1. Vulnerability in Cisco TelePresence MCU Software
[18/02/2015] Vulnerability was identified in the Cisco TelePresence MCU
Software. An attacker could bypass security restrictions, cause a denial of
service condition and crash the system. This vulnerability affects multiple
versions of the mentioned product. Security patches are available to resolve
this vulnerability.
URL:tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0621
URL:xforce.iss.net/xforce/xfdb/100936
2. Vulnerability in Image Metadata Cruncher plugin for WordPress (100926)
[18/02/2015] Vulnerability was identified in the Image Metadata Cruncher
plugin for WordPress. An attacker could bypass security restrictions, obtain
sensitive information, execute arbitrary code and perform cross-site scripting
attacks. The affected version was not specified.
URL:xforce.iss.net/xforce/xfdb/100926
3. Security Updates in Gentoo Linux (GLSA 201502-13)
[18/02/2015] Gentoo has released security update packages for fixing the
vulnerabilities identified in the chromium packages for multiple versions of
Gentoo Linux. Due to multiple errors, an attacker could bypass security
restrictions, obtain sensitive information, gain elevated privileges, execute
arbitrary code, cause a denial of service condition and compromise the system.
URL:security.gentoo.org/glsa/glsa-201502-13.xml
4. Security Updates in Mageia (MGASA-2015-0068, MGASA-2015-0069,
MGASA-2015-0070, MGASA-2015-0071, MGASA-2015-0072, MGASA-2015-0073)
[18/02/2015] Mageia has released security update packages for fixing the
vulnerabilities identified in the patch, postgresql9.0, postgresql9.1,
postgresql9.2, postgresql9.3, kernel, kernel-userspace-headers,
kmod-vboxadditions, kmod-virtualbox, kmod-xtables-addons, kmod-broadcom-wl,
kmod-fglrx, kmod-nvidia173, kmod-nvidia304, kmod-nvidia-current, dbus, glibc
and x11-server packages for multiple versions of Mageia. Due to multiple
errors, an attacker could bypass security restrictions, obtain sensitive
information, gain elevated privileges, execute arbitrary code, cause a denial
of service condition and compromise the system.
URL:advisories.mageia.org/MGASA-2015-0068.html
URL:advisories.mageia.org/MGASA-2015-0069.html
URL:advisories.mageia.org/MGASA-2015-0070.html
URL:advisories.mageia.org/MGASA-2015-0071.html
URL:advisories.mageia.org/MGASA-2015-0072.html
URL:advisories.mageia.org/MGASA-2015-0073.html
5. Security Updates in SUSE (SUSE-SU-2015:0298-1, SUSE-SU-2015:0304-1,
SUSE-SU-2015:0306-1)
[18/02/2015] SUSE has released security update packages for fixing the
vulnerabilities identified in the clamav, java-1_7_1-ibm and java-1_6_0-ibm
packages of SUSE Linux Enterprise 10, 11 and 12. Due to multiple errors, an
attacker could bypass security restrictions, obtain sensitive information, gain
elevated privileges, execute arbitrary code, cause a denial of service
condition and crash the system.
URL:lists.opensuse.org/opensuse-security-announce/2015-02/msg00020.html
URL:lists.opensuse.org/opensuse-security-announce/2015-02/msg00021.html
URL:lists.opensuse.org/opensuse-security-announce/2015-02/msg00022.html
6. Security Updates in Ubuntu GNU/Linux (USN-2500-1, USN-2501-1, USN-2502-1)
[18/02/2015] Ubuntu has released security update packages for fixing the
vulnerabilities identified in the xorg-server, xorg-server-lts-trusty,
xorg-server-lts-utopic, php5 and unzip packages for versions 12.04 LTS,
14.04 LTS and 14.10 of Ubuntu GNU/Linux. Due to multiple errors, an attacker
could bypass security restrictions, obtain sensitive information, execute
arbitrary code, cause a denial of service condition and crash the system.
URL:www.ubuntu.com/usn/usn-2500-1/
URL:www.ubuntu.com/usn/usn-2501-1/
URL:www.ubuntu.com/usn/usn-2502-1/
7. Vulnerabilities in Cisco Products
[17/02/2015] Vulnerabilities were identified in the Cisco ASR 5000 Series
Software, Cisco TelePresence Management Suite (TMS) and Cisco Adaptive Security
Appliance (ASA) Software. An attacker could bypass security restrictions, cause
a denial of service condition and crash the system. These vulnerabilities
affect multiple versions of the mentioned products. Security patches are
available to resolve these vulnerabilities.
URL:tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0617
URL:tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0620
URL:tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8023
8. Vulnerabilities in IBM WebSphere Application Server (1695392)
[17/02/2015] Vulnerabilities were identified in the IBM WebSphere Application
Server. An attacker could bypass security restrictions, gain elevated
privileges, obtain sensitive information, execute arbitrary code, perform
cross-site scripting attacks, cause a denial of service condition and
compromise the system. These vulnerabilities affect multiple versions of the
mentioned product. Security patches are available to resolve these
vulnerabilities.
URL:www-01.ibm.com/support/docview.wss?uid=swg21695392
URL:www.hkcert.org/my_url/en/alert/15021701
9. Vulnerability in Lexmark MarkVision Enterprise (TE677)
[17/02/2015] Vulnerability was identified in the Lexmark MarkVision
Enterprise. An attacker could bypass security restrictions, gain elevated
privileges, execute arbitrary code and compromise the system. This
vulnerability affects version 2.0 of the mentioned product. Security patches
are available to resolve this vulnerability.
URL:support.lexmark.com/index?page=content&id=TE677&locale=EN&userlocale=EN_US
URL:xforce.iss.net/xforce/xfdb/100913
10. Vulnerability in UNIT4 Prosoft HRMS (100903)
[17/02/2015] Vulnerability was identified in the UNIT4 Prosoft HRMS. An
attacker could bypass security restrictions, obtain sensitive information,
execute arbitrary code and perform cross-site scripting attacks. This
vulnerability affects versions prior to 8.14.330.43 of the mentioned product.
Security patches are available to resolve this vulnerability.
URL:xforce.iss.net/xforce/xfdb/100903
11. Security Updates in SUSE (SUSE-SU-2015:0290-1, SUSE-SU-2015:0290-2,
SUSE-SU-2015:0011-2, SUSE-SU-2015:0259-3)
[17/02/2015] SUSE has released security update packages for fixing the
vulnerabilities identified in the krb5, bind and ntp packages of SUSE Linux
Enterprise 11 and 12. Due to multiple errors, an attacker could bypass security
restrictions, obtain sensitive information, gain elevated privileges, execute
arbitrary code, perform brute-force attacks, cause a denial of service
condition and crash the system.
URL:lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html
URL:lists.opensuse.org/opensuse-security-announce/2015-02/msg00017.html
URL:lists.opensuse.org/opensuse-security-announce/2015-02/msg00018.html
URL:lists.opensuse.org/opensuse-security-announce/2015-02/msg00019.html
12. Security Updates in Slackware (SSA:2015-047-01, SSA:2015-047-02,
SSA:2015-047-03)
[17/02/2015] Slackware has released security update packages for fixing
the vulnerabilities identified in the patch, seamonkey and sudo packages for
multiple versions of Slackware Linux. Due to multiple errors, an attacker could
bypass security restrictions, obtain sensitive information, execute arbitrary
code, cause a denial of service condition and crash the application.
URL:www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.492777
URL:www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.503409
URL:www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.513277
13. Vulnerabilities in F5 Products (SOL16118, SOL16121, SOL16126, SOL16139)
[16/02/2015] Vulnerabilities were identified in the F5 BIG-IP LTM, BIG-IP
AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP Edge Gateway,
BIG-IP GTM, BIG-IP Link Controller, BIG-IP PEM, BIG-IP PSM, BIG-IP
WebAccelerator, BIG-IP WOM, ARX, Enterprise Manager, BIG-IQ Cloud, BIG-IQ
Device, BIG-IQ Security, BIG-IQ-ADC, LineRate and Traffix-SDC. An attacker could
bypass security restrictions, obtain sensitive information, gain elevated
privileges, cause a denial of service condition and crash the system. These
vulnerabilities affect multiple versions of the mentioned products. Security
patches are available to resolve these vulnerabilities.
URL:support.f5.com/kb/en-us/solutions/public/16000/100/sol16118.html
URL:support.f5.com/kb/en-us/solutions/public/16000/100/sol16121.html
URL:support.f5.com/kb/en-us/solutions/public/16000/100/sol16126.html
URL:support.f5.com/kb/en-us/solutions/public/16000/100/sol16139.html
14. Vulnerability in Novell NetIQ Sentinel (5200670)
[16/02/2015] Vulnerability was identified in the Novell NetIQ Sentinel. An
attacker could bypass security restrictions, obtain sensitive information,
execute arbitrary code, cause a denial of service condition and crash the
system. This vulnerability affects versions prior to 7.3 of the mentioned
product. Security patches are available to resolve this vulnerability.
URL:download.novell.com/Download?buildid=WA2o2ZIiUMM~
15. Vulnerabilities in Huawei Products (Huawei-SA-20150213-01-Smartphone,
HW-408044)
[16/02/2015] Vulnerabilities were identified in multiple Huawei products.
An attacker could bypass security restrictions, obtain sensitive information,
gain elevated privileges, execute arbitrary code, cause a denial of service
condition and crash the system. These vulnerabilities affect multiple firmware
versions of the mentioned products.
URL:www.huawei.com/en/security/psirt/security-bulletins/security-advisories/archive/hw-414289.htm
URL:www.huawei.com/en/security/psirt/security-bulletins/security-notices/archive/hw-408044.htm
16. Vulnerability in Henry Spencer regular expressions library (VU#695940)
[16/02/2015] Vulnerability was identified in the Henry Spencer regular
expressions (regex) C library. An attacker could bypass security restrictions
and execute arbitrary code. This vulnerability affects multiple versions of the
mentioned product. Security patches are available to resolve this
vulnerability.
URL:www.kb.cert.org/vuls/id/695940
17. Vulnerability in Linux ASLR implementation (100900)
[16/02/2015] Vulnerability was identified in the Linux ASLR
implementation. An attacker could bypass security restrictions and execute
arbitrary code. This vulnerability affects version 3.17 of the mentioned
product.
URL:xforce.iss.net/xforce/xfdb/100900
18. Vulnerability in Video Gallery plugin for WordPress (100876)
[16/02/2015] Vulnerability was identified in the Video Gallery plugin for
WordPress. An attacker could bypass security restrictions, execute arbitrary
code and perform code injection attacks. This vulnerability affects the
mentioned product for WordPress 2.7. Security patches are available to resolve
this vulnerability.
URL:xforce.iss.net/xforce/xfdb/100876
19. Security Updates in Gentoo Linux (GLSA 201502-10, GLSA 201502-11,
GLSA 201502-12)
[16/02/2015] Gentoo has released security update packages for fixing the
vulnerabilities identified in the libpng, GNU cpio, oracle jre and oracle jdk
packages for multiple versions of Gentoo Linux. Due to multiple errors, an
attacker could bypass security restrictions, obtain sensitive information,
execute arbitrary code, cause a denial of service condition and crash the
system.
URL:www.gentoo.org/security/en/glsa/glsa-201502-10.xml
URL:www.gentoo.org/security/en/glsa/glsa-201502-11.xml
URL:www.gentoo.org/security/en/glsa/glsa-201502-12.xml
20. Security Updates in Mageia (MGASA-2015-0065, MGASA-2015-0066,
MGASA-2015-0067)
[16/02/2015] Mageia has released security update packages for fixing the
vulnerabilities identified in the rsync, krb5 and cups packages for multiple
versions of Mageia. Due to multiple errors, an attacker could bypass security
restrictions, execute arbitrary code, perform impersonation attacks, cause a
denial of service condition and crash the system.
URL:advisories.mageia.org/MGASA-2015-0065.html
URL:advisories.mageia.org/MGASA-2015-0066.html
URL:advisories.mageia.org/MGASA-2015-0067.html
21. Security Updates in SUSE (openSUSE-SU-2015:0285-1, SUSE-SU-2015:0259-2)
[16/02/2015] SUSE has released security update packages for fixing the
vulnerabilities identified in the clamav package of openSUSE 13.1 and 13.2, and
ntp package of SUSE Linux Enterprise 11. Due to multiple errors, an attacker
could bypass security restrictions, obtain sensitive information, execute
arbitrary code, perform brute-force attacks, cause a denial of service
condition and crash the system.
URL:lists.opensuse.org/opensuse-security-announce/2015-02/msg00014.html
URL:lists.opensuse.org/opensuse-security-announce/2015-02/msg00015.html