SB17-051: Vulnerability Summary for the Week of February 13, 2017

apache_software_foundation — apache_tomcat
  It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu. 2017-02-17 not yet calculated CVE-2017-6056
CONFIRM
CONFIRM
CONFIRM
CONFIRM artifex_software — mupdf
  An issue was discovered in Artifex Software, Inc. MuPDF before 1912de5f08e90af1d9d0a9791f58ba3afdb9d465. The pdf_run_xobject function in pdf-op-run.c encounters a NULL pointer dereference during a Fitz fz_paint_pixmap_with_mask painting operation. 2017-02-15 not yet calculated CVE-2017-5991
CONFIRM
CONFIRM bd — alaris
  An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device’s flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection. 2017-02-13 not yet calculated CVE-2016-8375
BID
MISC
MISC bd — alaris
  An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device’s flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device’s removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker’s convenience. 2017-02-13 not yet calculated CVE-2016-9355
BID
MISC ca_technologies — infrastructure_management
  An issue was discovered in CA Unified Infrastructure Management Version 8.47 and earlier. The Unified Infrastructure Management software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as „..” that can resolve to a location that is outside of that directory. 2017-02-13 not yet calculated CVE-2016-5803
BID
MISC carlo_gavazzi — vmu-c_em
  An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. The access control flaw allows access to most application functions without authentication. 2017-02-13 not yet calculated CVE-2017-5144
BID
MISC carlo_gavazzi — vmu-c_em
  An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Sensitive information is stored in clear-text. 2017-02-13 not yet calculated CVE-2017-5146
BID
MISC carlo_gavazzi — vmu-c_em
  An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Version A11_U05, and VMU-C PV prior to firmware Version A17. Successful exploitation of this CROSS-SITE REQUEST FORGERY (CSRF) vulnerability can allow execution of unauthorized actions on the device such as configuration parameter changes, and saving modified configuration. 2017-02-13 not yet calculated CVE-2017-5145
BID
MISC cisco — cisco_ucs
  A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and 6.0.0.1 could allow an authenticated, local attacker to execute arbitrary workflow items with just an end-user profile, a Privilege Escalation Vulnerability. The vulnerability is due to improper role-based access control (RBAC) after the Developer Menu is enabled in Cisco UCS Director. An attacker could exploit this vulnerability by enabling Developer Mode for his/her user profile with an end-user profile and then adding new catalogs with arbitrary workflow items to his/her profile. An exploit could allow an attacker to perform any actions defined by these workflow items, including actions affecting other tenants. Cisco Bug IDs: CSCvb64765. 2017-02-15 not yet calculated CVE-2017-3801
CONFIRM cisco — jasper
  The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted YRsiz value in a BMP image to the imginfo command. 2017-02-15 not yet calculated CVE-2016-8692
DEBIAN
MLIST
MLIST
BID
MISC
CONFIRM
CONFIRM
FEDORA cisco — jasper
  Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_tsfb.c in JasPer before 1.900.30 allows remote attackers to have unspecified impact via a crafted image. 2017-02-15 not yet calculated CVE-2016-9560
MLIST
MLIST
BID
MISC
CONFIRM cisco — jasper
  Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command. 2017-02-15 not yet calculated CVE-2016-8693
SUSE
MLIST
MLIST
BID
MISC
CONFIRM
CONFIRM
FEDORA cisco — jasper
  The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted XRsiz value in a BMP image to the imginfo command. 2017-02-15 not yet calculated CVE-2016-8691
DEBIAN
MLIST
MLIST
BID
MISC
CONFIRM
CONFIRM
FEDORA cisco — jasper
  The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted BMP image in an imginfo command. 2017-02-15 not yet calculated CVE-2016-8690
MLIST
MLIST
BID
MISC
CONFIRM
CONFIRM
FEDORA crypto++ — crypto++
  The timing attack protection in Rijndael::Enc::ProcessAndXorBlock and Rijndael::Dec::ProcessAndXorBlock in Crypto++ (aka cryptopp) before 5.6.4 may be optimized out by the compiler, which allows attackers to conduct timing attacks. 2017-02-13 not yet calculated CVE-2016-3995
MLIST
BID
CONFIRM delta_electronics — delta-electronics
  An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to 2.10.10. Multiple instances of out-of-bounds write conditions may allow malicious files to be read and executed by the affected software. 2017-02-13 not yet calculated CVE-2016-5802
BID
MISC delta_electronics — delta-electronics
  An issue was discovered in Delta Electronics WPLSoft, Versions prior to V2.42.11, ISPSoft, Versions prior to 3.02.11, and PMSoft, Versions prior to2.10.10. There are multiple instances of heap-based buffer overflows that may allow malicious files to cause the execution of arbitrary code or a denial of service. 2017-02-13 not yet calculated CVE-2016-5805
BID
MISC dovecot — dovecot
  The auth component in Dovecot before 2.2.27, when auth-policy is configured, allows a remote attackers to cause a denial of service (crash) by aborting authentication without setting a username. 2017-02-16 not yet calculated CVE-2016-8652
MLIST
MLIST
MLIST
BID eaton — epdu
  An issue was discovered in certain legacy Eaton ePDUs — the affected products are past end-of-life (EoL) and no longer supported: EAMxxx prior to June 30, 2015, EMAxxx prior to January 31, 2014, EAMAxx prior to January 31, 2014, EMAAxx prior to January 31, 2014, and ESWAxx prior to January 31, 2014. An unauthenticated attacker may be able to access configuration files with a specially crafted URL (Path Traversal). 2017-02-13 not yet calculated CVE-2016-9357
BID
MISC ecommerce_shopsoftware — ecommerce_shopsoftware
  Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678, when the easybill-module is not installed, allow remote attackers to execute arbitrary SQL commands via the (1) orders_status or (2) customers_status parameter to api/easybill/easybillcsv.php. 2017-02-15 not yet calculated CVE-2016-3694
MISC
EXPLOIT-DB emerson — deltav
  An issue was discovered in Emerson DeltaV Easy Security Management DeltaV V12.3, DeltaV V12.3.1, and DeltaV V13.3. Critical vulnerabilities may allow a local attacker to elevate privileges within the DeltaV control system. 2017-02-13 not yet calculated CVE-2016-9345
BID
MISC emerson — emerson
  An issue was discovered in Emerson SE4801T0X Redundant Wireless I/O Card V13.3, and SE4801T1X Simplex Wireless I/O Card V13.3. DeltaV Wireless I/O Cards (WIOC) running the firmware available in the DeltaV system, release v13.3, have the SSH (Secure Shell) functionality enabled unnecessarily. 2017-02-13 not yet calculated CVE-2016-9347
BID
MISC emerson — liebert_sitescan
  An XML External Entity (XXE) issue was discovered in Emerson Liebert SiteScan Web Version 6.5, and prior. An attacker may enter malicious input to Liebert SiteScan through a weakly configured XML parser causing the application to execute arbitrary code or disclose file contents from a server or connected network. 2017-02-13 not yet calculated CVE-2016-8348
BID
MISC eparaksts — eparaksts
  XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3.9 and eParaksts Java lib before 2.5.13 allows remote attackers to read arbitrary files or possibly have unspecified other impact via a crafted edoc file. 2017-02-17 not yet calculated CVE-2017-6055
MISC
MISC facebook — hhmv
  Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. 2017-02-17 not yet calculated CVE-2016-6873
MLIST
MLIST
CONFIRM facebook — hhmv
  Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow. 2017-02-17 not yet calculated CVE-2016-6871
MLIST
MLIST
CONFIRM facebook — hhmv
  The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion. 2017-02-17 not yet calculated CVE-2016-6874
MLIST
MLIST
CONFIRM facebook — hhmv
  Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. 2017-02-17 not yet calculated CVE-2016-6875
MLIST
MLIST
CONFIRM facebook — hhmv
  Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. 2017-02-17 not yet calculated CVE-2016-6870
MLIST
MLIST
CONFIRM facebook — hhmv
  Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. 2017-02-17 not yet calculated CVE-2016-6872
MLIST
MLIST
CONFIRM fatek — winproloader
  An issue was discovered in Fatek Automation PLC WinProladder Version 3.11 Build 14701. A stack-based buffer overflow vulnerability exists when the software application connects to a malicious server, resulting in a stack buffer overflow. This causes an exploitable Structured Exception Handler (SEH) overwrite condition that may allow remote code execution. 2017-02-13 not yet calculated CVE-2016-8377
BID
MISC fidelix — fidelix_fx-20
  An issue was discovered in Fidelix FX-20 series controllers, versions prior to 11.50.19. Arbitrary file reading via path traversal allows an attacker to access arbitrary files and directories on the server. 2017-02-13 not yet calculated CVE-2016-9364
BID
MISC fortinet — fortimanager
  An improper certificate validation vulnerability in Fortinet FortiManager 5.0.6 through 5.2.7 and 5.4.0 through 5.4.1 allows remote attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack via the Fortisandbox devices probing feature. 2017-02-13 not yet calculated CVE-2016-8495
CONFIRM froxlor — froxlor
  Froxlor before 0.9.35 uses the PHP rand function for random number generation, which makes it easier for remote attackers to guess the password reset token by predicting a value. 2017-02-13 not yet calculated CVE-2016-5100
CONFIRM ge — proficy_hmi/scada
  An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions. An attacker may be able to retrieve user passwords if he or she has access to an authenticated session. 2017-02-13 not yet calculated CVE-2016-9360
BID
MISC genixcms — genixcms
  SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS through 1.0.2 allows remote authenticated users to execute arbitrary SQL commands via the order parameter. 2017-02-17 not yet calculated CVE-2017-6065
MISC google — chrome
  FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed to perform proper bounds checking, which allowed a remote attacker to potentially exploit heap corruption via a crafted video file. 2017-02-17 not yet calculated CVE-2017-5024
BID
CONFIRM
CONFIRM google — chrome
  Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, had an insufficiently strict content security policy on the Chrome app launcher page, which allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page. 2017-02-17 not yet calculated CVE-2017-5018
BID
CONFIRM
CONFIRM google — chrome
  Interactions with the OS in Google Chrome prior to 56.0.2924.76 for Mac insufficiently cleared video memory, which allowed a remote attacker to possibly extract image fragments on systems with GeForce 8600M graphics chips via a crafted HTML page. 2017-02-17 not yet calculated CVE-2017-5017
BID
CONFIRM
CONFIRM google — chrome
  A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. 2017-02-17 not yet calculated CVE-2017-5021
BID
CONFIRM
CONFIRM gosa — gosa
  The generate_smb_nt_hash function in include/functions.inc in GOsa allows remote attackers to execute arbitrary commands via a crafted password. 2017-02-13 not yet calculated CVE-2015-8771
MLIST
CONFIRM graphicsmagick — graphicsmagick The AcquireMagickMemory function in MagickCore/memory.c in GraphicsMagick before 7.0.3.3 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. 2017-02-15 not yet calculated CVE-2016-8862
DEBIAN
MLIST
MLIST
BID
MISC
CONFIRM
CONFIRM graphicsmagick — graphicsmagick
  The AcquireMagickMemory function in MagickCore/memory.c in GraphicsMagick 7.0.3.3 before 7.0.3.8 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8862. 2017-02-15 not yet calculated CVE-2016-8866
SUSE
SUSE
SUSE
MLIST
MLIST
MISC
CONFIRM
CONFIRM hanwha_techwin — smart_security_manager
  An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Cross Site Request Forgery vulnerabilities have been identified. The flaws exist within the Redis and Apache Felix Gogo servers that are installed as part of this product. By issuing specific HTTP Post requests, an attacker can gain system level access to a remote shell session. Smart Security Manager Versions 1.5 and prior are affected by these vulnerabilities. These vulnerabilities can allow for remote code execution. 2017-02-13 not yet calculated CVE-2017-5169
MISC hanwha_techwin — smart_security_manager
  An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Multiple Path Traversal vulnerabilities have been identified. The flaws exist within the ActiveMQ Broker service that is installed as part of the product. By issuing specific HTTP requests, if a user visits a malicious page, an attacker can gain access to arbitrary files on the server. Smart Security Manager Versions 1.4 and prior to 1.31 are affected by these vulnerabilities. These vulnerabilities can allow for remote code execution. 2017-02-13 not yet calculated CVE-2017-5168
MISC hirschmann — geko_lite_managed_switch
  An issue was discovered in Belden Hirschmann GECKO Lite Managed switch, Version 2.0.00 and prior versions. After an administrator downloads a configuration file, a copy of the configuration file, which includes hashes of user passwords, is saved to a location that is accessible without authentication by path traversal. 2017-02-13 not yet calculated CVE-2017-5163
BID
MISC honeywell — experion_pks_platform
  An issue was discovered in Honeywell Experion Process Knowledge System (PKS) platform: Experion PKS, Release 3xx and prior, Experion PKS, Release 400, Experion PKS, Release 410, Experion PKS, Release 430, and Experion PKS, Release 431. Experion PKS does not properly validate input. By sending a specially crafted packet, an attacker could cause the process to terminate. A successful exploit would prevent firmware uploads to the Series-C devices. 2017-02-13 not yet calculated CVE-2016-8344
BID
MISC ibhsoftec — softplc
  An issue was discovered in IBHsoftec S7-SoftPLC prior to 4.12b. Object memory can read a network packet that is larger than the space that is available, a Heap-based Buffer Overflow. 2017-02-13 not yet calculated CVE-2016-8364
BID
MISC ibm — resilient
  IBM Resilient v26.0, v26.1, and v26.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference#: 213457065. 2017-02-16 not yet calculated CVE-2016-6062
BID
CONFIRM ibm — security_access_manager
  IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM Reference #: 1996868. 2017-02-16 not yet calculated CVE-2016-5919
CONFIRM ibm — tivoli
  IBM Tivoli Storage Manager for Virtual Environments 7.1 (VMware) is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM Reference #: 1995545. 2017-02-15 not yet calculated CVE-2016-6033
CONFIRM
BID ibm — websphere
  IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457. 2017-02-15 not yet calculated CVE-2016-0360
CONFIRM
BID icoutils — icoutils
  An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the „decode_ne_resource_id” function in the „restable.c” source file. This is happening because the „len” parameter for memcpy is not checked for size and thus becomes a negative integer in the process, resulting in a failed memcpy. This affects wrestool. 2017-02-16 not yet calculated CVE-2017-6009
MISC icoutils — icoutils
  An issue was discovered in icoutils 0.31.1. A buffer overflow was observed in the „extract_icons” function in the „extract.c” source file. This issue can be triggered by processing a corrupted ico file and will result in an icotool crash. 2017-02-16 not yet calculated CVE-2017-6010
MISC icoutils — icoutils
  An issue was discovered in icoutils 0.31.1. An out-of-bounds read leading to a buffer overflow was observed in the „simple_vec” function in the „extract.c” source file. This affects icotool. 2017-02-16 not yet calculated CVE-2017-6011
MISC ikiwiki — ikiwiki
  ikiwiki 3.20161219 does not properly check if a revision changes the access permissions for a page on sites with the git and recentchanges plugins and the CGI interface enabled, which allows remote attackers to revert certain changes by leveraging permissions to change the page before the revision was made. 2017-02-13 not yet calculated CVE-2016-10026
CONFIRM
MLIST
MLIST
CONFIRM imagemagick — imagemagick
  Heap-based buffer overflow in the IsPixelGray function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3.8 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted image file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-9556. 2017-02-16 not yet calculated CVE-2016-9773
MLIST
MLIST
MLIST
MISC imagemagick — imagemagick
  The IsPixelMonochrome function in MagickCore/pixel-accessor.h in ImageMagick 7.0.3.0 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted file. NOTE: the vendor says „This is a Q64 issue and we do not support Q64.” 2017-02-15 not yet calculated CVE-2016-8678
MLIST
MLIST
BID
CONFIRM
MISC imagemagick — imagemagick
  The AcquireQuantumPixels function in MagickCore/quantum.c in ImageMagick before 7.0.3-1 allows remote attackers to have unspecified impact via a crafted image file, which triggers a memory allocation failure. 2017-02-15 not yet calculated CVE-2016-8677
SUSE
DEBIAN
MLIST
BID
MISC
CONFIRM
CONFIRM
CONFIRM integraxor — ecava
  An issue was discovered in Ecava IntegraXor Version 5.0.413.0. The Ecava IntegraXor web server has parameters that are vulnerable to SQL injection. If the queries are not sanitized, the host’s database could be subject to read, write, and delete commands. 2017-02-13 not yet calculated CVE-2016-8341
BID
MISC interschalt — vdr
  An issue was discovered in INTERSCHALT Maritime Systems VDR G4e Versions 5.220 and prior. External input is used to construct paths to files and directories without properly neutralizing special elements within the pathname that could allow an attacker to read files on the system, a Path Traversal. 2017-02-13 not yet calculated CVE-2016-9339
BID
MISC kabona — webdatorcentral
  An issue was discovered in Kabona AB WebDatorCentral (WDC) application prior to Version 3.4.0. WDC does not limit authentication attempts that may allow a brute force attack method. 2017-02-13 not yet calculated CVE-2016-8347
BID
MISC libdwarf — libdwarf
  The _dwarf_read_line_table_header function in dwarf_line_table_reader.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. 2017-02-17 not yet calculated CVE-2016-5035
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The print_exprloc_content function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. 2017-02-17 not yet calculated CVE-2016-5033
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The _dwarf_calculate_info_section_end_ptr function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. 2017-02-17 not yet calculated CVE-2016-5030
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The WRITE_UNALIGNED function in dwarf_elf_access.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds write and crash) via a crafted DWARF section. 2017-02-17 not yet calculated CVE-2016-5044
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  dwarf_elf_access.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted file, related to relocation records. 2017-02-17 not yet calculated CVE-2016-5034
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The dwarf_get_xu_hash_entry function in libdwarf before 20160923 allows remote attackers to cause a denial of service (crash) via a crafted file. 2017-02-17 not yet calculated CVE-2016-5032
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. 2017-02-17 not yet calculated CVE-2016-5031
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The _dwarf_load_section function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. 2017-02-17 not yet calculated CVE-2016-5037
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The dump_block function in print_sections.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted frame data. 2017-02-17 not yet calculated CVE-2016-5036
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The read_line_table_program function in dwarf_line_table_reader_common.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via crafted input. 2017-02-17 not yet calculated CVE-2016-7510
MISC
CONFIRM libdwarf — libdwarf
  The get_attr_value function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted object with all-bits on. 2017-02-17 not yet calculated CVE-2016-5039
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The dwarf_get_macro_startend_file function in dwarf_macro5.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted string offset for .debug_str. 2017-02-17 not yet calculated CVE-2016-5038
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  Integer overflow in the dwarf_die_deliv.c in libdwarf 20160613 allows remote attackers to cause a denial of service (crash) via a crafted file. 2017-02-17 not yet calculated CVE-2016-7511
CONFIRM
CONFIRM libdwarf — libdwarf
  The create_fullest_file_path function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted dwarf file. 2017-02-17 not yet calculated CVE-2016-5029
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The dwarf_dealloc function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted DWARF section. 2017-02-17 not yet calculated CVE-2016-5043
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The _dwarf_get_size_of_val function in libdwarf/dwarf_util.c in Libdwarf before 20161124 allows remote attackers to cause a denial of service (out-of-bounds read) by calling the dwarfdump command on a crafted file. 2017-02-15 not yet calculated CVE-2016-8679
MLIST
BID
MISC
CONFIRM libdwarf — libdwarf
  The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via an object file with empty bss-like sections. 2017-02-17 not yet calculated CVE-2016-5028
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The _dwarf_get_abbrev_for_code function in dwarf_util.c in libdwarf 20161001 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) by calling the dwarfdump command on a crafted file. 2017-02-15 not yet calculated CVE-2016-8680
MLIST
BID
MISC
CONFIRM
CONFIRM libdwarf — libdwarf
  libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a large length value in a compilation unit header. 2017-02-17 not yet calculated CVE-2016-5040
MLIST
MLIST
CONFIRM libdwarf — libdwarf
  The _dwarf_get_abbrev_for_code function in dwarf_util.c in libdwarf 20161001 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) by calling the dwarfdump command on a crafted file. 2017-02-15 not yet calculated CVE-2016-8681
MLIST
BID
MISC
CONFIRM libdwarf — libdwarf
  The dwarf_get_aranges_list function in libdwarf before 20160923 allows remote attackers to cause a denial of service (infinite loop and crash) via a crafted DWARF section. 2017-02-17 not yet calculated CVE-2016-5042
MLIST
MLIST
CONFIRM
CONFIRM libjpeg — libjpeg
  The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file. 2017-02-13 not yet calculated CVE-2016-3616
CONFIRM
CONFIRM libtomcrypt — libtomcrypt
  The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures or public certificates by leveraging a Bleichenbacher signature forgery attack. 2017-02-13 not yet calculated CVE-2016-6129
CONFIRM
CONFIRM
CONFIRM linux — linux_kernel
  The TCP stack in the Linux kernel 3.x does not properly implement a SYN cookie protection mechanism for the case of a fast network connection, which allows remote attackers to cause a denial of service (CPU consumption) by sending many TCP SYN packets, as demonstrated by an attack against the kernel-3.10.0 package in CentOS Linux 7. 2017-02-14 not yet calculated CVE-2017-5972
MISC
MISC linux — linux_kernel
  Race condition in kernel/events/core.c in the Linux kernel before 4.9.7 allows local users to gain privileges via a crafted application that makes concurrent perf_event_open system calls for moving a software group into a hardware context. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-6786. 2017-02-18 not yet calculated CVE-2017-6001
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM linux — linux_kernel
  Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket.c in the Linux kernel before 4.9.11 allows local users to cause a denial of service (assertion failure and panic) via a multithreaded application that peels off an association in a certain buffer-full state. 2017-02-18 not yet calculated CVE-2017-5986
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM linux — linux_kernel
  The dccp_rcv_state_process function in net/dccp/input.c in the Linux kernel through 4.9.11 mishandles DCCP_PKT_REQUEST packet data structures in the LISTEN state, which allows local users to cause a denial of service (invalid free) or possibly have unspecified other impact via an application that makes an IPV6_RECVPKTINFO setsockopt system call. 2017-02-18 not yet calculated CVE-2017-6074
CONFIRM locus_energy — l_gate
  An issue was discovered in Locus Energy LGate prior to 1.05H, LGate 50, LGate 100, LGate 101, LGate 120, and LGate 320. Locus Energy meters use a PHP script to manage the energy meter parameters for voltage monitoring and network configuration. The PHP code does not properly validate information that is sent in the POST request. 2017-02-13 not yet calculated CVE-2016-5782
BID
BID
MISC mantisbt — mantisbt
  MantisBT before 1.3.1 and 2.x before 2.0.0-beta.2 uses a weak Content Security Policy when using the Gravatar plugin, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors. 2017-02-17 not yet calculated CVE-2016-7111
MLIST
MLIST
CONFIRM
CONFIRM mantisbt — mantisbt
  Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter. 2017-02-17 not yet calculated CVE-2016-5364
MLIST
CONFIRM
CONFIRM
CONFIRM mcafee — intel_security_mcafee_agent
  Unvalidated parameter vulnerability in the remote log viewing capability in Intel Security McAfee Agent 5.0.x versions prior to 5.0.4.449 allows remote attackers to pass unexpected input parameters via a URL that was not completely validated. 2017-02-13 not yet calculated CVE-2017-3896
BID
CONFIRM mitsubishi — melsec-q
  An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock. 2017-02-13 not yet calculated CVE-2016-8368
BID
MISC mitsubishi — melsec-q
  An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. Weakly encrypted passwords are transmitted to a MELSEC-Q PLC. 2017-02-13 not yet calculated CVE-2016-8370
BID
MISC moxa — edr_810
  An issue was discovered in Moxa EDR-810 Industrial Secure Router. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to access configuration and log files (PRIVILEGE ESCALATION). 2017-02-13 not yet calculated CVE-2016-8346
BID
MISC moxa — iologik
  An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12. A password is transmitted in a format that is not sufficiently secure. 2017-02-13 not yet calculated CVE-2016-8372
BID
MISC moxa — iologik
  An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12. The web application fails to sanitize user input, which may allow an attacker to inject script or execute arbitrary code (CROSS-SITE SCRIPTING). 2017-02-13 not yet calculated CVE-2016-8359
BID
MISC moxa — iologik
  An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12. Users are restricted to using short passwords. 2017-02-13 not yet calculated CVE-2016-8379
BID
MISC moxa — iologik
  An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 and prior, ioLogik E1211, firmware Version V2.3 and prior, ioLogik E1212, firmware Version V2.4 and prior, ioLogik E1213, firmware Version V2.5 and prior, ioLogik E1214, firmware Version V2.4 and prior, ioLogik E1240, firmware Version V2.3 and prior, ioLogik E1241, firmware Version V2.4 and prior, ioLogik E1242, firmware Version V2.4 and prior, ioLogik E1260, firmware Version V2.4 and prior, ioLogik E1262, firmware Version V2.4 and prior, ioLogik E2210, firmware versions prior to V3.13, ioLogik E2212, firmware versions prior to V3.14, ioLogik E2214, firmware versions prior to V3.12, ioLogik E2240, firmware versions prior to V3.12, ioLogik E2242, firmware versions prior to V3.12, ioLogik E2260, firmware versions prior to V3.13, and ioLogik E2262, firmware versions prior to V3.12. The web application may not sufficiently verify whether a request was provided by a valid user (CROSS-SITE REQUEST FORGERY). 2017-02-13 not yet calculated CVE-2016-8350
BID
MISC moxa — moxa
  An issue was discovered in Moxa MiiNePort E1 versions prior to 1.8, E2 versions prior to 1.4, and E3 versions prior to 1.1. An attacker may be able to brute force an active session cookie to be able to download configuration files. 2017-02-13 not yet calculated CVE-2016-9344
BID
MISC moxa — moxa
  An issue was discovered in Moxa MiiNePort E1 versions prior to 1.8, E2 versions prior to 1.4, and E3 versions prior to 1.1. Configuration data are stored in a file that is not encrypted. 2017-02-13 not yet calculated CVE-2016-9346
BID
MISC moxa — oncell
  An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. User is able to execute arbitrary OS commands on the server. 2017-02-13 not yet calculated CVE-2016-8363
BID
MISC moxa — oncell
  An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. Any user is able to download log files by accessing a specific URL. 2017-02-13 not yet calculated CVE-2016-8362
BID
MISC navidia — navidia All versions of NVIDIA GPU and GeForce Experience installer contain a vulnerability where it fails to set proper permissions on the package extraction path thus allowing a non-privileged user to tamper with the extracted files, potentially leading to escalation of privileges via code execution. 2017-02-15 not yet calculated CVE-2017-0317
CONFIRM navidia — navidia All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler where improper handling of values may cause a denial of service on the system. 2017-02-15 not yet calculated CVE-2017-0319
CONFIRM navidia — navidia NVIDIA GPU Display Driver R378 contains a vulnerability in the kernel mode layer handler where improper access control may lead to denial of service or possible escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0311
CONFIRM navidia — navidia All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where untrusted input is used for buffer size calculation leading to denial of service or escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0308
CONFIRM navidia — navidia
  All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler where a NULL pointer dereference caused by invalid user input may lead to denial of service or potential escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0323
CONFIRM navidia — navidia
  All versions of NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler where a NULL pointer dereference caused by invalid user input may lead to denial of service or potential escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0321
CONFIRM navidia — navidia
  All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler where improper handling of values may cause a denial of service on the system. 2017-02-15 not yet calculated CVE-2017-0320
CONFIRM navidia — navidia
  All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscapeID 0x100008b where user provided input is used as the limit for a loop may lead to denial of service or potential escalation of privileges 2017-02-15 not yet calculated CVE-2017-0312
CONFIRM navidia — navidia
  All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where the size of an input buffer is not validated, leading to denial of service or potential escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0324
CONFIRM navidia — navidia
  All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler where a value passed from a user to the driver is not correctly validated and used as the index to an array, leading to denial of service or potential escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0322
CONFIRM navidia — navidia
  All versions of NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler where multiple integer overflows may cause improper memory allocation leading to a denial of service or potential escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0309
CONFIRM navidia — navidia
  All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) implementation of the SubmitCommandVirtual DDI (DxgkDdiSubmitCommandVirtual) where untrusted input is used to reference memory outside of the intended boundary of the buffer leading to denial of service or escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0313
CONFIRM navidia — navidia
  All versions of NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer handler where improper access controls allowing unprivileged user to cause a denial of service. 2017-02-15 not yet calculated CVE-2017-0310
CONFIRM navidia — navidia
  All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where an attempt to access an invalid object pointer may lead to denial of service or potential escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0315
CONFIRM navidia — navidia
  All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) implementation of the SubmitCommandVirtual DDI (DxgkDdiSubmitCommandVirtual) where untrusted input is used to reference memory outside of the intended boundary of the buffer leading to denial of service or escalation of privileges. 2017-02-15 not yet calculated CVE-2017-0314
CONFIRM navidia — navidia
  All versions of NVIDIA Linux GPU Display Driver contain a vulnerability in the kernel mode layer handler where improper validation of an input parameter may cause a denial of service on the system. 2017-02-15 not yet calculated CVE-2017-0318
CONFIRM offis — dicom_dcmtk
  Stack-based buffer overflow in the parsePresentationContext function in storescp in DICOM dcmtk-3.6.0 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a long string sent to TCP port 4242. 2017-02-15 not yet calculated CVE-2015-8979
MISC
DEBIAN
MLIST
BID
MISC
CONFIRM openssh — sshd
  sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided. 2017-02-13 not yet calculated CVE-2016-6210
FULLDISC
BID
CONFIRM osisoft — pi_coresight
  An issue was discovered in OSIsoft PI Coresight 2016 R2 and earlier versions, and PI Web API 2016 R2 when deployed using the PI AF Services 2016 R2 integrated install kit. An information exposure through server log files vulnerability has been identified, which may allow service account passwords to become exposed for the affected services, potentially leading to unauthorized shutdown of the affected PI services as well as potential reuse of domain credentials. 2017-02-13 not yet calculated CVE-2017-5153
BID
MISC osisoft — pi_web
  An issue was discovered in OSIsoft PI Web API 2015 R2 (Version 1.5.1). There is a weakness in this product that may allow an attacker to access the PI system without the proper permissions. 2017-02-13 not yet calculated CVE-2016-8353
BID
MISC perl — pcre
  The compile_bracket_matchingpath function in pcre_jit_compile.c in PCRE through 8.x before revision 1680 (e.g., the PHP 7.1.1 bundled version) allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted regular expression. 2017-02-16 not yet calculated CVE-2017-6004
CONFIRM
CONFIRM perl — perl
  The DBD::mysql module before 4.039 for Perl, when using server-side prepared statement support, allows attackers to cause a denial of service (out-of-bounds read) via vectors involving an unaligned number of placeholders in WHERE condition and output fields in SELECT expression. 2017-02-16 not yet calculated CVE-2016-1249
CONFIRM
MLIST
BID
CONFIRM phoenix_contact — mguard
  An issue was discovered on Phoenix Contact mGuard devices that have been updated to Version 8.4.0. When updating an mGuard device to Version 8.4.0 via the update-upload facility, the update will succeed, but it will reset the password of the admin user to its default value. 2017-02-13 not yet calculated CVE-2017-5159
BID
MISC phreesoft — phreebookserp
  An issue was discovered in PhreeBooksERP before 2017-02-13. The vulnerability exists due to insufficient filtration of user-supplied data in the „form” HTTP GET parameter passed to the „PhreeBooksERP-master/extensions/ShippingMethods/ups/label_mgr/js_include.php” and „PhreeBooksERP-master/extensions/ShippingMethods/yrc/label_mgr/js_include.php” URLs. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. NOTE: these js_include.php files do not exist in the SourceForge „stable release” (aka R37RC1). 2017-02-15 not yet calculated CVE-2017-5990
CONFIRM
CONFIRM pkexec — pkexec
  pkexec, when used with –user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal’s input buffer. 2017-02-13 not yet calculated CVE-2016-2568
MLIST
CONFIRM puppet_enterprise — mcollective
  MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command. 2017-02-13 not yet calculated CVE-2016-2788
CONFIRM puppet_enterprise — puppet_communications_protocol
  The Puppet Communications Protocol in Puppet Enterprise 2015.3.x before 2015.3.3 does not properly validate certificates for the broker node, which allows remote non-whitelisted hosts to prevent runs from triggering via unspecified vectors. 2017-02-13 not yet calculated CVE-2016-2787
CONFIRM python — pycrypto
  Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. 2017-02-15 not yet calculated CVE-2013-7459
MLIST
BID
CONFIRM
CONFIRM
CONFIRM
FEDORA
FEDORA
MISC python — python
  install.py in click allows remote attackers to gain privileges via a data tarball containing a file with a crafted path. 2017-02-13 not yet calculated CVE-2015-8768
UBUNTU
MLIST
CONFIRM
CONFIRM rockwell_automation — logix5000
  An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By sending malformed common industrial protocol (CIP) packet, an attacker may be able to overflow a stack-based buffer and execute code on the controller or initiate a nonrecoverable fault resulting in a denial of service. 2017-02-13 not yet calculated CVE-2016-9343
BID
MISC rockwell_automation — micrologix
  An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. Because of an Incorrect Permission Assignment for Critical Resource, users with administrator privileges may be able to remove all administrative users requiring a factory reset to restore ancillary web server function. Exploitation of this vulnerability will still allow the affected device to function in its capacity as a controller. 2017-02-13 not yet calculated CVE-2016-9338
BID
MISC rockwell_automation — micrologix
  An issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 controller 1763-L16AWA, Series A and B, Version 14.000 and prior versions; 1763-L16BBB, Series A and B, Version 14.000 and prior versions; 1763-L16BWA, Series A and B, Version 14.000 and prior versions; and 1763-L16DWD, Series A and B, Version 14.000 and prior versions. User credentials are sent to the web server in clear text, which may allow an attacker to discover the credentials if they are able to observe traffic between the web browser and the server. 2017-02-13 not yet calculated CVE-2016-9334
BID
MISC sap — sap
  The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remote attackers to cause a denial of service (memory consumption and process crash) via multiple msgserver/group?group= requests with a crafted size of the group parameter, aka SAP Security Note 2358972. 2017-02-15 not yet calculated CVE-2017-5997
MISC sauter — novaweb
  An issue was discovered in Sauter NovaWeb web HMI. The application uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user. 2017-02-13 not yet calculated CVE-2016-10224
MISC schneider_electric — connexium_firewalls An issue was discovered in Schneider Electric ConneXium firewalls TCSEFEC23F3F20 all versions, TCSEFEC23F3F21 all versions, TCSEFEC23FCF20 all versions, TCSEFEC23FCF21 all versions, and TCSEFEC2CF3F20 all versions. A stack-based buffer overflow can be triggered during the SNMP login authentication process that may allow an attacker to remotely execute code. 2017-02-13 not yet calculated CVE-2016-8352
BID
MISC schneider_electric — ionxxxx
  An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. No authentication is configured by default. An unauthorized user can access the device management portal and make configuration changes. 2017-02-13 not yet calculated CVE-2016-5815
BID
MISC schneider_electric — ionxxxx
  An issue was discovered on Schneider Electric IONXXXX series power meters ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, and PM5XXX series. There is no CSRF Token generated to authenticate the user during a session. Successful exploitation of this vulnerability can allow unauthorized configuration changes to be made and saved. 2017-02-13 not yet calculated CVE-2016-5809
BID
MISC schneider_electric — magelis
  An issue was discovered in Schneider Electric Magelis HMI Magelis GTO Advanced Optimum Panels, all versions, Magelis GTU Universal Panel, all versions, Magelis STO5xx and STU Small panels, all versions, Magelis XBT GH Advanced Hand-held Panels, all versions, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, all versions, Magelis XBT GT Advanced Touchscreen Panels, all versions, and Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe). An attacker may be able to disrupt a targeted web server, resulting in a denial of service because of UNCONTROLLED RESOURCE CONSUMPTION. 2017-02-13 not yet calculated CVE-2016-8374
BID
MISC schneider_electric — magelis
  An issue was discovered in Schneider Electric Magelis HMI Magelis GTO Advanced Optimum Panels, all versions, Magelis GTU Universal Panel, all versions, Magelis STO5xx and STU Small panels, all versions, Magelis XBT GH Advanced Hand-held Panels, all versions, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, all versions, Magelis XBT GT Advanced Touchscreen Panels, all versions, and Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe). An attacker can open multiple connections to a targeted web server and keep connections open preventing new connections from being made, rendering the web server unavailable during an attack. 2017-02-13 not yet calculated CVE-2016-8367
BID
MISC schneider_electric — unity_pro
  An issue was discovered in Schneider Electric Unity PRO prior to V11.1. Unity projects can be compiled as x86 instructions and loaded onto the PLC Simulator delivered with Unity PRO. These x86 instructions are subsequently executed directly by the simulator. A specially crafted patched Unity project file can make the simulator execute malicious code by redirecting the control flow of these instructions. 2017-02-13 not yet calculated CVE-2016-8354
BID
MISC schnieder_electric — wonderware_historian
  An issue was discovered in Schneider Electric Wonderware Historian 2014 R2 SP1 P01 and earlier. Wonderware Historian creates logins with default passwords, which can allow a malicious entity to compromise Historian databases. In some installation scenarios, resources beyond those created by Wonderware Historian may be compromised as well. 2017-02-13 not yet calculated CVE-2017-5155
BID
MISC shadow — shadow
  Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. 2017-02-17 not yet calculated CVE-2016-6252
MLIST
MLIST
MLIST
MLIST
CONFIRM
CONFIRM sieclo_sistemi — sieclo_sistemi
  An issue was discovered in Sielco Sistemi Winlog Lite SCADA Software, versions prior to Version 3.02.01, and Winlog Pro SCADA Software, versions prior to Version 3.02.01. An uncontrolled search path element (DLL Hijacking) vulnerability has been identified. Exploitation of this vulnerability could give an attacker access to the system with the same level of privilege as the application that utilizes the malicious DLL. 2017-02-13 not yet calculated CVE-2017-5161
BID
MISC siemans — eta4
  An issue was discovered in Siemens ETA4 firmware (all versions prior to Revision 08) of the SM-2558 extension module for: SICAM AK, SICAM TM 1703, SICAM BC 1703, and SICAM AK 3. Specially crafted packets sent to Port 2404/TCP could cause the affected device to go into defect mode. A cold start might be required to recover the system, a Denial-of-Service Vulnerability. 2017-02-13 not yet calculated CVE-2016-7987
BID
MISC siemens — sicam_pas
  An issue was discovered in Siemens SICAM PAS before 8.00. A factory account with hard-coded passwords is present in the SICAM PAS installations. Attackers might gain privileged access to the database over Port 2638/TCP. 2017-02-13 not yet calculated CVE-2016-8567
BID
MISC siemens — sicam_pas
  An issue was discovered in Siemens SICAM PAS before 8.00. Because of Storing Passwords in a Recoverable Format, an authenticated local attacker with certain privileges could possibly reconstruct the passwords of users for accessing the database. 2017-02-13 not yet calculated CVE-2016-8566
BID
MISC simplesamlphp — simplesamlphp
  The validateSignature method in the SAML2Utils class in SimpleSAMLphp before 1.14.10 and simplesamlphp/saml2 library before 1.9.1, 1.10.x before 1.10.3, and 2.x before 2.3.3 allows remote attackers to spoof SAML responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean. 2017-02-16 not yet calculated CVE-2016-9814
BID
CONFIRM simplesamlphp — simplesamlphp
  The SimpleSAML_XML_Validator class constructor in SimpleSAMLphp before 1.14.11 might allow remote attackers to spoof signatures on SAML 1 responses or possibly cause a denial of service (memory consumption) by leveraging improper conversion of return values to boolean. 2017-02-16 not yet calculated CVE-2016-9955
BID
CONFIRM smiths-medical — cadd-solis_medication_safety_software
  An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0; 2.0; 3.0; and 3.1. CADD-Solis Medication Safety Software grants an authenticated user elevated privileges on the SQL database, which would allow an authenticated user to modify drug libraries, add and delete users, and change user permissions. According to Smiths-Medical, physical access to the pump is required to install drug library updates. 2017-02-13 not yet calculated CVE-2016-8355
BID
MISC smiths-medical — cadd-solis_medication_safety_software
  An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0; 2.0; 3.0; and 3.1. The affected software does not verify the identities at communication endpoints, which may allow a man-in-the-middle attacker to gain access to the communication channel between endpoints. 2017-02-13 not yet calculated CVE-2016-8358
BID
MISC sogo — sogo
  Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) contact fields. 2017-02-17 not yet calculated CVE-2014-9905
MLIST
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM sogo — sogo
  Multiple cross-site scripting (XSS) vulnerabilities in the View Raw Source page in the Web Calendar in SOGo before 3.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Description, (2) Location, (3) URL, or (4) Title field. 2017-02-17 not yet calculated CVE-2016-6191
MLIST
CONFIRM
CONFIRM sogo — sogo
  SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the „View the Date & Time” restriction, as demonstrated by correlating UIDs and DTSTAMPs between all users. 2017-02-17 not yet calculated CVE-2016-6190
MLIST
CONFIRM
CONFIRM
CONFIRM sogo — sogo
  Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. 2017-02-17 not yet calculated CVE-2016-6189
MLIST
CONFIRM
CONFIRM
CONFIRM st_jude_medical — merlin@home
  An issue was discovered in St. Jude Medical Merlin@home, versions prior to Version 8.2.2 (RF models: EX1150; Inductive models: EX1100; and Inductive models: EX1100 with MerlinOnDemand capability). The identities of the endpoints for the communication channel between the transmitter and St. Jude Medical’s web site, Merlin.net, are not verified. This may allow a man-in-the-middle attacker to access or influence communications between the identified endpoints. 2017-02-13 not yet calculated CVE-2017-5149
BID
MISC tesla — model_s
  An issue was discovered in Tesla Motors Model S automobile, all firmware versions before version 7.1 (2.36.31) with web browser functionality enabled. The vehicle’s Gateway ECU is susceptible to commands that may allow an attacker to install malicious software allowing the attacker to send messages to the vehicle’s CAN bus, a Command Injection. 2017-02-13 not yet calculated CVE-2016-9337
BID
MISC tre_library_musl_libc — tre_library_musl_libc
  Multiple integer overflows in the TRE library and musl libc allow attackers to cause memory corruption via a large number of (1) states or (2) tags, which triggers an out-of-bounds write. 2017-02-13 not yet calculated CVE-2016-8859
MLIST
MLIST
BID unix — intersect_alliance_snare_epilog
  Cross-site scripting (XSS) vulnerability in InterSect Alliance SNARE Epilog for UNIX version 1.5 allows remote authenticated users to inject arbitrary web script or HTML via the str_log_name parameter in a „Web Admin Portal > Log Configuration > Add” action. 2017-02-17 not yet calculated CVE-2017-5998
MISC visonic — powerlink2
  An issue was discovered in Visonic PowerLink2, all versions prior to October 2016 firmware release. When a specific URL to an image is accessed, the downloaded image carries with it source code used in the web server (INFORMATION EXPOSURE). 2017-02-13 not yet calculated CVE-2016-5813
BID
MISC wago — wago
  An issue was discovered in WAGO 750-8202/PFC200 prior to FW04 (released August 2015), WAGO 750-881 prior to FW09 (released August 2016), and WAGO 0758-0874-0000-0111. By accessing a specific uniform resource locator (URL) on the web server, a malicious user is able to edit and to view settings without authenticating. 2017-02-13 not yet calculated CVE-2016-9362
BID
MISC wso2 — wso2_identity_server
  Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request. 2017-02-16 not yet calculated CVE-2016-4311
MISC
MISC
BUGTRAQ
BID
EXPLOIT-DB wso2 — wso2_identity_server
  XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials. 2017-02-16 not yet calculated CVE-2016-4312
MISC
MISC
BUGTRAQ
BID
CONFIRM
EXPLOIT-DB xen — xen
  The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access. 2017-02-16 not yet calculated CVE-2016-9637
BID
SECTRACK
CONFIRM
CONFIRM zabbix — zabbix
  SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php. 2017-02-16 not yet calculated CVE-2016-10134
MLIST
MLIST
BID
CONFIRM
CONFIRM zend_framework — zend_framework
  The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.19 might allow remote attackers to conduct SQL injection attacks via vectors related to use of the character pattern [w]* in a regular expression. 2017-02-16 not yet calculated CVE-2016-6233
BID
CONFIRM
FEDORA
FEDORA
FEDORA zend_framework — zend_framework
  The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation. 2017-02-16 not yet calculated CVE-2016-4861
JVN
JVNDB
CONFIRM
FEDORA
FEDORA
FEDORA

Famous Bald Eagle Pair Mr. President & the First Lady Have Welcomed the First Egg of 2017 into Their Washington DC Nest

WASHINGTON–(BUSINESS WIRE)–In 2016, the D.C. Eagle Cam took the world by storm, generating more than 63 million views from over 100 countries during a five-month period. Nature and animal enthusiasts intently watched this patriotic eagle pair as they raised their second and third eaglets in their Tulip Poplar nest in the U.S. National Arboretum. These eaglets were initially known as DC2 & DC3 and were later dubbed Freedom and Liberty by the public. In 2015, before the DC Eagle Cam project came to be, the pair raised one eaglet (DC1).

Since the nonprofit American Eagle Foundation (AEF) and USDA re-launched the DC Eagle Cam to the general public on New Year’s Eve, viewers have been patiently watching and waiting for the pair’s next set of eggs and eaglets.

Those who were watching the cams on February 19 around 6:24 p.m. EST were lucky enough to see The First Lady lay her first egg of the season. For all of those who missed it, they can watch the video HERE. Viewers should make sure to watch the cams over the next several days to catch the second, if she lays another (like last year).

Eagle pairs typically produce 1-3 eggs annually (usually laid and hatched a few days apart), but because this pair raised one eaglet during their first nesting season, and two eaglets their second season, there’s no telling what to expect this time around, especially since the nest has gotten larger.

Julia Cecere, a representative of the AEF states, “As long as this egg is viable, in about 35 days we will get to watch a grey fuzzy eaglet emerge from its shell. Over the next several days we’ll find out if this eaglet, which will be called DC4, will have any siblings as well.”

For all the viewers who became glued to the cams last year, what happens after the egg-laying is no surprise. From this point on, the pair will relentlessly incubate and protect any eggs from rain, snow, hail, thunderstorms, and predators. They will take turns throughout the day to let each other take breaks and hunt.

“It’s always fun to watch the behaviors of an eagle pair,” says Cecere. “Sometimes they almost appear to banter about who gets to watch over the eggs next. Of course, we have no clue what they’re saying to each other, but we can certainly have fun imagining!”

ABOUT THE D.C. EAGLE CAM PROJECT

In 2015, American Eagle Foundation (AEF) staff traveled to D.C. to install state-of-the-art cameras, infrared lighting, and other related equipment in-and-around the nest tree with the help of volunteers and experienced tree climbers. The USDA’s U.S. National Arboretum ran a half-mile of fiber optic cable to the cameras’ ground control station, which connects the cameras to the Internet. The entire system is powered by a large mobile solar array (containing several deep cycle batteries) that was designed and built by students and staff from Alfred State College, SUNY College of Technology and was partially funded by the Department of Energy and Environment. USNA has implemented a backup generator that will kick-on if prolonged inclement weather causes the solar array to provide insufficient power to the system. In 2016, APEX Electric Inc. (Kenmore, Washington) traveled to D.C. to assist the AEF in successfully installing audio equipment in and around the tree. The AEF uses Piksel to stream the video images to viewers around the world, and AEF volunteers are trained and coordinated to pan, tilt and zoom the cams, as well as educate the public via LIVE chats while viewers watch the eagles via the cams on the Internet.

New Ravean Down 2.0 Heated Jacket Nearly Triples Crowdfunding Campaign Goal, Raising More Than $146,000 with a Month Remaining on Indiegogo

News Image

Based on the success and popularity of our Ravean 2.0 crowdfunding campaign, we have given consumers exactly what they want in a heated winter jacket.

Ravean, the leader in the development of heated jackets, is on pace to soon triple its campaign goal for the new Ravean Down 2.0 Heated Jacket – raising more than $146,000 (and counting) from over 500 backers as crowdfunding enters its final month on Indiegogo.

Ravean used suggestions from customers who bought its original Ravean Heated Jacket to add new features to the 2.0 version – including more heating elements, added battery power for charging phones up to four-times on a single jacket charge, double the heating time, heated gloves with heated fingers, a heated hood, more pockets, faux fur option and even improved zippers.

“We’ve taken all of the feedback from crowdfunding backers who ordered our first jacket and literally created the ultimate heated jacket they asked for,” said Ravean Co-founder Bryce Fisher. “Based on the success and popularity of our Ravean 2.0 crowdfunding campaign, we have given consumers exactly what they want in a heated winter jacket.”

The Ravean 2.0 is available in men’s and women’s versions – with the women’s version featuring a stylish, removable faux fur collar and a longer torso for added coverage.

Both jackets include the following features:

  • Back/chest/glove/pocket warmers
  • A new heated hood option
  • Gloves with heated fingers, with self-retractable glove connectors
  • A new controller with head control, body control, and pocket/glove control
  • 10600mAh Battery
  • A new battery-life gauge
  • An added battery pocket and connector for two batteries, offering twice the playing time for phones and other electronic devices
  • New and improved YKK zippers and zipper pulls
  • Breathable underarm flex panels
  • Rip guard outer shell, with DWR water-resistant shell coating
  • Hydrophobic down
  • Reflective inner aluminum coating
  • Outside chest pocket for smartphone or sunglasses
  • interior large mesh stuff pockets

A limited number of super early-bird specials are available for crowdfunding backers during the Indiegogo campaign, with reduced pricing for multiple purchases. For more information or to pre-order, visit the Ravean 2.0 Down Jacket Campaign Page on Indiegogo.

About Ravean
Let’s be real here for a moment; we’re not the first people to come up with the idea of heated jackets or heated gloves. We’re just the first ones to do it right. By doing it right we mean our jackets look good, they’re durable, they’re affordable and they integrate our technology seamlessly and unobtrusively. Finally, there’s a heated jacket you can wear with equal comfort and style from the mountains to the office without missing a beat. Sure, it’s been tried before, but other solutions have been pricey, ugly and the technology was problematic. Ravean has addressed and solved each of these issues to present jackets you can wear anywhere, that are as stylish and durable as they are warm and cozy. For more information, visit ravean.com.

Share article on social media or email:

New Ravean Down 2.0 Heated Jacket Nearly Triples Crowdfunding Campaign Goal, Raising More Than $146,000 with a Month Remaining on Indiegogo

News Image

Based on the success and popularity of our Ravean 2.0 crowdfunding campaign, we have given consumers exactly what they want in a heated winter jacket.

Ravean, the leader in the development of heated jackets, is on pace to soon triple its campaign goal for the new Ravean Down 2.0 Heated Jacket – raising more than $146,000 (and counting) from over 500 backers as crowdfunding enters its final month on Indiegogo.

Ravean used suggestions from customers who bought its original Ravean Heated Jacket to add new features to the 2.0 version – including more heating elements, added battery power for charging phones up to four-times on a single jacket charge, double the heating time, heated gloves with heated fingers, a heated hood, more pockets, faux fur option and even improved zippers.

“We’ve taken all of the feedback from crowdfunding backers who ordered our first jacket and literally created the ultimate heated jacket they asked for,” said Ravean Co-founder Bryce Fisher. “Based on the success and popularity of our Ravean 2.0 crowdfunding campaign, we have given consumers exactly what they want in a heated winter jacket.”

The Ravean 2.0 is available in men’s and women’s versions – with the women’s version featuring a stylish, removable faux fur collar and a longer torso for added coverage.

Both jackets include the following features:

  • Back/chest/glove/pocket warmers
  • A new heated hood option
  • Gloves with heated fingers, with self-retractable glove connectors
  • A new controller with head control, body control, and pocket/glove control
  • 10600mAh Battery
  • A new battery-life gauge
  • An added battery pocket and connector for two batteries, offering twice the playing time for phones and other electronic devices
  • New and improved YKK zippers and zipper pulls
  • Breathable underarm flex panels
  • Rip guard outer shell, with DWR water-resistant shell coating
  • Hydrophobic down
  • Reflective inner aluminum coating
  • Outside chest pocket for smartphone or sunglasses
  • interior large mesh stuff pockets

A limited number of super early-bird specials are available for crowdfunding backers during the Indiegogo campaign, with reduced pricing for multiple purchases. For more information or to pre-order, visit the Ravean 2.0 Down Jacket Campaign Page on Indiegogo.

About Ravean
Let’s be real here for a moment; we’re not the first people to come up with the idea of heated jackets or heated gloves. We’re just the first ones to do it right. By doing it right we mean our jackets look good, they’re durable, they’re affordable and they integrate our technology seamlessly and unobtrusively. Finally, there’s a heated jacket you can wear with equal comfort and style from the mountains to the office without missing a beat. Sure, it’s been tried before, but other solutions have been pricey, ugly and the technology was problematic. Ravean has addressed and solved each of these issues to present jackets you can wear anywhere, that are as stylish and durable as they are warm and cozy. For more information, visit ravean.com.

Share article on social media or email:

Virus inspires new way to deliver cancer drugs

Virus-like nanoparticles are made from structural proteins.

Drugs disguised as viruses are providing new weapons in the battle against cancer, promising greater accuracy and fewer side effects than chemotherapy.

Researchers at The University of Queensland’s Australian Institute for Bioengineering and Nanotechnology (AIBN) have designed a virus-like nanoparticle (VNP) that delivers drugs directly to the cells where they are needed.

The lead author of a paper on the topic, Dr Frank Sainsbury, said the VNP was made from the structural proteins that formed the virus’s protective shell.

 “Viruses have evolved to contain and protect bioactive molecules,” Dr Sainsbury said. “They’ve also evolved smart ways to get into cells and deliver these bioactive molecules.  

“The VNP is an empty shell. It looks like a virus but it’s not infectious. This makes it safe to use as a targeted drug delivery system.”

With infectious viral genes removed, empty shells can be loaded with small molecules or proteins resulting in a stable, well-protected therapeutic package. The outside of the shell then determines where the package will go.

The ability to send drugs directly to their target is a critical goal in the development of safe, effective therapeutics. 

Currently many drugs, including anti-cancer chemotherapies, must be administered at high doses in order to have a therapeutic effect. This can lead to harsh side effects because drugs can damage healthy cells as well as intended targets.

Dr Sainsbury and his colleagues developed a VNP using the Bluetongue virus, which normally infects cows, sheep and other ruminants.

They picked the virus because of its stable shell, made of hundreds of proteins that are known to bind to a molecule found in high levels around many cancer cells. 

Dr Sainsbury teamed up with Dr Michael Landsberg at UQ’s School of Chemistry and Molecular Biosciences and researchers at the Institute for Molecular Bioscience and the UK’s John Innes Centre.

They were able to demonstrate that the porous VNPs could be filled with small molecules for drug delivery and it also was possible to design VNPs to contain larger molecules, such as therapeutic proteins.

Importantly, the researchers showed VNPs were able to bind to breast cancer cells, and then be absorbed.

Dr Sainsbury said the next step was to load the VNPs with anti-cancer drugs and see if they could kill cancer cells without harming healthy cells.

Although VNPs are highly complex and difficult to synthesise, Dr Sainsbury said they could be easily produced in the leaves of Nicotiana benthamiana, a wild relative of tobacco.

By providing plant cells with genetic instructions for making VNPs, the plant was able to assemble virus protein shells without any permanent change to the plant’s own genetic code. 

Dr Sainsbury said one day greenhouses may be able to produce large amounts of the nanoparticles within days.

“This research unlocks a myriad of potential applications in therapeutic delivery,” Dr Sainsbury said.

Because the nanoparticles they have designed are highly stable, the AIBN research team is exploring other biotechnology applications.

The study of precision nanomedicine – including targeted drug delivery – aligns with AIBN’s Five Pillars of Research for improved health outcomes.

The researchers received funding from the Australian Research Council, the UK Biotechnological and Biological Sciences Research Council and the John Innes Foundation.

Media: communications@aibn.uq.edu.au , +61 7 3346 3962, +61 427 148 187; Dr Frank Sainsbury, f.sainsbury@uq.edu.au, +61 7 3346 3179.

Growth Expert and Endurance Athlete Reveals Secret to Growing Business at the Right Pace

News Image

Business is like a body which has real limits like maximum heart rate and imagined limits like how fast we think we can go.

What do Starbucks, Krispy Kreme, Nokia, and Samsung all have in common? They’re all examples of businesses that grew too fast or too slow and as a result experienced a large loss of value and de-motivated employees.

Pacing for Growth,” a new book by Dr. Alison Eyring, an organizational psychologist, growth expert, CEO of global consultancy Organisation Solutions, and endurance athlete, shows businesses how to find the right pace for success. Published by Berrett-Koehler, the book is available in paperback and Kindle editions on Amazon and at all major booksellers.

Technology is changing the world at such a rapid pace that many businesses and their people feel like they can’t keep up. Business models are being eradicated. People are burning the proverbial candle at both ends. And, corporations, consumed by growth and addicted to action are focused on short-term returns for shareholders at the expense of their business’s ability to thrive long-term and the well-being of employees.

But as anyone who has trained for a long-distance race or competed in a triathlon will tell you, the right pace—in training and the race itself—wins. Go too fast and push too hard and you, and your business, can burn out. Go too slow and you get left in the dust.

Eyring, who competes in ultra-marathons and triathlons, says “business is like a body” which has real limits like maximum heart rate and imagined limits like how fast we think we can go.

From her work with clients like American Express, Four Seasons, Shell, Airbnb, and Google (which recently hosted a book launch party at its Singapore headquarters), along with her ultra-racing, Eyring knows it’s important to practice what she’s coined, “Intelligent Restraint”—a philosophy that helps leaders find the right speed for the long-term growth of their business while helping people manage the energy needed to sustain high levels of performance and to develop themselves for the future.

Intelligent Restraint guides leaders to engage entire employees and communities in defining what their maximum capacity looks like, and to identify how best to prepare for and thrive in this future.

“Pacing for Growth” shares the practical tenets of Intelligent Restraint, backed by three decades of experience and scientific research.

Businesses that practice Intelligent Restraint can:

  • Avoid the wasted effort and pain of boom-splat cycles of growth;
  • Conserve, replace and replenish energy the organization needs for long-term performance;
  • Build important growth capabilities faster and cheaper; and
  • Learn how to perform while preparing for the future at a winning pace.

“Pacing for Growth” uniquely weaves in Eyring’s journey as an ultra-athlete using its principles by which people expand a body’s capacity to go faster and farther as a metaphor to expanding the capacity of an organization and build the capabilities for future growth—all while genuinely supporting the people who work so hard to make it happen.

It has already received rave reviews:

  • “A compelling read drawing parallels from sport and applying them to the business world. It provides a no-nonsense approach for leaders wanting to simultaneously build capabilities and capacity for sustained healthy growth.” —Marko Ilincic, SVP & Head of Asia Pacific, The LEGO Group
  • “Delivering growth is a prerogative for almost every business leader. ‘Pacing for Growth’ draws a compelling distinction between simply delivering growth and creating a sustainable advantage in the process of delivering growth. The book reinforces that the ‘how’ matters and provides simple principles that can inspire leaders to accomplish sustained growth.”—Karthik Rao, President, Nielsen
  • “I applaud Alison’s call for intelligent restraint before we blindly dash to the next challenge. Her expert advice and counsel is second-to-none, and I promise your organization will achieve more in the long run if you accept her wise counsel!” —Jim Kouzes, co-author of the bestselling The Leadership Challenge and the Dean’s Executive Fellow of Leadership, Leavey School of Business, Santa Clara University
  • “As CEO, I am constantly faced with the tension of leading a successful company to execute our core business and, at the same time, prepare ourselves for the future. ‘Pacing for Growth’ gives leaders a new approach to solving this inherent paradox.”—Bruce Cleaver, CEO, De Beers Group

More information about Intelligent Restraint can be found on the community’s Facebook page.

Pacing for Growth
By Alison Eyring
Berrett Koehler Publishing
Feb. 6, 2017
192 pages
Paperback, $19.95; Kindle, $9.99
ISBN-10: 1626568170
ISBN-17: 978-1626568174

About Dr. Alison Eyring
Dr. Alison Eyring is a global thought leader on building organizational capacity for growth. Founder and chief executive of Organisation Solutions, as well as an endurance athlete and trained organizational psychologist, Alison has 25 years of experience in large-scale organization design and change and executive development. She works closely with global and regional executives from Fortune/FTSE 500 and some of the world’s most innovative high-growth companies on leadership and growth. She is also Adjunct Associate Professor at the National University of Singapore Business School. For more information about her book, Pacing For Growth, visit the book page.

Share article on social media or email:

Market Size of Pour Point Depressants, Forecast Report 2016-2026

Pour Point Depressants (PPD) are polymers which lowers the temperature to suppress the precipitation of hydrocarbons present in oil. Pour Point Depressants are also known as paraffin inhibitors. Pour point depressants interlocks the waxy materials or paraffin by co-crystallization and modify the shape of crystals to increase the fluidity of oil or fluid. Good quality pour point depressants lowers the pour point up to 400C. However, polymethacrylates and alkylaromatic polymers lower the pour point up to 10-200C. The addition of pour point depressants improve the performance of fluid. Pour point depressants are used widely in oil and gas industry so as to enhance the flow characteristics, which helps in easy handling, transportation and storage of crude oil. Automotive industry is expected to contribute a major share in the global pour point depressants market. Moreover, revenue from the sales of pour point depressants across the globe is expected to increase at a moderate CAGR over the forecast period.
Pour Point Depressants Market: Drivers and Restraints

The competitive edge of pour point depressants over other alternatives with properties such as enhancing the fuel lubricity, reduced viscosity, and performance enhancement of flow of crude oil is expected to be the major demand driving factor for the growth of global pour depressants market. The growth of automobile industry is one of the major factors driving the growth of the global pour point depressant market. Moreover, the rising demand of engine oils, tractor fluids and power transmission fluids is in turn expected to fuel the overall growth of the global pour point depressant market. In addition, increasing refining capacity across the globe and rapid industrialization are some other driving factors boosting the growth of the global pour point depressant market.

Request Report Sample@ www.futuremarketinsights.com/reports/sample/rep-gb-1504

Neat biodiesel with suitable modification is expected to be one of the restraining factors for the growth of global pour point depressant market. Moreover, nanoparticles can be an alternative to challenge the global pour point depressant market. The global economic crises, specifically in China is also expected to be a major threat for the growth of global pour point depressants market.

Pour Point Depressants Market: Segmentation

On the basis of chemistry, the global pour point depressant can be segmented into

Polymethacrylate

Ethylene-co-vinyl-acetate

Alkylaromatic polymers

Styrene esters

Oligomerized alkyl phenols

Phthalic acid esters

Copolymers of alpha- olefins

On the basis of end user application, the global pour point depressant market can be segmented into

Oil and gas industries

Exploration

Production

Refining

Marine industries

Lubricant industries

Automotive industry

Chemicals

Visit For TOC@ www.futuremarketinsights.com/toc/rep-gb-1504

Pour Point Depressants Market: Regional Outlook

On the basis of region the global pour point depressant market is segmented into North America, Latin America, Western Europe, Eastern Europe, Middle East and Africa, Asia Pacific Countries excluding Japan and Japan. Asia pacific is expected to contribute maximum share in terms of value to the revenue generated from the sales of pour point depressants globally. This region is expected to retain its dominance throughout the forecast period. China is estimated to be the fastest growing country in the global pour point depressants market. India and South Korea are also expected to contribute maximum share in the global pour point depressants market over the forecast period.

Pour Point Depressants Market: Major key players

Some of the major players identified in the global pour point depressants market are:

Global Partners LP

BASF SE

Chevron Phillips Chemical Company

Croda International Plc

Messina Chemicals

Evonik Industries AG

Afton Chemical Corporation

Royal Dutch Shell plc

Clariant Corporation

The Lubrizol Corporation

ABOUT US:
Future Market Insights (FMI) is a leading market intelligence and consulting firm. We deliver syndicated research reports, custom research reports and consulting services, which are personalized in nature. FMI delivers a complete packaged solution, which combines current market intelligence, statistical anecdotes, technology inputs, valuable growth insights, an aerial view of the competitive framework, and future market trends.

CONTACT:
616 Corporate Way, Suite 2-9018,
Valley Cottage, NY 10989,
United States
T: +1-347-918-3531
F: +1-845-579-5705
Email: sales@futuremarketinsights.com
Press: press@futuremarketinsights.com
Website: www.futuremarketinsights.com

This release was published on openPR.

Market Size of Pour Point Depressants, Forecast Report 2016-2026

Pour Point Depressants (PPD) are polymers which lowers the temperature to suppress the precipitation of hydrocarbons present in oil. Pour Point Depressants are also known as paraffin inhibitors. Pour point depressants interlocks the waxy materials or paraffin by co-crystallization and modify the shape of crystals to increase the fluidity of oil or fluid. Good quality pour point depressants lowers the pour point up to 400C. However, polymethacrylates and alkylaromatic polymers lower the pour point up to 10-200C. The addition of pour point depressants improve the performance of fluid. Pour point depressants are used widely in oil and gas industry so as to enhance the flow characteristics, which helps in easy handling, transportation and storage of crude oil. Automotive industry is expected to contribute a major share in the global pour point depressants market. Moreover, revenue from the sales of pour point depressants across the globe is expected to increase at a moderate CAGR over the forecast period.
Pour Point Depressants Market: Drivers and Restraints

The competitive edge of pour point depressants over other alternatives with properties such as enhancing the fuel lubricity, reduced viscosity, and performance enhancement of flow of crude oil is expected to be the major demand driving factor for the growth of global pour depressants market. The growth of automobile industry is one of the major factors driving the growth of the global pour point depressant market. Moreover, the rising demand of engine oils, tractor fluids and power transmission fluids is in turn expected to fuel the overall growth of the global pour point depressant market. In addition, increasing refining capacity across the globe and rapid industrialization are some other driving factors boosting the growth of the global pour point depressant market.

Request Report Sample@ www.futuremarketinsights.com/reports/sample/rep-gb-1504

Neat biodiesel with suitable modification is expected to be one of the restraining factors for the growth of global pour point depressant market. Moreover, nanoparticles can be an alternative to challenge the global pour point depressant market. The global economic crises, specifically in China is also expected to be a major threat for the growth of global pour point depressants market.

Pour Point Depressants Market: Segmentation

On the basis of chemistry, the global pour point depressant can be segmented into

Polymethacrylate

Ethylene-co-vinyl-acetate

Alkylaromatic polymers

Styrene esters

Oligomerized alkyl phenols

Phthalic acid esters

Copolymers of alpha- olefins

On the basis of end user application, the global pour point depressant market can be segmented into

Oil and gas industries

Exploration

Production

Refining

Marine industries

Lubricant industries

Automotive industry

Chemicals

Visit For TOC@ www.futuremarketinsights.com/toc/rep-gb-1504

Pour Point Depressants Market: Regional Outlook

On the basis of region the global pour point depressant market is segmented into North America, Latin America, Western Europe, Eastern Europe, Middle East and Africa, Asia Pacific Countries excluding Japan and Japan. Asia pacific is expected to contribute maximum share in terms of value to the revenue generated from the sales of pour point depressants globally. This region is expected to retain its dominance throughout the forecast period. China is estimated to be the fastest growing country in the global pour point depressants market. India and South Korea are also expected to contribute maximum share in the global pour point depressants market over the forecast period.

Pour Point Depressants Market: Major key players

Some of the major players identified in the global pour point depressants market are:

Global Partners LP

BASF SE

Chevron Phillips Chemical Company

Croda International Plc

Messina Chemicals

Evonik Industries AG

Afton Chemical Corporation

Royal Dutch Shell plc

Clariant Corporation

The Lubrizol Corporation

ABOUT US:
Future Market Insights (FMI) is a leading market intelligence and consulting firm. We deliver syndicated research reports, custom research reports and consulting services, which are personalized in nature. FMI delivers a complete packaged solution, which combines current market intelligence, statistical anecdotes, technology inputs, valuable growth insights, an aerial view of the competitive framework, and future market trends.

CONTACT:
616 Corporate Way, Suite 2-9018,
Valley Cottage, NY 10989,
United States
T: +1-347-918-3531
F: +1-845-579-5705
Email: sales@futuremarketinsights.com
Press: press@futuremarketinsights.com
Website: www.futuremarketinsights.com

This release was published on openPR.

Global Mineral Oil Sales Market – Dow Chemical, ExxonMobil, Eastman, Shell, British Petroleum

The Mineral Oil Sales report is offers a clear picture of the current and future trends, developments and opportunities. The report, prepared by a highly seasoned team of analysts and data experts, carries an array of tables and graphs besides qualitative analyses. Starting with a discussion on the current state of the Mineral Oil Sales market, the report goes on to discuss the dynamics affecting each segment within it. The report segments the market to up to three levels and studies each of these in great detail. The result is a set of sharp insights and recommendations that will help companies stay ahead of the next new trend in the Mineral Oil Sales industry.
The report begins with a broad introduction of the Mineral Oil Sales market and then drills deeper into specific segments such as application, regional markets, end-users, policy analysis, value chain structure, and emerging trends. The Mineral Oil Sales market report makes a case for investments in particular regions based on a realistic view of their regulatory environment, manufacturing dynamics and availability of skills and resources. Also, recommendations are made based on regions and market segments that are not poised for appreciable growth in the near future.

Download Sample Report @ www.fiormarkets.com/report-detail/5526/request-sample

The Mineral Oil Sales market and its dynamics are evaluated using industry leading tools and techniques. A qualitative analysis forms a sizeable portion of the research efforts as well. With emerging changes on the horizon, the Mineral Oil Sales market is poised for certain important change. It is imperative that market players gear up for these changes. The report helps companies—both new and established—to identify white spaces and opportunities for growth in the Mineral Oil Sales market.

The leading companies in the Mineral Oil Sales market are profiled to offer a complete overview of their growth strategies, financial standing, product and services pipeline, as well as recent collaborations and developments.

The report’s analysis is based on technical data and industry figures sourced from the most reputable databases. Other aspects that will prove especially beneficial to readers of the report are: investment feasibility analysis, recommendations for growth, investment return analysis, trends analysis, opportunity analysis, and SWOT analyses of competing companies. With the help of inputs and insights from technical and marketing experts, the report presents an objective assessment of the Mineral Oil Sales market.

Access Full Report With TOC @ goo.gl/TzurqU

A detailed segmentation evaluation of the Mineral Oil Sales market has been provided in the report. Detailed information about the key segments of the market and their growth prospects are available in the report. The detailed analysis of their sub-segments is also available in the report. The revenue forecasts and volume shares along with market estimates are available in the report. The competitive landscape of the market presented in the study profiles the most prominent players in the market.

Fior Markets is a leading market intelligence company that sells reports of top publishers in the technology industry.

Our extensive research reports cover detailed market assessments that include major technological improvements in the industry. Fior Markets also specializes in analyzing hi-tech systems and current processing systems in its expertise.

Contact Us

Mark Stone
Sales Manager
Phone: (201) 465-4211
Email: sales@fiormarkets.com
Web: www.fiormarkets.com

This release was published on openPR.

Global Mineral Oil Sales Market – Dow Chemical, ExxonMobil, Eastman, Shell, British Petroleum

The Mineral Oil Sales report is offers a clear picture of the current and future trends, developments and opportunities. The report, prepared by a highly seasoned team of analysts and data experts, carries an array of tables and graphs besides qualitative analyses. Starting with a discussion on the current state of the Mineral Oil Sales market, the report goes on to discuss the dynamics affecting each segment within it. The report segments the market to up to three levels and studies each of these in great detail. The result is a set of sharp insights and recommendations that will help companies stay ahead of the next new trend in the Mineral Oil Sales industry.
The report begins with a broad introduction of the Mineral Oil Sales market and then drills deeper into specific segments such as application, regional markets, end-users, policy analysis, value chain structure, and emerging trends. The Mineral Oil Sales market report makes a case for investments in particular regions based on a realistic view of their regulatory environment, manufacturing dynamics and availability of skills and resources. Also, recommendations are made based on regions and market segments that are not poised for appreciable growth in the near future.

Download Sample Report @ www.fiormarkets.com/report-detail/5526/request-sample

The Mineral Oil Sales market and its dynamics are evaluated using industry leading tools and techniques. A qualitative analysis forms a sizeable portion of the research efforts as well. With emerging changes on the horizon, the Mineral Oil Sales market is poised for certain important change. It is imperative that market players gear up for these changes. The report helps companies—both new and established—to identify white spaces and opportunities for growth in the Mineral Oil Sales market.

The leading companies in the Mineral Oil Sales market are profiled to offer a complete overview of their growth strategies, financial standing, product and services pipeline, as well as recent collaborations and developments.

The report’s analysis is based on technical data and industry figures sourced from the most reputable databases. Other aspects that will prove especially beneficial to readers of the report are: investment feasibility analysis, recommendations for growth, investment return analysis, trends analysis, opportunity analysis, and SWOT analyses of competing companies. With the help of inputs and insights from technical and marketing experts, the report presents an objective assessment of the Mineral Oil Sales market.

Access Full Report With TOC @ goo.gl/TzurqU

A detailed segmentation evaluation of the Mineral Oil Sales market has been provided in the report. Detailed information about the key segments of the market and their growth prospects are available in the report. The detailed analysis of their sub-segments is also available in the report. The revenue forecasts and volume shares along with market estimates are available in the report. The competitive landscape of the market presented in the study profiles the most prominent players in the market.

Fior Markets is a leading market intelligence company that sells reports of top publishers in the technology industry.

Our extensive research reports cover detailed market assessments that include major technological improvements in the industry. Fior Markets also specializes in analyzing hi-tech systems and current processing systems in its expertise.

Contact Us

Mark Stone
Sales Manager
Phone: (201) 465-4211
Email: sales@fiormarkets.com
Web: www.fiormarkets.com

This release was published on openPR.