| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Nov 2017 14:45:47 +1030 From: Matthew Hart <mhart@...assian.com> To: bugtraq@...urityfocus.com Subject: Advisory - Remote code execution in HipChat for Mac desktop client - CVE-2017-14586 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 This email refers to the advisory found at https://confluence.atlassian.com/x/NXEGO . CVE ID: * CVE-2017-14586. Product: Hipchat for Mac desktop client. Affected Hipchat for Mac desktop client product versions: 4.0 <= version < 4.30 Fixed Hipchat for Mac desktop client product versions: * Hipchat for Mac desktop client 4.30 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability that was introduced in version 4.0 of Hipchat for Mac desktop client. Versions of Hipchat for Mac desktop client starting with versions of Hipchat for Mac desktop client from 4.0 but less than 4.30 (the fixed version) are affected by this vulnerability. Customers who have upgraded Hipchat for Mac desktop client to version 4.30 are not affected. Customers who have downloaded and installed Hipchat for Mac desktop client >= 4.0 but less than 4.30 please upgrade your Hipchat for Mac desktop client installations immediately to fix this vulnerability. Remote code execution in HipChat for Mac desktop client - CVE-2017-14586 Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment. Description: The Hipchat for Mac desktop client is vulnerable to client-side remote code execution via video call link parsing. Versions of Hipchat for Mac desktop client starting with versions of Hipchat for Mac desktop client from 4.0 but less than 4.30 (the fixed version) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/HCPUB-3473? . Fix: To address this issue, we've released the following versions containing a fix: * Hipchat for Mac desktop client version 4.30 Remediation: Upgrade Hipchat for Mac desktop client to version 4.30 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. For a full description of the latest version of Hipchat for Mac desktop client, see the release notes found at https://www.hipchat.com/release_notes/mac. You can download the latest version of Hipchat for Mac desktop client from the download centre found at https://www.hipchat.com/downloads#mac. Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/. -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJaF5WmAAoJECQgl6K8Unag2T8P/3ogJA7Q5WpkwsVpxja4eX+U 5NUpA0wGOCJfEceZfLDnEWOcL9wh3VAqDBHojZlV+kogYMACKItuf+T9Hh6q6gqi esJykgAumYi0gNmC1dbk801tb4VK59K4tgtzFS523ARy1/uglNah0JlPEP89BOoq n7jwb5Ox2Hb+RYuktvAnZQdfxV6151ayeqB9GFpGr5w4xDh3HwdaOO28aVK0lfvF KjA7e0NT7k7Ghf6cQOHcLGcGfrle5SmMmz5iQQm41fUY1nnfFRVpBOVTZEZTGe+8 8maKgzK2f5IdAwcqMGgkvGn3b7BkoG0da4M5QRdGx3gvrNWPRuU4rf4S5Og0L8OE ABR0ygi7NJy4sY69KTl/I9Y30nW9I9xiXGoaTus+iWA48j3HH6YPaI/vsZp+hEc7 O5EPLcdQVM6JUofzmF0pDHjaupliXNsXJllEf2fn1rAvkN67mCE/h3QJVkSrQPtG Dv6bwpHxfGIHWSEV0+Rxenl7AfM5phb4ymTsyWWuG9D9lOOKO6JVrYZsOmT9n22v FPPUAza1Lin2CuloGuM9h4Od4ZVkQlTtd3QKRkrMJWxzjh23/0xIfFa/wFTtkktm uKZF9gyHzEOVB2CuHIexLZLAePgmKfiPzkQ626I0rHWU57QeoAcFX5QUNCNmM3YC wM8G/9hq+2ED7zClXRLQ =RCIT -----END PGP SIGNATURE-----
Powered by blists - more mailing lists