Ike.ninja

xen: various flaws (#1685577) grant table transfer issues on large hosts [XSA-284] race with pass-through device hotplug [XSA-285] x86: steal_page violates page_struct access discipline [XSA-287] x86: Inconsistent PV IOMMU discipline [XSA-288] missing preemption in x86 PV page table unvalidation [XSA-290] x86/PV: page type reference counting issue with failed IOMMU update

new upstream version, to fix CVE-2018-10936

Francis McBratney discovered that the Windows Azure Linux Agent created swap files with world-readable permissions, resulting in information disclosure.

Ross Geerlings discovered that the XMLTooling library didn’t correctly handle exceptions on malformed XML declarations, which could result in denial of service against the application using XMLTooling.

WALinuxAgent could be made to expose sensitive information.

• Project: Joomla!
• SubProject: CMS
• Impact: Low
• Severity: Low
• Versions: 3.2.0 through 3.9.3
• Exploit type: XSS
• Reported Date: 2019-March-04
• Fixed Date: 2019-March-12
• CVE Number: CVE-2019-9712

Description

The JSON handler in com_config lacks input validation, leading to XSS vulnerability.

Affected Installs

Joomla! CMS versions 3.2.0 through 3.9.3

Solution

Upgrade to version 3.9.4

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Impact: Low
• Severity: Low
• Versions: 3.0.0 through 3.9.3
• Exploit type: XSS
• Reported Date: 2019-February-25
• Fixed Date: 2019-March-12
• CVE Number: CVE-2019-9714

Description

The media form field lacks escaping, leading to a XSS vulnerability.

Affected Installs

Joomla! CMS versions 3.2.0 through 3.9.3

Solution

Upgrade to version 3.9.4

Contact

The JSST at the Joomla! Security Centre.

Joomla 3.9.4 is now available. This is a security fix release for the 3.x series of Joomla which addresses 4 security vulnerabilities and contains 28 bug fixes and improvements.

An extremely convincing phishing attack that impersonates a multi-game skin trade bot appears to be using a fake Extended Validation TLS certificate to steal Steam accounts. The ongoing phishing attack impersonates TradeIt.gg, which facilitates the trading of skins, weapons and other in-game commodities within popular games like CS:GO, TF2 and DOTA. When a victim attempts […]

WordPress 5.1.1 is now available! This security and maintenance release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in 5.2. This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously […]