNVU97075940/index.html

NEC Launches Secure Internet Connection Gateway Service for Financial Institutions
http://itpro.nikkeibp.co.jp/atcl/news/17/031700865/?ST=security&itp_list_theme

Nippon Broadcasting System Website Also Defaced via Struts2 Vulnerability
http://itpro.nikkeibp.co.jp/atcl/news/17/031700863/?ST=security&itp_list_theme

Even One-Time Passwords Are at Risk: Tokyo Metropolitan Police Confirm Damage from New Virus
http://itpro.nikkeibp.co.jp/atcl/news/17/031700858/?ST=security&itp_list_theme

News Analysis
GPS Investigations That Extract Smartphone Location Data: Three Carriers Restate Their Positions
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/031700889/?ST=security&itp_list_theme

Virtual machine escape fetches $105,000 at Pwn2Own hacking contest
http://www.linuxsecurity.com/content/view/171074/169/

GitHub awards researcher $18,000 for remote code execution flaw discovery
http://www.linuxsecurity.com/content/view/171073/169/

Linux Advisory Watch: March 17th, 2017
http://www.linuxsecurity.com/content/view/171064/187/

Ethical Hacking: The Most Important Job No One Talks About
http://www.linuxsecurity.com/content/view/171063/169/

This laptop-bricking USB stick just got even more dangerous
http://www.linuxsecurity.com/content/view/171062/169/

Friday, March 17, 2017

17th, Friday, Senbu

+ CESA-2017:0498 Important CentOS 5 thunderbird Security Update
https://lwn.net/Alerts/717357/

+ CESA-2017:0498 Important CentOS 6 thunderbird Security Update
https://lwn.net/Alerts/717356/

+ CESA-2017:0498 Important CentOS 7 thunderbird Security Update
https://lwn.net/Alerts/717355/

+ Linux kernel 3.16.42, 3.2.87 released
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.42
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.87

+ Samba 4.4.11 Available for Download
https://www.samba.org/samba/history/samba-4.4.11.html

+ PHP 7.1.3, 7.0.17 Released
http://www.php.net/ChangeLog-7.php#7.1.3
http://www.php.net/ChangeLog-7.php#7.0.17

+ Microsoft Windows 'LoadUvsTable()' Heap-based Buffer Overflow
https://cxsecurity.com/issue/WLB-2017030152
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7274

+ Microsoft Edge 38.14393.0.0 JavaScript Engine Use-After-Free
https://cxsecurity.com/issue/WLB-2017030151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0070

+ Windows DVD Maker XML External Entity File Disclosure
https://cxsecurity.com/issue/WLB-2017030149

VU#214283 Commvault Edge contains a buffer overflow vulnerability
https://www.kb.cert.org/vuls/id/214283

JVNDB-2017-000047 OS command injection vulnerability in 安全なウェブサイト運営入門 (Introduction to Secure Website Operation)
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000047.html

JVNVU#96964526 Multiple vulnerabilities in D-Link DIR-130 and DIR-330
http://jvn.jp/vu/JVNVU96964526/index.html

Unauthorized Access to Okinawa Electric Power's Struts2-Based Site; Around 6,500 Email Addresses May Have Leaked
http://itpro.nikkeibp.co.jp/atcl/news/17/031600847/?ST=security&itp_list_theme

US Government Indicts Russian Officials and Others over Massive Yahoo! Data Breach
http://itpro.nikkeibp.co.jp/atcl/news/17/031600841/?ST=security&itp_list_theme

In-the-wild exploits ramp up against high-impact sites using Apache Struts
http://www.linuxsecurity.com/content/view/171061/169/

Inside the Russian hack of Yahoo: How they did it
http://www.linuxsecurity.com/content/view/171060/169/

Thursday, March 16, 2017

16th, Thursday, Tomobiki

+ RHSA-2017:0527 Moderate: tomcat6 security update
https://rhn.redhat.com/errata/RHSA-2017-0527.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745

+ UPDATE: Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

+ Cisco Mobility Express 1800 Access Point Series Authentication Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-ap1800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3831

+ Cisco Meshed Wireless LAN Controller Impersonation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-wlc-mesh
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3854

+ Cisco Workload Automation and Tidal Enterprise Scheduler Client Manager Server Arbitrary File Read Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-tes
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3846

+ Cisco StarOS SSH Privilege Escalation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-asr
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3819

+ Cisco Web Security Appliance URL Filtering Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-wsa
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3870

+ Cisco WebEx Meetings Server XML External Entity Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-wms
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3811

+ Cisco WebEx Meetings Server Authentication Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-webex
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3880

+ Cisco UCS Director Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-ucs
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3868

+ Cisco Unified Communications Manager Cross-Site Request Forgery Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-ucm2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3877

+ Cisco Unified Communications Manager Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-ucm2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3874

+ Cisco Unified Communications Manager Web Interface Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-ucm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3872

+ Cisco TelePresence Server API Privilege Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-tps
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3815

+ Cisco Prime Service Catalog Multiple Cross-Site Scripting Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-psc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3866

+ Cisco Nexus 9000 Series Switches Remote Login Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-nss1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3879

+ Cisco Nexus 9000 Series Switches Telnet Login Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-nss
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3878

+ Cisco Prime Optical for Service Providers RADIUS Secret Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-cpo
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3871

+ Cisco Prime Infrastructure API Credentials Management Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-cpi
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3869

+ Cisco Nexus 7000 Series Switches Access-Control Filtering Mechanisms Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-cns
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3875

+ Cisco Adaptive Security Appliance BGP Bidirectional Forwarding Detection ACL Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170315-asa
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3867

+ Linux kernel 4.10.3, 4.9.15, 4.4.54 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.10.3
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.15
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.54

+ UPDATE: JVNVU#95841181 Denial-of-service (DoS) vulnerability in Microsoft Windows' handling of SMB Tree Connect Response packets
http://jvn.jp/vu/JVNVU95841181/index.html

+ UPDATE: JVNVU#93610402 Arbitrary code execution vulnerability in Apache Struts2
http://jvn.jp/vu/JVNVU93610402/index.html

+ VMware Workstation and Fusion Memory Access Error in Drag and Drop Function Lets Local Users on a Guest System Gain Elevated Privileges on the Host System
http://www.securitytracker.com/id/1038025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4901

+ Microsoft Edge Fetch API Arbitrary Header Setting
https://cxsecurity.com/issue/WLB-2017030144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0140

+ Apache Struts Jakarta Multipart Parser OGNL Injection
https://cxsecurity.com/issue/WLB-2017030143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

VU#553503 D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials
https://www.kb.cert.org/vuls/id/553503

"What Matters in Defending Critical Infrastructure Is Drafting an Action Plan," Says NISC's Uryu
http://itpro.nikkeibp.co.jp/atcl/news/17/031600839/?ST=security&itp_list_theme

Security Conversation Techniques That Get the CEO to Say "OK, Got It"
When Told to "Completely Prevent Cyberattacks," Persuade with a "Compromise Plan"
http://itpro.nikkeibp.co.jp/atcl/column/17/021400032/030800004/?ST=security&itp_list_theme

Mozilla: Everyone's scared of hackers but clueless about fending them off
http://www.linuxsecurity.com/content/view/171050/169/

Hire a DDoS service to take down your enemies
http://www.linuxsecurity.com/content/view/171049/169/

Debunking 5 Myths About DNS
http://www.linuxsecurity.com/content/view/171048/169/

Wednesday, March 15, 2017

15th, Wednesday, Senshō

+ Microsoft Security Bulletin Summary for March 2017
https://technet.microsoft.com/ja-jp/library/security/ms17-mar

+ MS17-006 - Critical: Cumulative Security Update for Internet Explorer (4013073)
https://technet.microsoft.com/library/security/MS17-006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0037
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0040
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0049
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0154

+ MS17-007 - Critical: Security Update for Microsoft Edge (4013071)
https://technet.microsoft.com/library/security/MS17-007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0032
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0034
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0035
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0037
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0094
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0132
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0133
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0134
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0135
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0136
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0137
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0151

+ MS17-008 - Critical: Security Update for Windows Hyper-V (4013082)
https://technet.microsoft.com/library/security/MS17-008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0074
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0099
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0109

+ MS17-009 - Critical: Security Update for Microsoft Windows PDF Library (4010319)
https://technet.microsoft.com/library/security/MS17-009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0023

+ MS17-010 - Critical: Security Update for Microsoft Windows SMB Server (4013389)
https://technet.microsoft.com/library/security/MS17-010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0146
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0148

+ MS17-011 - Critical: Security Update for Microsoft Uniscribe (4013076)
https://technet.microsoft.com/library/security/MS17-011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0087
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0088
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0089
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0091
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0111
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0112
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0113
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0114
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0115
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0116
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0117
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0120
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0122
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0123
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0126
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0128
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0121

+ MS17-012 - Critical: Security Update for Microsoft Windows (4013078)
https://technet.microsoft.com/library/security/MS17-012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0007
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0039
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0057
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0104

+ MS17-013 - Critical: Security Update for Microsoft Graphics Component (4013075)
https://technet.microsoft.com/library/security/MS17-013
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0047
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0014

+ MS17-014 - Important: Security Update for Microsoft Office (4013241)
https://technet.microsoft.com/library/security/MS17-014
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0006
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0019
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0030
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0105

+ MS17-015 - Important: Security Update for Microsoft Exchange Server (4013242)
https://technet.microsoft.com/library/security/MS17-015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0110

+ MS17-016 - Important: Security Update for Windows IIS (4013074)
https://technet.microsoft.com/library/security/MS17-016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0055

+ MS17-017 - Important: Security Update for Windows Kernel (4013081)
https://technet.microsoft.com/library/security/MS17-017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0103

+ MS17-018 - Important: Security Update for Windows Kernel-Mode Drivers (4013083)
https://technet.microsoft.com/library/security/MS17-018
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0024
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0082

+ MS17-019 - Important: Security Update for Active Directory Federation Services (4010320)
https://technet.microsoft.com/library/security/MS17-019
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0043

+ MS17-020 - Important: Security Update for Windows DVD Maker (3208223)
https://technet.microsoft.com/library/security/MS17-020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0045

+ MS17-021 - Important: Security Update for Windows DirectShow (4010318)
https://technet.microsoft.com/library/security/MS17-021
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0042

+ MS17-022 - Important: Security Update for Microsoft XML Core Services (4010321)
https://technet.microsoft.com/library/security/MS17-022
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0022

+ MS17-023 - Critical: Security Update for Adobe Flash Player (4014329)
https://technet.microsoft.com/library/security/MS17-023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2998
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2999
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3003

+ RHSA-2017:0498 Important: thunderbird security update
https://rhn.redhat.com/errata/RHSA-2017-0498.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5410

+ APSB17-08 Security update available for Adobe Shockwave Player
https://helpx.adobe.com/security/products/shockwave/apsb17-08.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2983

+ APSB17-07 Security updates available for Adobe Flash Player
https://helpx.adobe.com/security/products/flash-player/apsb17-07.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2997
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2998
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2999
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3003

+ VMware Workstation 12.5.4 released
http://pubs.vmware.com/Release_Notes/en/workstation/12player/player-1254-release-notes.html

+ UPDATE: Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

+ VU#834067 Apache Struts 2 is vulnerable to remote code execution
https://www.kb.cert.org/vuls/id/834067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

+ SA75787 Apache Tomcat HTTP Connector Information Disclosure Vulnerability
https://secuniaresearch.flexerasoftware.com/advisories/75787/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8747

+ SA75782 Symantec Web Gateway Cross-Site Scripting Vulnerabilities
https://secuniaresearch.flexerasoftware.com/advisories/75782/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9096

+ VMSA-2017-0005 VMware Workstation and Fusion updates address out-of-bounds memory access vulnerability
http://www.vmware.com/security/advisories/VMSA-2017-0005.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4901

+ Apache Tomcat 8.5.12 Released
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.12_(markt)

+ JVNVU#94686945 Information disclosure vulnerability in Apache Tomcat
http://jvn.jp/vu/JVNVU94686945/index.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8747

Network Hot Topics
Android Vulnerabilities Revealed by Patch Releases: Over 90 in January Alone
http://itpro.nikkeibp.co.jp/atcl/column/14/277462/030700055/?ST=security&itp_list_theme

From the US: How to Read Apple News
US in Uproar over "Vault 7" Hacking Disclosure Documents; Apple Says "Many Already Fixed"
http://itpro.nikkeibp.co.jp/atcl/column/16/082600184/031100036/?ST=security&itp_list_theme

Japan Post: Around 30,000 Email Addresses and Other Data May Have Leaked via Unauthorized Access
http://itpro.nikkeibp.co.jp/atcl/news/17/031400825/?ST=security&itp_list_theme

Yahoo! CEO Marissa Mayer's Severance Package Reportedly $23 Million
http://itpro.nikkeibp.co.jp/atcl/news/17/031400813/?ST=security&itp_list_theme

Facebook Revises Policy, Clarifies Ban on Data Use by Surveillance Tools
http://itpro.nikkeibp.co.jp/atcl/news/17/031400811/?ST=security&itp_list_theme

Malware found preinstalled on 38 Android phones used by 2 companies
http://www.linuxsecurity.com/content/view/171044/169/

It's time to turn on HTTPS: the benefits are well worth the effort
http://www.linuxsecurity.com/content/view/171043/169/

Tuesday, March 14, 2017

14th, Tuesday, Shakkō

+ UPDATE: Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

+ Linux kernel 4.1.39 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.1.39

JVNDB-2017-000045 Improper information management vulnerability in the Android app "Cybozu KUNAI for Android"
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000045.html

Noriko Takiguchi's Silicon Valley Report
Nothing Is Unhackable!? The CIA's Clever Techniques
http://itpro.nikkeibp.co.jp/atcl/column/15/060200138/031200092/?ST=security&itp_list_theme

JETRO Also Possibly Hit by Apache Struts2 Vulnerability; Over 20,000 Email Addresses Stolen
http://itpro.nikkeibp.co.jp/atcl/news/17/031300794/?ST=security&itp_list_theme

Operation Rosehub patches Java vulnerabilities in open source projects
http://www.linuxsecurity.com/content/view/171032/169/

Monday, March 13, 2017

13th, Monday, Taian

+ MantisBT 2.2.1 and 1.3.7 Released
https://www.mantisbt.org/bugs/changelog_page.php?version_id=275
https://www.mantisbt.org/bugs/changelog_page.php?version_id=269

+ PostgreSQL ODBC Driver 09.06.0200 released
https://www.postgresql.org/ftp/odbc/versions/msi/

+ VMware Workstation Player 12.5.3 Released
http://pubs.vmware.com/Release_Notes/en/workstation/12player/player-1253-release-notes.html?__utma=207178772.702043549.1440547077.1489103828.1489363005.334&__utmb=207178772.1.10.1489363005&__utmc=207178772&__utmx=-&__utmz=207178772.1440547077.1.1.utmcsr=my.vmware.com|utmccn=(referral)|utmcmd=referral|utmcct=/web/vmware/free&__utmv=-&__utmk=137475891

+ UPDATE: Apache Struts2 Jakarta Multipart Parser File Upload Code Execution Vulnerability Affecting Cisco Products
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2

+ UPDATE: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170130-openssl

+ Linux kernel 4.10.2, 4.9.14, 4.4.53 released
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.10.2
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.14
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.53

+ VMSA-2017-0003 VMware Workstation update addresses multiple security issues
http://www.vmware.com/security/advisories/VMSA-2017-0003.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4900

+ VMware Workstation SVGA and DLL Loading Bugs Let Local Users on the Guest System Deny Service on the Guest or Gain Elevated Privileges on the Host System
http://www.securitytracker.com/id/1037979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4900

+ MantisBT Input Validation Flaw in 'bug_change_status_page.php' Lets Remote Users Conduct Cross-Site Scripting Attacks
http://www.securitytracker.com/id/1037978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6797

dbMigration .NET v5 released
https://www.postgresql.org/about/news/1738/

News Analysis
Cause of GMO's 720,000-Record Leak Crisis: Serious Struts2 Vulnerability That Lets Attackers "Take Full Control"
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/031000880/?ST=security&itp_list_theme

IoT Acceleration Consortium Publishes "Data Trading Case Studies" Including Employee Health Data
http://itpro.nikkeibp.co.jp/atcl/news/17/031000792/?ST=security&itp_list_theme

Unauthorized Access at Hosei University; 43,103 Account Records of Students and Staff Leaked
http://itpro.nikkeibp.co.jp/atcl/news/17/031000791/?ST=security&itp_list_theme

Unauthorized Access to Tokyo Metropolitan Tax and Japan Housing Finance Agency Credit Card Payment Sites; Around 720,000 Records May Have Leaked
http://itpro.nikkeibp.co.jp/atcl/news/17/031000790/?ST=security&itp_list_theme

"The Core of Security Is Not Personal Information," Says METI's Ito, First Commander of the JGSDF System Protection Unit
http://itpro.nikkeibp.co.jp/atcl/news/17/031000788/?ST=security&itp_list_theme

Kaspersky Lab Discovers "StoneDrill," New Data-Destroying Malware
http://itpro.nikkeibp.co.jp/atcl/news/17/031000785/?ST=security&itp_list_theme

After CIA Classified Document Leak, WikiLeaks Founder Offers to Cooperate with Tech Giants
http://itpro.nikkeibp.co.jp/atcl/news/17/031000774/?ST=security&itp_list_theme

UPDATE: JVNVU#91417143 Multiple vulnerabilities in GigaCC OFFICE
http://jvn.jp/vu/JVNVU91417143/index.html

JVNVU#99822187 Stack buffer overflow vulnerability in the HNAP service of D-Link routers
http://jvn.jp/vu/JVNVU99822187/index.html

JVNVU#98628696 Buffer overflow vulnerability in D-Link DIR-850L
http://jvn.jp/vu/JVNVU98628696/index.html

JVNVU#95084342 Improper SSL server certificate validation vulnerability in the iOS app "Flash Seats Mobile App"
http://jvn.jp/vu/JVNVU95084342/index.html

UPDATE: JVN#84995847 Arbitrary code execution vulnerability in SKYSEA Client View
http://jvn.jp/jp/JVN84995847/index.html

Friday, March 10, 2017

10th, Friday, Tomobiki

+ Google Chrome 57.0.2987.98 released
https://chromereleases.googleblog.com/2017/03/stable-channel-update-for-desktop.html

+ CESA-2017:0459 Critical CentOS 5 firefox Security Update
https://lwn.net/Alerts/716623/

+ CESA-2017:0459 Critical CentOS 6 firefox Security Update
https://lwn.net/Alerts/716622/

+ CESA-2017:0454 Important CentOS 5 kvm Security Update
https://lwn.net/Alerts/716624/

+ CESA-2017:0461 Critical CentOS 7 firefox Security Update
https://lwn.net/Alerts/716621/

+ Linux kernel 3.12.71 released
https://cdn.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.12.71

+ Samba 4.5.6 Available for Download
https://www.samba.org/samba/history/samba-4.5.6.html

+ JVNVU#93610402 Arbitrary code execution vulnerability in Apache Struts2
http://jvn.jp/vu/JVNVU93610402/

+ UPDATE: JVNVU#92930223 Multiple vulnerabilities in OpenSSL
http://jvn.jp/vu/JVNVU92930223/

+ UPDATE: JVNVU#98667810 Multiple vulnerabilities in OpenSSL
http://jvn.jp/vu/JVNVU98667810/

+ UPDATE: JVNVU#94410990 Multiple vulnerabilities in NTP.org ntpd, including denial of service (DoS)
http://jvn.jp/vu/JVNVU94410990/

+ UPDATE: JVNVU#97236594 Buffer overflow vulnerability in glibc
http://jvn.jp/vu/JVNVU97236594/

+ Apache Struts Jakarta Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System
http://www.securitytracker.com/id/1037973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

趙 章恩, "Korea on the Web"
Will Korea-China diplomatic friction escalate into cyber war?
http://itpro.nikkeibp.co.jp/atcl/column/14/549762/030700135/?ST=security&itp_list_theme

News commentary
11 companies including NTT, Bic Camera and Sekisui hurry to build "secure IoT"
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/030800874/?ST=security&itp_list_theme

Apple issues a statement on WikiLeaks' release of CIA classified documents: "most of the vulnerabilities are already fixed"
http://itpro.nikkeibp.co.jp/atcl/news/17/030900758/?ST=security&itp_list_theme

UPDATE: JVNVU#90754453 Man-in-the-middle (MITM) vulnerability in applications that communicate through a proxy server
http://jvn.jp/vu/JVNVU90754453/

Hackers exploit Apache Struts vulnerability to compromise corporate web servers
http://www.linuxsecurity.com/content/view/170999/169/

Thursday, March 9, 2017

9th, Thursday, Sensho

+ RHSA-2017:0459 Critical: firefox security update
https://rhn.redhat.com/errata/RHSA-2017-0459.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5410

+ RHSA-2017:0461 Critical: firefox security update
https://rhn.redhat.com/errata/RHSA-2017-0461.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5410

+ Mozilla Firefox 52.0 released
https://www.mozilla.org/en-US/firefox/52.0/releasenotes/

+ Security vulnerabilities fixed in Firefox 52
https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5406
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5411

+ CESA-2017:0386 Important CentOS 7 kernel Security Update
https://lwn.net/Alerts/716336/

+ CESA-2017:0388 Moderate CentOS 7 ipa Security Update
https://lwn.net/Alerts/716335/

+ CESA-2017:0396 Important CentOS 7 qemu-kvm Security Update
https://lwn.net/Alerts/716337/

+ Mozilla Thunderbird 45.8.0 released
https://www.mozilla.org/en-US/thunderbird/45.8.0/releasenotes/

+ Security vulnerabilities fixed in Thunderbird 45.8
https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5400
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5401
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5404
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5405
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5407
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5398

+ Samba 4.6.0 Available for Download
https://www.samba.org/samba/history/samba-4.6.0.html

+ SA75579 Linux Kernel SOCK_ZAPPED Race Condition Vulnerabilities
https://secuniaresearch.flexerasoftware.com/advisories/75579/

+ S2-045 Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.
http://struts.apache.org/docs/s2-045.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

+ Apache Struts 2.5.10.1, 2.3.32 released
http://struts.apache.org/docs/version-notes-25101.html
http://struts.apache.org/docs/version-notes-2332.html

+ Linux Kernel l2tp_ip6_bind() Race Condition Lets Local Users Deny Service or Gain Elevated Privileges
http://www.securitytracker.com/id/1037965
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10200

+ Linux Kernel Race Condition in N_HDLC Driver Lets Local Users Gain Elevated Privileges
http://www.securitytracker.com/id/1037963
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2636

+ Wireshark Flaws in Multiple Dissectors Let Remote Users Cause the Target Service to Crash or Enter an Infinite Loop
http://www.securitytracker.com/id/1037960

VU#305448 D-Link DIR-850L web admin interface contains a stack-based buffer overflow vulnerability
https://www.kb.cert.org/vuls/id/305448

VU#247016 Flash Seats Mobile App for iOS fails to validate SSL certificates
https://www.kb.cert.org/vuls/id/247016

VU#355151 ACTi cameras models from the D, B, I, and E series contain multiple security vulnerabilities
https://www.kb.cert.org/vuls/id/355151

VU#608591 PHP FormMail Generator generates code vulnerable to multiple issues
https://www.kb.cert.org/vuls/id/608591

JVNDB-2017-000043 Cross-site scripting vulnerability in OneThird CMS
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000043.html

JVNDB-2017-000042 Cross-site scripting vulnerability in OneThird CMS
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000042.html

JVNVU#92233464 Vulnerabilities in multiple ACTi camera products
http://jvn.jp/vu/JVNVU92233464/index.html

JVNVU#96141589 Multiple vulnerabilities in PHP code generated by PHP FormMail Generator
http://jvn.jp/vu/JVNVU96141589/index.html

JVN#46830433 Multiple vulnerabilities in multiple I-O DATA network camera products
http://jvn.jp/jp/JVN46830433/index.html

JVNVU#96566737 Multiple vulnerabilities in dotCMS
http://jvn.jp/vu/JVNVU96566737/index.html

Security conversation skills that get the CEO to say "OK, I get it"
"If it isn't connected to the network, it's safe, right?" Use defense in depth to close the gaps
http://itpro.nikkeibp.co.jp/atcl/column/17/021400032/022800003/?ST=security&itp_list_theme

Honest talk from management
"Women should raise their hands a little more confidently," says the president of Cisco Japan (part 2)
http://itpro.nikkeibp.co.jp/atcl/column/16/113000287/030300029/?ST=security&itp_list_theme

Beware of data leaks by employees: Verizon warns with case studies
http://itpro.nikkeibp.co.jp/atcl/news/17/030800752/?ST=security&itp_list_theme

WikiLeaks publishes classified documents on the CIA's wide range of hacking methods
http://itpro.nikkeibp.co.jp/atcl/news/17/030800740/?ST=security&itp_list_theme

US-based Treasure Data appoints its first CISO and obtains ISO 27001 certification
http://itpro.nikkeibp.co.jp/atcl/news/17/030700729/?ST=security&itp_list_theme

1.5 million sites affected: lessons from the defacement campaign targeting WordPress
http://itpro.nikkeibp.co.jp/atcl/column/14/346926/030100866/?ST=security&itp_list_theme

Experience a 70 Gbps DDoS attack and real virus attacks first-hand with Spirent's test tool
http://itpro.nikkeibp.co.jp/atcl/news/17/030700737/?ST=security&itp_list_theme

Panasonic's new surveillance cameras strengthen IoT security with device certificates
http://itpro.nikkeibp.co.jp/atcl/news/17/030700735/?ST=security&itp_list_theme

Ashisuto adds automatic URL classification to its virtual browser for internet isolation
http://itpro.nikkeibp.co.jp/atcl/news/17/030600717/?ST=security&itp_list_theme

IIJ unveils its security operations center for the first time, renewed with the latest equipment
http://itpro.nikkeibp.co.jp/atcl/news/17/030600716/?ST=security&itp_list_theme

WikiLeaks publishes docs from what it says is trove of CIA hacking tools
http://www.linuxsecurity.com/content/view/170991/169/

Google’s ‘SHA-1 Countdown Clock’ Could Undermine Enterprise Security
http://www.linuxsecurity.com/content/view/170990/169/

Wikileaks Just Dumped a Cache of Information on Alleged CIA Hacking Tools
http://www.linuxsecurity.com/content/view/170969/169/

Put down the coffee, stop slacking your app chaps or whatever - and patch Wordpress
http://www.linuxsecurity.com/content/view/170968/169/

Monday, March 6, 2017

6th, Monday, Butsumetsu

+ Selenium Standalone Server 3.2.0 released
http://docs.seleniumhq.org/download/

+ Selenium IE Driver Server 3.2 released
https://raw.githubusercontent.com/SeleniumHQ/selenium/master/cpp/iedriverserver/CHANGELOG

+ Selenium Client & WebDriver 3.2.0 released
https://raw.githubusercontent.com/SeleniumHQ/selenium/master/java/CHANGELOG

+ Wireshark 2.2.5, 2.0.11 released
https://www.wireshark.org/docs/relnotes/wireshark-2.2.5.html
https://www.wireshark.org/docs/relnotes/wireshark-2.0.11.html

+ UPDATE: Cisco IOS for Catalyst 2960X and 3750X Switches Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170118-catalyst

+ UPDATE: Cisco Secure Access Control System Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs3

+ UPDATE: Cisco Secure Access Control System Open Redirect Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs2

+ SA75652 Zimbra Collaboration Server XML External Entity Denial of Service Vulnerability
https://secuniaresearch.flexerasoftware.com/advisories/75652/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9924

+ VMSA-2017-0002 Horizon DaaS update addresses an insecure data validation issue
http://www.vmware.com/security/advisories/VMSA-2017-0002.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4897

+ VMware Horizon DaaS Input Validation Flaw Lets Remote Users Access Devices and Drives on the Target System
http://www.securitytracker.com/id/1037951
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4897

+ Vim Buffer Overflows in Processing Undo Files Let Local Users Execute Arbitrary Code
http://www.securitytracker.com/id/1037949
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6349
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6350

+ OpenBSD Wifi WPA1/WPA2 Protocol Implementation Flaw Lets Remote Users Access and Modify Wifi Session Data
http://www.securitytracker.com/id/1037948

JNSA publishes the impact of, and countermeasures for, the now-practical "SHA-1 collision" attack
http://itpro.nikkeibp.co.jp/atcl/news/17/030300701/?ST=security&itp_list_theme

Follow-up on "payment in return for articles": Kyodo News does not change its position
http://itpro.nikkeibp.co.jp/atcl/news/17/030300703/?ST=security&itp_list_theme

Friday, March 3, 2017

3rd, Friday, Sensho

+ RHSA-2017:0396 Important: qemu-kvm security and bug fix update
https://rhn.redhat.com/errata/RHSA-2017-0396.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620

+ Zabbix 3.2.4, 3.0.8 released
http://repo.zabbix.com/zabbix/3.2/rhel/7/x86_64/?C=M;O=D
http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/?C=M;O=D

+ UPDATE: Cisco Secure Access Control System XML External Entity Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs1

+ UPDATE: Cisco Secure Access Control System Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-acs

+ UPDATE: Cisco Email Security Appliance SMTP Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161207-esa1

+ Apache Log4j 2.8.1 released
http://logging.apache.org/log4j/2.x/changes-report.html#a2.8.1

JVNDB-2017-000041 Buffer overflow vulnerability in multiple I-O DATA network camera products
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000041.html

JVNDB-2017-000040 OS command injection vulnerability in multiple I-O DATA network camera products
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000040.html

JVNDB-2017-000039 HTTP header injection vulnerability in multiple I-O DATA network camera products
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000039.html

Fear! The Dark Web
Can't be caught on the dark web? What an untraceable server configuration looks like
http://itpro.nikkeibp.co.jp/atcl/column/17/022700054/022700003/?ST=security&itp_list_theme

A new take: this is how to live with passwords
Is periodic password change meaningful?
http://itpro.nikkeibp.co.jp/atcl/column/17/022200042/030100003/?ST=security&itp_list_theme

"Bitdefender Box", a home IPS priced in the 10,000-yen range, automatically detects IoT device vulnerabilities
http://itpro.nikkeibp.co.jp/atcl/news/17/030200694/?ST=security&itp_list_theme

Thursday, March 2, 2017

2nd, Thursday, Shakko

+ RHSA-2017:0352 Important: qemu-kvm security update
https://rhn.redhat.com/errata/RHSA-2017-0352.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620

+ CESA-2017:0352 Important CentOS 6 qemu-kvm Security Update
https://lwn.net/Alerts/716024/

+ Cisco NetFlow Generation Appliance Stream Control Transmission Protocol Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170301-nga
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3826

+ UPDATE: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170130-openssl

+ Cisco Prime Infrastructure Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170301-cpi
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3848

+ UPDATE: Cisco Smart Install Protocol Misuse
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi

+ Samba 4.4.10 Available for Download
https://www.samba.org/samba/history/samba-4.4.10.html

JVNDB-2017-000033 Arbitrary DLL loading vulnerability in the PrimeDrive desktop application installer
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000033.html

JVNDB-2017-000034 Improper SSL server certificate validation vulnerability in the smartphone app "アクセスCX"
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000034.html

Security conversation skills that get the CEO to say "OK, I get it"
"Is this security investment really necessary?" Find the greatest common denominator of countermeasures
http://itpro.nikkeibp.co.jp/atcl/column/17/021400032/022200002/?ST=security&itp_list_theme

Fear! The Dark Web
What is the next cybercrime? Reading the signs from the goods traded on the dark web
http://itpro.nikkeibp.co.jp/atcl/column/17/022700054/022700002/?ST=security&itp_list_theme

Israel Report
Safer than Kabukicho? Israel today, as seen on a visit
http://itpro.nikkeibp.co.jp/atcl/column/17/022000038/022200006/?ST=security&itp_list_theme

A new take: this is how to live with passwords
The reality and potential of "FIDO", a passwordless authentication technology
http://itpro.nikkeibp.co.jp/atcl/column/17/022200042/030100002/?ST=security&itp_list_theme

Canon ITS revamps its "GUARDIANWALL" security product, targeting 10 billion yen by 2020
http://itpro.nikkeibp.co.jp/atcl/news/17/030100681/?ST=security&itp_list_theme

F5 launches dedicated appliances for SSL visibility and DDoS protection, the first of its new "Herculon" brand
http://itpro.nikkeibp.co.jp/atcl/news/17/030100674/?ST=security&itp_list_theme

JVNVU#95946252 Improper access restriction vulnerability in Sage XRT Treasury
http://jvn.jp/vu/JVNVU95946252/index.html

Wednesday, March 1, 2017

1st, Wednesday, Taian

+ RHSA-2017:0340 Low: Red Hat Enterprise Linux 5 One-Month Retirement Notice
https://rhn.redhat.com/errata/RHSA-2017-0340.html

+ UPDATE: Cisco AsyncOS Software for Cisco ESA and Cisco WSA Filtering Bypass Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170215-asyncos

+ Linux Kernel CVE-2017-6353 Incomplete Fix Local Denial of Service Vulnerability
http://www.securityfocus.com/bid/96473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6353

VU#742632 Sage XRT Treasury database fails to properly restrict access to authorized users
https://www.kb.cert.org/vuls/id/742632

JVNDB-2017-000037 SQL injection vulnerability in WBCE CMS
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000037.html

JVNDB-2017-000036 Directory traversal vulnerability in WBCE CMS
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000036.html

JVNDB-2017-000035 Cross-site scripting vulnerability in WBCE CMS
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000035.html

JVNDB-2017-000038 Directory traversal vulnerability in CubeCart
http://jvndb.jvn.jp/ja/contents/2017/JVNDB-2017-000038.html

Fear! The Dark Web
Fearing the dark web the right way: even Facebook is there
http://itpro.nikkeibp.co.jp/atcl/column/17/022700054/022700001/?ST=security&itp_list_theme

A new take: this is how to live with passwords
Over 100 passwords, centrally managed with a tool
http://itpro.nikkeibp.co.jp/atcl/column/17/022200042/022800001/?ST=security&itp_list_theme

Israel Report
The 60 hottest Israeli security startups
http://itpro.nikkeibp.co.jp/atcl/column/17/022000038/022000003/?ST=security&itp_list_theme