
Ike.ninja

Linux Fun

Red Hat: 2013:1282-01: rtkit: Important Advisory

by Ike on September 27, 2013 at 2:24 am
Posted In: Other

(Sep 24) An updated rtkit package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having [More…]

└ Tags: Important Advisory, Red Hat, security, update

Red Hat: 2013:1283-01: puppet: Moderate Advisory

by Ike on September 27, 2013 at 2:24 am
Posted In: Other

(Sep 24) Updated puppet packages that fix several security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate [More…]

└ Tags: Moderate Advisory, Red Hat, security, update

IMPORTANT: cPanel Security Notice 2013-09-25: WordPress 3.6.1

by Ike on September 26, 2013 at 5:04 pm
Posted In: Community, cPanel, Hosting, News, security

SUMMARY

Three CVEs were reported for WordPress 3.6 and WordPress has released
an upgraded version to address these vulnerabilities. cPanel has
updated the WordPress version delivered via the cPAddons functionality
in WHM to the new version of 3.6.1.

AFFECTED VERSIONS
All versions of WordPress 3.6.0 and below.

SECURITY RATING
US-CERT/NIST has given the following severities for the WordPress
vulnerabilities:

CVE-2013-4338
CVSS v2 Base Score: 7.5 (HIGH)

CVE-2013-4339
CVSS v2 Base Score: 7.5 (HIGH)

CVE-2013-4340
CVSS v2 Base Score: 3.5 (LOW)

SOLUTION
cPanel, Inc. has updated the version of WordPress in the cPAddons
system to 3.6.1. The cPanel Security Team highly recommends that
all installations of WordPress be updated on your servers. The WHM
Admins can upgrade the installations of WordPress on their servers
using the Manage cPAddons Site Software functionality in WHM. cPanel
account users may also update from the WordPress link in the Site
Software section of their cPanel account interface.
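
To find the installations that still need the upgrade described above, the following added example (not part of the cPanel notice) walks a directory tree and reads each install's wp-includes/version.php. The /home default root and the helper names are assumptions of this example.

```python
import os
import re
import sys

FIXED = (3, 6, 1)  # release named in the notice as addressing the three CVEs
_VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", re.M)

def parse_version(php_source):
    """Return ((major, minor, patch), is_prerelease, raw) or None."""
    m = _VERSION_RE.search(php_source)
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1)) if m else None
    if not nums:
        return None
    parts = [int(p) for p in nums.group(0).split(".")][:3]
    parts += [0] * (3 - len(parts))            # '3.6' -> (3, 6, 0)
    prerelease = nums.end() < len(m.group(1))  # '3.6.1-RC1' has a suffix
    return tuple(parts), prerelease, m.group(1)

def find_outdated(root, fixed=FIXED):
    """Return sorted [(install_dir, version)] for installs older than fixed.
    Installs whose version cannot be read are reported as 'unknown'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "wp-includes" or "version.php" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "version.php"),
                      encoding="utf-8", errors="replace") as fh:
                parsed = parse_version(fh.read())
        except OSError:
            parsed = None
        install = os.path.dirname(dirpath)
        if parsed is None:
            hits.append((install, "unknown"))
        elif parsed[0] < fixed or (parsed[0] == fixed and parsed[1]):
            hits.append((install, parsed[2]))
    return sorted(hits)

if __name__ == "__main__":
    # /home is an assumed document-root parent; pass another path as argv[1].
    for install, version in find_outdated(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(f"{version:10} {install}")
```
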

REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4338

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4339

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4340

WordPress 3.6.1 Maintenance and Security Release

For the PGP signed message go here

└ Tags: Base Score, cPanel, CVSS, news, security, WHM

Wildcard EV certificates supported by major browsers

by Ike on September 26, 2013 at 2:30 pm
Posted In: security

Extended Validation, or EV, certificates are designed to provide evidence of a greater level of verification by the Certificate Authority of the legal identity of the company in control of the SSL certificate and domain name. By way of contrast, the most common type of certificate, domain-validated, only requires the CA to verify control of the domain name. Browsers display EV-specific cues within the user interface to highlight this additional verification: most notably, the company name is displayed in the address bar, often with a green padlock or a green bar.

An Extended Validation certificate for login.live.com in Google Chrome

EV certificates are subject to additional requirements, over and above those specified in the Baseline Requirements. As with the Baseline Requirements, the EV guidelines were drawn up by the CA/B forum, an industry group of both browser vendors and CAs. The EV guidelines prohibit EV certificates from using wildcards (i.e. www.example.com, mail.example.com, and paypal.example.com would all match *.example.com) and explicitly mention this restriction twice: “Wildcard certificates are not allowed for EV Certificates”.

Nevertheless, Verizon Business has chosen to test browsers’ approach to wildcard EV certificates by issuing a certificate to Accenture for *.cclearning.accenture.com. Verizon Business — which is not a member of the CA/B forum — is known for its maverick approach to certificate issuance, having issued certificates (including EV certificates) which violate the Baseline Requirements.

Despite the EV guidelines prohibiting wildcard EV certificate issuance, presently most major browsers fail to enforce this restriction. Google Chrome, Firefox, Internet Explorer, Opera, and Safari (Desktop) all retain the EV browser cues when visiting a website using this EV certificate.




Clockwise from top left: Google Chrome, Internet Explorer, Opera, and Firefox. All display the conventional EV browser cues.

The only exception was Safari — Desktop Safari displays the EV browser cues as normal, as do the remainder of the desktop browsers; however, Safari on iOS 7 does not display the EV UI.

Safari (Desktop)


Safari on iOS 7 does not display the conventional EV UI for the wildcard EV certificate. An example of the EV UI in iOS 7.
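
The check that the guidelines imply, and that most browsers above skip, can be written as a small lint. This is an added example, not code from Netcraft or any browser; it assumes the certificate's names and policy OIDs have already been extracted into a dict with a hypothetical layout, and the sample policy OID on the wildcard certificate is constructed because the article does not state which one it carried.

```python
CABF_EV_POLICY_OID = "2.23.140.1.1"  # CA/Browser Forum EV policy identifier

def _labels(name):
    return name.lower().rstrip(".").split(".")

def wildcard_matches(pattern, hostname):
    """Match a certificate name against a hostname; '*' covers exactly one
    leftmost label, so *.example.com matches www.example.com but not
    example.com or a.b.example.com."""
    p, h = _labels(pattern), _labels(hostname)
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]

def lint_ev(cert, ev_oids=frozenset({CABF_EV_POLICY_OID})):
    """Return (treat_as_ev, findings) for already-extracted certificate fields.

    cert is a dict with 'subject_cn', 'san_dns' and 'policy_oids' (hypothetical
    layout for this example). ev_oids is the set of policy OIDs the caller
    accepts as EV; CA-specific EV OIDs can be passed in by the caller.
    """
    claims_ev = any(oid in ev_oids for oid in cert.get("policy_oids", []))
    if not claims_ev:
        return False, []          # not EV at all: nothing to enforce here
    names = list(cert.get("san_dns", []))
    if cert.get("subject_cn"):
        names.append(cert["subject_cn"])
    wildcards = sorted({n.lower() for n in names if "*" in n})
    findings = ["EV certificate contains wildcard name: " + n for n in wildcards]
    return not findings, findings  # any wildcard name withdraws EV treatment

# Constructed samples: host names are from the article, policy OIDs are assumed.
SAMPLE_WILDCARD_EV = {
    "subject_cn": "*.cclearning.accenture.com",
    "san_dns": ["*.cclearning.accenture.com"],
    "policy_oids": [CABF_EV_POLICY_OID],
}
SAMPLE_PLAIN_EV = {
    "subject_cn": "login.live.com",
    "san_dns": ["login.live.com"],
    "policy_oids": [CABF_EV_POLICY_OID],
}

if __name__ == "__main__":
    for cert in (SAMPLE_WILDCARD_EV, SAMPLE_PLAIN_EV):
        print(cert["subject_cn"], lint_ev(cert))
```
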

Netcraft offers a Baseline Requirements checking service for CAs to provide third-party verification of Baseline Requirements conformance. For more information contact [email protected]

└ Tags: Baseline Requirements, Certificate Authority, EV, Google Chrome, security

Parallels Plesk Panel 11.5.30 MU#17

by Ike on September 26, 2013 at 11:34 am
Posted In: Plesk, Releases

The following features have been improved:

[+] Administrators can forbid renaming primary domains of subscriptions.

The primary domain of a subscription is the domain that you set when creating the subscription. The subscription’s name is the same as its primary domain name. Administrators can forbid customers to modify this name by selecting the corresponding option in Tools & Settings or by means of the command-line interface:
  • On Linux: plesk bin server_pref --update -forbid-subscription-rename true|false
  • On Windows: "%plesk_dir%\bin\server_pref.exe" --update -forbid-subscription-rename true|false
Note: Administrators can modify the names of customers’ subscriptions, even if this option is selected. By default, this option is not selected.
 
[+] The Horde webmail was upgraded to the version 5.1.4

The following issues have been fixed:

[-] Panel did not load proper SSL certificates for domains. (142545)

└ Tags: command, Parallels Plesk Panel, SSL, Tools Settings