(Jul 16) An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More…]
Posts Tagged security
(Jul 17) Updated kernel packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More…]
(Jul 17) Updated nss and nspr packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5. [More…]
(Dec 9) Update to 3.12.5. This update fixes the following security flaw:
CVE-2009-3555 TLS: MITM attacks via session renegotiation
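As an added illustration that is not part of the NSS or Red Hat update text: the flaw behind CVE-2009-3555 lets a man-in-the-middle splice a victim's TLS handshake onto a connection the attacker already opened, so the server treats the victim's first application bytes as a continuation of the attacker's. The Python below models the HTTP-layer consequence with constructed request bytes (the hostname, paths and cookie value are made up); it talks to no server and is not an exploit against any real site.

```python
"""Added example: what a server parses after a CVE-2009-3555 prefix injection.

Sequence modelled (attacker = MITM between victim and bank.example):
  1. attacker opens their own TLS session to the server and sends a partial
     HTTP request that ends in the middle of a header value;
  2. attacker triggers renegotiation and forwards the victim's real handshake;
  3. pre-RFC-5746 servers treat the victim's bytes as more data on the same
     connection, so the victim's request (with its cookie) lands inside the
     attacker's header and the attacker's request line is what gets executed.
All hostnames, paths and the cookie below are constructed for illustration.
"""

ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore-This: "  # deliberately no CRLF: the victim's request line lands here
)

VICTIM_REQUEST = (
    b"GET /account/summary HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)


def splice(prefix: bytes, victim: bytes) -> bytes:
    """Bytes the server reads from one connection once the victim's session
    has been renegotiated onto the attacker's."""
    return prefix + victim


def parse_request(raw: bytes):
    """Minimal HTTP/1.1 request parser: (method, path, {header-name: value}).
    Header names are lower-cased; a repeated header keeps the last value."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def demo():
    """Parse the spliced stream the way a vulnerable server would."""
    return parse_request(splice(ATTACKER_PREFIX, VICTIM_REQUEST))


if __name__ == "__main__":
    method, path, headers = demo()
    print(method, path)                      # attacker's request line is executed
    print("Cookie:", headers["cookie"])      # ... with the victim's session cookie
    print("Swallowed:", headers["x-ignore-this"])
```

The attacker never decrypts anything: the victim's cookie is attached to the attacker's request by the server's own parsing, which is why the fix has to live in TLS rather than in the application. RFC 5746's renegotiation_info extension binds the second handshake to the first so a spliced session is rejected; a server that cannot be updated should disable renegotiation entirely.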
(Jul 18) Updated glibc packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate [More…]
(Jul 17) Updated nss, nss-util, and nspr packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. [More…]
(Jul 24) Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux 6.0 Extended Update Support. The Red Hat Security Response Team has rated this update as having [More…]
(Jul 25) An updated perl-DBD-Pg package that fixes two security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate [More…]
(Dec 11) Moodle upstream has released the latest stable versions (1.9.7 and 1.8.11), fixing multiple security issues.

The list for the 1.9.7 release:

Security issues
* MSA-09-0022 – Multiple CSRF problems fixed
* MSA-09-0023 – Fixed user account disclosure in LAMS module
* MSA-09-0024 – Fixed insufficient access control in Glossary module
* MSA-09-0025 – Unneeded MD5 hashes removed from user table
* MSA-09-0026 – Fixed invalid application access control in MNET interface
* MSA-09-0027 – Ensured login information is always sent secured when using SSL for logins
* MSA-09-0028 – Passwords and secrets are no longer ever saved in backups; new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo control who can back up/restore user data; new checks in the security overview report help admins identify dangerous backup permissions
* MSA-09-0029 – A strong password policy is now enabled by default; enabling a password salt is encouraged in config.php; admins are forced to change their password after the upgrade and can force a password change on other users via Bulk user actions
* MSA-09-0030 – New detection of insecure Flash player plugins; Moodle won't serve Flash to insecure plugins
* MSA-09-0031 – Fixed SQL injection in SCORM module

The list for the 1.8.11 release:

Security issues
* MSA-09-0022 – Multiple CSRF problems fixed
* MSA-09-0023 – Fixed user account disclosure in LAMS module
* MSA-09-0024 – Fixed insufficient access control in Glossary module
* MSA-09-0025 – Unneeded MD5 hashes removed from user table
* MSA-09-0026 – Fixed invalid application access control in MNET interface
* MSA-09-0027 – Ensured login information is always sent secured when using SSL for logins
* MSA-09-0028 – Passwords and secrets are no longer ever saved in backups; new backup capabilities moodle/backup:userinfo and moodle/restore:userinfo control who can back up/restore user data
* MSA-09-0029 – Enabling a password salt is encouraged in config.php and admins are forced to change their password after the upgrade
* MSA-09-0031 – Fixed SQL injection in SCORM module

References:
http://docs.moodle.org/en/Moodle_1.9.7_release_notes
http://docs.moodle.org/en/Moodle_1.8.11_release_notes

CVE Request:
http://www.openwall.com/lists/oss-security/2009/12/06/1
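An added example (not Moodle's code) showing why MSA-09-0025 and MSA-09-0029 belong together: an unsalted MD5 hash in the user table can be matched against a lookup table the attacker builds once and reuses against every leaked database, and two users with the same password get the same hash. Moodle 1.9.7's remedy, a site-wide secret salt set in config.php as $CFG->passwordsaltmain and mixed into md5(), is modelled below next to a per-user random salt, which is the general form of the technique. The usernames, passwords, wordlist and salt value are constructed.

```python
"""Added example: unsalted vs. site-salted vs. per-user-salted password hashes.
The user table, wordlist and salt are constructed sample data; md5 is used
only because it is what the Moodle 1.9.x series hashed with at the time."""
import hashlib
import secrets

# Constructed sample data: plaintext passwords of four accounts and the
# attacker's small dictionary.  Two users share a weak password on purpose.
USERS = {"alice": "password123", "bob": "password123",
         "carol": "letmein", "dave": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123"]

# Constructed value standing in for $CFG->passwordsaltmain: a long random
# string kept in config.php, never in the database that might leak.
SITE_SALT = "constructed-site-salt-J7v2qP0xLm9sT4wZ"


def md5_unsalted(password: str) -> str:
    """Legacy scheme: the hash depends on the password alone."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_site_salted(password: str, site_salt: str) -> str:
    """Moodle 1.9.7 scheme: md5(password . site salt), salt held in config.php."""
    return hashlib.md5((password + site_salt).encode()).hexdigest()


def md5_user_salted(password: str, user_salt: str, site_salt: str) -> str:
    """General form: a unique per-user salt stored beside the hash, plus the
    site secret so a database-only leak still yields nothing lookup-able."""
    return hashlib.md5((user_salt + password + site_salt).encode()).hexdigest()


def new_user_salt() -> str:
    """Per-user salt: unique and random, but not secret."""
    return secrets.token_hex(8)


def precomputed_table(wordlist):
    """Attacker's table, built once offline and reused against every dump."""
    return {md5_unsalted(w): w for w in wordlist}


def crack(hashes: dict, table: dict) -> dict:
    """Return {username: password} for every stored hash found in the table."""
    return {user: table[h] for user, h in hashes.items() if h in table}


def leaked_unsalted_table() -> dict:
    return {u: md5_unsalted(p) for u, p in USERS.items()}


def leaked_site_salted_table() -> dict:
    return {u: md5_site_salted(p, SITE_SALT) for u, p in USERS.items()}


def leaked_user_salted_table() -> dict:
    table = {}
    for user, password in USERS.items():
        salt = new_user_salt()  # stored in the row next to the hash
        table[user] = (salt, md5_user_salted(password, salt, SITE_SALT))
    return table


def demo() -> dict:
    """Run the attacker's lookup against each storage scheme."""
    table = precomputed_table(WORDLIST)
    unsalted = leaked_unsalted_table()
    site_salted = leaked_site_salted_table()
    user_salted = leaked_user_salted_table()
    return {
        "cracked_unsalted": crack(unsalted, table),
        "cracked_site_salted": crack(site_salted, table),
        # same password visible as same hash?
        "alice_bob_same_unsalted": unsalted["alice"] == unsalted["bob"],
        "alice_bob_same_site_salted": site_salted["alice"] == site_salted["bob"],
        "alice_bob_same_user_salted": user_salted["alice"][1] == user_salted["bob"][1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The site salt defeats the offline lookup as long as config.php does not leak together with the database, which is why the release notes put it in config.php rather than in the user table; it still shows that alice and bob share a password, which only a per-user salt hides. A new design today would not use MD5 at all but a deliberately slow password hash such as bcrypt, scrypt or Argon2.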
(Jul 18) Updated glibc packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate [More…]
(Jul 23) Updated bind packages that fix one security issue are now available for Red Hat Enterprise Linux 4 Extended Life Cycle Support. The Red Hat Security Response Team has rated this update as having [More…]
[*] phpMyAdmin has been updated to version 3.4.10.2
[-] Includes functional fixes, stability improvements, and security updates – including for third-party products.
Parallels has become aware of as yet unsubstantiated claims of a security vulnerability in Parallels Plesk Panel version 10.4 and earlier. The goal of this communication is to make you aware of the situation.
Impact
Some recent vulnerability claims seem to be based on old vulnerabilities that have already been patched, but possibly where passwords were not completely reset or where customers changed back to old, vulnerable passwords. We are currently investigating this newly reported vulnerability in Plesk 10.4 and earlier. At this time the claims are unsubstantiated: we are unable to confirm this vulnerability and cannot confirm that it is limited to any specific operating system.
As always, Parallels strongly recommends that you keep your software up to date and upgrade to the latest version of Parallels Plesk Panel. Security has been one of the key areas of focus for Parallels Plesk Panel 11, released in June, and we will diligently continue to work on security going forward.
We will update the article http://kb.parallels.com/114330 as we learn more.
WordPress 3.4.1 is now available for download. WordPress 3.4 has been a very smooth release, and copies are flying off the shelf — 3 million downloads in two weeks! This maintenance release addresses 18 bugs with version 3.4, including: Fixes an issue where a theme’s page templates were sometimes not detected. Addresses problems with some category permalink […]
With cPanel & WHM 11.28 the ability for server owners to provide custom webmail applications was introduced. To demonstrate this feature we introduced the Atmail Open plugin. Recently Atmail Inc., the creators of Atmail Open, decided to no longer provide…
WordPress 3.3.2 is available now and is a security update for all previous versions. Three external libraries included in WordPress received security updates: Plupload (version 1.5.4), which WordPress uses for uploading media. SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins. SWFObject, which WordPress previously used to embed […]
- Project: Joomla!
- SubProject: All
- Severity: Low
- Versions: 2.5.3 and all earlier 2.5.x versions
- Exploit type: XSS Vulnerability
- Reported Date: 2012-February-3
- Fixed Date: 2012-April-2
Description
Inadequate filtering in update manager leads to XSS vulnerability.
Affected Installs
Joomla! versions 2.5.3 and all earlier 2.5.x versions
Solution
Upgrade to version 2.5.4
Reported by Alex Andreae
Contact
The JSST at the Joomla! Security Center.
- Project: Joomla!
- SubProject: All
- Severity: Low
- Versions: 2.5.3 and all earlier 2.5.x versions
- Exploit type: Information Disclosure
- Reported Date: 2012-January-7
- Fixed Date: 2012-April-2
Description
Inadequate permission checking allows unauthorised viewing of some administrative back end information.
Affected Installs
Joomla! versions 2.5.3 and all earlier 2.5.x versions
Solution
Upgrade to version 2.5.4
Reported by Cyrille Barthelemy
Contact
The JSST at the Joomla! Security Center.
The following bug has been fixed:
[-] Fixed moderate security issue in Courier IMAP server (#79692)
Rank  Company site  OS  Outage hh:mm:ss  Failed Req %  DNS […]
Social network Bebo is still inaccessible after an apparent technical error took the site offline yesterday.
The United States Department of Justice appears to be under attack for the second time since the popular MegaUpload file sharing site was taken down.
Plans by Anonymous to launch a distributed denial of service attack against www.governo.it were changed half an hour before the attack was scheduled to commence.
WordPress 3.3.1 is now available. This maintenance release fixes 15 issues with WordPress 3.3, as well as a fix for a cross-site scripting vulnerability that affected version 3.3. Thanks to Joshua H., Hoang T., Stefan Zimmerman, Chris K., and the Go Daddy security team for responsibly disclosing the bug to our security team. Download 3.3.1 or visit […]
We have published Security Update #3 for Parallels Plesk Panel 9.3.0, which fixes a PHP FastCGI vulnerability:
[-] Security issues that allowed an unauthenticated remote attacker to compromise the system and gain control over it were resolved.
Parallels Plesk Panel 9.5 is now available for downloads on Parallels PartnerNet.
http://www.parallels.com/partnernet/rtmdownloads/panel/
http://www.parallels.com/products/plesk95/
Changelog
1. [+] PCI Compliance: Parallels Plesk Panel can be made compliant with the Payment Card Industry Data Security Standard. This can be achieved by running a special PCI compliance resolver utility and additional tuning of system components, as described in the document Achieving PCI Compliance for Servers Managed by Parallels Plesk Panel 9.5. The document is available at http://www.parallels.com/products/plesk/docs/parallels-plesk-panel-9.5-pci-compliance/index.htm.
2. [+] Compatibility with Microsoft Internet Explorer 8: Parallels Plesk Panel is now compatible with Microsoft Internet Explorer 8.
3. [+] CloudLinux support: Parallels Plesk Panel can now work under CloudLinux operating system.
4. [+] Google Services for Websites support (beta): Parallels Plesk Panel 9.5 can now be easily integrated with Google Services for Websites. To learn more, refer to Parallels Plesk Panel 9.5 Administrator’s Guide at http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.5-administrators-guide/64635.htm.
5. [+] More virtualization solutions supported: Parallels Plesk Panel 9.5 can operate in virtual environments created by the following virtualization solutions: Parallels Virtuozzo Containers, Microsoft Hyper-V, Xen, and VMware. There are special licensing options for Parallels Panel software operating inside virtual environments. For more information about licensing options, contact your vendor or call the Parallels sales team. The phone numbers are listed at http://www.parallels.com/contact/.
6. [+] Upgraded components: phpMyAdmin to the version 2.9.11, and Horde Application Framework to the version 3.3.6.
7. [-] SpamAssassin spam filter incorrectly classified most of the messages delivered in the year 2010 as spam – issue resolved.
8. [-] Horde webmail did not open properly in Internet Explorer 8 – issue resolved.
9. [-] Cross-site scripting vulnerability was eliminated.
10. [-] A number of security issues were identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it – these issues were resolved.
11. [-] Migration failed if the /tmp file system was full – issue resolved. Now you can specify any other location for the temporary directory.
Linux/Unix-specific
12. [-] Migration of websites from Plesk Control Panel 7.5.4 to Parallels Plesk Panel 9.2.1 failed if the SpamAssassin spam filter was configured to remove spam e-mail – issue resolved.
13. [-] ProFTPD 1.3.1 was prone to a security vulnerability that allowed attackers to perform cross-site request forgery attacks – to resolve this issue, ProFTPD was upgraded to version 1.3.2e.
14. [-] If the temporary directory on the server was full, an FTP network error occurred on an attempt to move a file from FTP storage to the server repository – issue resolved.
15. [-] If, in Parallels Plesk Panel, there is a domain with the same name as server’s hostname, then a message sent to postmaster@$HOSTNAME is bounced back – issue resolved.
16. [-] During upgrade, the default client and domain template values were reset – issue resolved.
17. [-] Plesk 8.x key was not updated automatically to 9.x during product upgrade – issue resolved.
18. [-] After upgrade, the /var/qmail/control/me file contained only the hostname – issue resolved.
19. [-] Scheduled security scanning by Watchdog (System Monitoring) Module could not start – issue resolved.
20. [-] Postfix mail server occasionally failed to deliver some e-mail messages with the “Unprocessed command” errors – issue resolved.
21. [-] After upgrading Parallels Plesk Panel from versions 8.x to 9.x, scheduled backups could stop working – issue resolved.
22. [-] Web statistics were not calculated properly when the piped logs feature was switched on – issue resolved.
23. [-] The Watchdog (System Monitoring) Module showed security warnings (false positives) due to incorrect default configuration – issue resolved.
24. [+] Upgraded components: IceWarp (Merak) Mail Server to version 10, BIND DNS server to version 9.4.3-P4, PHP to version 5.2.13.
25. [+] It is now possible to specify an arbitrary temporary folder as a command-line parameter of the backup tool.
26. [*] Operation of Plesksrv.exe component was stabilized.
27. [-] The standard Parallels Plesk Panel configuration allowed extra information to be viewed (the webmail folder could be read) – issue resolved.
28. [-] If the temporary directory on the server was full, an FTP network error occurred on an attempt to move a file from FTP storage to the server repository – issue resolved.
29. [-] Parallels Plesk Panel hung on an attempt to remove domains with several mailboxes – issue resolved.
30. [-] Parallels Plesk Panel failed to install the DotNetNuke application on websites – issue resolved.