Hackin9
 
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

What's Your Biggest Infosec Fear?
Lifehacker Australia
It's an interesting question. When it comes to your business's information assets, security policies and defensive measures — what is it that makes your CSO or CISO lose sleep? Online data picture from Shutterstock. At the recent RSA Conference in ...

 

Anthem Breach Linked To Black Vine Group & Beijing InfoSec Firm
Dark Reading
Anthem Breach Linked To Black Vine Group & Beijing InfoSec Firm. Health insurer's breach of 80 million records attributed to 'well-resourced cyberespionage group' Black Vine. Could they also be behind breaches at OPM and United Airlines? The Anthem ...

 

Researchers have developed an attack that puts more than 50 percent of Android phones into the digital equivalent of a persistent vegetative state in which they're almost completely unresponsive and are unable to perform most functions, including making or receiving calls.

The vulnerability, which resides in the mediaserver service Android uses to index media files, can most easily be exploited by luring a vulnerable phone to a booby-trapped website. Presumably, the phone can be revived by restarting it, but according to a blog post published Wednesday by a researcher from security firm Trend Micro, the bug can also be exploited by malicious apps. In this latter scenario, the malicious app could be designed to automatically start each time the phone is turned on, causing it to crash shortly after each restart.

Trend Micro researcher Wish Wu wrote:


 
[security bulletin] HPSBGN03366 rev.1 - HP Business Process Insight with RC4 Stream Cipher, Remote Disclosure of Information
 
Cross-Site Scripting (XSS) in qTranslate WordPress Plugin
 
[security bulletin] HPSBGN03367 rev.1 - HP TransactionVision with RC4 Stream Cipher, Remote Disclosure of Information
 
 
LinuxSecurity.com: This update includes the latest stable release of **Apache Subversion**, version **1.8.13**. Three security vulnerabilities are fixed in this update:

* CVE-2015-0202: https://subversion.apache.org/security/CVE-2015-0202-advisory.txt
* CVE-2015-0248: https://subversion.apache.org/security/CVE-2015-0248-advisory.txt
* CVE-2015-0251: https://subversion.apache.org/security/CVE-2015-0251-advisory.txt

In addition, the following changes are included in the Subversion 1.8.13 update:

**Client-side bugfixes:**

* ra_serf: prevent abort of commits that have already succeeded
* ra_serf: support case-insensitivity in HTTP headers
* better error message if an external is shadowed
* ra_svn: fix reporting of directory read errors
* fix a redirect handling bug in 'svn log' over HTTP
* properly copy tree conflict information
* fix 'svn patch' output for reordered hunks http://subversion.tigris.org/issues/show_bug.cgi?id=4533
* svnrdump load: don't load wrong props with no-deltas dump http://subversion.tigris.org/issues/show_bug.cgi?id=4551
* fix working copy corruption with relative file external http://subversion.tigris.org/issues/show_bug.cgi?id=4411
* don't crash if config file is unreadable
* svn resolve: don't ask a question with only one answer
* fix assertion failure in svn move
* working copy performance improvements
* handle existing working copies which become externals
* fix recording of WC meta-data for foreign repos copies
* fix calculating repository path of replaced directories
* fix calculating repository path after commit of switched nodes
* svnrdump: don't provide HEAD+1 as base revision for deletes
* don't leave conflict markers on files that are moved
* avoid unnecessary subtree mergeinfo recording
* fix diff of a locally copied directory with props

**Server-side bugfixes:**

* fsfs: fix a problem verifying pre-1.4 repos used with 1.8
* svnadmin freeze: fix memory allocation error
* svnadmin load: tolerate invalid mergeinfo at r0
* svnadmin load: strip references to r1 from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4538
* svnsync: strip any r0 references from mergeinfo http://subversion.tigris.org/issues/show_bug.cgi?id=4476
* fsfs: reduce memory consumption when operating on dag nodes
* reject invalid get-location-segments requests in mod_dav_svn and svnserve
* mod_dav_svn: reject invalid txnprop change requests

**Client-side and server-side bugfixes:**

* fix undefined behaviour in string buffer routines
* fix consistency issues with APR r/w locks on Windows
* fix occasional SEGV if threads load DSOs in parallel
* properly duplicate svn error objects
* fix use-after-free in config parser
 
LinuxSecurity.com: Security fix for CVE-2015-3281
 
LinuxSecurity.com: **Release 1.1.2**

* Add new plugin hook 'identity_create_after' providing the ID of the inserted identity (#1490358)
* Add option to place signature at bottom of the quoted text even in top-posting mode [sig_below]
* Fix handling of %-encoded entities in mailto: URLs (#1490346)
* Fix zipped messages downloads after selecting all messages in a folder (#1490339)
* Fix vpopmaild driver of password plugin
* Fix PHP warning: Non-static method PEAR::setErrorHandling() should not be called statically (#1490343)
* Fix tables listing routine on mysql and postgres so it skips system or other database tables and views (#1490337)
* Fix message list header in classic skin on window resize in Internet Explorer (#1490213)
* Fix so text/calendar parts are listed as attachments even if not marked as such (#1490325)
* Fix lack of signature separator for plain text signatures in html mode (#1490352)
* Fix font artifact in Google Chrome on Windows (#1490353)
* Fix bug where forced extwin page reload could exit from the extwin mode (#1490350)
* Fix bug where some unrelated attachments in multipart/related message were not listed (#1490355)
* Fix mouseup event handling when dragging a list record (#1490359)
* Fix bug where preview_pane setting wasn't always saved into user preferences (#1490362)
* Fix bug where messages count was not updated after message move/delete with skip_deleted=false (#1490372)
* Fix security issue in contact photo handling (#1490379)
* Fix possible memcache/apc cache data consistency issues (#1490390)
* Fix bug where imap_conn_options were ignored in IMAP connection test (#1490392)
* Fix bug where some files could have "executable" extension when stored in temp folder (#1490377)
* Fix attached file path unsetting in database_attachments plugin (#1490393)
* Fix issues when using moduserprefs.sh without --user argument (#1490399)
* Fix potential info disclosure issue by protecting directory access (#1490378)
* Fix blank image in html_signature when saving identity changes (#1490412)
* Installer: Use openssl_random_pseudo_bytes() (if available) to generate des_key (#1490402)
* Fix XSS vulnerability in _mbox argument handling (#1490417)
 
LinuxSecurity.com: Security fix for CVE-2015-3281
 
LinuxSecurity.com: New upstream bug-fix release, which fixes CVE-2015-0839
 
LinuxSecurity.com: Update to 0.163. Hardening fixes. Updated eu-addr2line utility. Various bug fixes. Updated translations.
 
LinuxSecurity.com: Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security [More...]
 
LinuxSecurity.com: 10 Jul 2015, **PHP 5.6.11**

**Core:**

* Fixed bug #69768 (escapeshell*() doesn't cater to !). (cmb)
* Fixed bug #69703 (Use __builtin_clzl on PowerPC). (dja at axtens dot net, Kalle)
* Fixed bug #69732 (can induce segmentation fault with basic php code). (Dmitry)
* Fixed bug #69642 (Windows 10 reported as Windows 8). (Christian Wenz, Anatol Belski)
* Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation fault). (Christoph M. Becker)
* Fixed bug #69781 (phpinfo() reports Professional Editions of Windows 7/8/8.1/10 as "Business"). (Christian Wenz)
* Fixed bug #69740 (finally in generator (yield) swallows exception in iteration). (Nikita)
* Fixed bug #69835 (phpinfo() does not report many Windows SKUs). (Christian Wenz)
* Fixed bug #69892 (Different arrays compare identical due to integer key truncation). (Nikita)
* Fixed bug #69874 (Can't set empty additional_headers for mail()), regression from fix to bug #68776. (Yasuo)

**GD:**

* Fixed bug #61221 (imagegammacorrect function loses alpha channel). (cmb)

**GMP:**

* Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP number). (Nikita)

**PCRE:**

* Fixed Bug #53823 (preg_replace: * qualifier on unicode replace garbles the string). (cmb)
* Fixed bug #69864 (Segfault in preg_replace_callback) (cmb, ab)

**PDO_pgsql:**

* Fixed bug #69752 (PDOStatement::execute() leaks memory with DML Statements when closeCuror() is u). (Philip Hofstetter)
* Fixed bug #69362 (PDO-pgsql fails to connect if password contains a leading single quote). (Matteo)
* Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps). (Matteo)

**SimpleXML:**

* Refactored the fix for bug #66084 (simplexml_load_string() mangles empty node name). (Christoph Michael Becker)

**SPL:**

* Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error). (Stas)
* Fixed bug #67805 (SplFileObject setMaxLineLength). (Willian Gustavo Veiga)
* Fixed bug #69970 (Use-after-free vulnerability in spl_recursive_it_move_forward_ex()). (Laruence)

**Sqlite3:**

* Fixed bug #69972 (Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()). (Laruence)
 
LinuxSecurity.com: Security fix for CVE-2015-2059
 
LinuxSecurity.com: Security fix for CVE-2015-2059
 
LinuxSecurity.com: The update adds a patch for the security issue in bug 1241907.
 
phpFileManager 0.9.8 CSRF Backdoor Shell Vulnerability
 
FreeBSD Security Advisory FreeBSD-SA-15:17.bind
 
FreeBSD Security Advisory FreeBSD-SA-15:16.openssh
 
FreeBSD Security Advisory FreeBSD-SA-15:15.tcp
 
FreeBSD Security Advisory FreeBSD-SA-15:14.bsdpatch
 
[security bulletin] HPSBGN03372 rev.1 - HP Business Process Monitor using RC4, Remote Disclosure of Information
 