
Security Advisory, AlienVault v4.11.1 addresses three (3) vulnerabilities

jhansenjhansen

AlienVault Employee
Three critical vulnerabilities were discovered that have been confirmed and fixed in the AlienVault v4.11.1 patch release. Due to the severity of these vulnerabilities, AlienVault encourages customers to upgrade immediately to v4.11.1.

See the v4.11.1 patch release notice for details on the patch release.


Debian Security Update (DSA-3032-1)


AlienVault ID: ENG-97400
Description: Stephane Chazelas discovered a vulnerability in bash, the GNU Bourne-Again Shell, related to how environment variables are processed.  In many common configurations, this vulnerability is exploitable over the network, especially if bash has been configured as the system shell.
Debian Package: bash
CVE ID: CVE-2014-6271
CVSS v2 Base Score: 10.0
CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

See the Debian Security Advisory DSA-3032-1 for more information.


Debian Security Update (DSA-3035-1)


AlienVault ID: ENG-97427
Description: Tavis Ormandy discovered that the patch applied to fix CVE-2014-6271 released in DSA-3032-1 for bash, the GNU Bourne-Again Shell, was incomplete and could still allow some characters to be injected into another environment (CVE-2014-7169). With this update, a prefix and suffix for environment variable names which contain shell functions are added as a hardening measure.
Debian Package: bash
CVE ID: CVE-2014-7169
CVSS v2 Base Score: 10.0
CVSS v2 Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

See the Debian Security Advisory DSA-3035-1 for more information.


Debian Security Update (DSA-3031-1)


AlienVault ID: ENG-97391
Description: The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle an HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the 'http' apt method binary, or potentially to arbitrary code execution.
Debian Package: apt
CVE ID: CVE-2014-6273
CVSS v2 Base Score: Waiting on NVD
CVSS v2 Vector: Waiting on NVD

See the Debian Security Advisory DSA-3031-1 for more information.


This discussion has been closed.
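The hardening described under DSA-3035-1 (a prefix and suffix on environment variable names that contain shell functions) can be verified on a host after upgrading. The script below is an added example, not part of the AlienVault advisory; the `BASH_FUNC_<name>%%` and `BASH_FUNC_<name>()` naming forms are how patched bash builds are known to behave rather than something stated on this page, and `classify_env`, `check_bash` and `advisory_probe` are hypothetical names.

```shell
#!/bin/sh
# Report how a bash binary names exported shell functions in the environment.
# Assumption (not from the advisory): hardened builds export a function as
# BASH_FUNC_<name>%% or BASH_FUNC_<name>(); builds without the hardening
# export it under the bare variable name <name>.

# classify_env NAME: read `env` output on stdin and print one of
#   hardened | legacy | absent
classify_env() {
    awk -v name="$1" '
        index($0, "BASH_FUNC_" name "%%=") == 1 { r = "hardened" }
        index($0, "BASH_FUNC_" name "()=") == 1 { r = "hardened" }
        index($0, name "=() {") == 1 && r == ""  { r = "legacy" }
        END { print (r == "" ? "absent" : r) }
    '
}

# check_bash [PATH]: have the given bash define and export a harmless no-op
# function, then classify the environment it hands to a child process.
check_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "not-installed"
        return 0
    fi
    "$bash_bin" -c 'advisory_probe() { :; }; export -f advisory_probe; env' \
        | classify_env advisory_probe
}

echo "bash function-export naming: $(check_bash "$@")"
```

A `legacy` result means the binary exports functions without the prefix and suffix and should be upgraded; `hardened` confirms only this naming change, not the presence of every other bash fix.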