Next Page >>
August
Due to negative response in previous report (`<bmsa200806.html>`_), Blue Moon Consulting decided not to report this bug to the vendor but contacted the Vietnam Computer Emergency Response Team -- VNCERT.
:Initial contact:
August 01, 2009: Initial security alert sent to office@vncert.vn, vncert@mpt.gov.vn, vncert@mic.gov.vn
:Co-ordinator response:
August 01, 2009: Operation team replied that it would be the point of contact for VNCERT.
. Novell iManager 2.7.4
6. *Vendor Information, Solutions and Workarounds*
Novell has a planned release of iManager 2.7.4 in August 2010; this
release should fix these issues. The Novell team notifies they will
provide patches for the current vulnerable versions with the 2.7.3
ftf4 release before August, but this release was not confirmed yet
(see the timeline for more details). In the meantime, users can
mitigate these flaws by applying these countermeasures:
Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.
:Initial vendor contact:
August 13, 2010: Notice sent to Ben Darnell.
:Vendor response:
August 13, 2010: Ben replied confirming the bug.
=============================================
INTERNET SECURITY AUDITORS ALERT 2010-007
- Original release date: August 11th, 2010
- Last revised: May 1st, 2011
- Discovered by: Vicente Aguilera Diaz
- Severity: 5.0/10 (CVSS Base Scored)
=============================================
I. VULNERABILITY
-------------------------
Core requests an update on the publication date of fixes, and
reschedules publication of its advisory to May 10th, 2011.
. 2011-04-26:
Vendor informs that it has tentatively scheduled this case for a
bulletin release on August 9, 2011, and is actively targeting this
date. Vendor requests Core to hold off on the advisory publication
until fixes are released.
. 2011-05-02:
Core agrees to reschedule the publication of its advisory for August
disclosure issue. That will be released in v1.6.1.
9. Report Timeline
----------------------------------------------------------------------------------------------
24th August 2009 - Andrew Horton at MorningStar Security notifies
Brandon Keep from Open Auto Classifieds of the vulnerabilities.
25th August 2009 - Brandon Keep from Open Auto Classifieds provides
fixes for the security vulnerabilities.
26th August 2009 - Open Auto Classifieds releases patched version 1.6.0
on FreshMeat.net
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12834-su9-us5.tar.z
Solaris x64/x86 [3.0.3 (a64.sol/211)]
ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12832-a64-sol.tar.z
Ingres r3 Vulnerability Updates Install Steps (August 1, 2008)
Unix/Linux:
1. Log on to your system using the installation owner account and
make sure the environment is set up correctly:
1. II_SYSTEM must be set to the Ingres system files
Status: Published
========
TimeLine
========
Discovered: 1 August 2006
Released: 1 August 2006
Approved: 1 August 2006
Reported: 1 August 2006
Fixed: 25 October 2007
Published: 29 October 2007
|--------------------+---------------------------------------------------|
| Severity | Moderate |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | August 7, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Wei Wang of McAfee AVERT Labs |
|--------------------+---------------------------------------------------|
| Posted On | August 7, 2007 |
|--------------------+---------------------------------------------------|
Description: Local buffer overflow vulnerability in McAfee Virus Scan
for Linux and Unix allows arbitrary code execution
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)
Date: August 15th, 2007
Severity: Low-Medium
References: http://www.devtarget.org/mcafee-advisory-08-2007.txt
|--------------------+---------------------------------------------------|
| Severity | Moderate |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | August 9, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Jon Moldenauer (bugs.digium.com user |
| | jmoldenhauer) |
|--------------------+---------------------------------------------------|
| Posted On | August 21, 2007 |
|--------------------+---------------------------------------------------|
| Severity | minor |
|--------------------+---------------------------------------------------|
| Exploits Known | No |
|--------------------+---------------------------------------------------|
| Reported On | August 23, 2007 |
|--------------------+---------------------------------------------------|
| Reported By | Kevin Stewart |
|--------------------+---------------------------------------------------|
| Posted On | August 24, 2007 |
|--------------------+---------------------------------------------------|
. 2010-07-02:
Core acknowledges receipt of the update, and reminds that although the
vulnerable code is owned by the IE team this also affects Office
(including 2010). Core offers to postpone publication of its advisory
from July 13th to August 10th on the basis of a firm commitment to a
release date from the vendor's side. Core informs that it is evaluating
the possibility of using Office killbit recently introduced by MS10-036
as a workaround, but that MS10-036 points to a knowledge base article
[2] that is no longer available.
=============================================
INTERNET SECURITY AUDITORS ALERT 2010-008
- Original release date: August 30th, 2010
- Last revised: September 21st, 2010
- Discovered by: Vicente Aguilera Diaz
- Severity: 4/10 (CVSSv2 Base Scored)
=============================================
I. VULNERABILITY
-------------------------
=============================================
INTERNET SECURITY AUDITORS ALERT 2010-009
- Original release date: August 30th, 2010
- Last revised: September 21st, 2010
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.3/10 (CVSSv2 Base Scored)
=============================================
I. VULNERABILITY
-------------------------
Product Name: Cisco Wireless Control System
Vendor: http://www.cisco.com
Date: 4 August, 2010
Author: tom@tomneaves.com <tom@tomneaves.com>
Original URL: http://www.tomneaves.com/Cisco_Wireless_Control_System_XSS.txt
Discovered: 8 July, 2010
Disclosed: 4 August, 2010
I. DESCRIPTION
Core requests an update about this report, and asks the vendor whether
it is still targeting the release of a patch in October at the earliest.
. 2010-06-25:
Vendor responds that it is now working agressively to ship a patch for
this issue on August 8th, 2010; and asks Core whether that would be an
acceptable timeline for a coordinated disclosure.
. 2010-06-25:
Core agrees to postpone publication of its advisory to August 10th,
2010; and communicates that the new publication date is final.
hook callback) the bug is in a different function than the original
issue and occurs due to a different, previously unknown, issue with
the window handle that the original fix does not address. A solid
timeline for general availability of patches is not yet available. The
July 2010 Patch Tuesday day is mentioned as tentative but the patch
release may slip to August.
. 2010-06-23:
Core says that its analysis coincides with the vendor's and therefore
it will treat the issue as a new vulnerability assigning
CORE-2010-0623 to the corresponding security advisory. The discoverer
CORRECTION:
===========
TPTI-10-07: SAP Crystal Reports 2008 GIOP Message Size Integer Overflow Remote Code Execution Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-10-07
August 11, 2010
==============
Should replace
==============
ZDI-10-151: SAP Crystal Reports 2008 GIOP Message Size Integer Overflow Remote Code Execution Vulnerability
# Vendor: OpenKM http://www.openkm.com/
# Subject: Privilege Escalation, Improper Access Control
# Risk: High
# Effect: Remotely exploitable
# Author: Cyrill Brunschwiler (cyrill.brunschwiler@csnc.ch)
# Date: August 6th 2011
#
########################################################################
##
Description:
Status: Published
========
TimeLine
========
Discovered: 26 August 2011
Released: 26 August 2011
Approved: 26 August 2011
Reported: 26 August 2011
Fixed: July 2011
Published: 5 January 2012
|----------------------+-------------------------------------------------|
| Reported On | July 27, 2009 |
|----------------------+-------------------------------------------------|
| Reported By | Marcus Hunger <hunger AT sipgate DOT de> |
|----------------------+-------------------------------------------------|
| Posted On | August 2, 2009 |
|----------------------+-------------------------------------------------|
| Last Updated On | August 2, 2009 |
|----------------------+-------------------------------------------------|
| Advisory Contact | Mark Michelson <mmichelson AT digium DOT com> |
|----------------------+-------------------------------------------------|
program@eth-0.nl
== eth0:2010 -- Call for Papers / Participation ==
Tuesday August 10th to Friday august 13th 2010
Location: Het Boshuis, Wieringerwerf, Netherlands
http://www.eth-0.nl
== Important Dates ==
Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033
CVE: CVE-2008-2939
|---------------------+--------------------------------------------------|
| Reported On | July 28, 2009 |
|---------------------+--------------------------------------------------|
| Reported By | Nick Baggott < nbaggott AT mudynamics DOT com > |
|---------------------+--------------------------------------------------|
| Posted On | August 10, 2009 |
|---------------------+--------------------------------------------------|
| Last Updated On | August 10, 2009 |
|---------------------+--------------------------------------------------|
| Advisory Contact | Tilghman Lesher < tlesher AT digium DOT com > |
|---------------------+--------------------------------------------------|
http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml
Revision 1.0
For Public Release 2009 August 18 1500 UTC (GMT)
- ---------------------------------------------------------------------
Summary
=======
http://hotelsolamar.com
SPECIAL DATES
August 4th, 2008 - Call for papers released
August 22nd, 2008 - First round of selection announced
August 29th, 2008 - Call for papers closes
September 5th, 2008 - Speaker & sponsor selection finalized
September 24th, 2008 - ToorCon training workshops start
September 26th, 2008 - ToorCon seminars & conference reception
http://hotelsolamar.com
SPECIAL DATES
August 4th, 2008 - Call for papers released
August 22nd, 2008 - First round of selection announced
August 29th, 2008 - Call for papers closes
September 5th, 2008 - Speaker & sponsor selection finalized
September 24th, 2008 - ToorCon training workshops start
September 26th, 2008 - ToorCon seminars & conference reception
victims to load of arbitrary URLs including the "asfunction" protocol
handler:
http://www.example.com/FLVPlayer_Progressive.swf?skinName=asfunction:getURL,javascript:alert(1)//
Adobe was contacted on August 8, 2007. This issue was fixed in the
December Flash player release.
Adobe Acrobat Connect/Macromedia Dreamweaver
"main.swf" is the controller file in all Connect/Breeze online
Application: Banner -- Student Services
Version: 7.3
Bug: Cross-site Request Forgery, cross site scripting
Exploitation: Remote, versus authenticated users
Discovery Date: August 21, 2007
Notification Date: August 22, 2007
Disclosure Date: January 29, 2008
Author: Brendan M. Hickey
Website: http://www.bhickey.net
Next Page>>
|
