Security Updates from SECLISTS

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[slackware-security] php (SSA:2018-341-01)

Sun, 12/09/2018 - 22:26

Posted by Slackware Security Team on Dec 09

[slackware-security] php (SSA:2018-341-01)

New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
Several security bugs have been fixed in this release:
Segfault when using convert.quoted-printable-encode filter.
Null pointer dereference in imap_mail.
imap_open allows running arbitrary shell commands via...

[SECURITY] [DSA 4352-1] chromium-browser security update

Sun, 12/09/2018 - 22:23

Posted by Michael Gilbert on Dec 09

-------------------------------------------------------------------------
Debian Security Advisory DSA-4352-1 security () debian org
https://www.debian.org/security/ Michael Gilbert
December 07, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : chromium-browser
CVE ID : CVE-2018-17480...

[SECURITY] [DSA 4351-1] libphp-phpmailer security update

Sun, 12/09/2018 - 22:20

Posted by Salvatore Bonaccorso on Dec 09

-------------------------------------------------------------------------
Debian Security Advisory DSA-4351-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
December 07, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libphp-phpmailer
CVE ID : CVE-2018-19296
Debian Bug...

[SECURITY] [DSA 4350-1] policykit-1 security update

Thu, 12/06/2018 - 22:56

Posted by Moritz Muehlenhoff on Dec 06

-------------------------------------------------------------------------
Debian Security Advisory DSA-4350-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
December 06, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : policykit-1
CVE ID : CVE-2018-19788
Debian Bug...

APPLE-SA-2018-12-06-1 watchOS 5.1.2

Thu, 12/06/2018 - 22:52

Posted by Apple Product Security on Dec 06

APPLE-SA-2018-12-06-1 watchOS 5.1.2

watchOS 5.1.2 is now available and addresses the following:

Airport
Available for: Apple Watch Series 1 and later
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4303: Mohamed Ghannam (@_simo36)

Disk Images
Available for: Apple Watch Series 1 and later
Impact: An application may be able to execute...

[slackware-security] gnutls (SSA:2018-339-01)

Thu, 12/06/2018 - 04:40

Posted by Slackware Security Team on Dec 06

[slackware-security] gnutls (SSA:2018-339-01)

New gnutls packages are available for Slackware 14.2 and -current to
fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/gnutls-3.6.5-i586-1_slack14.2.txz: Upgraded.
This update fixes a security issue:
Bleichenbacher-like side channel leakage in PKCS#1 1.5 verification and
padding oracle verification.
For more...

[slackware-security] nettle (SSA:2018-339-02)

Thu, 12/06/2018 - 04:36

Posted by Slackware Security Team on Dec 06

[slackware-security] nettle (SSA:2018-339-02)

New nettle packages are available for Slackware 14.2 and -current to
fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
This update fixes a security issue:
A Bleichenbacher type side-channel based padding oracle attack was found
in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5
data. An attacker who is able to run...

APPLE-SA-2018-12-05-7 Shortcuts 2.1.2

Wed, 12/05/2018 - 21:42

Posted by Apple Product Security on Dec 05

APPLE-SA-2018-12-05-7 Shortcuts 2.1.2

Shortcuts 2.1.2 is now available and addresses the following:

This update has no published CVE entries. We would like to
acknowledge Micah A for their assistance.

Installation note:

Shortcuts 2.1.2 for iOS may be obtained from the App Store.

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT201222

This message is signed with Apple's Product...

APPLE-SA-2018-12-05-6 iCloud for Windows 7.9

Wed, 12/05/2018 - 21:36

Posted by Apple Product Security on Dec 05

APPLE-SA-2018-12-05-6 iCloud for Windows 7.9

iCloud for Windows 7.9 is now available and addresses the following:

Safari
Available for: Windows 7 and later
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A logic issue was addressed with improved state
management.
CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab
(xlab.tencent.com)

Safari
Available for: Windows 7 and later
Impact: Visiting a malicious...

SEC Consult SA-20181205-0 :: Inadequate cryptography implementation in Kerio Control VPN protocol

Wed, 12/05/2018 - 21:35

Posted by SEC Consult Vulnerability Lab on Dec 05

SEC Consult Vulnerability Lab Security Advisory < 20181205-0 >
=======================================================================
title: Inadequate cryptography implementation
product: Kerio Control VPN protocol
vulnerable version: <=9.2.7
fixed version: 9.2.8
CVE number: -
impact: High
homepage: http://www.kerio.com/products/kerio-control
found: 2018-10...

APPLE-SA-2018-12-05-3 tvOS 12.1.1

Wed, 12/05/2018 - 21:34

Posted by Apple Product Security on Dec 05

APPLE-SA-2018-12-05-3 tvOS 12.1.1

tvOS 12.1.1 is now available and addresses the following:

Airport
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4303: Mohamed Ghannam (@_simo36)

Disk Images
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be...

APPLE-SA-2018-12-05-5 iTunes 12.9.2 for Windows

Wed, 12/05/2018 - 21:33

Posted by Apple Product Security on Dec 05

APPLE-SA-2018-12-05-5 iTunes 12.9.2 for Windows

iTunes 12.9.2 for Windows is now available and addresses the
following:

Safari
Available for: Windows 7 and later
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A logic issue was addressed with improved state
management.
CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab
(xlab.tencent.com)

Safari
Available for: Windows 7 and later
Impact: Visiting a...

APPLE-SA-2018-12-05-4 Safari 12.0.2

Wed, 12/05/2018 - 21:26

Posted by Apple Product Security on Dec 05

APPLE-SA-2018-12-05-4 Safari 12.0.2

Safari 12.0.2 is now available and addresses the following:

Safari
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
macOS Mojave 10.14.1
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A logic issue was addressed with improved state
management.
CVE-2018-4440: Wenxu Wu of Tencent Security Xuanwu Lab
(xlab.tencent.com)

Safari
Available for: macOS Sierra...

APPLE-SA-2018-12-05-1 iOS 12.1.1

Wed, 12/05/2018 - 21:23

Posted by Apple Product Security on Dec 05

APPLE-SA-2018-12-05-1 iOS 12.1.1

iOS 12.1.1 is now available and addresses the following:

Airport
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2018-4303: Mohamed Ghannam (@_simo36)

Disk Images
Available for: iPhone 5s and later, iPad Air and later, and...

APPLE-SA-2018-12-05-2 macOS Mojave 10.14.2, Security Update 2018-003 High Sierra, Security Update 2018-006 Sierra

Wed, 12/05/2018 - 21:20

Posted by Apple Product Security on Dec 05

APPLE-SA-2018-12-05-2 macOS Mojave 10.14.2, Security Update
2018-003 High Sierra, Security Update 2018-006 Sierra

macOS Mojave 10.14.2, Security Update 2018-003 High Sierra,
Security Update 2018-006 Sierra are now available
and address the following:

Airport
Available for: macOS Mojave 10.14.1
Impact: A malicious application may be able to elevate privileges
Description: A type confusion issue was addressed with improved
memory handling....

Hasan MWB v1.0 - Multiple Time-Based SQL Injections

Tue, 12/04/2018 - 22:08

Posted by Socket_0x03 on Dec 04

===================================================
Hasan MWB v1.0 - Multiple Time-Based SQL Injections
===================================================

FreeBSD Security Advisory FreeBSD-SA-18:14.bhyve

Tue, 12/04/2018 - 22:04

Posted by FreeBSD Security Advisories on Dec 04

=============================================================================
FreeBSD-SA-18:14.bhyve Security Advisory
The FreeBSD Project

Topic: Insufficient bounds checking in bhyve(8) device model

Category: core
Module: bhyve
Announced: 2018-12-04
Credits: Reno Robert
Affects: All supported versions of...

[slackware-security] mozilla-nss (SSA:2018-337-01)

Tue, 12/04/2018 - 01:32

Posted by Slackware Security Team on Dec 03

[slackware-security] mozilla-nss (SSA:2018-337-01)

New mozilla-nss packages are available for Slackware 14.0, 14.1, 14.2,
and -current to fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/mozilla-nss-3.40.1-i586-1_slack14.2.txz: Upgraded.
Upgraded to nss-3.40.1 and nspr-4.20.
Mitigate cache side-channel variant of the Bleichenbacher attack.
For more information,...

CSRF Vulnerability in MicroStrategy Web application

Sun, 12/02/2018 - 22:26

Posted by wissam . bashour on Dec 02

#####################################
Title: Cross-Site Request Forgery (CSRF) Vulnerability in MicroStrategy Web application allows modifying user's
preferences.
Author: Wissam Bashour
Vendor: MicroStrategy
Product: MicroStrategy Web
Version: All versions below 10.4.0026.0049
Tested Version: Version 10.4.0026.0049
Severity: HIGH
CVE Reference: CVE-2018-18696

# About the Product:
MicroStrategy provides software solutions and expert...

[SECURITY] [DSA 4349-1] tiff security update

Sun, 12/02/2018 - 22:22

Posted by Moritz Muehlenhoff on Dec 02

-------------------------------------------------------------------------
Debian Security Advisory DSA-4349-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
November 30, 2018 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2017-11613 CVE-2017-17095...
