Newest Plugins

Solaris 10 (sparc) : 138195-04


Synopsis:

The remote host is missing Sun Security Patch number 138195-04

Description:

Service Tags 1.0: patch for Solaris 10.
Date this patch was last updated by Sun : Mar/19/10

See also :

https://getupdates.oracle.com/readme/138195-04

Solution :

You should install this patch for your system to be up-to-date.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Scientific Linux Security Update : glibc on SL5.x, SL6.x i386/x86_64


Synopsis:

The remote Scientific Linux host is missing one or more security
updates.

Description:

An off-by-one heap-based buffer overflow flaw was found in glibc's
internal __gconv_translit_find() function. An attacker able to make an
application call the iconv_open() function with a specially crafted
argument could possibly use this flaw to execute arbitrary code with
the privileges of that application. (CVE-2014-5119)

A directory traversal flaw was found in the way glibc loaded locale
files. An attacker able to make an application use a specially crafted
locale name value (for example, specified in an LC_* environment
variable) could possibly use this flaw to execute arbitrary code with
the privileges of that application. (CVE-2014-0475)

See also :

http://www.nessus.org/u?9824d4c7

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

RHEL 5 / 6 / 7 : glibc (RHSA-2014:1110)


Synopsis:

The remote Red Hat host is missing one or more security updates.

Description:

Updated glibc packages that fix two security issues are now available
for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The glibc packages contain the standard C libraries used by multiple
programs on the system. These packages contain the standard C and the
standard math libraries. Without these two libraries, a Linux system
cannot function properly.

An off-by-one heap-based buffer overflow flaw was found in glibc's
internal __gconv_translit_find() function. An attacker able to make an
application call the iconv_open() function with a specially crafted
argument could possibly use this flaw to execute arbitrary code with
the privileges of that application. (CVE-2014-5119)

A directory traversal flaw was found in the way glibc loaded locale
files. An attacker able to make an application use a specially crafted
locale name value (for example, specified in an LC_* environment
variable) could possibly use this flaw to execute arbitrary code with
the privileges of that application. (CVE-2014-0475)

Red Hat would like to thank Stephane Chazelas for reporting
CVE-2014-0475.

All glibc users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2014-0475.html
https://www.redhat.com/security/data/cve/CVE-2014-5119.html
https://access.redhat.com/solutions/1176253
http://rhn.redhat.com/errata/RHSA-2014-1110.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Oracle Linux 5 / 6 / 7 : glibc (ELSA-2014-1110)


Synopsis:

The remote Oracle Linux host is missing one or more security updates.

Description:

From Red Hat Security Advisory 2014:1110 :

Updated glibc packages that fix two security issues are now available
for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The glibc packages contain the standard C libraries used by multiple
programs on the system. These packages contain the standard C and the
standard math libraries. Without these two libraries, a Linux system
cannot function properly.

An off-by-one heap-based buffer overflow flaw was found in glibc's
internal __gconv_translit_find() function. An attacker able to make an
application call the iconv_open() function with a specially crafted
argument could possibly use this flaw to execute arbitrary code with
the privileges of that application. (CVE-2014-5119)

A directory traversal flaw was found in the way glibc loaded locale
files. An attacker able to make an application use a specially crafted
locale name value (for example, specified in an LC_* environment
variable) could possibly use this flaw to execute arbitrary code with
the privileges of that application. (CVE-2014-0475)

Red Hat would like to thank Stephane Chazelas for reporting
CVE-2014-0475.

All glibc users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.

See also :

https://oss.oracle.com/pipermail/el-errata/2014-August/004389.html
https://oss.oracle.com/pipermail/el-errata/2014-August/004390.html
https://oss.oracle.com/pipermail/el-errata/2014-August/004391.html

Solution :

Update the affected glibc packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-18 : NRPE: Multiple Vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-18
(NRPE: Multiple Vulnerabilities)

Multiple vulnerabilities have been discovered in NRPE. Please review the
CVE identifiers referenced below for details.

Impact :

A remote attacker can utilize multiple vectors to execute arbitrary
code.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-18.xml

Solution :

All NRPE users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-analyzer/nrpe-2.15'

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-17 : QEMU: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-17
(QEMU: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in QEMU. Please review the
CVE identifiers referenced below for details.

Impact :

A local attacker could possibly execute arbitrary code with the
privileges of the process, or cause a Denial of
Service condition.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-17.xml

Solution :

All QEMU users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=app-emulation/qemu-2.0.0-r1'

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-16 : Chromium: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-16
(Chromium: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in Chromium. Please review
the CVE identifiers referenced below for details.

Impact :

A remote attacker could conduct a number of attacks which include: cross
site scripting attacks, bypassing of sandbox protection, potential
execution of arbitrary code with the privileges of the process, or cause
a Denial of Service condition.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-16.xml

Solution :

All chromium users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-client/chromium-37.0.2062.94'

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-15 : PostgreSQL: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-15
(PostgreSQL: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in PostgreSQL. Please
review the CVE identifiers referenced below for details.

Impact :

A remote authenticated attacker may be able to create a Denial of
Service condition, bypass security restrictions, or have other
unspecified impact.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-15.xml

Solution :

All PostgreSQL 9.3 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/postgresql-server-9.3.3'
All PostgreSQL 9.2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/postgresql-server-9.2.7'
All PostgreSQL 9.1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/postgresql-server-9.1.12'
All PostgreSQL 9.0 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/postgresql-server-9.0.16'
All PostgreSQL 8.4 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-db/postgresql-server-8.4.20'

Risk factor :

High / CVSS Base Score : 8.5
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-14 : stunnel: Information disclosure


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-14
(stunnel: Information disclosure)

stunnel does not properly update the state of the pseudo-random
generator after fork-threading which causes subsequent children with the
same process ID to use the same entropy pool. ECDSA and DSA keys, when
not used in deterministic mode (RFC6979), rely on random data for their k
parameter to not leak private key information.

Impact :

A remote attacker may gain access to private key information from ECDSA
or DSA keys.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-14.xml

Solution :

All stunnel users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=net-misc/stunnel-5.02'

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-13 : Jinja2: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-13
(Jinja2: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in Jinja2. Please review
the CVE identifiers referenced below for details.

Impact :

A local attacker could gain escalated privileges via a specially crafted
cache file or pre-created temporary directory.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-13.xml

Solution :

All Jinja2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-python/jinja-2.7.3'

Risk factor :

Medium / CVSS Base Score : 4.4
(CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 3.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-12 : Apache HTTP Server: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-12
(Apache HTTP Server: Multiple vulnerabilities)

Multiple vulnerabilities have been found in Apache HTTP Server. Please
review the CVE identifiers referenced below for details.

Impact :

A remote attacker could send a specially crafted request to possibly
execute arbitrary code, cause Denial of Service, or obtain sensitive
information.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-12.xml

Solution :

All Apache HTTP Server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=www-servers/apache-2.2.27-r4'

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-11 : PHP: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-11
(PHP: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.

Impact :

A context-dependent attacker can cause arbitrary code execution, create
a Denial of Service condition, read or write arbitrary files, impersonate
other servers, hijack a web session, or have other unspecified impact.
Additionally, a local attacker could gain escalated privileges.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-11.xml

Solution :

All PHP 5.5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-lang/php-5.5.16'
All PHP 5.4 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-lang/php-5.4.32'
All PHP 5.3 users should upgrade to the latest version. This release
marks the end of life of the PHP 5.3 series. Future releases of this
series are not planned. All PHP 5.3 users are encouraged to upgrade to
the current stable version of PHP 5.5 or previous stable version of PHP
5.4, which are supported till at least 2016 and 2015 respectively.
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-lang/php-5.3.29'

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-10 : Libgcrypt: Side-channel attack


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-10
(Libgcrypt: Side-channel attack)

A vulnerability in the implementation of ElGamal decryption procedures
of Libgcrypt leaks information to various side-channels.

Impact :

A physical side-channel attack allows a remote attacker to fully extract
decryption keys during the decryption of a chosen ciphertext.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-10.xml

Solution :

All Libgcrypt users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-libs/libgcrypt-1.5.4'

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 1.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-09 : GNU Libtasn1: Multiple vulnerabilities


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-09
(GNU Libtasn1: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in GNU Libtasn1. Please
review the CVE identifiers referenced below for details.

Impact :

A context-dependent attacker could possibly cause a Denial of Service
condition.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-09.xml

Solution :

All GNU Libtasn1 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-libs/libtasn1-3.6'
Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2014 Tenable Network Security, Inc.

GLSA-201408-08 : file: Denial of Service


Synopsis:

The remote Gentoo host is missing one or more security-related
patches.

Description:

The remote host is affected by the vulnerability described in GLSA-201408-08
(file: Denial of Service)

The BEGIN regular expression in the awk script detector in
magic/Magdir/commands uses multiple wildcards with unlimited repetitions.

Impact :

A context-dependent attacker could entice a user to open a specially
crafted file, possibly resulting in a Denial of Service condition.

Workaround :

There is no known workaround at this time.

See also :

http://www.gentoo.org/security/en/glsa/glsa-201408-08.xml

Solution :

All file users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=sys-apps/file-5.15'

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : kernel-3.15.10-201.fc20 (2014-9959)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update contains an important fix for NFS and a security fix for
isofs CVE-2014-5471 and CVE-2014-5472.

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1134099
http://www.nessus.org/u?8f349e10

Solution :

Update the affected kernel package.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : zarafa-7.1.10-4.fc20 (2014-9754)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Fixed multiple incorrect default permissions (CVE-2014-5447,
CVE-2014-5448 and CVE-2014-5449)

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1133439
http://www.nessus.org/u?eb328207

Solution :

Update the affected zarafa package.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : cas-client-3.3.3-1.fc20 (2014-9662)


Synopsis:

The remote Fedora host is missing a security update.

Description:

- update to 3.3.3

- fix CVE-2014-4172 (rhbz#1131371)

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1131350
http://www.nessus.org/u?a83c5260

Solution :

Update the affected cas-client package.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : springframework-security-3.1.7-1.fc20 (2014-9648)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Security fix for CVE-2014-3527

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1131359
http://www.nessus.org/u?c03d352e

Solution :

Update the affected springframework-security package.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 19 : springframework-security-3.1.7-1.fc19 (2014-9646)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Security fix for CVE-2014-3527

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1131359
http://www.nessus.org/u?067f60fc

Solution :

Update the affected springframework-security package.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 19 : distcc-3.2rc1-4.fc19 (2014-9632)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Fix CVE-2014-4607 by upgrading to minilzo 2.08

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1112418
http://www.nessus.org/u?bd6755f8

Solution :

Update the affected distcc package.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 19 : httpcomponents-client-4.2.5-4.fc19 (2014-9629)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Security fix for CVE-2014-3577

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1129074
http://www.nessus.org/u?8c63b231

Solution :

Update the affected httpcomponents-client package.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : httpcomponents-client-4.2.5-4.fc20 (2014-9617)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Security fix for CVE-2014-3577

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1129074
http://www.nessus.org/u?a00de90f

Solution :

Update the affected httpcomponents-client package.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : distcc-3.2rc1-8.fc20 (2014-9591)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Fix CVE-2014-4607 by upgrading to minilzo 2.08

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1112418
http://www.nessus.org/u?89c3df0e

Solution :

Update the affected distcc package.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 19 : ppp-2.4.5-33.fc19 (2014-9401)


Synopsis:

The remote Fedora host is missing a security update.

Description:

Security fix for CVE-2014-3158

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1128748
http://www.nessus.org/u?db75ca48

Solution :

Update the affected ppp package.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 19 : pixman-0.30.0-5.fc19 (2014-9399)


Synopsis:

The remote Fedora host is missing a security update.

Description:

fix tests on big endians CVE-2013-6425, added patches from
https://bugzilla.redhat.com/show_bug.cgi?id=1043743

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1037975
https://bugzilla.redhat.com/show_bug.cgi?id=1043743
http://www.nessus.org/u?b78a900d

Solution :

Update the affected pixman package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : gvfs-1.18.3-3.fc20 / ifuse-1.1.3-3.fc20 / libgpod-0.8.3-2.fc20 / etc (2014-9092)


Synopsis:

The remote Fedora host is missing one or more security updates.

Description:

Add support for devices running iOS7

Fixes CVE-2013-2142: libimobiledevice: Insecure temporary file use
when both $XDG_CONFIG_HOME and $HOME are unset

http://www.openwall.com/lists/oss-security/2013/06/04/11

See also :

http://www.openwall.com/lists/oss-security/2013/06/04/11
https://bugzilla.redhat.com/show_bug.cgi?id=970172
http://www.nessus.org/u?c44f194f
http://www.nessus.org/u?ca426f1a
http://www.nessus.org/u?1b409518
http://www.nessus.org/u?403256e6
http://www.nessus.org/u?8e15708f
http://www.nessus.org/u?5e43f1ae
http://www.nessus.org/u?17c55f4b
http://www.nessus.org/u?860d384e

Solution :

Update the affected packages.

Risk factor :

Low / CVSS Base Score : 3.3
(CVSS2#AV:L/AC:M/Au:N/C:N/I:P/A:P)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

CentOS 5 / 6 / 7 : glibc (CESA-2014:1110)


Synopsis:

The remote CentOS host is missing one or more security updates.

Description:

Updated glibc packages that fix two security issues are now available
for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The glibc packages contain the standard C libraries used by multiple
programs on the system. These packages contain the standard C and the
standard math libraries. Without these two libraries, a Linux system
cannot function properly.

An off-by-one heap-based buffer overflow flaw was found in glibc's
internal __gconv_translit_find() function. An attacker able to make an
application call the iconv_open() function with a specially crafted
argument could possibly use this flaw to execute arbitrary code with
the privileges of that application. (CVE-2014-5119)

A directory traversal flaw was found in the way glibc loaded locale
files. An attacker able to make an application use a specially crafted
locale name value (for example, specified in an LC_* environment
variable) could possibly use this flaw to execute arbitrary code with
the privileges of that application. (CVE-2014-0475)

Red Hat would like to thank Stephane Chazelas for reporting
CVE-2014-0475.

All glibc users are advised to upgrade to these updated packages,
which contain backported patches to correct these issues.

See also :

http://www.nessus.org/u?0b883b3e
http://www.nessus.org/u?042285a0
http://www.nessus.org/u?64e0d14f

Solution :

Update the affected glibc packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5.3 Multiple Vulnerabilities


Synopsis:

The remote application server may be affected by multiple
vulnerabilities.

Description:

The remote host appears to be running IBM WebSphere Application Server
8.5 prior to Fix Pack 8.5.5.3. It is, therefore, affected by the
following vulnerabilities :

- A flaw exists in the Elliptic Curve Digital Signature
Algorithm implementation which could allow a malicious
process to recover ECDSA nonces.
(CVE-2014-0076, PI19700)

- A denial of service flaw exists in 'mod_log_config'
when logging a cookie with an unassigned value. A remote
attacker, using a specially crafted request, can cause
the program to crash. (CVE-2014-0098, PI13028)

- A denial of service flaw exists within the IBM Security
Access Manager for Web with the Reverse Proxy component.
This could allow a remote attacker, using specially
crafted TLS traffic, to cause the application on the
system to become unresponsive. (CVE-2014-0963, PI17025)

- An information disclosure flaw exists when handling SOAP
responses. This could allow a remote attacker to
potentially gain access to sensitive information.
(CVE-2014-0965, PI11434)

- An information disclosure flaw exists. A remote
attacker, using a specially crafted URL, could gain
access to potentially sensitive information.
(CVE-2014-3022, PI09594)

- A flaw exists within the 'addFileRegistryAccount'
Virtual Member Manager SPI Admin Task, which creates
improper accounts. This could allow a remote attacker
to bypass security checks. (CVE-2014-3070, PI16765)

- An unspecified information disclosure flaw exists. This
could allow a remote attacker to gain access to sensitive
information. (CVE-2014-3083, PI17768)

- An information disclosure flaw exists within the
'share/classes/sun/security/rsa/RSACore.java' class
related to 'RSA blinding' caused during operations using
private keys and measuring timing differences. This
could allow a remote attacker to gain information about
used keys. (CVE-2014-4244)

- A flaw exists within the 'validateDHPublicKey' function
in the 'share/classes/sun/security/util/KeyUtil.java'
class which is triggered during the validation of
Diffie-Hellman public key parameters. This could allow a
remote attacker to recover a key. (CVE-2014-4263)

- A flaw exists within the Load Balancer for IPv4
Dispatcher component. This could allow a remote attacker
to crash the Load Balancer. (CVE-2014-4764, PI21189)

- A flaw exists within the Liberty Repository when
installing features. This could allow an authenticated
remote attacker to install and execute arbitrary code.
(CVE-2014-4767, PI21284)

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg24038133
http://www-01.ibm.com/support/docview.wss?uid=swg27036319#8553
https://www-304.ibm.com/support/docview.wss?uid=swg21681249
https://www-304.ibm.com/support/docview.wss?uid=swg21680418

Solution :

Apply Fix Pack 8.5.5.3 for version 8.5 (8.5.0.0) or later.

Risk factor :

High / CVSS Base Score : 7.1
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.2
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Kaspersky Internet Security Heartbeat Information Disclosure (Heartbleed)


Synopsis:

The remote host has software installed that is affected by an
information disclosure vulnerability.

Description:

The remote host has a version of Kaspersky Internet Security (KIS)
installed that is missing a vendor patch. It is, therefore, affected
by an information disclosure vulnerability.

An out-of-bounds read error, known as the 'Heartbleed Bug', exists
related to handling TLS heartbeat extensions that could allow an
attacker to obtain sensitive information such as primary key material,
secondary key material, and other protected content.

See also :

http://support.kaspersky.com/10235#block1
http://support.kaspersky.com/us/8049#patches
http://www.heartbleed.com

Solution :

Upgrade to Kaspersky Internet Security 13.0.1.4190 Patch K /
14.0.0.4651 Patch G or later.

In the case of other versions, please contact the vendor for guidance.

Risk factor :

High / CVSS Base Score : 9.4
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N)
CVSS Temporal Score : 8.2
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Ubuntu 10.04 LTS / 12.04 LTS / 14.04 : eglibc vulnerability (USN-2328-1)


Synopsis:

The remote Ubuntu host is missing a security-related patch.

Description:

Tavis Ormandy and John Haxby discovered that the GNU C Library
contained an off-by-one error when performing transliteration module
loading. A local attacker could exploit this to gain administrative
privileges. (CVE-2014-5119)

USN-2306-1 fixed vulnerabilities in the GNU C Library. On Ubuntu 10.04
LTS and Ubuntu 12.04 LTS the security update for CVE-2014-0475 caused
a regression with localplt on PowerPC. This update fixes the problem.
We apologize for the inconvenience.

Solution :

Update the affected libc6 package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Ubuntu Security Notice (C) 2014 Canonical, Inc. / NASL script (C) 2014 Tenable Network Security, Inc.

SuSE 11.3 Security Update : MySQL (SAT Patch Number 9624)


Synopsis:

The remote SuSE 11 host is missing one or more security updates.

Description:

This MySQL update provides the following :

- upgrade to version 5.5.39, [bnc#887580]

- CVEs fixed: (CVE-2014-2484 / CVE-2014-4258 /
CVE-2014-4260 / CVE-2014-2494 / CVE-2014-4238 /
CVE-2014-4207 / CVE-2014-4233 / CVE-2014-4240 /
CVE-2014-4214 / CVE-2014-4243) See also:
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

See also :

https://bugzilla.novell.com/show_bug.cgi?id=887580
http://support.novell.com/security/cve/CVE-2014-2484.html
http://support.novell.com/security/cve/CVE-2014-2494.html
http://support.novell.com/security/cve/CVE-2014-4207.html
http://support.novell.com/security/cve/CVE-2014-4214.html
http://support.novell.com/security/cve/CVE-2014-4233.html
http://support.novell.com/security/cve/CVE-2014-4238.html
http://support.novell.com/security/cve/CVE-2014-4240.html
http://support.novell.com/security/cve/CVE-2014-4243.html
http://support.novell.com/security/cve/CVE-2014-4258.html
http://support.novell.com/security/cve/CVE-2014-4260.html

Solution :

Apply SAT patch number 9624.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

SuSE 11.3 Security Update : gpgme (SAT Patch Number 9644)


Synopsis:

The remote SuSE 11 host is missing one or more security updates.

Description:

This gpgme update fixes the following security issue :

- Fix possible overflow in gpgsm and uiserver engines
(CVE-2014-3564). (bnc#890123)

See also :

https://bugzilla.novell.com/show_bug.cgi?id=890123
http://support.novell.com/security/cve/CVE-2014-3564.html

Solution :

Apply SAT patch number 9644.

Risk factor :

High

This script is Copyright (C) 2014 Tenable Network Security, Inc.

openSUSE Security Update : phpMyAdmin (openSUSE-SU-2014:1069-1)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

This phpMyAdmin update addresses several security and non security
issues :

- This is a phpMyAdmin version upgrade (bnc#892401) :

(From 4.1.14.3) :

- sf#4501 [security] XSS in table browse page
(CVE-2014-5273)

- sf#4502 [security] Self-XSS in enum value editor
(CVE-2014-5273)

- sf#4503 [security] Self-XSSes in monitor (CVE-2014-5273)

- sf#4505 [security] XSS in view operations page
(CVE-2014-5274)

- sf#4504 [security] Self-XSS in query charts
(CVE-2014-5273)

- sf#4517 [security] XSS in relation view (CVE-2014-5273)

(From 4.1.14.2) :

- sf#4488 [security] XSS injection due to unescaped table
name (triggers) (CVE-2014-4955)

- sf#4492 [security] XSS in AJAX confirmation messages
(CVE-2014-4986)

- sf#4491 [security] Missing validation for accessing User
groups feature (CVE-2014-4987)

(From 4.1.14.1) :

- sf#4464 [security] XSS injection due to unescaped
db/table name in navigation hiding (CVE-2014-4349)

(From 4.1.14.0 through 4.1.9.0) :

- Numerous non-security bugfixes are listed at
https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_1_14/ChangeLog

See also :

http://lists.opensuse.org/opensuse-updates/2014-08/msg00045.html
https://bugzilla.novell.com/show_bug.cgi?id=892401
https://github.com/phpmyadmin/phpmyadmin/blob/MAINT_4_1_14/ChangeLog

Solution :

Update the affected phpMyAdmin package.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

openSUSE Security Update : python3 (openSUSE-SU-2014:1070-1)


Synopsis:

The remote openSUSE host is missing a security update.

Description:

This python3 update fixes the following security and non security
issues :

- CGIHTTPServer file disclosure and directory traversal
through URL-encoded characters (CVE-2014-4650,
bnc#885882)

- DoS on ssl.match_hostname via a crafted certificate with
too many wildcards (CVE-2013-2099, bnc#886001)

- fix import_failed hook file names

See also :

http://lists.opensuse.org/opensuse-updates/2014-08/msg00046.html
https://bugzilla.novell.com/show_bug.cgi?id=885882
https://bugzilla.novell.com/show_bug.cgi?id=886001

Solution :

Update the affected python3 packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : glibc-2.18-14.fc20 (2014-9824)


Synopsis:

The remote Fedora host is missing a security update.

Description:

- Locale names, including those obtained from environment
variables (LANG and the LC_* variables), are more
tightly checked for proper syntax. setlocale will now
fail (with EINVAL) for locale names that are overly
long, contain slashes without starting with a slash, or
contain '..' path components. (CVE-2014-0475)
Previously, some valid locale names were silently
replaced with the 'C' locale when running in AT_SECURE
mode (e.g., in a SUID program). This is no longer
necessary because of the additional checks.

- Support for loadable gconv transliteration modules has
been removed because it did not work at all. Regular
gconv conversion modules are still supported.
(CVE-2014-5119)

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1102353
https://bugzilla.redhat.com/show_bug.cgi?id=1129743
http://www.nessus.org/u?cbef587b

Solution :

Update the affected glibc package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : gtk3-3.10.9-2.fc20 (2014-9794)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update fixes an issue that could lead to opening a cascade of
menus on top of menus when holding down the menu key.

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1064695
http://www.nessus.org/u?b19a633e

Solution :

Update the affected gtk3 package.

Risk factor :

Medium / CVSS Base Score : 6.6
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:N)
CVSS Temporal Score : 6.6
(CVSS2#E:ND/RL:U/RC:ND)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : subversion-1.8.10-1.fc20 (2014-9636)


Synopsis:

The remote Fedora host is missing a security update.

Description:

This update includes the latest stable release of **Apache
Subversion**, version **1.8.10**.

**Client-side bugfixes:**

- guard against md5 hash collisions when finding cached
credentials

- ra_serf: properly match wildcards in SSL certs.

- ra_serf: ignore the CommonName in SSL certs where
there are Subject Alt Names

- ra_serf: fix a URI escaping bug that prevented
deleting locked paths

- rm: Display the proper URL when deleting a URL in the
commit log editor

- log: Fix another instance of broken pipe error

- copy: Properly handle props not present or excluded on
cross wc copy

- copy: Fix copying parents of locally deleted nodes
between wcs

- externals: Properly delete ancestor directories of
externals when removing the external by changing
svn:externals.

- ra_serf: fix memory lifetime of some hash values

**Server-side bugfixes:**

- fsfs: omit config file when creating pre-1.5 format
repos

**Bindings:**

- ruby: removing warning about Ruby 1.9 support being new.

- python: fix notify_func callbacks

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=1125800
https://bugzilla.redhat.com/show_bug.cgi?id=1128884
https://bugzilla.redhat.com/show_bug.cgi?id=1129100
http://www.nessus.org/u?ede7be2c

Solution :

Update the affected subversion package.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 3.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Fedora 20 : GraphicsMagick-1.3.20-1.fc20 (2014-9596)


Synopsis:

The remote Fedora host is missing a security update.

Description:

New stable upstream release, patched for CVE-2014-1947. See also:
http://www.graphicsmagick.org/NEWS.html#august-16-2014

See also :

http://www.graphicsmagick.org/NEWS.html#august-16-2014
https://bugzilla.redhat.com/show_bug.cgi?id=1064098
http://www.nessus.org/u?a96d0e01

Solution :

Update the affected GraphicsMagick package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

This script is Copyright (C) 2014 Tenable Network Security, Inc.