EasyApache 2017-10-16 Security Release

SUMMARYcPanel, Inc. has released updated RPMs for EasyApache 4 on October 16, 2017, with a patch for Passenger. We strongly encourage all Passenger users to update their system to obtain the patch. AFFECTED VERSIONSAll versions of Passenger DESCRIPTION This update patches a vulnerability where a user can list the contents Continue Reading

The Analysis of ISC BIND NSEC Record Handling DoS (CVE-2016-9147)

The latest patch for BIND from the Internet Systems Consortium (ISC) fixes a NESC record-related bug. Remote BIND recursive servers may crash when attempting to handle the specifically-crafted query response with NESC record sent by attackers, thereby causing a denial of service (DoS). This potential DoS vulnerability is caused by Continue Reading

Analysis of OpenSSL ChaCha20-Poly1305 Heap Buffer Overflow (CVE-2016-7054)

A High-Severity Heap Buffer Overflow vulnerability was recently fixed in a patch  by Openssl Project.  This vulnerability affects the remote SSL servers that support the ChaCha20-Poly1305 cipher suite, and can be exploited to crash the SSL service. This High-Severity Heap Buffer Overflow vulnerability (CVE-2016-7054) is caused by an error when Continue Reading

Analysis of OpenSSL Large Message Size Handling Use After Free (CVE-2016-6309)

OpenSSL released an emergency security update shortly after a patch was issued a few weeks ago. This security update addresses a critical Use After Free vulnerability introduced by the updated code that revised to resolve the earlier low severity vulnerability CVE-2016-6307. This critical Use After Free vulnerability (CVE-2016-6309) is caused Continue Reading

Internet In Danger: Analysis of ISC Bind Patch (part 1)

The Internet Systems Consortium just released a couple of days ago a new patch (version 9.10.3-P4) to fix some issues in the most popular DNS server software in the world. The release note is available at https://kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html In this series of two articles, we will detail our investigation of these vulnerabilities Continue Reading

Zimbra Collaboration XSS Vulnerability: Be Careful If You're Using Zimbra Email

Summary Recently Zimbra released Zimbra Collaboration 8.6 Patch 5. It fixed 2 Cross-Site Scripting (XSS) vulnerabilities which were discovered and reported by security researcher of Fortinet’s FortiGuard labs in October 2015. CVE-2015-7609 was assigned to identify these 2 XSS vulnerabilities. One of them is caused due to insufficiently sanitizing the content of email message Continue Reading