Security Updates from SECLISTS

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

[SECURITY] [DSA 4545-1] mediawiki security update

17 hours 30 min ago

Posted by Moritz Muehlenhoff on Oct 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-4545-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
October 18, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : mediawiki
CVE ID : CVE-2019-16738

It was...

[SECURITY] [DSA 4546-1] openjdk-11 security update

17 hours 35 min ago

Posted by Moritz Muehlenhoff on Oct 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-4546-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
October 20, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-11
CVE ID : CVE-2019-2894 CVE-2019-2945...

Trend Micro Anti-Threat Toolkit <= v1.62.0.1218 / Remote Code Execution 0day

17 hours 38 min ago

Posted by apparitionsec on Oct 21

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt
[+] ISR: Apparition Security

[Vendor]
www.trendmicro.com

[Product]
Trend Micro Anti-Threat Toolkit (ATTK)
1.62.0.1218 and below

Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and clean infections.
It can be...

[slackware-security] python (SSA:2019-293-01)

17 hours 42 min ago

Posted by Slackware Security Team on Oct 21

[slackware-security] python (SSA:2019-293-01)

New python packages are available for Slackware 14.0, 14.1, 14.2, and -current
to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/python-2.7.17-i586-1_slack14.2.txz: Upgraded.
This update fixes bugs and security issues:
Update vendorized expat library version to 2.2.8.
Disallow URL paths with embedded whitespace or...

[SECURITY] [DSA 4547-1] tcpdump security update

17 hours 46 min ago

Posted by Moritz Muehlenhoff on Oct 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-4547-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
October 21, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tcpdump
CVE ID : CVE-2018-10103 CVE-2018-10105...

[SECURITY] [DSA 4548-1] openjdk-8 security update

17 hours 50 min ago

Posted by Moritz Muehlenhoff on Oct 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-4548-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
October 21, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openjdk-8
CVE ID : CVE-2019-2894 CVE-2019-2945...

CA20191015-01: Security Notice for CA Performance Management

Thu, 10/17/2019 - 10:21

Posted by Kevin Kotas on Oct 17

CA20191015-01: Security Notice for CA Performance Management

Issued: October 15th, 2019
Last Updated: October 15th, 2019

CA Technologies, A Broadcom Company, is alerting customers to a
potential risk with CA Performance Management. A vulnerability exists
that can allow a remote attacker to execute arbitrary commands. CA
published solutions to address the vulnerabilities and recommends
that all affected customers implement these solutions.

The...

CVE-2019-5533 - VMware VeloCloud Authorization Bypass

Wed, 10/16/2019 - 16:19

Posted by Advisories on Oct 16

#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: VeloCloud
# Vendor: VMware
# CVE ID: CVE-2019-5533
# CSNC ID: CSNC-2019-007
# Subject: Authorization Bypass
# Risk:...

[SECURITY] [DSA 4509-3] apache2 security update

Wed, 10/16/2019 - 10:18

Posted by Salvatore Bonaccorso on Oct 16

-------------------------------------------------------------------------
Debian Security Advisory DSA-4509-3 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
October 15, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : apache2
CVE ID : CVE-2019-10092
Debian Bug :...

[SECURITY] [DSA 4544-1] unbound security update

Wed, 10/16/2019 - 10:14

Posted by Sebastien Delafond on Oct 16

-------------------------------------------------------------------------
Debian Security Advisory DSA-4544-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
October 16, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : unbound
CVE ID : CVE-2019-16866
Debian Bug :...

CVE-2019-3010 - Local privilege escalation on Solaris 11.x via xscreensaver

Wed, 10/16/2019 - 10:11

Posted by Marco Ivaldi on Oct 16

Dear Bugtraq,

Please find attached an advisory for the following vulnerability, fixed in Oracle's Critical Patch Update (CPU) of
October 2019:

"Exploitation of a design error vulnerability in xscreensaver, as distributed with Solaris 11.x, allows local attackers
to create (or append to) arbitrary files on the system, by abusing the -log command line switch introduced in version
5.06. This flaw can be leveraged to cause a denial of...

[SECURITY] [DSA 4543-1] sudo security update

Tue, 10/15/2019 - 03:27

Posted by Salvatore Bonaccorso on Oct 15

-------------------------------------------------------------------------
Debian Security Advisory DSA-4543-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
October 14, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : sudo
CVE ID : CVE-2019-14287
Debian Bug :...

[slackware-security] sudo (SSA:2019-287-01)

Tue, 10/15/2019 - 03:23

Posted by Slackware Security Team on Oct 15

[slackware-security] sudo (SSA:2019-287-01)

New sudo packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix a security issue.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/sudo-1.8.28-i586-1_slack14.2.txz: Upgraded.
Fixed a bug where a sudo user may be able to run a command as root when
the Runas specification explicitly disallows root access as long as the
ALL...

SEC Consult SA-20191014-0 :: Reflected XSS vulnerability in OpenProject

Mon, 10/14/2019 - 12:10

Posted by SEC Consult Vulnerability Lab on Oct 14

SEC Consult Vulnerability Lab Security Advisory < 20191014-0 >
=======================================================================
title: Reflected XSS vulnerability
product: OpenProject
vulnerable version: <= 9.0.3, <=10.0.1
fixed version: 9.0.4, 10.0.2
CVE number: CVE-2019-17092
impact: medium
homepage: https://www.openproject.org
found: 2019-09-27...

APPLE-SA-2019-10-11-1 Swift 5.1.1 for Ubuntu

Sun, 10/13/2019 - 17:53

Posted by Apple Product Security on Oct 13

APPLE-SA-2019-10-11-1 Swift 5.1.1 for Ubuntu

Swift 5.1.1 for Ubuntu is now available and addresses the following:

Foundation
Available for: Ubuntu 14.04, 16.04 and 18.04
Impact: Incorrect management of file descriptors in URLSession could
lead to inadvertent data disclosure
Description: This issue was addressed by updating incorrect
URLSession file descriptor management logic to match Swift 5.0.
CVE-2019-8790: Apple

Installation note:

Swift...

[SECURITY] [DSA 4539-3] openssl regression update

Sun, 10/13/2019 - 17:49

Posted by Salvatore Bonaccorso on Oct 13

-------------------------------------------------------------------------
Debian Security Advisory DSA-4539-3 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
October 13, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : openssl
Debian Bug : 941987

The update for openssl...

[SYSS-2019-033]: Microsoft Designer Bluetooth Desktop - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)

Thu, 10/10/2019 - 07:56

Posted by matthias . deeg on Oct 10

Advisory ID: SYSS-2019-033
Product: Designer Bluetooth Desktop
Manufacturer: Microsoft
Affected Version(s): n/a
Tested Version(s): n/a
Vulnerability Type: Insufficient Protection of Code (Firmware) and
Data (Cryptographic Key)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-07-31
Solution Date: -
Public Disclosure: 2019-10-10
CVE Reference: Not assigned yet
Author of Advisory: Matthias Deeg (SySS...

[SYSS-2019-034]: Microsoft Surface Keyboard - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)

Thu, 10/10/2019 - 07:53

Posted by matthias . deeg on Oct 10

Advisory ID: SYSS-2019-034
Product: Surface Keyboard
Manufacturer: Microsoft
Affected Version(s): WS2-00005
Tested Version(s): WS2-00005
Vulnerability Type: Insufficient Protection of Code (Firmware) and
Data (Cryptographic Key)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-07-31
Solution Date: -
Public Disclosure: 2019-10-10
CVE Reference: Not assigned yet
Author of Advisory: Matthias Deeg (SySS...

[SYSS-2019-035]: Microsoft Surface Mouse - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)

Thu, 10/10/2019 - 07:49

Posted by matthias . deeg on Oct 10

Advisory ID: SYSS-2019-035
Product: Surface Mouse
Manufacturer: Microsoft
Affected Version(s): WS3-00002
Tested Version(s): WS3-00002
Vulnerability Type: Insufficient Protection of Code (Firmware) and
Data (Cryptographic Key)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-07-31
Solution Date: -
Public Disclosure: 2019-10-10
CVE Reference: Not assigned yet
Author of Advisory: Matthias Deeg (SySS GmbH)...

PBS Professional MoM Authentication Bypass (CVE-2019-15719)

Wed, 10/09/2019 - 04:38

Posted by john on Oct 09

===========================================================
PBS Professional MoM Authentication Bypass (CVE-2019-15719)
===========================================================

* Software: PBS Professional
* Affected Versions: All versions up to and including 19.2.3
* Vendor: Altair Engineering, Inc
* CVE Reference: CVE-2019-15719
* Severity: CVSS 9.0 [CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H]
* Author: John Fitzpatrick
* Date: 2019-10-08...