Welcome to the Network Security website at the IAS

This website is intended to bring you the latest news, how to's, tools and resources in Information Security.  Security Awareness of our Faculty, Members and Staff is key in creating a safer computing environment.

The three major Principles of Information Security, Availability, Integrity and Confidentiality, will be covered throughout the security awareness program at the Institute.  For a description of these principles, please see our About section.

In keeping with the spirit of the Institute, I encourage questions and open discussions about security.  And if you discover anything out of the ordinary, please feel free to bring it to my attention so that we can work together to create a more productive, safer environment.

Thanks,
Brian Epstein <security@ias.edu>
twitter: @epepepep


Apache HTTP Server (httpd) 2.2.15 Released - includes security fixes

http://www.apache.org/dist/httpd/Announcement2.2.html

Version 2.2.15 fixes these three vulnerabilities.

* important: mod_isapi module unload flaw CVE-2010-0425 (Windows)
* low: Subrequest handling of request headers (mod_headers) CVE-2010-0434
* moderate: mod_proxy_ajp DoS CVE-2010-0408

It is recommended that Apache be updated to the latest code version.

Thanks,
ep

SpamAssassin Milter Plugin 'mlfi_envrcpt()' Remote Arbitrary Command Injection Vulnerability

http://www.securityfocus.com/bid/38578/info

A lack of input sanitization could lead to arbitrary code execution on
systems using the spamassassin milter plugin. The exploit given
specifically targets PostFix installations, however, this issue may
affect other mail services as well.

SpamAssassin Milter Plugin 0.3.1 is affected, although other versions
may be affected as well. v0.3.1 was released in April 2006.

SpamAssassin Milter Plugin 'mlfi_envrcpt()' Remote Arbitrary Command Injection Vulnerability

http://www.securityfocus.com/bid/38578/info

A lack of input sanitization could lead to arbitrary code execution on
systems using the spamassassin milter plugin. The exploit given
specifically targets PostFix installations, however, this issue may
affect other mail services as well.

SpamAssassin Milter Plugin 0.3.1 is affected, although other versions
may be affected as well. v0.3.1 was released in April 2006.

Opera Browser "Content-Length" Header Buffer Overflow Vulnerability in newly released 10.50

http://secunia.com/advisories/38820/

Two new vulnerabilities have been found in 10.50 and earlier versions.
The first can cause a DoS, the second could allow for remote code execution.

No patches are available as of yet. Recommendations from the Secunia
report are "do not browse untrusted websites or follow untrusted links."
This is a good recommendation in general. Other recommendations have
been to stop using Opera all together until an official patch is available.

VMSA-2010-0004 ESX Service Console and vMA third party updates

http://lists.vmware.com/pipermail/security-announce/2010/000082.html

Affected Software:

VMware ESX 4.0.0 without patch ESX400-201002404-SG, ESX400-201002407-SG,
ESX400-201002406-SG

VMware vMA 4.0 before patch 3

Vulnerabilities range from DoS, to arbitrary code execution, to access
restriction bypass.

Please see the URL above for more information.
Thanks,
Brian

Apache HTTP Server (httpd) 2.2.15 Released - includes security fixes

http://www.apache.org/dist/httpd/Announcement2.2.html

Version 2.2.15 fixes these three vulnerabilities.

* important: mod_isapi module unload flaw CVE-2010-0425 (Windows)
* low: Subrequest handling of request headers (mod_headers) CVE-2010-0434
* moderate: mod_proxy_ajp DoS CVE-2010-0408

It is recommended that Apache be updated to the latest code version.

Thanks,
ep

SpamAssassin Milter Plugin 'mlfi_envrcpt()' Remote Arbitrary Command Injection Vulnerability

http://www.securityfocus.com/bid/38578/info

A lack of input sanitization could lead to arbitrary code execution on
systems using the spamassassin milter plugin. The exploit given
specifically targets PostFix installations, however, this issue may
affect other mail services as well.

SpamAssassin Milter Plugin 0.3.1 is affected, although other versions
may be affected as well. v0.3.1 was released in April 2006.

SA-CORE-2010-001 - Drupal core - Multiple vulnerabilities

http://drupal.org/node/731710

Multiple vulnerabilities in Drupal 6.x before version 6.16 and Drupal
5.x before version 5.22 have been fixed in the latest release. These
vulnerabilities include:

* Installation cross site scripting
* Open redirection
* Locale module cross site scripting
* Blocked user session regeneration

Priority 4: This vulnerability has a lower probability of exploitation,
but should still be mitigated.

SA-CORE-2010-001 - Drupal core - Multiple vulnerabilities

http://drupal.org/node/731710

Multiple vulnerabilities in Drupal 6.x before version 6.16 and Drupal
5.x before version 5.22 have been fixed in the latest release. These
vulnerabilities include:

* Installation cross site scripting
* Open redirection
* Locale module cross site scripting
* Blocked user session regeneration

Priority 4: This vulnerability has a lower probability of exploitation,
but should still be mitigated.

Pages