ID

VAR-200801-0561

CVE

CVE-2007-6388

TITLE

Apache HTTP Server of mod_status Vulnerable to cross-site scripting

DESCRIPTION

Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39, when the server-status page is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. A cross-site scripting vulnerability has been found with the Status Information Display function of Hitachi Web Server.An attacker could execute a cross-site scripting attack by sending a request that contains malicious scripts. The vulnerability does not affect the products if the Status Information Display function is being disabled. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Reportedly, attackers can also use this issue to redirect users' browsers to arbitrary locations, which may aid in phishing attacks. The issue affects versions prior to Apache 2.2.7-dev, 2.0.62-dev, and 1.3.40-dev. A flaw found in the mod_proxy_ftp module could lead to a cross-site scripting attack against web browsers which do not correctly derive the response character set following the rules in RFC 2616, on sites where the mod_proxy_ftp module was enabled (CVE-2008-0005). The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005 _______________________________________________________________________ Updated Packages: Corporate 3.0: e0fabb0a832dc1204854ed23627c9071 corporate/3.0/i586/apache2-2.0.48-6.17.C30mdk.i586.rpm 2d99e3d8fcd7056dd0233dbc147e37e7 corporate/3.0/i586/apache2-common-2.0.48-6.17.C30mdk.i586.rpm 7bf8862eb0fff56e54a5e90e9933679b corporate/3.0/i586/apache2-devel-2.0.48-6.17.C30mdk.i586.rpm 1297ae9bf0bba4b2783641ba6ac576ee corporate/3.0/i586/apache2-manual-2.0.48-6.17.C30mdk.i586.rpm 3a418eec92eca0b9770c8197a8f80f07 corporate/3.0/i586/apache2-mod_cache-2.0.48-6.17.C30mdk.i586.rpm 67f3a6a03a4726eb573c2155aaefdb76 corporate/3.0/i586/apache2-mod_dav-2.0.48-6.17.C30mdk.i586.rpm 0b5cd07f4aa2ff89ed4c3fae36c5ca2b corporate/3.0/i586/apache2-mod_deflate-2.0.48-6.17.C30mdk.i586.rpm 61b4e239c6cba376a4a62a52d7582158 corporate/3.0/i586/apache2-mod_disk_cache-2.0.48-6.17.C30mdk.i586.rpm a6080f99a53ca66a9fcd56ee9ac09e21 corporate/3.0/i586/apache2-mod_file_cache-2.0.48-6.17.C30mdk.i586.rpm 9652c8a568641754e49b971d79c8e52c corporate/3.0/i586/apache2-mod_ldap-2.0.48-6.17.C30mdk.i586.rpm b3886d86008a0f46c9791d331938c11a corporate/3.0/i586/apache2-mod_mem_cache-2.0.48-6.17.C30mdk.i586.rpm 3d1b7594ce0bee796de8d2937223f382 corporate/3.0/i586/apache2-mod_proxy-2.0.48-6.17.C30mdk.i586.rpm 3fd1abda5d04c8342288fd37fbbbd362 corporate/3.0/i586/apache2-mod_ssl-2.0.48-6.17.C30mdk.i586.rpm e8e643e3e779a8cc07399fb4ad1f6c15 corporate/3.0/i586/apache2-modules-2.0.48-6.17.C30mdk.i586.rpm e4b634876a9e7845ecf3679075c84ce1 corporate/3.0/i586/apache2-source-2.0.48-6.17.C30mdk.i586.rpm b3d0f3e54d76055f233caa5540a62036 corporate/3.0/i586/libapr0-2.0.48-6.17.C30mdk.i586.rpm 660176a97677746d6417ca0cf3351518 corporate/3.0/SRPMS/apache2-2.0.48-6.17.C30mdk.src.rpm Corporate 3.0/X86_64: e616f6ca90aaed6b7877c8e84ce61a6c corporate/3.0/x86_64/apache2-2.0.48-6.17.C30mdk.x86_64.rpm 9e5731c7d1635e92fdb026785a35e1fc corporate/3.0/x86_64/apache2-common-2.0.48-6.17.C30mdk.x86_64.rpm 3b7456191eb49e6aed0b239338890d50 corporate/3.0/x86_64/apache2-devel-2.0.48-6.17.C30mdk.x86_64.rpm ccfdfa7286c3be4e37b763eb8c56d9af corporate/3.0/x86_64/apache2-manual-2.0.48-6.17.C30mdk.x86_64.rpm 72ca899935c0b83b71e143d94cdc66f0 corporate/3.0/x86_64/apache2-mod_cache-2.0.48-6.17.C30mdk.x86_64.rpm 5455176128af28271ceccac00947414b corporate/3.0/x86_64/apache2-mod_dav-2.0.48-6.17.C30mdk.x86_64.rpm f82082e4458ffdcf5f905af8da6fad68 corporate/3.0/x86_64/apache2-mod_deflate-2.0.48-6.17.C30mdk.x86_64.rpm a76d5d5aa57817d48c244d1a19db386a corporate/3.0/x86_64/apache2-mod_disk_cache-2.0.48-6.17.C30mdk.x86_64.rpm 38bff396839955a9b2a52679b8e9730f corporate/3.0/x86_64/apache2-mod_file_cache-2.0.48-6.17.C30mdk.x86_64.rpm 8064518036a784af67f787edfd38b429 corporate/3.0/x86_64/apache2-mod_ldap-2.0.48-6.17.C30mdk.x86_64.rpm 5d780cd9a1448870ef2fb712a87e3b18 corporate/3.0/x86_64/apache2-mod_mem_cache-2.0.48-6.17.C30mdk.x86_64.rpm 0eb257d14aa0b920f0b8fed66fcb0758 corporate/3.0/x86_64/apache2-mod_proxy-2.0.48-6.17.C30mdk.x86_64.rpm a04aa093320e9c2c3b0d288a442c5821 corporate/3.0/x86_64/apache2-mod_ssl-2.0.48-6.17.C30mdk.x86_64.rpm 59b737044482d22b2299a32d6651fb8b corporate/3.0/x86_64/apache2-modules-2.0.48-6.17.C30mdk.x86_64.rpm 6745332fed3a6cd7cf6ec6a3ea2ab52e corporate/3.0/x86_64/apache2-source-2.0.48-6.17.C30mdk.x86_64.rpm 36a6313cf1bf1425e03d904a5f527831 corporate/3.0/x86_64/lib64apr0-2.0.48-6.17.C30mdk.x86_64.rpm 660176a97677746d6417ca0cf3351518 corporate/3.0/SRPMS/apache2-2.0.48-6.17.C30mdk.src.rpm Multi Network Firewall 2.0: 0d7296bc37c70931a79d5981c292b82f mnf/2.0/i586/apache2-2.0.48-6.17.M20mdk.i586.rpm e3db0e869074f6fbc15cbcdf66806c3e mnf/2.0/i586/apache2-common-2.0.48-6.17.M20mdk.i586.rpm 4a49046ee1c2e5bb3417783051caa28a mnf/2.0/i586/apache2-devel-2.0.48-6.17.M20mdk.i586.rpm 68838daa22fe4e47dd399d281e946b3f mnf/2.0/i586/apache2-manual-2.0.48-6.17.M20mdk.i586.rpm f51d2cc5178d9eb235681d0aeeea339c mnf/2.0/i586/apache2-mod_cache-2.0.48-6.17.M20mdk.i586.rpm e69c01851c2d17962479701d335f6d2a mnf/2.0/i586/apache2-mod_dav-2.0.48-6.17.M20mdk.i586.rpm 8294205320ee4047018adaacf79792f1 mnf/2.0/i586/apache2-mod_deflate-2.0.48-6.17.M20mdk.i586.rpm 66da17f8628f646f51b1f45a90eeb874 mnf/2.0/i586/apache2-mod_disk_cache-2.0.48-6.17.M20mdk.i586.rpm 631223e65b60be8067a7204e30ee5694 mnf/2.0/i586/apache2-mod_file_cache-2.0.48-6.17.M20mdk.i586.rpm 8362b6016b1b2c6c3d6e4d6e450fec23 mnf/2.0/i586/apache2-mod_ldap-2.0.48-6.17.M20mdk.i586.rpm 44d23d4a8ba891c35b77c90a183df588 mnf/2.0/i586/apache2-mod_mem_cache-2.0.48-6.17.M20mdk.i586.rpm 086599e69c35f1836d37a17086d28ec2 mnf/2.0/i586/apache2-mod_proxy-2.0.48-6.17.M20mdk.i586.rpm 20edb85556832d8d50b9320a8ea5ae53 mnf/2.0/i586/apache2-mod_ssl-2.0.48-6.17.M20mdk.i586.rpm 4e3eff355f26f4c441ad176a661ef483 mnf/2.0/i586/apache2-modules-2.0.48-6.17.M20mdk.i586.rpm de7fb4b98c0ae60caaf9e77bc8e4edf8 mnf/2.0/i586/apache2-source-2.0.48-6.17.M20mdk.i586.rpm 35a34eeb8b961d7813286955ba593f76 mnf/2.0/i586/libapr0-2.0.48-6.17.M20mdk.i586.rpm 705f99d354c34a20a6dd66421316096e mnf/2.0/SRPMS/apache2-2.0.48-6.17.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (GNU/Linux) iD8DBQFHjloPmqjQ0CJFipgRAsbpAKCb8ORrZQhVKCr66fR0RkPWZ1og6gCdG4L1 /0us5LoRpUVY43LbjUwmweE= =HDyE -----END PGP SIGNATURE----- . The HP Business Availability Center v8.02 kit is available on the HP Software Support Online portal at: http://support.openview.hp.com/support.jsp . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2009-0010 Synopsis: VMware Hosted products update libpng and Apache HTTP Server Issue date: 2009-08-20 Updated on: 2009-08-20 (initial release of advisory) CVE numbers: CVE-2009-0040 CVE-2007-3847 CVE-2007-1863 CVE-2006-5752 CVE-2007-3304 CVE-2007-6388 CVE-2007-5000 CVE-2008-0005 - ------------------------------------------------------------------------ 1. Summary Updated VMware Hosted products address security issues in libpng and the Apace HTTP Server. 2. Relevant releases VMware Workstation 6.5.2 and earlier, VMware Player 2.5.2 and earlier, VMware ACE 2.5.2 and earlier 3. Problem Description a. Third Party Library libpng Updated to 1.2.35 Several flaws were discovered in the way third party library libpng handled uninitialized pointers. An attacker could create a PNG image file in such a way, that when loaded by an application linked to libpng, it could cause the application to crash or execute arbitrary code at the privilege level of the user that runs the application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0040 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.5.x any 6.5.3 build 185404 or later Player 2.5.x any 2.5.3 build 185404 or later ACE 2.5.x any 2.5.3 build 185404 or later Server 2.x any patch pending Server 1.x any patch pending Fusion 2.x Mac OS/X not affected Fusion 1.x Mac OS/X not affected ESXi 4.0 ESXi not affected ESXi 3.5 ESXi not affected ESX 4.0 ESX not affected ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 2.5.5 ESX not affected * * The libpng update for the Service Console of ESX 2.5.5 is documented in VMSA-2009-0007. b. Apache HTTP Server updated to 2.0.63 The new version of ACE updates the Apache HTTP Server on Windows hosts to version 2.0.63 which addresses multiple security issues that existed in the previous versions of this server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-3847, CVE-2007-1863, CVE-2006-5752, CVE-2007-3304, CVE-2007-6388, CVE-2007-5000, CVE-2008-0005 to the issues that have been addressed by this update. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 6.5.x any not affected Player 2.5.x any not affected ACE 2.5.x Windows 2.5.3 build 185404 or later ACE 2.5.x Linux update Apache on host system * Server 2.x any not affected Server 1.x any not affected Fusion 2.x Mac OS/X not affected Fusion 1.x Mac OS/X not affected ESXi 4.0 ESXi not affected ESXi 3.5 ESXi not affected ESX 4.0 ESX not affected ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 3.0.2 ESX not affected ESX 2.5.5 ESX not affected * The Apache HTTP Server is not part of an ACE install on a Linux host. Update the Apache HTTP Server on the host system to version 2.0.63 in order to remediate the vulnerabilities listed above. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum and/or the sha1sum of your downloaded file. VMware Workstation 6.5.3 ------------------------ http://www.vmware.com/download/ws/ Release notes: http://www.vmware.com/support/ws65/doc/releasenotes_ws653.html For Windows Workstation for Windows 32-bit and 64-bit Windows 32-bit and 64-bit .exe md5sum: 7565d16b7d7e0173b90c3b76ca4656bc sha1sum: 9f687afd8b0f39cde40aeceb3213a91be487aad1 For Linux Workstation for Linux 32-bit Linux 32-bit .rpm md5sum: 4d55c491bd008ded0ea19f373d1d1fd4 sha1sum: 1f43131c960e76a530390d3b6984c78dfc2da23e Workstation for Linux 32-bit Linux 32-bit .bundle md5sum: d4a721c1918c0e8a87c6fa4bad49ad35 sha1sum: c0c6f9b56e70bd3ffdb5467ee176110e283a69e5 Workstation for Linux 64-bit Linux 64-bit .rpm md5sum: 72adfdb03de4959f044fcb983412ae7c sha1sum: ba16163c8d9b5aa572526b34a7b63dc6e68f9bbb Workstation for Linux 64-bit Linux 64-bit .bundle md5sum: 83e1f0c94d6974286256c4d3b559e854 sha1sum: 8763f250a3ac5fc4698bd26319b93fecb498d542 VMware Player 2.5.3 ------------------- http://www.vmware.com/download/player/ Release notes: http://www.vmware.com/support/player25/doc/releasenotes_player253.html Player for Windows binary http://download3.vmware.com/software/vmplayer/VMware-player-2.5.3-185404.exe md5sum: fe28f193374c9457752ee16cd6cad4e7 sha1sum: 13bd3ff93c04fa272544d3ef6de5ae746708af04 Player for Linux (.rpm) http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.i386.rpm md5sum: c99cd65f19fdfc7651bcb7f328b73bc2 sha1sum: a33231b26e2358a72d16e1b4e2656a5873fe637e Player for Linux (.bundle) http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.i386.bundle md5sum: 210f4cb5615bd3b2171bc054b9b2bac5 sha1sum: 2f6497890b17b37480165bab9f430e8645edae9b Player for Linux - 64-bit (.rpm) http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.x86_64.rpm md5sum: f91576ef90b322d83225117ae9335968 sha1sum: f492fa9cf26ee2818f164aac04cde1680c25d974 Player for Linux - 64-bit (.bundle) http://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.x86_64.bundle md5sum: 595d44d7945c129b1aeb679d2f001b05 sha1sum: acd69fcb0c6bc49fd4af748c65c7fb730ab1e8c4 VMware ACE 2.5.3 ---------------- http://www.vmware.com/download/ace/ Release notes: http://www.vmware.com/support/ace25/doc/releasenotes_ace253.html ACE Management Server Virtual Appliance AMS Virtual Appliance .zip md5sum: 44cc7b86353047f02cf6ea0653e38418 sha1sum: 9f44b15e6681a6e58dd20784f829c68091a62cd1 VMware ACE for Windows 32-bit and 64-bit Windows 32-bit and 64-bit .exe md5sum: 0779da73408c5e649e0fd1c62d23820f sha1sum: 2b2e4963adc89f3b642874685f490222523b63ef ACE Management Server for Windows Windows .exe md5sum: 0779da73408c5e649e0fd1c62d23820f sha1sum: 2b2e4963adc89f3b642874685f490222523b63ef ACE Management Server for SUSE Enterprise Linux 9 SLES 9 .rpm md5sum: a4fc92d7197f0d569361cdf4b8cca642 sha1sum: af8a135cca398cacaa82c8c3c325011c6cd3ed75 ACE Management Server for Red Hat Enterprise Linux 4 RHEL 4 .rpm md5sum: 841005151338c8b954f08d035815fd58 sha1sum: 67e48624dba20e6be9e41ec9a5aba407dd8cc01e 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0040 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5752 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3304 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5000 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005 - ------------------------------------------------------------------------ 6. Change log 2009-08-20 VMSA-2009-0010 Initial security advisory after release of Workstation 6.5.3, Player 2.5.3, and ACE 2.5.3 on 2009-08-20. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2009 VMware Inc. All rights reserved. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications. HP Secure Web Server (SWS) for OpenVMS (based on Apache) V2.1-1 and earlier. Kit Name Location HP SWS V2.2 for OpenVMS Alpha and OpenVMS Integrity servers. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01607570 Version: 1 HPSBMA02388 SSRT080059 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Cross Site Scripting (XSS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2008-11-19 Last Updated: 2008-11-19 Potential Security Impact: Remote cross site scripting (XSS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to allow cross site scripting (XSS). References: CVE-2007-6388, CVE-2007-5000 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, and Solaris BACKGROUND CVSS 2.0 Base Metrics =============================================== Reference Base Vector Base Score CVE-2007-6388 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2007-5000 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 =============================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. RESOLUTION HP has made patches available to resolve the vulnerabilities. The patches are available from http://itrc.hp.com OV NNM v7.53 =========== Operating_System - HP-UX (IA) Resolved in Patch - PHSS_38148 or subsequent Operating_System - HP-UX (PA) Resolved in Patch - PHSS_38147 or subsequent Operating_System - Linux RedHatAS2.1 Resolved in Patch - LXOV_00085 or subsequent Operating_System - Linux RedHat4AS-x86_64 Resolved in Patch - LXOV_00086 or subsequent Operating_System - Solaris Resolved in Patch - PSOV_03514 or subsequent OV NNM v7.51 =========== Upgrade to NNM v7.53 and install the patches listed above. OV NNM v7.01 =========== Operating_System - HP-UX (PA) Resolved in Patch - PHSS_38761 or subsequent Operating_System - Solaris Resolved in Patch - PSOV_03516 or subsequent MANUAL ACTIONS: Yes - NonUpdate Apply the appropriate file as described in the Resolution. PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS (for HP-UX) For HP-UX OV NNM 7.53 HP-UX B.11.31 HP-UX B.11.23 (IA) ============= OVNNMgr.OVNNM-RUN action: install PHSS_38148 or subsequent URL: http://itrc.hp.com HP-UX B.11.23 (PA) HP-UX B.11.11 ============= OVNNMgr.OVNNM-RUN action: install PHSS_38147 or subsequent URL: http://itrc.hp.com For HP-UX OV NNM 7.51 HP-UX B.11.31 HP-UX B.11.23 HP-UX B.11.11 ============= OVNNMgr.OVNNM-RUN action: upgrade NNM v7.51 to NNM v7.53 and apply the appropriate patches For HP-UX OV NNM 7.01 HP-UX B.11.00 HP-UX B.11.11 ============= OVNNMgr.OVNNM-RUN action: install PHSS_38761 or subsequent URL: http://itrc.hp.com END AFFECTED VERSIONS (for HP-UX) HISTORY Version:1 (rev.1) - 19 November 2008 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2008 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBSSQhVOAfOvwtKn1ZEQIlVQCg4n4fABzC24c9qQ5gz68oPLMVKI0AoMbs A2UIaH3YB7z+o42Tm7Eg7ahn =lskD -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

xss

CONFIGURATIONS

PATCH

EXTERNAL IDS