Computer Security


IPv6 DoS
Published:24.08.2014
Source:
SecurityVulns ID:13925
Type:remote
Threat Level:
5/10
Description:Forged ICMPv6 PTB (Packet Too Big) messages can break communication between two hosts.
Original document: Fernando Gont, DoS attacks (ICMPv6-based) resulting from IPv6 EH drops (24.08.2014)

Apache OpenOffice security vulnerabilities
Published:24.08.2014
Source:
SecurityVulns ID:13926
Type:client
Threat Level:
8/10
Description:Code execution, information leakage.
Affected:LIBREOFFICE : OpenOffice 4.1
CVE:CVE-2014-357
 CVE-2014-3524 (Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet.)
Original document: APACHE, CVE-2014-3575: OpenOffice Targeted Data Exposure Using Crafted OLE Objects (24.08.2014)
 APACHE, CVE-2014-3524: Apache OpenOffice Calc Command Injection Vulnerability (24.08.2014)

OpenStack multiple security vulnerabilities
Published:24.08.2014
Source:
SecurityVulns ID:13927
Type:library
Threat Level:
6/10
Description:Ceilometer information leakage, Neutron information leakage and DoS, Glance DoS, Horizon cross-site scripting, Keystone restrictions bypass and privilege escalation, Nova timing attacks.
Affected:OPENSTACK : Nova 2014.1
 OPENSTACK : Neutron 2014.1
 OPENSTACK : PyCADF 0.5
 OPENSTACK : Ceilometer 2014.1
 OPENSTACK : Keystone 2014.1
 OPENSTACK : Horizon 2014.1
 OPENSTACK : Glance 2014.1
CVE:CVE-2014-5356 (OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4, 2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does not properly enforce the image_size_cap configuration option, which allows remote authenticated users to cause a denial of service (disk consumption) by uploading a large image.)
 CVE-2014-4615 (The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).)
 CVE-2014-3594 (Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.)
 CVE-2014-3555 (OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs.)
 CVE-2014-3517 (api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.)
 CVE-2014-3497 (Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header.)
 CVE-2014-3476 (OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.)
 CVE-2014-3475 (Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578.)
 CVE-2014-3474 (Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name.)
 CVE-2014-3473 (Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template.)
 CVE-2014-0187 (The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4 and 2014.1 before 2014.1.1 allows remote authenticated users to bypass security group restrictions via an invalid CIDR in a security group rule, which prevents further rules from being applied.)
 CVE-2013-6433 (The default configuration in the Red Hat openstack-neutron package before 2013.2.3-7 does not properly set a configuration file for rootwrap, which allows remote attackers to gain privileges via a crafted configuration file.)
Original document: UBUNTU, [USN-2311-2] OpenStack Ceilometer vulnerability (24.08.2014)
 UBUNTU, [USN-2321-1] OpenStack Neutron vulnerabilities (24.08.2014)
 UBUNTU, [USN-2322-1] OpenStack Glance vulnerability (24.08.2014)
 UBUNTU, [USN-2323-1] OpenStack Horizon vulnerabilities (24.08.2014)
 UBUNTU, [USN-2324-1] OpenStack Keystone vulnerabilities (24.08.2014)
 UBUNTU, [USN-2325-1] OpenStack Nova vulnerability (24.08.2014)

Ganeti weak permissions
Published:24.08.2014
Source:
SecurityVulns ID:13928
Type:local
Threat Level:
5/10
Description:Weak archive file permissions.
Affected:GANETI : Ganeti 2.10
Original document: Andrea Barisani, [oCERT-2014-006] Ganeti insecure archive permission (24.08.2014)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod