Arch-security

arch-security@lists.archlinux.org

November 2014

  • 2 participants
  • 33 discussions
[arch-security] [Arch Linux Security Advisory ASA-201411-3] mantisbt: sql injection
by Levente Polyak 05 Nov '14

Arch Linux Security Advisory ASA-201411-3
=========================================

Severity: Critical
Date    : 2014-11-05
CVE-ID  : CVE-2014-8554
Package : mantisbt
Type    : sql injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package mantisbt before version 1.2.17-3 is vulnerable to SQL injection.

Resolution
==========

Upgrade to 1.2.17-3.

# pacman -Syu "mantisbt>=1.2.17-3"

The problem has been fixed upstream [0] but no release version is available yet.

Workaround
==========

None.

Description
===========

Edwin Gozeling and Wim Visser discovered that when the project_id parameter of the SOAP request starts with the integer of a project to which the user (or anonymous) is authorized, the ENTIRE value will become the first item of $t_projects. As this value is concatenated in the SQL statement, SQL injection becomes possible.

Impact
======

A remote attacker is able to perform SQL injection via specially crafted SOAP requests. Depending on the configuration this can be escalated to code execution.

References
==========

[0] https://github.com/mantisbt/mantisbt/commit/99ffb0af
https://access.redhat.com/security/cve/CVE-2014-8554
http://seclists.org/oss-sec/2014/q4/478
https://bugs.archlinux.org/task/42683
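An added illustration (not MantisBT's code) of the pattern this advisory describes: an authorization check that only looks at the leading integer of project_id while the whole raw value is spliced into the SQL text, beside the strict-validation-plus-bound-parameter form that closes the hole. Python stands in for PHP here; lenient_leading_int models the behaviour of a lenient integer cast, and the table, project ids and function names are constructed for the example.

```python
import re
import sqlite3

AUTHORIZED_PROJECTS = {7, 12}  # constructed: projects this caller may read

def lenient_leading_int(value: str):
    """Models a lenient integer cast: it honours the leading digits and
    silently ignores whatever follows them (hypothetical helper)."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else None

def strict_int(value: str):
    """Accepts the value only if the WHOLE string is an integer."""
    return int(value) if re.fullmatch(r"[+-]?\d+", value) else None

def vulnerable_filter(project_id: str) -> str:
    """Hypothetical illustration of the advisory's flaw: authorization
    passes on the leading integer, but the ENTIRE raw value is then
    concatenated into the SQL text."""
    if lenient_leading_int(project_id) not in AUTHORIZED_PROJECTS:
        raise PermissionError("not authorized for this project")
    return f"SELECT id FROM bugs WHERE project_id IN ({project_id})"

def hardened_filter(project_id: str):
    """Validate the whole value as an integer, authorize that integer,
    and hand the SQL engine a bound parameter instead of spliced text."""
    pid = strict_int(project_id)
    if pid is None:
        raise ValueError("project_id must be a plain integer")
    if pid not in AUTHORIZED_PROJECTS:
        raise PermissionError("not authorized for this project")
    return "SELECT id FROM bugs WHERE project_id IN (?) ORDER BY id", (pid,)

def bug_ids_for(project_id: str) -> list:
    """Runs the hardened query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bugs (id INTEGER, project_id INTEGER)")
    conn.executemany("INSERT INTO bugs VALUES (?, ?)",
                     [(1, 7), (2, 7), (3, 12), (4, 99)])
    sql, params = hardened_filter(project_id)
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    # A value that starts with an authorized id but carries extra text passes
    # the lenient check and lands verbatim in the query; the strict path rejects it.
    print(vulnerable_filter("7 extra text"))
    print(bug_ids_for("7"))
```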
[arch-security] [Arch Linux Security Advisory ASA-201411-2] aircrack-ng: multiple vulnerabilities
by Levente Polyak 03 Nov '14

Arch Linux Security Advisory ASA-201411-2
=========================================

Severity: Critical
Date    : 2014-11-03
CVE-ID  : CVE-2014-8321, CVE-2014-8322, CVE-2014-8323, CVE-2014-8324
Package : aircrack-ng
Type    : multiple vulnerabilities
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package aircrack-ng before version 1.2rc1-1 is vulnerable to multiple security issues which may result in remote/local code execution, privilege escalation and denial of service.

Resolution
==========

Upgrade to 1.2rc1-1.

# pacman -Syu "aircrack-ng>=1.2rc1-1"

The problem has been fixed upstream in version 1.2rc1.

Workaround
==========

None.

Description
===========

Nick Sampanis discovered the following vulnerabilities:

- CVE-2014-8321 (code execution and privilege escalation)
  A stack overflow at airodump-ng gps_tracker() which may lead to code execution and privilege escalation.

- CVE-2014-8322 (remote code execution)
  A length parameter inconsistency at aireplay tcp_test() which may lead to remote code execution.

- CVE-2014-8323 (denial of service)
  A missing check for data format at buddy-ng which may lead to denial of service.

- CVE-2014-8324 (denial of service)
  A missing check for invalid values at airserv-ng net_get() which may lead to denial of service.

Impact
======

A remote attacker in an adjacent network is able to perform code execution, privilege escalation and denial of service via multiple vulnerabilities.

References
==========

http://www.securityfocus.com/archive/1/533869/30/0/threaded
https://access.redhat.com/security/cve/CVE-2014-8321
https://access.redhat.com/security/cve/CVE-2014-8322
https://access.redhat.com/security/cve/CVE-2014-8323
https://access.redhat.com/security/cve/CVE-2014-8324
https://github.com/aircrack-ng/aircrack-ng/commit/ff70494dd
https://github.com/aircrack-ng/aircrack-ng/commit/091b153f2
https://github.com/aircrack-ng/aircrack-ng/commit/da0872389
https://github.com/aircrack-ng/aircrack-ng/commit/88702a3ce
[arch-security] [Arch Linux Security Advisory ASA-201411-1] tnftp: arbitrary command execution
by Levente Polyak 01 Nov '14

Arch Linux Security Advisory ASA-201411-1
=========================================

Severity: High
Date    : 2014-11-01
CVE-ID  : CVE-2014-8517
Package : tnftp
Type    : arbitrary command execution
Remote  : No
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package tnftp before version 20141031-1 is vulnerable to arbitrary command execution.

Resolution
==========

Upgrade to 20141031-1.

# pacman -Syu "tnftp>=20141031-1"

The problem has been fixed upstream in version 20141031.

Workaround
==========

Specifying the output filename with -o when using tnftp with HTTP will prevent arbitrary command execution.

Description
===========

A malicious webserver can trick tnftp below 20141031 via HTTP redirects into executing arbitrary commands.

Impact
======

A malicious webserver can create an evil redirect which will execute arbitrary commands when a local user fetches that URL with tnftp.

References
==========

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8517
https://bugzilla.redhat.com/show_bug.cgi?id=1158286
https://bugs.archlinux.org/task/42646
http://seclists.org/oss-sec/2014/q4/459