From US-CERT:
Bulletin (SB14-307) Vulnerability Summary for the Week of October 27, 2014
Items of note:
HIGH
f5 - big-ip: F5 BIG-IP Analytics 11.x before 11.4.0 uses a predictable session cookie, which makes it easier for remote attackers to have unspecified impact by guessing the value.
gnu - wget: Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
mcafee - network_data_loss_prevention (3)
1. The MySQL database in McAfee Network Data Loss Prevention (NDLP) before 9.3 does not require a password, which makes it easier for remote attackers to obtain access.
2. Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information, affect integrity, or cause a denial of service via unknown vectors, related to simultaneous logins.
3. McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to execute arbitrary code via vectors related to ICMP redirection.
php: Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.
python: The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.