VARIoT IoT vulnerabilities database
| VAR-201403-0044 | CVE-2013-2643 | Sophos Web Appliance Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component. Sophos Web Appliance contains a cross-site scripting vulnerability. A third party may be able to inject arbitrary web script or HTML.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Sophos Web Protection Appliance 3.7.8.2 are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc.
SEC Consult Vulnerability Lab Security Advisory < 20130403-0 >
=======================================================================
title: Multiple vulnerabilities
product: Sophos Web Protection Appliance
vulnerable version: <= 3.7.8.1
fixed version: 3.7.8.2
impact: Critical
CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643
homepage: http://www.sophos.com/
found: 2013-01-14
by: Wolfgang Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
-----------------------------
"Our award-winning Secure Web Gateway appliances make web protection easy.
They are quick to setup, simple to manage and make policy administration a
snap, even for non-technical users."
URL: http://www.sophos.com/en-us/products/web/web-protection.aspx
Business recommendation:
------------------------
SEC Consult has identified several vulnerabilities within the components of
the Sophos Web Protection Appliance in the course of a short crash test. Some
components have been spot-checked, while others have not been tested at all.
An attacker can get unauthorized access to the appliance and plant backdoors or
access configuration files containing credentials for other systems (eg. Active
Directory/FTP login) which can be used in further attacks.
Since all web traffic passes through the appliance, interception of HTTP as
well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use),
including sensitive information like passwords and session Cookies is possible.
If HTTPS Scanning is enabled, the appliance holds a private key for a
Certificate Authority (CA) certificate that is installed/trusted on all
workstations in the company. If this private key is compromised by an attacker,
arbitrary certificates can be signed. These certificates will then pass
validation on the client machines, enabling various attacks targeting
clients (MITM, phishing, evilgrade, ...).
The recommendation of SEC Consult is to switch off the product until a
comprehensive security audit based on a security source code review has been
performed and all identified security deficiencies have been resolved by the
vendor.
Vulnerability overview/description:
-----------------------------------
1) Unauthenticated local file disclosure (CVE-2013-2641)
Unauthenticated users can read arbitrary files from the filesystem with the
privileges of the "spiderman" operating system user. These files include
configuration files containing sensitive information such as clear text
passwords which can be used in other attacks.
Furthermore the webserver log file which holds valid PHP session IDs can be
accessed. With this information administrator users can be impersonated.
2) OS command injection (CVE-2013-2642)
Authenticated users can execute arbitrary commands on the underlying
operating system with the privileges of the "spiderman" operating system user.
This can be used to get persistent access to the affected system (eg. by
planting backdoors), accessing all kinds of locally stored information or
intercepting web traffic that passes through the appliance.
Unauthenticated users can exploit this kind of vulnerability too (depends on
appliance configuration).
3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)
Reflected Cross Site Scripting vulnerabilities were found. An attacker can use
these vulnerabilities to exploit other vulnerabilities in the web interface
or conduct phishing attacks.
Proof of concept:
-----------------
1) Unauthenticated local file disclosure (CVE-2013-2641)
As an example, an unauthenticated user can download the configuration file
containing the salted hash of the administrator password as well as clear text
passwords e.g. for FTP backup storage or Active Directory authentication:
https://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00
Furthermore the Apache access log can be retrieved. As PHP session IDs are
passed via the URL rather than via Cookies, these can be found in this log
file and effectively used to impersonate administrator users:
https://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00
An excerpt from the log file shows that it contains PHP session ID information
(parameter "STYLE").
<host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139
"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153"
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"
2) OS command injection (CVE-2013-2642)
The "Diagnostic Tools" functionality allows an authenticated user to inject
arbitrary operating system commands enclosed in backticks (`). These commands
are run with the privileges of the operating system user "spiderman":
POST /index.php?c=diagnostic_tools HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 92
Cache-Control: no-cache
action=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60
The "Local Site List" functionality allows injection of arbitrary OS commands:
POST /index.php?c=local_site_list_editor HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 205
STYLE=<valid session id>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]
Note: Unauthenticated users can retrieve valid session IDs using the
vulnerability in 1).
If a customized template for the "Block page" uses the variable
"%%user_workstation%%", an _unauthenticated_ user can inject OS commands using the
following URL:
https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60
3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)
The following URLs demonstrate reflected Cross Site Scripting vulnerabilities:
https://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E
https://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d
https://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E
https://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E
As the application uses URL parameters to transmit session IDs rather
than cookies, session stealing attacks cannot be executed using these flaws.
However, these vulnerabilities can still be used to fake login pages for
phishing purposes.
Furthermore the vulnerabilities in 1) and 2) can be exploited via one of the
XSS vulnerabilities. This enables attacks on the appliance even when the
web interface would otherwise not be reachable to the attacker.
Possible attack scenario:
Use XSS to run malicious Javascript in the browser of a user who has network
access to the web interface. This code can:
- Exploit the local file disclosure vulnerability (see 1) in order to gain
access to valid session IDs and impersonate administrator users.
- Exploit the OS command injection (see 2) in order to execute arbitrary
commands on the system.
- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the
private key for the CA certificate used for HTTPS scanning (MITM).
Vendor contact timeline:
------------------------
2013-02-22: Sending advisory and proof of concept exploit via encrypted
channel.
2013-02-23: Vendor acknowledges receipt of advisory.
2013-03-01: Vendor confirms reported issues and provides preliminary
information about release dates.
2013-03-07: Conference call: Addressing the risks the discovered
vulnerabilities pose to customers and release schedule.
2013-03-18: Vendor starts rollout of update to "a first group of customers".
2013-04-03: SEC Consult releases coordinated security advisory.
More information can be found at:
http://www.sophos.com/en-us/support/knowledgebase/118969.aspx
Workaround:
-----------
No workaround available.
Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
http://blog.sec-consult.com
EOF Wolfgang Ettlinger, Stefan Viehböck / @2013
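The proof-of-concept requests in the SEC Consult advisory above leave recognisable traces in the appliance's Apache access log. The following is an added detection example, not code from SEC Consult or Sophos; it assumes the combined log layout shown in the advisory's ui_access_log excerpt, and the sample lines, addresses, host name and session ID are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Apache "combined" layout, matching the ui_access_log excerpt in the advisory.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Assumption: session IDs are 32 hex characters, as in the advisory's excerpt.
SESSION_RE = re.compile(r'^[0-9a-f]{32}$')


def raw_params(url):
    """Split a URL into (path, [(name, raw_value)]) without decoding values."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "", []
    pairs = []
    for item in parts.query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return parts.path, pairs


def classify(line):
    """Return the set of advisory-related findings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return set()
    findings = set()
    path, params = raw_params(m["target"])
    for name, raw in params:
        value = unquote(raw)  # turns %00 into NUL and %60 into a backtick
        # CVE-2013-2641: traversal or NUL byte in patience.cgi's id parameter.
        if path.endswith("/patience.cgi") and name == "id" and (
            ".." in value or "\x00" in value
        ):
            findings.add("file-disclosure")
        # CVE-2013-2642: backtick in a query parameter. POST bodies are not
        # logged, so only the GET variant is visible in this log.
        if "`" in value:
            findings.add("command-injection")
    # Session IDs carried in URLs end up in the request line or the Referer.
    for url in (m["target"], m["referer"] or ""):
        _, pairs = raw_params(url)
        if any(n == "STYLE" and SESSION_RE.match(v) for n, v in pairs):
            findings.add("session-id-in-url")
    return findings


def scan(lines):
    """Group findings by client address."""
    report = defaultdict(set)
    for line in lines:
        hits = classify(line)
        if hits:
            report[LINE_RE.match(line)["client"]] |= hits
    return dict(report)


# Constructed sample lines (documentation addresses, made-up session ID).
SAMPLE = [
    '192.0.2.10 - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139 '
    '"https://appliance.example/index.php?section=configuration&c=configuration'
    '&STYLE=0123456789abcdef0123456789abcdef" "Mozilla/5.0"',
    '192.0.2.66 - - [21/Feb/2013:17:05:41 +0000] '
    '"GET /cgi-bin/patience.cgi?id=../../log/ui_access_log%00 HTTP/1.1" 200 5120 "-" "curl/7.29.0"',
    '192.0.2.66 - - [21/Feb/2013:17:06:02 +0000] '
    '"GET /end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 HTTP/1.1" 200 812 '
    '"-" "curl/7.29.0"',
    '192.0.2.10 - - [21/Feb/2013:17:07:30 +0000] '
    '"GET /cgi-bin/patience.cgi?id=42 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, hits in sorted(scan(SAMPLE).items()):
        print(client, sorted(hits))
```

A "session-id-in-url" finding marks exposure rather than an attack: any session ID recorded this way should be treated as disclosed if a "file-disclosure" finding appears in the same log.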
| VAR-201304-0568 | No CVE | Advanced Media Technologie Multiple Product Internal IP Address Information Disclosure Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Advanced Media Technologie is a company that provides CATV equipment and broadband products. Multiple Advanced Media Technologie products have a sensitive information disclosure issue that allows an attacker to submit /index.zhtml requests directly to obtain the device's internal IP address information.
| VAR-201304-0563 | No CVE | Advanced Media Technologie Multiple Products Remote Unauthorized Restart Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Advanced Media Technologie is a company that provides CATV equipment and broadband products. Multiple Advanced Media Technologie products have a denial of service issue that allows unverified attackers to submit /advanced.zhtml requests directly, reboot the device, or reset the device to factory settings.
| VAR-201304-0062 | CVE-2013-0793 | Cross-site scripting vulnerability in multiple Mozilla products |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 do not ensure the correctness of the address bar during history navigation, which allows remote attackers to conduct cross-site scripting (XSS) attacks or phishing attacks by leveraging control over navigation timing. Mozilla Firefox, SeaMonkey, and Thunderbird are prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Note: This issue was previously discussed in BID 58818 (Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-30 through -40 Multiple Vulnerabilities), but has been moved to its own record to better document it.
The issue is fixed in:
Firefox 20.0
Firefox ESR 17.0.5
Thunderbird 17.0.5
Thunderbird ESR 17.0.5
SeaMonkey 2.17
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2699-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 02, 2013 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : iceweasel
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-0773 CVE-2013-0775 CVE-2013-0776 CVE-2013-0780
CVE-2013-0782 CVE-2013-0783 CVE-2013-0787 CVE-2013-0788
CVE-2013-0793 CVE-2013-0795 CVE-2013-0796 CVE-2013-0800
CVE-2013-0801 CVE-2013-1670 CVE-2013-1674 CVE-2013-1675
CVE-2013-1676 CVE-2013-1677 CVE-2013-1678 CVE-2013-1679
CVE-2013-1680 CVE-2013-1681
Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
missing input sanitising vulnerabilities, use-after-free vulnerabilities,
buffer overflows and other programming errors may lead to the execution
of arbitrary code, privilege escalation, information leaks or
cross-site-scripting.
We're changing the approach for security updates for Iceweasel, Icedove
and Iceape in stable-security: Instead of backporting security fixes,
we now provide releases based on the Extended Support Release branch. As
such, this update introduces packages based on Firefox 17 and at some
point in the future we will switch to the next ESR branch once ESR 17
has reached its end of life.
Some Xul extensions currently packaged in the Debian archive are not
compatible with the new browser engine. Up-to-date and compatible
versions can be retrieved from http://addons.mozilla.org as a short
term solution. A solution to keep packaged extensions compatible with
the Mozilla releases is still being sorted out.
We don't have the resources to backport security fixes to the Iceweasel
release in oldstable-security any longer. If you're up to the task and
want to help, please get in touch with team@security.debian.org.
Otherwise, we'll announce the end of security support for Iceweasel,
Icedove and Iceape in Squeeze in the next update round.
For the stable distribution (wheezy), these problems have been fixed in
version 17.0.6esr-1~deb7u1.
For the unstable distribution (sid), these problems have been fixed in
version 17.0.6esr-1.
We recommend that you upgrade your iceweasel packages.
============================================================================
Ubuntu Security Notice USN-1786-2
April 04, 2013
unity-firefox-extension update
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
Summary:
This update provides a compatible version of Unity Firefox Extension for
Firefox 20.
Software Description:
- unity-firefox-extension: Unity Integration for Firefox
Details:
USN-1786-1 fixed vulnerabilities in Firefox. (CVE-2013-0788, CVE-2013-0789)
Ambroz Bizjak discovered an out-of-bounds array read in the
CERT_DecodeCertPackage function of the Network Security Services (NSS)
library when decoding certain certificates. An attacker could potentially
exploit this to cause a denial of service via application crash.
(CVE-2013-0791)
Tobias Schula discovered an information leak in Firefox when the
gfx.color_management.enablev4 preference is enabled. If the user were
tricked into opening a specially crafted image, an attacker could
potentially exploit this to steal confidential data. By default, the
gfx.color_management.enablev4 preference is not enabled in Ubuntu.
(CVE-2013-0792)
Mariusz Mlynski discovered that timed history navigations could be used to
load arbitrary websites with the wrong URL displayed in the addressbar. (CVE-2013-0793)
It was discovered that the origin indication on tab-modal dialog boxes
could be removed, which could allow an attacker's dialog to be displayed
over another site's content. An attacker could exploit this to conduct
phishing attacks. (CVE-2013-0794)
Cody Crews discovered that the cloneNode method could be used to
bypass System Only Wrappers (SOW) to clone a protected node and bypass
same-origin policy checks. (CVE-2013-0795)
A crash in WebGL rendering was discovered in Firefox. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'.
Affected packages
=================
-------------------------------------------------------------------
     Package                      /  Vulnerable  /      Unaffected
-------------------------------------------------------------------
  1  mail-client/thunderbird          < 17.0.9        >= 17.0.9
  2  www-client/firefox               < 17.0.9        >= 17.0.9
  3  www-client/seamonkey             < 2.21          >= 2.21
  4  mail-client/thunderbird-bin      < 17.0.9        >= 17.0.9
  5  www-client/firefox-bin           < 17.0.9        >= 17.0.9
  6  www-client/seamonkey-bin         < 2.21          >= 2.21
-------------------------------------------------------------------
6 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Mozilla Firefox,
Thunderbird, and SeaMonkey. Please review the CVE identifiers
referenced below for details. Further, a remote attacker could conduct
XSS attacks, spoof URLs, bypass address space layout randomization,
conduct clickjacking attacks, obtain potentially sensitive information,
bypass access restrictions, modify the local filesystem, or conduct
other unspecified attacks.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-17.0.9"
All users of the Mozilla Firefox binary package should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-17.0.9"
All Mozilla Thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/thunderbird-17.0.9"
All users of the Mozilla Thunderbird binary package should upgrade to
the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-17.0.9"
All SeaMonkey users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.21"
All users of the Mozilla SeaMonkey binary package should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-2.21"
References
==========
[ 1 ] CVE-2013-0744
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0744
[ 2 ] CVE-2013-0745
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0745
[ 3 ] CVE-2013-0746
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0746
[ 4 ] CVE-2013-0747
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0747
[ 5 ] CVE-2013-0748
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0748
[ 6 ] CVE-2013-0749
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0749
[ 7 ] CVE-2013-0750
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0750
[ 8 ] CVE-2013-0751
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0751
[ 9 ] CVE-2013-0752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0752
[ 10 ] CVE-2013-0753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0753
[ 11 ] CVE-2013-0754
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0754
[ 12 ] CVE-2013-0755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0755
[ 13 ] CVE-2013-0756
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0756
[ 14 ] CVE-2013-0757
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0757
[ 15 ] CVE-2013-0758
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0758
[ 16 ] CVE-2013-0759
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0759
[ 17 ] CVE-2013-0760
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0760
[ 18 ] CVE-2013-0761
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0761
[ 19 ] CVE-2013-0762
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0762
[ 20 ] CVE-2013-0763
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0763
[ 21 ] CVE-2013-0764
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0764
[ 22 ] CVE-2013-0765
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0765
[ 23 ] CVE-2013-0766
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0766
[ 24 ] CVE-2013-0767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0767
[ 25 ] CVE-2013-0768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0768
[ 26 ] CVE-2013-0769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0769
[ 27 ] CVE-2013-0770
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0770
[ 28 ] CVE-2013-0771
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0771
[ 29 ] CVE-2013-0772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0772
[ 30 ] CVE-2013-0773
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0773
[ 31 ] CVE-2013-0774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0774
[ 32 ] CVE-2013-0775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0775
[ 33 ] CVE-2013-0776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0776
[ 34 ] CVE-2013-0777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0777
[ 35 ] CVE-2013-0778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0778
[ 36 ] CVE-2013-0779
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0779
[ 37 ] CVE-2013-0780
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0780
[ 38 ] CVE-2013-0781
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0781
[ 39 ] CVE-2013-0782
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0782
[ 40 ] CVE-2013-0783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0783
[ 41 ] CVE-2013-0784
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0784
[ 42 ] CVE-2013-0787
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0787
[ 43 ] CVE-2013-0788
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0788
[ 44 ] CVE-2013-0789
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0789
[ 45 ] CVE-2013-0791
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0791
[ 46 ] CVE-2013-0792
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0792
[ 47 ] CVE-2013-0793
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0793
[ 48 ] CVE-2013-0794
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0794
[ 49 ] CVE-2013-0795
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0795
[ 50 ] CVE-2013-0796
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0796
[ 51 ] CVE-2013-0797
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0797
[ 52 ] CVE-2013-0799
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0799
[ 53 ] CVE-2013-0800
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0800
[ 54 ] CVE-2013-0801
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0801
[ 55 ] CVE-2013-1670
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1670
[ 56 ] CVE-2013-1671
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1671
[ 57 ] CVE-2013-1674
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1674
[ 58 ] CVE-2013-1675
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1675
[ 59 ] CVE-2013-1676
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1676
[ 60 ] CVE-2013-1677
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1677
[ 61 ] CVE-2013-1678
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1678
[ 62 ] CVE-2013-1679
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1679
[ 63 ] CVE-2013-1680
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1680
[ 64 ] CVE-2013-1681
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1681
[ 65 ] CVE-2013-1682
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1682
[ 66 ] CVE-2013-1684
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1684
[ 67 ] CVE-2013-1687
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1687
[ 68 ] CVE-2013-1690
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1690
[ 69 ] CVE-2013-1692
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1692
[ 70 ] CVE-2013-1693
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1693
[ 71 ] CVE-2013-1694
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1694
[ 72 ] CVE-2013-1697
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1697
[ 73 ] CVE-2013-1701
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1701
[ 74 ] CVE-2013-1702
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1702
[ 75 ] CVE-2013-1704
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1704
[ 76 ] CVE-2013-1705
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1705
[ 77 ] CVE-2013-1707
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1707
[ 78 ] CVE-2013-1708
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1708
[ 79 ] CVE-2013-1709
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1709
[ 80 ] CVE-2013-1710
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1710
[ 81 ] CVE-2013-1711
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1711
[ 82 ] CVE-2013-1712
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1712
[ 83 ] CVE-2013-1713
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1713
[ 84 ] CVE-2013-1714
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1714
[ 85 ] CVE-2013-1717
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1717
[ 86 ] CVE-2013-1718
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1718
[ 87 ] CVE-2013-1719
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1719
[ 88 ] CVE-2013-1720
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1720
[ 89 ] CVE-2013-1722
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1722
[ 90 ] CVE-2013-1723
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1723
[ 91 ] CVE-2013-1724
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1724
[ 92 ] CVE-2013-1725
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1725
[ 93 ] CVE-2013-1726
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1726
[ 94 ] CVE-2013-1728
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1728
[ 95 ] CVE-2013-1730
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1730
[ 96 ] CVE-2013-1732
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1732
[ 97 ] CVE-2013-1735
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1735
[ 98 ] CVE-2013-1736
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1736
[ 99 ] CVE-2013-1737
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1737
[ 100 ] CVE-2013-1738
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1738
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201309-23.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: firefox security update
Advisory ID: RHSA-2013:0696-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0696.html
Issue date: 2013-04-02
CVE Names: CVE-2013-0788 CVE-2013-0793 CVE-2013-0795
CVE-2013-0796 CVE-2013-0800
=====================================================================
1. Summary:
Updated firefox packages that fix several security issues are now available
for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
Mozilla Firefox is an open source web browser. XULRunner provides the XUL
Runtime environment for Mozilla Firefox.
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2013-0788)
A flaw was found in the way Same Origin Wrappers were implemented in
Firefox. (CVE-2013-0795)
A flaw was found in the embedded WebGL library in Firefox. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
Note: This issue only affected systems using the Intel Mesa graphics
drivers. (CVE-2013-0796)
An out-of-bounds write flaw was found in the embedded Cairo library in
Firefox. A web page containing malicious content could cause Firefox to
crash or, potentially, execute arbitrary code with the privileges of the
user running Firefox. (CVE-2013-0800)
A flaw was found in the way Firefox handled the JavaScript history
functions. A malicious site could cause a web page to be displayed that has
a baseURI pointing to a different site, allowing cross-site scripting (XSS)
and phishing attacks. (CVE-2013-0793)
Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Olli Pettay, Jesse Ruderman, Boris Zbarsky, Christian
Holler, Milan Sreckovic, Joe Drew, Cody Crews, miaubiz, Abhishek Arya, and
Mariusz Mlynski as the original reporters of these issues.
For technical details regarding these flaws, refer to the Mozilla security
advisories for Firefox 17.0.5 ESR. You can find a link to the Mozilla
advisories in the References section of this erratum.
All Firefox users should upgrade to these updated packages, which contain
Firefox version 17.0.5 ESR, which corrects these issues. After installing
the update, Firefox must be restarted for the changes to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
946927 - CVE-2013-0788 Mozilla: Miscellaneous memory safety hazards (rv:17.0.5) (MFSA 2013-30)
946929 - CVE-2013-0800 Mozilla: Out-of-bounds write in Cairo library (MFSA 2013-31)
946931 - CVE-2013-0796 Mozilla: WebGL crash with Mesa graphics driver on Linux (MFSA 2013-35)
946932 - CVE-2013-0795 Mozilla: Bypass of SOW protections allows cloning of protected nodes (MFSA 2013-36)
946935 - CVE-2013-0793 Mozilla: Cross-site scripting (XSS) using timed history navigations (MFSA 2013-38)
6. Package List:
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-17.0.5-1.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-17.0.5-1.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.5-1.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.5-1.el5_9.src.rpm
i386:
firefox-17.0.5-1.el5_9.i386.rpm
firefox-17.0.5-1.el5_9.i386.rpm
firefox-debuginfo-17.0.5-1.el5_9.i386.rpm
firefox-debuginfo-17.0.5-1.el5_9.i386.rpm
xulrunner-17.0.5-1.el5_9.i386.rpm
xulrunner-17.0.5-1.el5_9.i386.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm
x86_64:
firefox-17.0.5-1.el5_9.i386.rpm
firefox-17.0.5-1.el5_9.i386.rpm
firefox-17.0.5-1.el5_9.x86_64.rpm
firefox-17.0.5-1.el5_9.x86_64.rpm
firefox-debuginfo-17.0.5-1.el5_9.i386.rpm
firefox-debuginfo-17.0.5-1.el5_9.i386.rpm
firefox-debuginfo-17.0.5-1.el5_9.x86_64.rpm
firefox-debuginfo-17.0.5-1.el5_9.x86_64.rpm
xulrunner-17.0.5-1.el5_9.i386.rpm
xulrunner-17.0.5-1.el5_9.i386.rpm
xulrunner-17.0.5-1.el5_9.x86_64.rpm
xulrunner-17.0.5-1.el5_9.x86_64.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.5-1.el5_9.src.rpm
i386:
xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm
xulrunner-devel-17.0.5-1.el5_9.i386.rpm
x86_64:
xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm
xulrunner-devel-17.0.5-1.el5_9.i386.rpm
xulrunner-devel-17.0.5-1.el5_9.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-17.0.5-1.el5_9.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-17.0.5-1.el5_9.src.rpm
i386:
firefox-17.0.5-1.el5_9.i386.rpm
firefox-debuginfo-17.0.5-1.el5_9.i386.rpm
xulrunner-17.0.5-1.el5_9.i386.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm
xulrunner-devel-17.0.5-1.el5_9.i386.rpm
ia64:
firefox-17.0.5-1.el5_9.ia64.rpm
firefox-debuginfo-17.0.5-1.el5_9.ia64.rpm
xulrunner-17.0.5-1.el5_9.ia64.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.ia64.rpm
xulrunner-devel-17.0.5-1.el5_9.ia64.rpm
ppc:
firefox-17.0.5-1.el5_9.ppc.rpm
firefox-debuginfo-17.0.5-1.el5_9.ppc.rpm
xulrunner-17.0.5-1.el5_9.ppc.rpm
xulrunner-17.0.5-1.el5_9.ppc64.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.ppc.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.ppc64.rpm
xulrunner-devel-17.0.5-1.el5_9.ppc.rpm
xulrunner-devel-17.0.5-1.el5_9.ppc64.rpm
s390x:
firefox-17.0.5-1.el5_9.s390.rpm
firefox-17.0.5-1.el5_9.s390x.rpm
firefox-debuginfo-17.0.5-1.el5_9.s390.rpm
firefox-debuginfo-17.0.5-1.el5_9.s390x.rpm
xulrunner-17.0.5-1.el5_9.s390.rpm
xulrunner-17.0.5-1.el5_9.s390x.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.s390.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.s390x.rpm
xulrunner-devel-17.0.5-1.el5_9.s390.rpm
xulrunner-devel-17.0.5-1.el5_9.s390x.rpm
x86_64:
firefox-17.0.5-1.el5_9.i386.rpm
firefox-17.0.5-1.el5_9.x86_64.rpm
firefox-debuginfo-17.0.5-1.el5_9.i386.rpm
firefox-debuginfo-17.0.5-1.el5_9.x86_64.rpm
xulrunner-17.0.5-1.el5_9.i386.rpm
xulrunner-17.0.5-1.el5_9.x86_64.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm
xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm
xulrunner-devel-17.0.5-1.el5_9.i386.rpm
xulrunner-devel-17.0.5-1.el5_9.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm
i386:
firefox-17.0.5-1.el6_4.i686.rpm
firefox-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
x86_64:
firefox-17.0.5-1.el6_4.i686.rpm
firefox-17.0.5-1.el6_4.x86_64.rpm
firefox-debuginfo-17.0.5-1.el6_4.i686.rpm
firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm
xulrunner-17.0.5-1.el6_4.i686.rpm
xulrunner-17.0.5-1.el6_4.x86_64.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm
i386:
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-devel-17.0.5-1.el6_4.i686.rpm
x86_64:
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm
xulrunner-devel-17.0.5-1.el6_4.i686.rpm
xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm
x86_64:
firefox-17.0.5-1.el6_4.i686.rpm
firefox-17.0.5-1.el6_4.x86_64.rpm
firefox-debuginfo-17.0.5-1.el6_4.i686.rpm
firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm
xulrunner-17.0.5-1.el6_4.i686.rpm
xulrunner-17.0.5-1.el6_4.x86_64.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm
xulrunner-devel-17.0.5-1.el6_4.i686.rpm
xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm
i386:
firefox-17.0.5-1.el6_4.i686.rpm
firefox-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
ppc64:
firefox-17.0.5-1.el6_4.ppc.rpm
firefox-17.0.5-1.el6_4.ppc64.rpm
firefox-debuginfo-17.0.5-1.el6_4.ppc.rpm
firefox-debuginfo-17.0.5-1.el6_4.ppc64.rpm
xulrunner-17.0.5-1.el6_4.ppc.rpm
xulrunner-17.0.5-1.el6_4.ppc64.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.ppc.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.ppc64.rpm
s390x:
firefox-17.0.5-1.el6_4.s390.rpm
firefox-17.0.5-1.el6_4.s390x.rpm
firefox-debuginfo-17.0.5-1.el6_4.s390.rpm
firefox-debuginfo-17.0.5-1.el6_4.s390x.rpm
xulrunner-17.0.5-1.el6_4.s390.rpm
xulrunner-17.0.5-1.el6_4.s390x.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.s390.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.s390x.rpm
x86_64:
firefox-17.0.5-1.el6_4.i686.rpm
firefox-17.0.5-1.el6_4.x86_64.rpm
firefox-debuginfo-17.0.5-1.el6_4.i686.rpm
firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm
xulrunner-17.0.5-1.el6_4.i686.rpm
xulrunner-17.0.5-1.el6_4.x86_64.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm
i386:
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-devel-17.0.5-1.el6_4.i686.rpm
ppc64:
xulrunner-debuginfo-17.0.5-1.el6_4.ppc.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.ppc64.rpm
xulrunner-devel-17.0.5-1.el6_4.ppc.rpm
xulrunner-devel-17.0.5-1.el6_4.ppc64.rpm
s390x:
xulrunner-debuginfo-17.0.5-1.el6_4.s390.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.s390x.rpm
xulrunner-devel-17.0.5-1.el6_4.s390.rpm
xulrunner-devel-17.0.5-1.el6_4.s390x.rpm
x86_64:
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm
xulrunner-devel-17.0.5-1.el6_4.i686.rpm
xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm
i386:
firefox-17.0.5-1.el6_4.i686.rpm
firefox-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
x86_64:
firefox-17.0.5-1.el6_4.i686.rpm
firefox-17.0.5-1.el6_4.x86_64.rpm
firefox-debuginfo-17.0.5-1.el6_4.i686.rpm
firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm
xulrunner-17.0.5-1.el6_4.i686.rpm
xulrunner-17.0.5-1.el6_4.x86_64.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm
i386:
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-devel-17.0.5-1.el6_4.i686.rpm
x86_64:
xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm
xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm
xulrunner-devel-17.0.5-1.el6_4.i686.rpm
xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2013-0788.html
https://www.redhat.com/security/data/cve/CVE-2013-0793.html
https://www.redhat.com/security/data/cve/CVE-2013-0795.html
https://www.redhat.com/security/data/cve/CVE-2013-0796.html
https://www.redhat.com/security/data/cve/CVE-2013-0800.html
https://access.redhat.com/security/updates/classification/#critical
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2013 Red Hat, Inc.
.
Note: All issues except CVE-2013-0800 cannot be exploited by a
specially-crafted HTML mail message as JavaScript is disabled by default
for mail messages. They could be exploited another way in Thunderbird, for
example, when viewing the full remote content of an RSS feed
| VAR-201304-0443 | No CVE | Clorius Controls ICS SCADA Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Clorius Controls ICS SCADA fails to properly restrict access to the /html/info.html URL, allowing remote attackers to exploit the vulnerability to directly submit requests for internal IP addresses, MAC addresses, and firmware version information. Clorius Controls ICS SCADA is an industrial control system software.
An information disclosure vulnerability exists in Clorius Controls ICS SCADA. Attackers use this vulnerability to gain potentially sensitive information
| VAR-201304-0268 | CVE-2013-1163 | Cisco Connected Grid Network Management System In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple SQL injection vulnerabilities in the device-management implementation in Cisco Connected Grid Network Management System (CG-NMS) allow remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug IDs CSCue14553 and CSCue38746. The vendor has confirmed this vulnerability and released it as Bug IDs CSCue14553 and CSCue38746. A third party may be able to execute SQL commands.
An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database
| VAR-201304-0276 | CVE-2013-1171 | Cisco Connected Grid Network Management System Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the element-list implementation in Cisco Connected Grid Network Management System (CG-NMS) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug IDs CSCue14517, CSCue38914, CSCue38884, CSCue38882, CSCue38881, CSCue38872, CSCue38868, CSCue38866, CSCue38853, and CSCue14540. The vendor has addressed this vulnerability and released it as Bug IDs CSCue14517, CSCue38914, CSCue38884, CSCue38882, CSCue38881, CSCue38872, CSCue38868, CSCue38866, CSCue38853, and CSCue14540. A third party may be able to insert arbitrary web script or HTML.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
These issues are being tracked by Cisco Bug IDs CSCue14517, CSCue38914, CSCue38884, CSCue38882, CSCue38881, CSCue38872, CSCue38868, CSCue38866, CSCue38853, and CSCue14540
| VAR-201401-0184 | CVE-2013-5211 | NTP can be abused to amplify denial-of-service attack traffic |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. UDP protocols such as NTP can be abused to amplify denial-of-service attack traffic. Servers running the network time protocol (NTP) based on implementations of ntpd prior to version 4.2.7p26 that use the default unrestricted query configuration are susceptible to a reflected denial-of-service (DRDoS) attack. Other proprietary NTP implementations may also be affected. Multiple broadband routers contain an issue where they may behave as open resolvers. A device that runs as a DNS cache server, which responds to any recursive DNS queries that are received is referred to as an open resolver. Multiple broadband routers may contain an issue where they may behave as open resolvers. This issue was confirmed by JPCERT/CC and IPA that it affected multiple developers and was coordinated by JPCERT/CC. In addition, Yasuhiro Orange Morishita of Japan Registry Services Co., Ltd. (JPRS) reported this vulnerability to JPCERT/CC under the Information Security Early Warning Partnership. The device may be used in a DNS amplification attack and unknowingly become a part of a DDoS attack. NTP is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause the affected application to crash, denying service to legitimate users. The net-misc/ntp package contains the official reference
implementation by the NTP Project.
Affected packages
=================
-------------------------------------------------------------------
     Package        /     Vulnerable     /     Unaffected
-------------------------------------------------------------------
  1  net-misc/ntp       < 4.2.6_p5-r10        >= 4.2.6_p5-r10
Description
===========
ntpd is susceptible to a reflected Denial of Service attack. Please
review the CVE identifiers and references below for details.
Workaround
==========
We modified the default ntp configuration in =net-misc/ntp-4.2.6_p5-r10
and added "noquery" to the default restriction which disallows anyone
to query the ntpd status, including "monlist".
If you use a non-default configuration, and provide a ntp service to
untrusted networks, we highly recommend you to revise your
configuration to disable mode 6 and 7 queries for any untrusted
(public) network.
You can always enable these queries for specific trusted networks. For
more details please see the "Access Control Support" chapter in the
ntp.conf(5) man page.
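The workaround above comes down to checking which `restrict` lines still let clients send mode 6 and 7 queries. The following audit is an added example, not part of the Gentoo advisory or the NTP project's code; the function names, finding labels and both sample configurations are constructed for illustration, and it assumes an unqualified `restrict default` covers both address families.

```python
import ipaddress

# Flags that stop ntpq/ntpdc (mode 6 and 7) queries, "monlist" included.
QUERY_BLOCKING_FLAGS = {"noquery", "ignore"}
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def parse_restrict_lines(conf_text):
    """Return one dict per 'restrict' line: family, address, mask, flags."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):
            family, tokens = tokens[0][1], tokens[1:]
        if not tokens:
            continue
        address, tokens = tokens[0], tokens[1:]
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask, tokens = tokens[1], tokens[2:]
        entries.append({"family": family, "address": address,
                        "mask": mask, "flags": set(tokens)})
    return entries


def to_network(entry):
    """Address plus optional mask as an ip_network, or None for hostnames."""
    spec = entry["address"] + ("/" + entry["mask"] if entry["mask"] else "")
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None


def audit_query_exposure(conf_text, trusted=()):
    """List (finding, subject) pairs for restrictions that still allow queries."""
    trusted_nets = LOOPBACK + [ipaddress.ip_network(t) for t in trusted]
    findings = []
    default_seen = {"4": False, "6": False}
    for entry in parse_restrict_lines(conf_text):
        blocks = bool(entry["flags"] & QUERY_BLOCKING_FLAGS)
        if entry["address"] == "default":
            # Assumption: an unqualified "restrict default" covers both families.
            for fam in ([entry["family"]] if entry["family"] else ["4", "6"]):
                default_seen[fam] = True
                if not blocks:
                    findings.append(("default-allows-queries", "IPv" + fam))
            continue
        if blocks:
            continue
        net = to_network(entry)
        if net is None:
            findings.append(("unresolved-address", entry["address"]))
        elif not any(net.version == t.version and net.subnet_of(t)
                     for t in trusted_nets):
            findings.append(("untrusted-network-allows-queries", str(net)))
    for fam, seen in default_seen.items():
        if not seen:
            findings.append(("no-default-restriction", "IPv" + fam))
    return findings


# Constructed sample: default restriction without "noquery".
WEAK_CONF = """
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict 203.0.113.0 mask 255.255.255.0 nomodify notrap
"""

# Constructed sample: "noquery" on the defaults, queries only from trusted nets.
HARDENED_CONF = """
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify   # management LAN
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_query_exposure(conf, trusted=["192.168.1.0/24"]))
```

Networks passed in `trusted` are the ones the operator has decided may query ntpd status; everything else that lacks `noquery` or `ignore` is reported.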
Resolution
==========
All NTP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.6_p5-r10"
Note that the updated package contains a modified default configuration
only.
References
==========
[ 1 ] CVE-2013-5211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5211
[ 2 ] VU#348126
http://www.kb.cert.org/vuls/id/348126
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201401-08.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
National Cyber Awareness System
TA13-088A: DNS Amplification Attacks
Original release date: March 29, 2013
Systems Affected
* Domain Name System (DNS) servers
Overview
A Domain Name Server (DNS) Amplification attack is a popular form of
Distributed Denial of Service (DDoS) that relies on the use of
publicly accessible open recursive DNS servers to overwhelm a victim
system with DNS response traffic.
Description
A Domain Name Server (DNS) Amplification attack is a popular form of
Distributed Denial of Service (DDoS) that relies on the use of
publicly accessible open recursive DNS servers to overwhelm a victim
system with DNS response traffic. The basic attack technique consists of
an attacker sending a DNS name lookup request to an open recursive DNS
server with the source address spoofed to be the victim's address. When
the DNS server sends the DNS record response, it is sent instead to the
victim. Because the size of the response is typically considerably
larger than the request, the attacker is able to amplify the volume of
traffic directed at the victim. By leveraging a botnet to perform
additional spoofed DNS queries, an attacker can produce an overwhelming
amount of traffic with little effort. Additionally, because the
responses are legitimate data coming from valid servers, it is
especially difficult to block these types of attacks.
While the attacks are difficult to prevent, network operators can
implement several possible mitigation strategies. The primary element in
the attack that is the focus of an effective long-term solution is the
detection and elimination of open recursive DNS resolvers. These systems
are typically legitimate DNS servers that have been improperly
configured to respond to recursive queries on behalf of any system,
rather than restricting recursive responses only to requests from local
or authorized clients. By identifying these systems, an organization or
network operator can reduce the number of potential resources that the
attacker can employ in an attack.
Impact
A misconfigured Domain Name System (DNS) server can be exploited to
participate in a Distributed Denial of Service (DDoS) attack.
Solution
DETECTION
Several organizations offer free, web-based scanning tools that will
search a network for vulnerable open DNS resolvers. These tools will
scan entire network ranges and list the address of any identified open
resolvers. The query
interface allows network administrators to enter IP ranges in CIDR
format [1].
The Measurement Factory
http://dns.measurement-factory.com
Like the Open DNS Resolver Project, the Measurement Factory maintains a
list of Internet accessible DNS servers and allows administrators to
search for open recursive resolvers [2]. In addition, the Measurement
Factory offers a free tool to directly test an individual DNS resolver
to determine if it allows open recursion. This will allow an
administrator to determine if configuration changes are necessary and
verify that configuration changes have been effective [3]. Finally, the
site offers statistics showing the number of open resolvers detected on
the various Autonomous System (AS) networks, sorted by the highest
number found [4].
DNSInspect
http://www.dnsinspect.com
Another freely available, web-based tool for testing DNS resolvers is
DNSInspect. This site is similar to The Measurement Factory's ability to
test a specific resolver for vulnerability, but offers the ability to
test an entire DNS Zone for several other potential configuration and
security issues [5].
Indicators
In a typical recursive DNS query, a client sends a query request to a
local DNS server requesting the resolution of a name or the reverse
resolution of an IP address. The DNS server performs the necessary
queries on behalf of the client and returns a response packet with the
requested information or an error [6, page 21]. The specification does
not allow for unsolicited responses. In a DNS amplification attack, the
key indicator is a query response without a matching request.
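The indicator described above can be checked by pairing each DNS response with an earlier query on the same address, port, transaction ID and question. This sketch is an added example, not part of the US-CERT alert; the `Datagram` record, the function names, the five-second timeout and the sample traffic are all constructed for illustration, and it assumes the sensor sees both directions of the monitored hosts' DNS traffic.

```python
import struct
from collections import namedtuple

# One captured UDP datagram: timestamp, addresses, ports and raw DNS payload.
Datagram = namedtuple("Datagram", "ts src sport dst dport payload")


def parse_dns(payload):
    """Return (txid, is_response, qname, qtype) from a raw DNS message."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question type/class")
    (qtype,) = struct.unpack("!H", payload[pos:pos + 2])
    return txid, bool(flags & 0x8000), ".".join(labels), qtype  # 0x8000 = QR bit


def find_unsolicited_responses(datagrams, timeout=5.0):
    """Return responses with no matching query seen within `timeout` seconds."""
    pending = {}       # query key -> time the query was seen
    unsolicited = []
    for d in sorted(datagrams, key=lambda d: d.ts):
        try:
            txid, is_response, qname, qtype = parse_dns(d.payload)
        except ValueError:
            continue   # not a parseable single-question DNS message
        if not is_response:
            pending[(d.src, d.sport, d.dst, d.dport, txid, qname, qtype)] = d.ts
            continue
        # A legitimate response mirrors the query's addresses and ports.
        sent = pending.pop((d.dst, d.dport, d.src, d.sport, txid, qname, qtype), None)
        if sent is None or d.ts - sent > timeout:
            unsolicited.append(d)
    return unsolicited


def build_message(txid, qname, qtype, response):
    """Build a minimal one-question DNS message (sample data only)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def constructed_capture():
    """Constructed traffic: one normal lookup, then two responses nobody asked for."""
    return [
        Datagram(0.00, "192.0.2.10", 40000, "198.51.100.53", 53,
                 build_message(0x1a2b, "example.com", 1, False)),
        Datagram(0.02, "198.51.100.53", 53, "192.0.2.10", 40000,
                 build_message(0x1a2b, "example.com", 1, True)),
        Datagram(1.00, "203.0.113.5", 53, "192.0.2.20", 33333,
                 build_message(0x0001, "example.org", 255, True)),
        Datagram(1.01, "203.0.113.6", 53, "192.0.2.20", 33333,
                 build_message(0x0002, "example.org", 255, True)),
    ]


if __name__ == "__main__":
    for d in find_unsolicited_responses(constructed_capture()):
        print("unsolicited response", d.src, "->", d.dst)
```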
MITIGATION
Unfortunately, due to the overwhelming traffic volume that can be
produced by one of these attacks, there is often little that the victim
can do to counter a large-scale DNS amplification-based distributed
denial-of-service attack. While the only effective means of eliminating
this type of attack is to eliminate open recursive resolvers, this
requires a large-scale effort by numerous parties. According to the Open
DNS Resolver Project, of the 27 million known DNS resolvers on the
Internet, approximately 25 million pose a significant threat of being
used in an attack [1]. However, several possible techniques are
available to reduce the overall effectiveness of such attacks to the
Internet community as a whole. Where possible, configuration links have
been provided to assist administrators with making the recommended
changes. The configuration information has been limited to BIND9 and
Microsoft's DNS Server, which are two widely deployed DNS servers. If you
are running a different DNS server, please see your vendor's
documentation for configuration details.
Source IP Verification
Because the DNS queries being sent by the attacker-controlled clients
must have a source address spoofed to appear as the victim's system, the
first step to reducing the effectiveness of DNS amplification is for
Internet Service Providers to deny any DNS traffic with spoofed
addresses. The Network Working Group of the Internet Engineering Task
Force released a Best Current Practice document in May 2000 that
describes how an Internet Service Provider can filter network traffic on
their network to drop packets with source addresses not reachable via
the actual packet's path [7]. This configuration change would
considerably reduce the potential for most current types of DDoS
attacks.
Disabling Recursion on Authoritative Name Servers
Many of the DNS servers currently deployed on the Internet are
exclusively intended to provide name resolution for a single domain.
These systems do not need to support resolution of other domains on
behalf of a client, and therefore should be configured with recursion
disabled.
BIND9
Add the following to the global options [8]:
options {
    allow-query-cache { none; };
    recursion no;
};
Microsoft DNS Server
In the Microsoft DNS console tool [9]:
* Right-click the DNS server and click Properties.
* Click the Advanced tab.
* In Server options, select the Disable recursion check box, and then
click OK.
Limiting Recursion to Authorized Clients
For DNS servers that are deployed within an organization or ISP to
support name queries on behalf of a client, the resolver should be
configured to only allow queries on behalf of authorized clients. These
requests should typically only come from clients within the
organization's network address range.
BIND9
In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
    allow-query { corpnets; };
    allow-recursion { corpnets; };
};
Microsoft DNS Server
It is not currently possible to restrict recursive DNS requests to a
specific client address range in Microsoft DNS Server. The most
effective means of approximating this functionality is to configure the
internal DNS server to forward queries to an external DNS server and
restrict DNS traffic in the firewall to restrict port 53 UDP traffic to
the internal server and the external forwarder [11].
Rate Limiting Response of Recursive Name Servers
There is currently an experimental feature available as a set of patches
for BIND9 that allows an administrator to restrict the number of
responses per second being sent from the name server [12]. This is
intended to reduce the effectiveness of DNS amplification attacks by
reducing the volume of traffic coming from any single resolver.
BIND9
On BIND9 implementations running the RRL patches, add the following lines
to the options block of the authoritative views [13]:
rate-limit {
    responses-per-second 5;
    window 5;
};
Microsoft DNS Server
This option is currently not available for Microsoft DNS Server.
References
* [1] Open DNS Resolver Project
* [2] The Measurement Factory, "List Open Resolvers on Your Network"
* [3] The Measurement Factory, "Open Resolver Test"
* [4] The Measurement Factory, "Open Resolvers for Each Autonomous
System"
* [5] "DNSInspect," DNSInspect.com
* [6] RFC 1034: DOMAIN NAMES - CONCEPTS AND FACILITIES
* [7] BCP 38: Network Ingress Filtering: Defeating Denial of Service
Attacks which employ IP Source Address Spoofing
* [8] Chapter 3. Name Server Configuration
* [9] Disable recursion on the DNS server
* [10] Chapter 7. BIND 9 Security Considerations
* [11] Configure a DNS Server to Use Forwarders
* [12] DNS Response Rate Limiting (DNS RRL)
* [13] Response Rate Limiting in the Domain Name System (DNS RRL)
Revision History
* March 29, 2013: Initial release
Relevant URL(s):
<http://openresolverproject.org/>
<http://dns.measurement-factory.com/cgi-bin/openresolverquery.pl>
<http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl>
<http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html>
<http://www.dnsinspect.com/>
<http://tools.ietf.org/html/rfc1034>
<http://tools.ietf.org/html/bcp38>
<http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch03.html#id2567992>
<http://technet.microsoft.com/en-us/library/cc787602.aspx>
<http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch07.html#Access_Control_Lists>
<http://technet.microsoft.com/en-us/library/cc754941.aspx>
<http://ss.vix.su/~vixie/isc-tn-2012-1.txt>
<http://www.redbarn.org/dns/ratelimits>
____________________________________________________________________
Produced by US-CERT, a government organization.
____________________________________________________________________
This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification/
Privacy & Use policy:
http://www.us-cert.gov/privacy/
This document can also be found at
http://www.us-cert.gov/ncas/alerts/TA13-088A
For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/mailing-lists-and-feeds/
.
Release Date: 2015-09-09
Last Updated: 2015-09-09
Potential Security Impact: Remote denial of service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with the TCP/IP
Services for OpenVMS running NTP.
References:
CVE-2014-9293
CVE-2014-9294
CVE-2014-9295
CVE-2014-9296
CVE-2013-5211
SSRT102239
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
TCP/IP Services for OpenVMS V5.7 ECO5 running NTP
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2014-9293 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9294 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9295 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2014-9296 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2013-5211 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following patch kits available to resolve the vulnerabilities
with TCP/IP Services for OpenVMS running NTP.
Platform           Patch Kit Name
Alpha IA64 V8.4    75-117-380_2015-08-24.BCK
NOTE: Please contact OpenVMS Technical Support to request these patch kits.
HISTORY
Version:1 (rev.1) - 9 September 2015 Initial release
Corrected: 2014-01-14 19:04:33 UTC (stable/10, 10.0-PRERELEASE)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RELEASE)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC5-p1)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC4-p1)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC3-p1)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC2-p1)
2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC1-p1)
2014-01-14 19:20:41 UTC (stable/9, 9.2-STABLE)
2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
2014-01-14 19:20:41 UTC (stable/8, 8.4-STABLE)
2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
CVE Name: CVE-2013-5211
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
II. Problem Description
The ntpd(8) daemon supports a query 'monlist' which provides a history of
recent NTP clients without any authentication.
III. Impact
An attacker can send 'monlist' queries and use that as an amplification of
a reflection attack.
IV. This can be done by adding the following
lines to /etc/ntp.conf:
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
And restart the ntpd(8) daemon. Time service is not affected and the
administrator can still perform queries from local host.
2) Use IP based restrictions in ntpd(8) itself or in IP firewalls to
restrict which systems can access ntpd(8).
3) Replace the base system ntpd(8) with net/ntp-devel (version 4.2.7p76 or
newer)
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch.asc
# gpg --verify ntpd.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart the ntpd(8) daemon, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Note that the patch would disable monitoring features of ntpd(8) daemon
by default. If the feature is desirable, the administrator can choose
to enable it and firewall access to ntpd(8) service.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r260641
releng/8.3/                                                       r260647
releng/8.4/                                                       r260647
stable/9/                                                         r260641
releng/9.1/                                                       r260647
releng/9.2/                                                       r260647
stable/10/                                                        r260639
releng/10.0/                                                      r260641
-------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII.
-----------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2014-0002
Synopsis: VMware vSphere updates to third party libraries
Issue date: 2014-03-11
Updated on: 2014-03-11 (initial advisory)
CVE numbers: --NTP ---
CVE-2013-5211
--glibc (service console) ---
CVE-2013-4332
--JRE--
See references
-----------------------------------------------------------------------
1. Summary
VMware has updated vSphere third party libraries.
2. Relevant releases
vCenter Server Appliance 5.5 prior to 5.5 Update 1
VMware vCenter Server 5.5 prior 5.5 Update 1
VMware Update Manager 5.5 prior 5.5 Update 1
VMware ESXi 5.5 without patch ESXi550-201403101-SG
3. Problem Description
a. An attacker may send a forged request to a
vulnerable NTP server resulting in an amplified response to the
intended target of the DDoS attack.
Mitigation
Mitigation for this issue is documented in VMware Knowledge Base
article 2070193. This article also documents when vSphere
products are affected.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-5211 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  =======   =======   =================
VCSA           5.5       Linux     5.5 Update 1
VCSA           5.1       Linux     patch pending
VCSA           5.0       Linux     patch pending
ESXi           5.5       ESXi      ESXi550-201403101-SG
ESXi           5.1       ESXi      patch pending
ESXi           5.0       ESXi      patch pending
ESXi           4.1       ESXi      patch pending
ESXi           4.0       ESXi      patch pending
ESX            4.1       ESX       patch pending
ESX            4.0       ESX       patch pending
b. Update to ESXi glibc package
The ESXi glibc package is updated to version
glibc-2.5-118.el5_10.2 to resolve a security issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-4332 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  =======   =======   =================
ESXi           5.5       ESXi      ESXi550-201403101-SG
ESXi           5.1       ESXi      patch pending
ESXi           5.0       ESXi      patch pending
ESXi           4.1       ESXi      no patch planned
ESXi           4.0       ESXi      no patch planned
ESX            4.1       ESX       not applicable
ESX            4.0       ESX       not applicable
c. vCenter and Update Manager, Oracle JRE 1.7 Update 45
Oracle JRE is updated to version JRE 1.7 Update 45, which
addresses multiple security issues that existed in earlier
releases of Oracle JRE.
Oracle has documented the CVE identifiers that are addressed
in JRE 1.7.0 update 45 in the Oracle Java SE Critical Patch
Update Advisory of October 2013. The References section provides
a link to this advisory.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
==============  =======   =======   =================
vCenter Server  5.5       Any       5.5 Update 1
vCenter Server  5.1       Any       not applicable **
vCenter Server  5.0       Any       not applicable **
vCenter Server  4.1       Windows   not applicable **
vCenter Server  4.0       Windows   not applicable *
Update Manager  5.5       Windows   5.5 Update 1
Update Manager  5.1       Windows   not applicable **
Update Manager  5.0       Windows   not applicable **
Update Manager  4.1       Windows   not applicable *
Update Manager  4.0       Windows   not applicable *
ESXi            any       ESXi      not applicable
ESX             4.1       ESX       not applicable **
ESX             4.0       ESX       not applicable *
* this product uses the Oracle JRE 1.5.0 family
** this product uses the Oracle JRE 1.6.0 family
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
vCenter Server 5.5
--------------------------
Download link:
https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_5
Release Notes:
https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-55u1-release-notes.html
ESXi 5.5
-----------------
File: update-from-esxi5.5-5.5_update01.zip
md5sum:5773844efc7d8e43135de46801d6ea25
sha1sum:6518355d260e81b562c66c5016781db9f077161f
http://kb.vmware.com/kb/2065826
update-from-esxi5.5-5.5_update01 contains ESXi550-201403101-SG
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4332
--------- jre ---------
Oracle Java SE Critical Patch Update Advisory of October 2013
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
VMware Knowledge Base article 2070193
http://kb.vmware.com/kb/2070193
-----------------------------------------------------------------------
6. Change log
2014-03-11 VMSA-2014-0002
Initial security advisory in conjunction with the release of
vSphere 5.5 Update 1 on 2014-03-11
-----------------------------------------------------------------------
Here are the details from the Slackware 14.1 ChangeLog:
+--------------------------+
patches/packages/ntp-4.2.6p5-i486-5_slack14.1.txz: Rebuilt. By default, Slackware is not vulnerable
since it includes "noquery" as a default restriction. However, it is
vulnerable if this restriction is removed. To help mitigate this flaw,
"disable monitor" has been added to the default ntp.conf (which will disable
the monlist command even if other queries are allowed), and the default
restrictions have been extended to IPv6 as well.
All users of the NTP daemon should make sure that their ntp.conf contains
"disable monitor" to prevent misuse of the NTP service. The new ntp.conf
file will be installed as /etc/ntp.conf.new with a package upgrade, but the
changes will need to be merged into any existing ntp.conf file by the admin.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
http://www.kb.cert.org/vuls/id/348126
(* Security fix *)
+--------------------------+
| VAR-201303-0180 | CVE-2013-2301 | OpenWnn for Android vulnerable to information disclosure |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The OMRON OpenWnn application before 1.3.6 for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem. OpenWnn for Android contains an issue in the access permissions for certain files. OpenWnn provided by OMRON SOFTWARE Co., Ltd. is a Japanese Input Method Editor (IME). Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. If a user of the affected product also uses a malicious Android application, information managed by the affected product may be disclosed. OpenWnn for Android is prone to an information-disclosure vulnerability.
Successful exploits allow an attacker to gain access to sensitive information. Information obtained may aid in further attacks.
OpenWnn for Android 1.3.5 and prior are vulnerable.
| VAR-201303-0514 | No CVE | NetGear WNR1000 Router Remote Authentication Bypass Vulnerability |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
The web server skips the authentication check for certain URLs, such as a URL ending in the string ".jpg", so an attacker can submit a request similar to the following to obtain the current device configuration: http://<target-ip-address>/NETGEAR_fwpt.cfg?.jpg. NetGear WNR1000 is a wireless router.
There is a remote authentication bypass vulnerability in NetGear WNR1000 router versions prior to 1.0.2.60. A remote attacker could use this vulnerability to bypass the authentication mechanism and gain unauthorized access.
| VAR-201303-0573 | No CVE | Rosewill RSVA11001/RSVA12001 NTP Host Operation Remote Command Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Rosewill RSVA11001/RSVA12001 is a camera device. Rosewill RSVA11001/RSVA12001 has a security vulnerability that allows remote attackers to execute arbitrary commands by setting up NTP hosts.
| VAR-201303-0393 | CVE-2013-1146 | Cisco IOS of Smart Install Service operation interruption in client function ( Device reload ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Smart Install client functionality in Cisco IOS 12.2 and 15.0 through 15.3 on Catalyst switches allows remote attackers to cause a denial of service (device reload) via crafted image list parameters in Smart Install packets, aka Bug ID CSCub55790. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco IOS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Smart Install client. A specially crafted packet can be sent to the SMI IBC server to instruct it to download the IOS config file and IOS image file(s). The attacker can specify a user account with highest access in the config file, allowing them to take complete control of the switch.
An attacker can exploit this issue to cause an affected device to reload or become unresponsive, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCub55790. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment
| VAR-201303-0389 | CVE-2013-1142 | Cisco IOS of VRF-aware NAT Service disruption in functionality ( Memory consumption ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Race condition in the VRF-aware NAT feature in Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 allows remote attackers to cause a denial of service (memory consumption) via IPv4 packets, aka Bug IDs CSCtg47129 and CSCtz96745. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload or become unresponsive, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCtg47129. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment
| VAR-201303-0390 | CVE-2013-1143 | Cisco IOS and IOS XE of RSVP Service disruption in protocol implementation (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
The RSVP protocol implementation in Cisco IOS 12.2 and 15.0 through 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S, when MPLS-TE is enabled, allows remote attackers to cause a denial of service (incorrect memory access and device reload) via a traffic engineering PATH message in an RSVP packet, aka Bug ID CSCtg39957.
Attackers can exploit this issue to cause a reload of the affected devices, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCtg39957: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg39957. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment.
| VAR-201303-0391 | CVE-2013-1144 | Cisco IOS of IKEv1 Service disruption in implementations ( Memory consumption ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload or become unresponsive, denying service to legitimate users.
This issue is tracked by Cisco Bug ID CSCth81055.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq24002. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment
| VAR-201303-0392 | CVE-2013-1145 | Cisco IOS Service disruption in ( Memory consumption or device reload ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in Cisco IOS 12.2, 12.4, 15.0, and 15.1, when Zone-Based Policy Firewall SIP application layer gateway inspection is enabled, allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed SIP messages, aka Bug ID CSCtl99174. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload or become unresponsive, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCtl99174. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment
| VAR-201303-0394 | CVE-2013-1147 | Cisco IOS of Protocol Translation (PT) Service disruption in functionality ( Device reload ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Protocol Translation (PT) functionality in Cisco IOS 12.3 through 12.4 and 15.0 through 15.3, when one-step port-23 translation or a Telnet-to-PAD ruleset is configured, does not properly validate TCP connection information, which allows remote attackers to cause a denial of service (device reload) via an attempted connection to a PT resource, aka Bug ID CSCtz35999. Cisco IOS is prone to a remote denial-of-service vulnerability.
Successfully exploiting this issue allows remote attackers to reload the affected device, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCtz35999. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment
| VAR-201303-0395 | CVE-2013-1148 | Cisco IOS of IP Service Level Agreement Service disruption in functionality ( Device reload ) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The General Responder implementation in the IP Service Level Agreement (SLA) feature in Cisco IOS 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S allows remote attackers to cause a denial of service (device reload) via crafted (1) IPv4 or (2) IPv6 IP SLA packets on UDP port 1167, aka Bug ID CSCuc72594. Cisco IOS is prone to a remote denial-of-service vulnerability.
Successful exploitation of this issue could allow the attacker to cause the targeted device to reload, resulting in denial-of-service conditions.
This issue is being tracked by Cisco Bug ID CSCuc72594. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment
| VAR-201303-0527 | No CVE | PowerHawk 6320 Smart Meter Information Disclosure Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The PowerHawk 6320 meter is a smart meter device. The PowerHawk 6320 meter incorrectly restricts access to web-based UIs, allowing remote attackers to exploit the vulnerability to request serial numbers, MAC addresses, and firmware versions.
Successful exploits may allow an attacker to obtain sensitive information that may aid in launching further attacks.
PowerHawk 6320 Smart Meter running firmware 1.12 is vulnerable; other versions may also be affected
| VAR-201303-0396 | CVE-2013-1161 | Android for Cisco Jabber IM Application XML Service disruption in parsers (DoS) Vulnerabilities |
CVSS V2: 6.3 CVSS V3: - Severity: MEDIUM |
The XML parser in the Cisco Jabber IM application for Android allows remote authenticated users to cause a denial of service (blocked connection) by leveraging an entry on a Buddy list and sending a crafted XMPP presence update message, aka Bug ID CSCue38383.
Successful exploits will allow authenticated attackers to prevent the client from connecting, causing a denial-of-service condition.
This issue is being tracked by Cisco Bug ID CSCue38383.