VARIoT IoT vulnerabilities database
| VAR-201208-0742 | No CVE | RuggedCom Rugged Operating System SSL Private key reuse vulnerability |
CVSS V2: - CVSS V3: - Severity: MEDIUM |
RuggedCom is a provider of communication network solutions. The RuggedCom Rugged Operating System has an SSL private key reuse vulnerability that an attacker can exploit against encrypted traffic.
----------------------------------------------------------------------
The new Secunia CSI 6.0 is now available in beta!
Seamless integration with your existing security solutions Sign-up to
become a Beta tester: http://secunia.com/csi6beta
----------------------------------------------------------------------
TITLE:
RuggedCom Rugged Operating System SSL Private Key Reuse Vulnerability
SECUNIA ADVISORY ID:
SA50364
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50364/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50364
RELEASE DATE:
2012-08-24
DISCUSS ADVISORY:
http://secunia.com/advisories/50364/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/50364/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=50364
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in RuggedCom Rugged Operating
System, which can be exploited by malicious people to conduct
spoofing attacks.
SOLUTION:
No official solution is currently available.
PROVIDED AND/OR DISCOVERED BY:
Justin W. Clarke
ORIGINAL ADVISORY:
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-234-01.pdf
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201208-0356 | CVE-2012-2984 | Websense Content Gateway XSS vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in monitor/m_overview.ink in Websense Content Gateway before 7.7.3 allow remote attackers to inject arbitrary web script or HTML via the (1) menu or (2) item parameter. As a result, denial of service (DoS) attacks, information leaks, privilege escalation, and other impacts may occur.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
----------------------------------------------------------------------
TITLE:
Websense Content Gateway "menu" Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA50368
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50368/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50368
RELEASE DATE:
2012-08-24
DISCUSS ADVISORY:
http://secunia.com/advisories/50368/#comments
DESCRIPTION:
A vulnerability has been reported in Websense Content Gateway, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Input passed via the "menu" parameter to monitor/m_overview.ink is
not properly sanitised before being returned to the user.
The vulnerability is reported in versions prior to 7.7.3.
SOLUTION:
No official solution is currently available. Reportedly the vendor is
planning the release of a fixed version 7.7.3 in December 2012.
PROVIDED AND/OR DISCOVERED BY:
US-CERT credits Steven Sim Kok Leong.
ORIGINAL ADVISORY:
US-CERT:
http://www.kb.cert.org/vuls/id/318779
----------------------------------------------------------------------
| VAR-201208-0659 | CVE-2011-5114 | Barracuda Link Balancer 330 firmware Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the Authoritative DNS - DNS Zones page in Barracuda Link Balancer 330 Firmware 1.3.2.005 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) zoneid or (2) scope parameter. Barracuda Link Balancer Series Firmware is prone to a cross-site scripting vulnerability.
| VAR-201208-0647 | CVE-2011-5102 | Multiple Websense products TRITON Management console command execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Investigative Reports web interface in the TRITON management console in Websense Web Security 7.1 before Hotfix 109, 7.1.1 before Hotfix 06, 7.5 before Hotfix 78, 7.5.1 before Hotfix 12, 7.6 before Hotfix 24, and 7.6.2 before Hotfix 12; Web Filter; Web Security Gateway; and Web Security Gateway Anywhere allows remote attackers to execute commands via unspecified vectors. A remote attacker could exploit this vulnerability to execute arbitrary commands through an unknown vector.
| VAR-201208-0296 | CVE-2012-4605 | Websense Email Security SMTP component information disclosure vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The default configuration of the SMTP component in Websense Email Security 6.1 through 7.3 enables weak SSL ciphers in the "SurfControl plc\SuperScout Email Filter\SMTP" registry key, which makes it easier for remote attackers to obtain sensitive information by sniffing the network and then conducting a brute-force attack against encrypted session data. Websense Email Security is an email security solution.
Remote attackers can exploit this issue to gain access to sensitive information that may aid in further attacks.
| VAR-201208-0469 | CVE-2012-4597 | McAfee Email and Web Security and McAfee Email Gateway Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in McAfee Email and Web Security (EWS) 5.5 through Patch 6 and 5.6 through Patch 3, and McAfee Email Gateway (MEG) 7.0.0 and 7.0.1, allows remote attackers to inject arbitrary web script or HTML via vectors related to the McAfee Security Appliance Management Console/Dashboard.
A remote attacker could leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Exploiting the security-bypass vulnerability allows attackers to bypass security restrictions and obtain sensitive information or perform unauthorized actions.
Exploiting the directory-traversal issue allows attackers to use directory-traversal strings to download arbitrary files in the context of the affected application. The solution offers incoming threat protection, outgoing encryption, data loss prevention, and more.
----------------------------------------------------------------------
| VAR-201208-0468 | CVE-2012-4596 | McAfee Email Gateway Vulnerable to directory traversal |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in McAfee Email Gateway (MEG) 7.0.0 and 7.0.1 allows remote authenticated users to bypass intended access restrictions and download arbitrary files via a crafted URL. McAfee Email and Web Security Appliance and Email Gateway are prone to a cross-site scripting vulnerability, a directory-traversal vulnerability, and a security-bypass vulnerability.
----------------------------------------------------------------------
TITLE:
McAfee Email and Web Security Appliance and Email Gateway Multiple
Vulnerabilities
SECUNIA ADVISORY ID:
SA50408
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50408/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50408
RELEASE DATE:
2012-08-24
DISCUSS ADVISORY:
http://secunia.com/advisories/50408/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in McAfee Email and Web
Security Appliance and Email Gateway, which can be exploited by
malicious users to disclose certain sensitive information and by
malicious people to bypass certain security restrictions and conduct
cross-site scripting attacks.
1) An unspecified error within the authentication mechanism can be
exploited to gain administrative privileges.
2) Certain input passed to the web interface is not properly verified
before being used to download files. This can be exploited to download
arbitrary files from local resources via directory traversal
sequences.
3) Certain unspecified input is not properly sanitised before being
returned to the user.
The vulnerabilities are reported in the following products:
* McAfee Email Gateway (MEG) versions 7.0.0 and 7.0.1.
* McAfee Email and Web Security (EWS) versions 5.6 Patch 3 and prior
* McAfee Email and Web Security (EWS) versions 5.5 Patch 6 and prior
SOLUTION:
Apply patches if available (please see the vendor's advisory for more
information).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Tenable Network Security.
ORIGINAL ADVISORY:
https://kc.mcafee.com/corporate/index?page=content&id=SB10026
----------------------------------------------------------------------
| VAR-201208-0467 | CVE-2012-4595 | McAfee Email and Web Security and McAfee Email Gateway Vulnerabilities that bypass authentication |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
McAfee Email and Web Security (EWS) 5.5 through Patch 6 and 5.6 through Patch 3, and McAfee Email Gateway (MEG) 7.0.0 and 7.0.1, allows remote attackers to bypass authentication and obtain an admin session ID via unspecified vectors.
----------------------------------------------------------------------
| VAR-201208-0449 | CVE-2012-4577 | Korenix Jetport and other products: firmware vulnerability that allows administrative access |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Linux firmware image on (1) Korenix Jetport 5600 series serial-device servers and (2) ORing Industrial DIN-Rail serial-device servers has a hardcoded password of "password" for the root account, which allows remote attackers to obtain administrative access via an SSH session. The Korenix JetPort Series is an intelligent RS-232 or RS-422/485 serial to Ethernet device networking server. ORing Industrial DIN-Rail serial-device servers are similar devices. Korenix Jetport 5600 series products are prone to a remote authentication-bypass vulnerability. Successful exploits will result in the complete compromise of the affected device.
----------------------------------------------------------------------
The final version of the CSI 6.0 has been released.
Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/
----------------------------------------------------------------------
TITLE:
JetPort 5600 Hardcoded Credentials Security Issue
SECUNIA ADVISORY ID:
SA51083
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51083/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51083
RELEASE DATE:
2012-10-24
DISCUSS ADVISORY:
http://secunia.com/advisories/51083/#comments
DESCRIPTION:
A security issue has been reported in JetPort 5600, which can be
exploited by malicious people to compromise a vulnerable device.
The security issue is reported in versions prior to 2.01.
SOLUTION:
Update to version 2.01.
PROVIDED AND/OR DISCOVERED BY:
ICS-CERT credits Reid Wightman, Digital Bond.
ORIGINAL ADVISORY:
ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-297-02.pdf
----------------------------------------------------------------------
| VAR-201208-0310 | CVE-2012-4680 | IOServer Web Interface Directory Traversal Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in the XML Server in IOServer before 1.0.19.0, when the Root Directory pathname lacks a trailing \ (backslash) character, allows remote attackers to read arbitrary files or list arbitrary directories via a .. (dot dot) in a URI. IOServer is industrial control software running on Windows. The web interface contained in IOServer fails to properly filter the URL submitted by the user. To successfully exploit the vulnerability, "XML Server" must be enabled.
----------------------------------------------------------------------
TITLE:
IOServer Web Interface Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA50297
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50297/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50297
RELEASE DATE:
2012-08-21
DISCUSS ADVISORY:
http://secunia.com/advisories/50297/#comments
DESCRIPTION:
hinge has reported a vulnerability in IOServer, which can be
exploited by malicious people to disclose certain sensitive
information.
Input appended to the URL is not properly sanitised before being used
to display files.
The vulnerability is reported in versions prior to 1.0.19.0.
SOLUTION:
Update to version 1.0.19.0.
PROVIDED AND/OR DISCOVERED BY:
hinge
ORIGINAL ADVISORY:
http://www.foofus.net/?page_id=616
----------------------------------------------------------------------
| VAR-201208-0427 | CVE-2012-4167 | Adobe Flash Player Integer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Integer overflow in Adobe Flash Player before 10.3.183.23 and 11.x before 11.4.402.265 on Windows and Mac OS X, before 10.3.183.23 and 11.x before 11.2.202.238 on Linux, before 11.1.111.16 on Android 2.x and 3.x, and before 11.1.115.17 on Android 4.x; Adobe AIR before 3.4.0.2540; and Adobe AIR SDK before 3.4.0.2540 allows attackers to execute arbitrary code via unspecified vectors. Adobe Flash Player and AIR are prone to a remote integer-overflow vulnerability.
NOTE: This issue was previously covered in BID 55136 (Adobe Flash Player and AIR APSB12-19 Multiple Remote Vulnerabilities) but has been assigned its own record for better documentation. The product enables viewing of applications, content and video across screens and browsers.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:1203-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1203.html
Issue date: 2012-08-23
CVE Names: CVE-2012-1535 CVE-2012-4163 CVE-2012-4164
CVE-2012-4165 CVE-2012-4166 CVE-2012-4167
CVE-2012-4168
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes several security issues is
now available for Red Hat Enterprise Linux 5 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. This update fixes several vulnerabilities in
Adobe Flash Player. These vulnerabilities are detailed on the Adobe security
pages APSB12-18 and APSB12-19, listed in the References section. Specially-crafted SWF content
could cause flash-plugin to crash or, potentially, execute arbitrary code
when a victim loads a page containing the malicious SWF content.
(CVE-2012-1535, CVE-2012-4163, CVE-2012-4164, CVE-2012-4165,
CVE-2012-4166, CVE-2012-4167)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
848180 - CVE-2012-1535 flash-plugin: code execution flaw (APSB12-18)
850528 - flash-plugin: multiple code execution flaws (APSB12-19)
850529 - CVE-2012-4168 flash-plugin: cross-domain information leak flaw (APSB12-19)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.238-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.238-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.238-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.238-1.el5.i386.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1535.html
https://www.redhat.com/security/data/cve/CVE-2012-4163.html
https://www.redhat.com/security/data/cve/CVE-2012-4164.html
https://www.redhat.com/security/data/cve/CVE-2012-4165.html
https://www.redhat.com/security/data/cve/CVE-2012-4166.html
https://www.redhat.com/security/data/cve/CVE-2012-4167.html
https://www.redhat.com/security/data/cve/CVE-2012-4168.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-18.html
http://www.adobe.com/support/security/bulletins/apsb12-19.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFQNmAUXlSAg2UNWIIRAourAJ4tMQhcFeDncAU0C/fbNbaxGMRyagCgsq2j
ct6jiyuGVLQQctxa3ujpthE=
=RTPh
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04039150
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04039150
Version: 1
HPSBMU02948 rev.1 - HP Systems Insight Manager (SIM) Running on Linux and
Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS),
Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-03-10
Last Updated: 2014-03-10
Potential Security Impact: Remote execution of arbitrary code, Denial of
Service (DoS), disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Systems
Insight Manager (SIM) running on Linux and Windows. The vulnerabilities could
be exploited remotely resulting in execution of arbitrary code, Denial of
Service (DoS), or disclosure of information.
HP Systems Insight Manager (SIM) prior to v7.3 for Linux and Windows
(CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375, CVE-2013-1378,
CVE-2013-1379, CVE-2013-1380, CVE-2013-2555)
HP Systems Insight Manager (SIM) prior to v7.2 for Linux and Windows
(CVE-2012-4168, CVE-2012-4167, CVE-2012-4165, CVE-2012-4164, CVE-2012-4163,
CVE-2012-1535)
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1535 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2012-4163 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4164 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4165 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4167 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4168 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0646 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0650 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1371 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1375 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1378 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1379 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1380 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-2555 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made Systems Insight Manager (SIM) v7.3 available for Linux and
Windows to resolve the vulnerabilities.
Information and downloads for HP SIM can be found at the following locations:
http://h18013.www1.hp.com/products/servers/management/hpsim/download.html
Insight Management DVD:
http://h18013.www1.hp.com/products/servers/management/fpdownload.html
HISTORY
Version:1 (rev.1) - 10 March 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites. Please review the CVE identifiers referenced below for
details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.238"
References
==========
[ 1 ] CVE-2012-1535
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1535
[ 2 ] CVE-2012-4163
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4163
[ 3 ] CVE-2012-4164
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4164
[ 4 ] CVE-2012-4165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4165
[ 5 ] CVE-2012-4166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4166
[ 6 ] CVE-2012-4167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4167
[ 7 ] CVE-2012-4168
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4168
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201209-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201208-0423 | CVE-2012-4163 | Adobe Flash Player Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.23 and 11.x before 11.4.402.265 on Windows and Mac OS X, before 10.3.183.23 and 11.x before 11.2.202.238 on Linux, before 11.1.111.16 on Android 2.x and 3.x, and before 11.1.115.17 on Android 4.x; Adobe AIR before 3.4.0.2540; and Adobe AIR SDK before 3.4.0.2540 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-4164 and CVE-2012-4165. Adobe Flash Player contains a vulnerability that allows arbitrary code execution or a denial of service (memory corruption). This is a different vulnerability from CVE-2012-4164 and CVE-2012-4165. An attacker could execute arbitrary code or cause a denial of service (memory corruption). Other attacks are also possible.
NOTE: This issue was previously covered in BID 55136 (Adobe Flash Player and AIR APSB12-19 Multiple Remote Vulnerabilities) but has been assigned its own record for better documentation. The product enables viewing of applications, content and video across screens and browsers.
| VAR-201208-0425 | CVE-2012-4165 | Adobe Flash Player Vulnerabilities in arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.23 and 11.x before 11.4.402.265 on Windows and Mac OS X, before 10.3.183.23 and 11.x before 11.2.202.238 on Linux, before 11.1.111.16 on Android 2.x and 3.x, and before 11.1.115.17 on Android 4.x; Adobe AIR before 3.4.0.2540; and Adobe AIR SDK before 3.4.0.2540 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-4163 and CVE-2012-4164. This is a different vulnerability from CVE-2012-4163 and CVE-2012-4164. An attacker could execute arbitrary code or cause a denial of service (memory corruption). Adobe Flash Player and AIR are prone to a remote memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code, cause denial-of-service conditions, or gain access to sensitive information. Other attacks are also possible.
NOTE: This issue was previously covered in BID 55136 (Adobe Flash Player and AIR APSB12-19 Multiple Remote Vulnerabilities) but has been assigned its own record for better documentation. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:1203-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1203.html
Issue date: 2012-08-23
CVE Names: CVE-2012-1535 CVE-2012-4163 CVE-2012-4164
CVE-2012-4165 CVE-2012-4166 CVE-2012-4167
CVE-2012-4168
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes several security issues is
now available for Red Hat Enterprise Linux 5 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed on the Adobe security pages APSB12-18 and
APSB12-19, listed in the References section. Specially-crafted SWF content
could cause flash-plugin to crash or, potentially, execute arbitrary code
when a victim loads a page containing the malicious SWF content.
(CVE-2012-1535, CVE-2012-4163, CVE-2012-4164, CVE-2012-4165,
CVE-2012-4166, CVE-2012-4167)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
848180 - CVE-2012-1535 flash-plugin: code execution flaw (APSB12-18)
850528 - flash-plugin: multiple code execution flaws (APSB12-19)
850529 - CVE-2012-4168 flash-plugin: cross-domain information leak flaw (APSB12-19)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.238-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.238-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.238-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.238-1.el5.i386.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1535.html
https://www.redhat.com/security/data/cve/CVE-2012-4163.html
https://www.redhat.com/security/data/cve/CVE-2012-4164.html
https://www.redhat.com/security/data/cve/CVE-2012-4165.html
https://www.redhat.com/security/data/cve/CVE-2012-4166.html
https://www.redhat.com/security/data/cve/CVE-2012-4167.html
https://www.redhat.com/security/data/cve/CVE-2012-4168.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-18.html
http://www.adobe.com/support/security/bulletins/apsb12-19.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFQNmAUXlSAg2UNWIIRAourAJ4tMQhcFeDncAU0C/fbNbaxGMRyagCgsq2j
ct6jiyuGVLQQctxa3ujpthE=
=RTPh
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04039150
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04039150
Version: 1
HPSBMU02948 rev.1 - HP Systems Insight Manager (SIM) Running on Linux and
Windows, Remote Execution of Arbitrary Code, Denial of Service (DoS),
Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2014-03-10
Last Updated: 2014-03-10
Potential Security Impact: Remote execution of arbitrary code, Denial of
Service (DoS), disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP Systems
Insight Manager (SIM) running on Linux and Windows.
HP Systems Insight Manager (SIM) prior to v7.3 for Linux and Windows
(CVE-2013-0646, CVE-2013-0650, CVE-2013-1371, CVE-2013-1375, CVE-2013-1378,
CVE-2013-1379, CVE-2013-1380, CVE-2013-2555)
HP Systems Insight Manager (SIM) prior to v7.2 for Linux and Windows
(CVE-2012-4168, CVE-2012-4167, CVE-2012-4165, CVE-2012-4164, CVE-2012-4163,
CVE-2012-1535)
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2012-1535 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3
CVE-2012-4163 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4164 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4165 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4167 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2012-4168 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2013-0646 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-0650 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1371 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1375 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1378 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1379 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-1380 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2013-2555 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made Systems Insight Manager (SIM) v7.3 available for Linux and
Windows to resolve the vulnerabilities.
Information and downloads for HP SIM can be found at the following locations:
http://h18013.www1.hp.com/products/servers/management/hpsim/download.html
Insight Management DVD:
http://h18013.www1.hp.com/products/servers/management/fpdownload.html
HISTORY
Version:1 (rev.1) - 10 March 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites. Please review the CVE identifiers referenced below for
details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.238"
References
==========
[ 1 ] CVE-2012-1535
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1535
[ 2 ] CVE-2012-4163
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4163
[ 3 ] CVE-2012-4164
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4164
[ 4 ] CVE-2012-4165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4165
[ 5 ] CVE-2012-4166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4166
[ 6 ] CVE-2012-4167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4167
[ 7 ] CVE-2012-4168
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4168
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201209-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201208-0157 | CVE-2012-3517 |
Tor dns.c Denial of Service (Daemon Crash) Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201208-0786 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might allow remote attackers to cause a denial of service (daemon crash) via vectors related to failed DNS requests. Tor (The Onion Router) is an implementation of the second generation of onion routing, which allows users to communicate anonymously over the Internet. Tor has a remote vulnerability in its implementation.
1. Multiple denial-of-service vulnerabilities.
2. An information-disclosure vulnerability.
3. An out-of-bounds memory-access vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:132
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : tor
Date : April 10, 2013
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated tor package fixes security vulnerabilities:
Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS
certificate chain as part of an outgoing OR connection, which allows
remote relays to bypass intended anonymity properties by reading this
chain and then determining the set of entry guards that the client
or bridge had selected (CVE-2011-2768).
Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE
and CREATE_FAST values in the Command field of a cell within an OR
connection that it initiated, which allows remote relays to enumerate
bridges by using these values (CVE-2011-2769).
routerlist.c in Tor before 0.2.2.38 uses a different amount of time
for relay-list iteration depending on which relay is chosen, which
might allow remote attackers to obtain sensitive information about
relay selection via a timing side-channel attack (CVE-2012-3519).
Tor before 0.2.2.39, when waiting for a client to renegotiate, allowed
it to add bytes to the input buffer, allowing a crash to be caused
remotely (tor-5934, tor-6007).
The version of Tor shipped in MBS1 did not have a correctly formed
systemd unit and thus failed to start.
This updated version corrects this problem and restores working
behaviour.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5573
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0184
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0276
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0356
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
8cadc920e4452cd2a3551a3cb01d9fcf mbs1/x86_64/tor-0.2.2.39-1.mbs1.x86_64.rpm
7cbba7170bc4f9e6ee8409398437570c mbs1/SRPMS/tor-0.2.2.39-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRZVsDmqjQ0CJFipgRAm9IAJ9tYUVrI7u2V+7yJGNLn2OVMdOzcACgyrhf
PUIroe88x4NDpj7AUyd2YP8=
=x4YG
-----END PGP SIGNATURE-----
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201301-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Tor: Multiple vulnerabilities
Date: January 08, 2013
Bugs: #432188, #434882, #444804
ID: 201301-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Tor, allowing attackers to
cause Denial of Service or obtain sensitive information. Please review the
CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Tor users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.3.25"
References
==========
[ 1 ] CVE-2012-3517
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3517
[ 2 ] CVE-2012-3518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3518
[ 3 ] CVE-2012-3519
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3519
[ 4 ] CVE-2012-4419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4419
[ 5 ] CVE-2012-4922
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4922
[ 6 ] CVE-2012-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5573
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201301-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201212-0036 | CVE-2012-4698 | Rugged operating system private key disclosure vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Siemens RuggedCom Rugged Operating System (ROS) before 3.12, ROX I OS through 1.14.5, ROX II OS through 2.3.0, and RuggedMax OS through 4.2.1.4621.22 use hardcoded private keys for SSL and SSH communication, which makes it easier for man-in-the-middle attackers to spoof servers and decrypt network traffic by leveraging the availability of these keys within ROS files at all customer installations. Because these Siemens products use a hard-coded private key, servers can be impersonated and network traffic decrypted. A man-in-the-middle attacker can spoof the server and decrypt network traffic by using the private key contained in the ROS files installed in the user's environment. According to the report, the SSL keys can be extracted from ROS binary files using publicly available software. RuggedCom Inc. is the world's leading manufacturer of high-performance network and communications equipment for industrial environments. The Rugged Operating System has a hard-coded RSA private key for SSL/TLS communication. PoC code for this vulnerability has been released by Justin W. Clarke of Cylance Inc. According to a report, this vulnerability can be used to decrypt SSL communication between end users and RuggedCom network devices. Rugged Operating System is prone to an information-disclosure vulnerability. There is a vulnerability in Siemens RuggedCom Rugged Operating System (ROS) before 3.12, ROX I OS before 1.14.5, ROX II OS before 2.3.0, and RuggedMax OS before 4.2.1.4621.22.
| VAR-201208-0426 | CVE-2012-4166 | ** Delete ** Adobe Flash Player Arbitrary Code Execution Vulnerability |
CVSS V2: - CVSS V3: - Severity: CRITICAL |
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-4165. Reason: This candidate is a duplicate of CVE-2012-4165. Notes: All CVE users should reference CVE-2012-4165 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** Delete ** This entry has been removed because it was found to be a duplicate of CVE-2012-4165. Please refer to CVE-2012-4165. Adobe Flash Player contains a vulnerability that allows arbitrary code execution or a denial of service (memory corruption) condition. This vulnerability is distinct from CVE-2012-4163, CVE-2012-4164, and CVE-2012-4165. An attacker may be able to execute arbitrary code or cause a denial of service (memory corruption) condition. Adobe Flash Player and AIR are prone to a remote memory-corruption vulnerability.
An attacker can exploit this issue to execute arbitrary code, cause denial-of-service conditions, or gain access to sensitive information. Other attacks are also possible.
NOTE: This issue was previously covered in BID 55136 (Adobe Flash Player and AIR APSB12-19 Multiple Remote Vulnerabilities) but has been assigned its own record for better documentation. The product enables viewing of applications, content and video across screens and browsers. Vulnerabilities exist in Adobe Flash Player versions earlier than 11.4.402.265 on Windows and Mac OS X, versions earlier than 11.2.202.238 on Linux, versions earlier than 11.1.111.16 on Android 2.x and 3.x, versions earlier than 11.1.115.17 on Android 4.x, Adobe AIR prior to 3.4.0.2540, and Adobe AIR SDK prior to 3.4.0.2540.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: flash-plugin security update
Advisory ID: RHSA-2012:1203-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1203.html
Issue date: 2012-08-23
CVE Names: CVE-2012-1535 CVE-2012-4163 CVE-2012-4164
CVE-2012-4165 CVE-2012-4166 CVE-2012-4167
CVE-2012-4168
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes several security issues is
now available for Red Hat Enterprise Linux 5 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
3. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. These
vulnerabilities are detailed on the Adobe security pages APSB12-18 and
APSB12-19, listed in the References section. Specially-crafted SWF content
could cause flash-plugin to crash or, potentially, execute arbitrary code
when a victim loads a page containing the malicious SWF content.
(CVE-2012-1535, CVE-2012-4163, CVE-2012-4164, CVE-2012-4165,
CVE-2012-4166, CVE-2012-4167)
A flaw in flash-plugin could allow an attacker to obtain sensitive
information if a victim were tricked into visiting a specially-crafted web
page.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
848180 - CVE-2012-1535 flash-plugin: code execution flaw (APSB12-18)
850528 - flash-plugin: multiple code execution flaws (APSB12-19)
850529 - CVE-2012-4168 flash-plugin: cross-domain information leak flaw (APSB12-19)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-11.2.202.238-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.238-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-11.2.202.238-1.el5.i386.rpm
x86_64:
flash-plugin-11.2.202.238-1.el5.i386.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-1535.html
https://www.redhat.com/security/data/cve/CVE-2012-4163.html
https://www.redhat.com/security/data/cve/CVE-2012-4164.html
https://www.redhat.com/security/data/cve/CVE-2012-4165.html
https://www.redhat.com/security/data/cve/CVE-2012-4166.html
https://www.redhat.com/security/data/cve/CVE-2012-4167.html
https://www.redhat.com/security/data/cve/CVE-2012-4168.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-18.html
http://www.adobe.com/support/security/bulletins/apsb12-19.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFQNmAUXlSAg2UNWIIRAourAJ4tMQhcFeDncAU0C/fbNbaxGMRyagCgsq2j
ct6jiyuGVLQQctxa3ujpthE=
=RTPh
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites. Please review the CVE identifiers referenced below for
details.
Impact
======
A remote attacker could entice a user to open specially crafted SWF
content, possibly resulting in execution of arbitrary code with the
privileges of the process, or a Denial of Service condition.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-11.2.202.238"
References
==========
[ 1 ] CVE-2012-1535
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1535
[ 2 ] CVE-2012-4163
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4163
[ 3 ] CVE-2012-4164
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4164
[ 4 ] CVE-2012-4165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4165
[ 5 ] CVE-2012-4166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4166
[ 6 ] CVE-2012-4167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4167
[ 7 ] CVE-2012-4168
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4168
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201209-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201208-0162 | CVE-2012-3502 | Apache HTTP Server Information Disclosure Vulnerability in Proxy Functionality |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The proxy functionality in (1) mod_proxy_ajp.c in the mod_proxy_ajp module and (2) mod_proxy_http.c in the mod_proxy_http module in the Apache HTTP Server 2.4.x before 2.4.3 does not properly determine the situations that require closing a back-end connection, which allows remote attackers to obtain sensitive information in opportunistic circumstances by reading a response that was intended for a different client. In (1) mod_proxy_ajp.c of the mod_proxy_ajp module and (2) mod_proxy_http.c of the mod_proxy_http module, a third party may be able to obtain sensitive information by reading responses intended for different clients. Apache HTTP Server is prone to an HTML-injection vulnerability and an information disclosure vulnerability.
Attackers may leverage these issues to obtain potentially sensitive session information, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.
----------------------------------------------------------------------
TITLE:
Hitachi Multiple Products Apache HTTP Server Cross-Site Scripting
Vulnerabilities
SECUNIA ADVISORY ID:
SA51458
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51458/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51458
RELEASE DATE:
2012-11-30
DISCUSS ADVISORY:
http://secunia.com/advisories/51458/#comments
DESCRIPTION:
Hitachi has acknowledged some vulnerabilities in multiple Hitachi
products, which can be exploited by malicious people to conduct
cross-site scripting attacks.
For more information see vulnerability #2 in:
SA50363
See the vendor's advisory for a list of affected products and
versions.
SOLUTION:
As a workaround the vendor recommends to disable the mod_negotiation
module or remove "MultiViews" from the "Options" lines in the
Directory specifications.
ORIGINAL ADVISORY:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS12-028/index.html
| VAR-201208-0159 | CVE-2012-3519 |
Tor routerlist.c Information Disclosure Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201208-0786 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
routerlist.c in Tor before 0.2.2.38 uses a different amount of time for relay-list iteration depending on which relay is chosen, which might allow remote attackers to obtain sensitive information about relay selection via a timing side-channel attack. Tor (The Onion Router) is an implementation of the second generation of onion routing, which allows users to communicate anonymously over the Internet. Tor has a remote vulnerability in its implementation. Attackers can exploit vulnerabilities to obtain sensitive information.
1. Multiple denial-of-service vulnerabilities.
2. An information-disclosure vulnerability.
3. An out-of-bounds memory-access vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:132
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : tor
Date : April 10, 2013
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated tor package fixes security vulnerabilities:
Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS
certificate chain as part of an outgoing OR connection, which allows
remote relays to bypass intended anonymity properties by reading this
chain and then determining the set of entry guards that the client
or bridge had selected (CVE-2011-2768).
Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE
and CREATE_FAST values in the Command field of a cell within an OR
connection that it initiated, which allows remote relays to enumerate
bridges by using these values (CVE-2011-2769).
Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might
allow remote attackers to cause a denial of service (daemon crash)
via vectors related to failed DNS requests (CVE-2012-3517).
The networkstatus_parse_vote_from_string function in routerparse.c
in Tor before 0.2.2.38 does not properly handle an invalid flavor
name, which allows remote attackers to cause a denial of service
(out-of-bounds read and daemon crash) via a crafted (1) vote document
or (2) consensus document (CVE-2012-3518).
The compare_tor_addr_to_addr_policy function in or/policies.c in
Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote
attackers to cause a denial of service (assertion failure and daemon
exit) via a zero-valued port field that is not properly handled during
policy comparison (CVE-2012-4419).
Tor before 0.2.2.39, when waiting for a client to renegotiate, allowed
it to add bytes to the input buffer, allowing a crash to be caused
remotely (tor-5934, tor-6007).
Denial of Service vulnerability in Tor before 0.2.3.25, due to an
error when handling SENDME cells and can be exploited to cause
excessive consumption of memory resources within an entry node
(SA51329, CVE-2012-5573).
The version of Tor shipped in MBS1 did not have a correctly formed
systemd unit and thus failed to start.
This updated version corrects this problem and restores working
behaviour.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5573
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0184
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0276
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0356
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
8cadc920e4452cd2a3551a3cb01d9fcf mbs1/x86_64/tor-0.2.2.39-1.mbs1.x86_64.rpm
7cbba7170bc4f9e6ee8409398437570c mbs1/SRPMS/tor-0.2.2.39-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRZVsDmqjQ0CJFipgRAm9IAJ9tYUVrI7u2V+7yJGNLn2OVMdOzcACgyrhf
PUIroe88x4NDpj7AUyd2YP8=
=x4YG
-----END PGP SIGNATURE-----
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201301-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Tor: Multiple vulnerabilities
Date: January 08, 2013
Bugs: #432188, #434882, #444804
ID: 201301-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Tor, allowing attackers to
cause Denial of Service or obtain sensitive information. Please review the
CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Tor users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.3.25"
References
==========
[ 1 ] CVE-2012-3517
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3517
[ 2 ] CVE-2012-3518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3518
[ 3 ] CVE-2012-3519
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3519
[ 4 ] CVE-2012-4419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4419
[ 5 ] CVE-2012-4922
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4922
[ 6 ] CVE-2012-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5573
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201301-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
CVE-2012-3518
Avoid an uninitialised memory read when reading a vote or consensus
document that has an unrecognized flavour name.
CVE-2012-3519
Try to leak less information about what relays a client is choosing to
a side-channel attacker. This fixes a potential DoS issue
[tor-5934, tor-6007].
For the stable distribution (squeeze), these problems have been fixed in
version 0.2.2.39-1.
For the unstable distribution, these problems have been fixed in version
0.2.3.22-rc-1.
We recommend that you upgrade your tor packages.
----------------------------------------------------------------------
TITLE:
Debian update for tor
SECUNIA ADVISORY ID:
SA50583
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50583/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50583
RELEASE DATE:
2012-09-14
DISCUSS ADVISORY:
http://secunia.com/advisories/50583/#comments
DESCRIPTION:
Debian has issued an update for tor.
ORIGINAL ADVISORY:
DSA-2548-1:
http://www.debian.org/security/2012/dsa-2548
| VAR-201208-0158 | CVE-2012-3518 |
Tor routerparse.c denial-of-service (DoS) vulnerability
Related entries in the VARIoT exploits database: VAR-E-201208-0786 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The networkstatus_parse_vote_from_string function in routerparse.c in Tor before 0.2.2.38 does not properly handle an invalid flavor name, which allows remote attackers to cause a denial of service (out-of-bounds read and daemon crash) via a crafted (1) vote document or (2) consensus document. Tor is a second-generation onion routing implementation. An attacker can exploit this vulnerability to crash the application. Tor is prone to multiple remote vulnerabilities, including:
1. Multiple denial-of-service vulnerabilities.
2. An information-disclosure vulnerability.
3. An out-of-bounds memory-access vulnerability.
Attackers can exploit these issues to crash the affected application, cause denial-of-service conditions, or retrieve potentially sensitive information.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:132
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : tor
Date : April 10, 2013
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated tor package fixes security vulnerabilities:
Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS
certificate chain as part of an outgoing OR connection, which allows
remote relays to bypass intended anonymity properties by reading this
chain and then determining the set of entry guards that the client
or bridge had selected (CVE-2011-2768).
Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE
and CREATE_FAST values in the Command field of a cell within an OR
connection that it initiated, which allows remote relays to enumerate
bridges by using these values (CVE-2011-2769).
routerlist.c in Tor before 0.2.2.38 uses a different amount of time
for relay-list iteration depending on which relay is chosen, which
might allow remote attackers to obtain sensitive information about
relay selection via a timing side-channel attack (CVE-2012-3519).
Tor before 0.2.2.39, when waiting for a client to renegotiate, allowed
it to add bytes to the input buffer, allowing a crash to be caused
remotely (tor-5934, tor-6007).
A denial of service vulnerability in Tor before 0.2.3.25, due to an
error when handling SENDME cells, can be exploited to cause
excessive consumption of memory resources within an entry node
(SA51329, CVE-2012-5573).
The version of Tor shipped in MBS1 did not have correctly formed
systemd unit and thus failed to start.
This updated version corrects this problem and restores working
behaviour.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5573
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0184
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0276
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0356
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
8cadc920e4452cd2a3551a3cb01d9fcf mbs1/x86_64/tor-0.2.2.39-1.mbs1.x86_64.rpm
7cbba7170bc4f9e6ee8409398437570c mbs1/SRPMS/tor-0.2.2.39-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201301-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Tor: Multiple vulnerabilities
Date: January 08, 2013
Bugs: #432188, #434882, #444804
ID: 201301-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Tor, allowing attackers to
cause Denial of Service or obtain sensitive information. Please review the
CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Tor users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.3.25"
References
==========
[ 1 ] CVE-2012-3517
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3517
[ 2 ] CVE-2012-3518
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3518
[ 3 ] CVE-2012-3519
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3519
[ 4 ] CVE-2012-4419
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4419
[ 5 ] CVE-2012-4922
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4922
[ 6 ] CVE-2012-5573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5573
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201301-03.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
CVE-2012-3519
Try to leak less information about what relays a client is choosing to
a side-channel attacker. This fixes a potential DoS issue
[tor-5934, tor-6007].
For the stable distribution (squeeze), these problems have been fixed in
version 0.2.2.39-1.
For the unstable distribution, these problems have been fixed in version
0.2.3.22-rc-1.
We recommend that you upgrade your tor packages.
----------------------------------------------------------------------
TITLE:
Debian update for tor
SECUNIA ADVISORY ID:
SA50583
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/50583/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=50583
RELEASE DATE:
2012-09-14
DISCUSS ADVISORY:
http://secunia.com/advisories/50583/#comments
DESCRIPTION:
Debian has issued an update for tor.
ORIGINAL ADVISORY:
DSA-2548-1:
http://www.debian.org/security/2012/dsa-2548
| VAR-201208-0141 | CVE-2012-2687 | Apache HTTP Server of mod_negotiation Module cross-site scripting vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list. Apache HTTP Server is prone to an HTML-injection vulnerability and an information disclosure vulnerability.
Attackers may leverage these issues to obtain potentially sensitive session information, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.
----------------------------------------------------------------------
TITLE:
Hitachi Multiple Products Apache HTTP Server Cross-Site Scripting
Vulnerabilities
SECUNIA ADVISORY ID:
SA51458
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/51458/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=51458
RELEASE DATE:
2012-11-30
DISCUSS ADVISORY:
http://secunia.com/advisories/51458/#comments
DESCRIPTION:
Hitachi has acknowledged some vulnerabilities in multiple Hitachi
products, which can be exploited by malicious people to conduct
cross-site scripting attacks.
For more information see vulnerability #2 in:
SA50363
See the vendor's advisory for a list of affected products and
versions.
SOLUTION:
As a workaround, the vendor recommends disabling the mod_negotiation
module or removing "MultiViews" from the "Options" lines in the
Directory specifications.
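An added check for the workaround above (example code, not from Hitachi, Secunia or the Apache project): it walks an httpd configuration, tracks the effective Options of each <Directory> block using Apache's replace-versus-+/- semantics, and reports the blocks where MultiViews is still on. Both configuration fragments are constructed for the example, and each block is assumed to start with MultiViews off (a full audit would also merge server-level Options and .htaccess files).

```python
import re
from typing import List

# Constructed httpd.conf fragment with the weak settings (not taken from
# any advisory on this page).
WEAK_CONF = """\
LoadModule negotiation_module modules/mod_negotiation.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks MultiViews
</Directory>
<Directory "/var/www/uploads">
    Options +Indexes
    Options +MultiViews
</Directory>
<Directory "/var/www/static">
    Options All
</Directory>
"""

# The same layout after the vendor workaround: MultiViews removed from every
# Options line, using the '-' form where the block relies on inheritance.
HARDENED_CONF = """\
LoadModule negotiation_module modules/mod_negotiation.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/uploads">
    Options +Indexes -MultiViews
</Directory>
<Directory "/var/www/static">
    Options All
</Directory>
"""

_DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+)"?\s*>$', re.IGNORECASE)
_DIR_CLOSE = re.compile(r"^</Directory>$", re.IGNORECASE)
_OPTIONS = re.compile(r"^Options\s+(.+)$", re.IGNORECASE)


def apply_options(enabled: bool, tokens: List[str]) -> bool:
    """Return whether MultiViews is on after one Options directive.

    Apache semantics: when every token carries '+' or '-' the directive
    modifies the inherited set; a bare list replaces it, and the keyword
    'All' means every option except MultiViews. Mixing the two forms is a
    configuration syntax error in httpd, so it is rejected here too.
    """
    relative = [t[0] in "+-" for t in tokens]
    if all(relative):
        for t in tokens:
            if t[1:].lower() == "multiviews":
                enabled = t[0] == "+"
        return enabled
    if any(relative):
        raise ValueError("Options mixes +/- and absolute forms: %r" % tokens)
    return any(t.lower() == "multiviews" for t in tokens)


def find_multiviews_dirs(conf_text: str) -> List[str]:
    """Return the <Directory> paths whose effective Options leave MultiViews on."""
    findings: List[str] = []
    current = None
    enabled = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines
            continue
        m = _DIR_OPEN.match(line)
        if m:
            current, enabled = m.group(1), False  # assumption: block starts clean
            continue
        if _DIR_CLOSE.match(line):
            if current is not None and enabled:
                findings.append(current)
            current, enabled = None, False
            continue
        m = _OPTIONS.match(line)
        if m and current is not None:
            enabled = apply_options(enabled, m.group(1).split())
    return findings


def negotiation_loaded(conf_text: str) -> bool:
    """True if mod_negotiation is loaded at all; unloading it is the other
    workaround the vendor names."""
    return any(re.match(r"^\s*LoadModule\s+negotiation_module\b", ln)
               for ln in conf_text.splitlines())


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "mod_negotiation loaded:", negotiation_loaded(conf),
              "MultiViews on in:", find_multiviews_dirs(conf))
```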
ORIGINAL ADVISORY:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/./vuls/HS12-028/index.html
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03734195
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03734195
Version: 1
HPSBUX02866 SSRT101139 rev.1 - HP-UX Running Apache, Remote Denial of Service
(DoS), Execution of Arbitrary Code and other vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-04-15
Last Updated: 2013-04-12
Potential Security Impact: Remote Denial of Service (DoS), execution of
arbitrary code and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Running
Apache. These vulnerabilities could be exploited remotely to create a Denial
of Service (DoS) or to execute arbitrary code and other vulnerabilities.
References: HP-UX Apache: CVE-2007-6750, CVE-2012-2687, CVE-2012-3499,
CVE-2012-4557, CVE-2012-4558, CVE-2012-4929
Tomcat v6.0 and v7.0: CVE-2012-2733, CVE-2012-3546, CVE-2012-4431,
CVE-2012-4534, CVE-2012-5885
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.25 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2007-6750 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-2687 (AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6
CVE-2012-2733 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-3499 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-3546 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-4431 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-4534 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2012-4557 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-4558 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-4929 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6
CVE-2012-5885 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software updates to resolve the vulnerability.
The update for B.11.23 and B.11.31 is available for download from
ftp://sb_02866:6hq{PM6a@ftp.usa.hp.com
Web Server Suite Version
Apache Depot Name
HP-UX Web Server Suite v.3.26 containing Apache v2.2.15.15 and Tomcat
B.5.5.36.01
HP-UX_11.23_HPUXWS22ATW-B326-11-23-64.depot
HP-UX_11.23_HPUXWS22ATW-B326-11-23-32.depot
HP-UX Web Server Suite v.3.26 containing Apache v2.2.15.15 and Tomcat
C.6.0.36.01
HP-UX_11.31_HPUXWS22ATW-B326-11-31-64.depot
HP-UX_11.31_HPUXWS22ATW-B326-11-31-32.depot
Tomcat D.7.035.01
HP-UX_11.31_hpuxws22Tomcat_D.7.0.35.01_HP-UX_B.11.31_IA_PA.depot
MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v3.26 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.23
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
action: install revision B.2.2.15.15 or subsequent
HP-UX B.11.31
==================
hpuxws22TOMCAT.TOMCAT
action: install revision C.6.0.36.01 or subsequent
HP-UX B.11.31
==================
hpuxws22TOMCAT.TOMCAT
action: install revision D.7.0.35.01 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 15 April 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP nor
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: JBoss Enterprise Application Platform 6.0.1 update
Advisory ID: RHSA-2012:1591-01
Product: JBoss Enterprise Application Platform
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1591.html
Issue date: 2012-12-18
CVE Names: CVE-2008-0455 CVE-2012-2378 CVE-2012-2379
CVE-2012-2672 CVE-2012-2687 CVE-2012-3428
CVE-2012-3451 CVE-2012-4549 CVE-2012-4550
=====================================================================
1. Summary:
Updated JBoss Enterprise Application Platform 6.0.1 packages that fix
multiple security issues, various bugs, and add enhancements are now
available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
JBoss Enterprise Application Platform 6 for RHEL 5 Server - i386, noarch, x86_64
3. Description:
JBoss Enterprise Application Platform 6 is a platform for Java applications
based on JBoss Application Server 7.
This release serves as a replacement for JBoss Enterprise Application
Platform 6.0.0, and includes bug fixes and enhancements. Refer to the 6.0.1
Release Notes for information on the most significant of these changes,
available shortly from https://access.redhat.com/knowledge/docs/
This update removes unused signed JARs; unused SHA1 checksums from JAR
MANIFEST.MF files to reduce the Server memory footprint; adds MANIFEST.MF
to JAR files where it was previously missing; and removes redundant Javadoc
files from the main packages. (BZ#853551)
Security fixes:
Apache CXF checked to ensure XML elements were signed or encrypted by a
Supporting Token, but not whether the correct token was used. A remote
attacker could transmit confidential information without the appropriate
security, and potentially circumvent access controls on web services
exposed via Apache CXF. (CVE-2012-2379)
When using role-based authorization to configure EJB access, JACC
permissions should be used to determine access; however, due to a flaw the
configured authorization modules (JACC, XACML, etc.) were not called, and
the JACC permissions were not used to determine access to an EJB.
(CVE-2012-4550)
A flaw in the way Apache CXF enforced child policies of WS-SecurityPolicy
1.1 on the client side could, in certain cases, lead to a client failing to
sign or encrypt certain elements as directed by the security policy,
leading to information disclosure and insecure information transmission.
(CVE-2012-2378)
A flaw was found in the way IronJacamar authenticated credentials and
returned a valid datasource connection when configured to
"allow-multiple-users". A remote attacker, provided the correct subject,
could obtain a datasource connection that might belong to a privileged
user. (CVE-2012-3428)
It was found that Apache CXF was vulnerable to SOAPAction spoofing attacks
under certain conditions. Note that WS-Policy validation is performed
against the operation being invoked, and an attack must pass validation to
be successful. (CVE-2012-3451)
When there are no allowed roles for an EJB method invocation, the
invocation should be denied for all users. It was found that the
processInvocation() method in
org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes
all method invocations to proceed when the list of allowed roles is empty.
(CVE-2012-4549)
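An added Python illustration of the empty-roles decision described above (not JBoss EAP's own code, whose check lives in the Java class named in the paragraph): the flawed fail-open variant beside the fail-closed one, plus an audit over constructed invocation records that flags grants the corrected rule would have denied. The bean, method and role names are made up for the example.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed method-level role metadata for a hypothetical EJB (not JBoss's
# own configuration): one method grants roles, the other grants none.
METHOD_ROLES: Dict[str, FrozenSet[str]] = {
    "AccountBean.getBalance": frozenset({"customer", "teller"}),
    "AccountBean.closeAccount": frozenset(),  # nobody is granted this method
}


def authorize_fail_open(caller_roles: FrozenSet[str],
                        allowed_roles: FrozenSet[str]) -> bool:
    """Decision logic with the flaw described for CVE-2012-4549: an empty
    allowed-roles list is treated as 'unrestricted', so every caller passes."""
    if not allowed_roles:
        return True
    return not caller_roles.isdisjoint(allowed_roles)


def authorize_fail_closed(caller_roles: FrozenSet[str],
                          allowed_roles: FrozenSet[str]) -> bool:
    """Corrected logic: an empty allowed-roles list denies everyone; access
    needs at least one of the caller's roles in the allowed set."""
    if not allowed_roles:
        return False
    return not caller_roles.isdisjoint(allowed_roles)


def decide(method: str, caller_roles: Iterable[str],
           policy=authorize_fail_closed) -> bool:
    """Look up the method's roles and apply a policy. An unknown method is
    denied rather than treated as unrestricted (same fail-closed principle)."""
    allowed = METHOD_ROLES.get(method)
    if allowed is None:
        return False
    return policy(frozenset(caller_roles), allowed)


# Constructed invocation records (method, caller roles, granted?) as a
# container running the flawed check might have logged them.
INVOCATION_LOG: List[Tuple[str, FrozenSet[str], bool]] = [
    ("AccountBean.getBalance", frozenset({"customer"}), True),
    ("AccountBean.getBalance", frozenset({"guest"}), False),
    ("AccountBean.closeAccount", frozenset({"guest"}), True),
    ("AccountBean.closeAccount", frozenset({"teller"}), True),
]


def grants_to_review(log) -> List[Tuple[str, FrozenSet[str]]]:
    """Flag granted invocations that the corrected policy would have denied;
    these are the calls worth reviewing on a container that ran the flawed
    interceptor before the update was applied."""
    return [(m, roles) for m, roles, granted in log
            if granted and not decide(m, roles)]


if __name__ == "__main__":
    for method, roles in (("AccountBean.closeAccount", ["teller"]),):
        print(method, "fail-open:", decide(method, roles, authorize_fail_open),
              "fail-closed:", decide(method, roles))
    print("grants to review:", grants_to_review(INVOCATION_LOG))
```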
It was found that in Mojarra, the FacesContext that is made available
during application startup is held in a ThreadLocal. The reference is not
properly cleaned up in all cases. As a result, if a JavaServer Faces (JSF)
WAR calls FacesContext.getCurrentInstance() during application startup,
another WAR can get access to the leftover context and thus get access to
the other WAR's resources. A local attacker could use this flaw to access
another WAR's resources using a crafted, deployed application.
A remote attacker able to upload or create files with
arbitrary names in a directory that has the MultiViews options enabled,
could use this flaw to conduct cross-site scripting attacks against users
visiting the site. (CVE-2008-0455, CVE-2012-2687)
Red Hat would like to thank the Apache CXF project for reporting
CVE-2012-2379, CVE-2012-2378, and CVE-2012-3451. The CVE-2012-4550 issue
was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering
team; CVE-2012-3428 and CVE-2012-4549 were discovered by Arun Neelicattu of
the Red Hat Security Response Team; and CVE-2012-2672 was discovered by
Marek Schmidt and Stan Silvert of Red Hat.
Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation and deployed applications.
Refer to the Solution section for further details.
4. Solution:
All users of JBoss Enterprise Application Platform 6.0.0 on Red Hat
Enterprise Linux 5 are advised to upgrade to these updated packages. The
JBoss server process must be restarted for the update to take effect.
Before applying this update, make sure all previously released errata
relevant to your system have been applied. Also, back up any customized
JBoss Enterprise Application Platform 6 configuration files. On update, the
configuration files that have been locally modified will not be updated.
The updated version of such files will be stored as the rpmnew files. Make
sure to locate any such files after the update and merge any changes
manually.
For more details, refer to the Release Notes for JBoss Enterprise
Application Platform 6.0.1, available shortly from
https://access.redhat.com/knowledge/docs/
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
826533 - CVE-2012-2378 jbossws-cxf, apache-cxf: Certain child policies of WS-SecurityPolicy 1.1 SupportingToken policy not applied on the client side
826534 - CVE-2012-2379 jbossws-cxf, apache-cxf: Apache CXF does not verify that elements were signed / encrypted by a particular Supporting Token
829560 - CVE-2012-2672 Mojarra: deployed web applications can read FacesContext from other applications under certain conditions
843358 - CVE-2012-3428 JBoss: Datasource connection manager returns valid connection for wrong credentials when using security-domains
850794 - CVE-2012-2687 CVE-2008-0455 httpd: mod_negotiation XSS via untrusted file names in directories with MultiViews enabled
851896 - CVE-2012-3451 jbossws-cxf, apache-cxf: SOAPAction spoofing on document literal web services
870868 - CVE-2012-4549 JBoss AS: EJB authorization succeeds for any role when allowed roles list is empty
870871 - CVE-2012-4550 JBoss JACC: Security constraints configured for EJBs are incorrectly interpreted and not applied
6. Package List:
JBoss Enterprise Application Platform 6 for RHEL 5 Server:
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hibernate4-validator-4.2.0-7.Final_redhat_2.1.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hornetq-2.2.23-1.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/hornetq-native-2.2.21-1.1.Final.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/httpcomponents-5-4_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/httpd-2.2.22-14.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/httpserver-1.0.1-3.Final_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/infinispan-5.1.8-1.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/ironjacamar-1.0.13-1.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jacorb-jboss-2.3.2-3.redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jandex-1.0.3-7.Final_redhat_2.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/javassist-eap6-3.15.0-5.GA_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jaxbintros-1.0.2-11.GA_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jaxen-1.1.3-8.redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jaxws-jboss-httpserver-httpspi-1.0.1-3.GA_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbosgi-deployment-1.1.0-2.Final_redhat_3.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbosgi-framework-core-1.3.1-3.CR1_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbosgi-metadata-2.1.0-2.Final_redhat_3.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbosgi-repository-1.2.0-2.Final_redhat_2.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbosgi-resolver-2.1.0-2.Final_redhat_3.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbosgi-spi-3.1.0-3.Final_redhat_3.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbosgi-vfs-1.1.0-2.Final_redhat_2.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-annotations-api_1.1_spec-1.0.1-3.2.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-appclient-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-cli-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-client-all-7.1.3-4.1.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-clustering-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-cmp-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-configadmin-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-connector-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-console-1.4.2-1.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-controller-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-controller-client-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-deployment-repository-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-deployment-scanner-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-domain-http-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-domain-management-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-ee-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-ee-deployment-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-ejb3-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-embedded-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-host-controller-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jacorb-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jaxr-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jaxrs-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jdr-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jmx-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jpa-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jsf-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-jsr77-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-logging-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-mail-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-management-client-content-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-messaging-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-modcluster-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-naming-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-network-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-osgi-configadmin-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-osgi-service-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-platform-mbean-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-pojo-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-process-controller-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-protocol-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-remoting-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-sar-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-security-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-server-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-threads-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-transactions-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-web-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-webservices-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-weld-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-as-xts-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-classfilewriter-1.0.3-2.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-common-beans-1.0.0-5.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-common-core-2.2.17-10.GA_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-connector-api_1.6_spec-1.0.1-3.3.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-dmr-1.1.1-8.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-ejb-api_3.1_spec-1.0.2-10.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-ejb-client-1.0.11-2.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-ejb3-ext-api-2.0.0-9.redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-el-api_2.2_spec-1.0.2-2.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-iiop-client-1.0.0-4.Final_redhat_2.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-interceptors-api_1.1_spec-1.0.1-4.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-invocation-1.1.1-5.Final_redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-j2eemgmt-api_1.1_spec-1.0.1-5.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jacc-api_1.4_spec-1.0.2-5.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jad-api_1.2_spec-1.0.1-6.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jaspi-api_1.0_spec-1.0.1-6.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jaxb-api_2.2_spec-1.0.4-3.Final_redhat_2.1.ep6.el5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jaxr-api_1.0_spec-1.0.2-4.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jaxrpc-api_1.1_spec-1.0.1-4.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jaxrs-api_1.1_spec-1.0.1-4.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jaxws-api_2.2_spec-2.0.1-5.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jms-api_1.1_spec-1.0.1-4.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jsf-api_2.1_spec-2.0.7-1.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jsp-api_2.2_spec-1.0.1-5.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-jstl-api_1.2_spec-1.0.3-3.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-logging-3.1.2-3.GA_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-logmanager-1.3.2-2.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-marshalling-1.3.15-2.GA_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-metadata-7.0.4-2.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-modules-1.1.3-2.GA_redhat_1.ep6.el5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-msc-1.0.2-3.GA_redhat_2.2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-osgi-logging-1.0.0-5._redhat_2.1.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remote-naming-1.0.4-2.Final_redhat_1.ep6.el5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remoting3-3.2.14-1.GA_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-remoting3-jmx-1.0.4-2.Final_redhat_1.ep6.el5.7.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-rmi-api_1.0_spec-1.0.4-9.2.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-saaj-api_1.3_spec-1.0.2-4_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-sasl-1.0.3-2.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-seam-int-6.0.0-8.GA_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-security-negotiation-2.2.1-2.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-security-xacml-2.0.8-5.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-servlet-api_2.5_spec-1.0.1-9.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-servlet-api_3.0_spec-1.0.1-11.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-specs-parent-1.0.0-5.Beta2_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-stdio-1.0.1-7.GA_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-threads-2.0.0-7.GA_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-transaction-api_1.1_spec-1.0.1-5.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-transaction-spi-7.0.0-0.10.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-vfs2-3.1.0-4.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-weld-1.1-api-1.1-6.Final_redhat_2.ep6.el5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jboss-xnio-base-3.0.7-1.GA_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-appclient-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-bundles-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-core-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-domain-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-javadocs-7.1.3-4.Final_redhat_3.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-modules-eap-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-product-eap-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-standalone-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossas-welcome-content-eap-7.1.3-4.Final_redhat_4.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossts-4.16.6-1.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossweb-7.0.17-1.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-api-1.0.0-3.GA_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-common-2.0.4-5.GA_redhat_3.ep6.el5.5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-common-tools-1.0.2-1.GA_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-cxf-4.0.6-2.GA_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-native-4.0.6-1.GA_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossws-spi-2.0.4-3.1.GA_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jbossxb2-2.0.3-13.GA_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jcip-annotations-1.0-2.2.3_redhat_2.ep6.el5.5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jdom-eap6-1.1.2-4.GA_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jettison-1.3.1-7_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jgroups-3.0.14-2.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jline-eap6-0.9.94-10.GA_redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/joda-time-1.6.2-5.redhat_3.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jtype-0.1.1-9_redhat_2.3.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/juddi-3.1.3-3_redhat_2.1.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jul-to-slf4j-stub-1.0.0-4.Final_redhat_2.1.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/jython-eap6-2.5.2-5.redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/log4j-eap6-1.2.16-11.redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/log4j-jboss-logmanager-1.0.1-3.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/mod_cluster-1.2.3-1.Final_redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/mod_cluster-native-1.2.3-3.Final.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/mod_jk-1.2.36-5.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/netty-3.2.6-2_redhat_2.2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/objectweb-asm-eap6-3.3.1-5_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/org.apache.felix.configadmin-1.2.8-4_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/org.apache.felix.log-1.0.0-5.redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/org.osgi-4.2.0-4.redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/picketbox-4.0.14-2.Final_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/picketbox-commons-1.0.0-0.8.final_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/picketlink-federation-2.1.3.1-3.redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/relaxngDatatype-2011.1-0.1_redhat_3.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/resteasy-2.3.4-4.Final_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/rngom-201103-0.5.redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/scannotation-1.0.2-8.redhat_2.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/shrinkwrap-1.0.0-16.redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/slf4j-eap6-1.6.1-23.redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/slf4j-jboss-logmanager-1.0.0-7.GA_redhat_2.3.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/snakeyaml-1.8-8.redhat_2.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/staxmapper-1.1.0-6.Final_redhat_2.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/stilts-0.1.26-6.GA.redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/sun-codemodel-2.6-3_redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/sun-istack-commons-2.6.1-9_redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/sun-saaj-1.3-impl-1.3.16-9.redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/sun-txw2-20110809-6_redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/sun-ws-metadata-2.0-api-1.0.MR1-12_MR1_redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/sun-xsom-20110809-5_redhat_3.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/tomcat-native-1.1.24-1.1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/velocity-eap6-1.6.3-7.redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/weld-cdi-1.0-api-1.0-6.SP4_redhat_2.ep6.el5.5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/weld-core-1.1.10-2.Final_redhat_1.ep6.el5.1.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/woodstox-core-4.1.1-1.redhat_2.ep6.el5.4.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/ws-commons-XmlSchema-2.0.2-7.redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/ws-commons-neethi-3.0.2-5.redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/ws-scout-1.2.6-3.redhat_2.2.ep6.el5.5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/wsdl4j-eap6-1.6.2-11.redhat_2.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/wss4j-1.6.7-1.redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/xalan-j2-eap6-2.7.1-6.12.redhat_3.ep6.el5.2.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/xerces-j2-eap6-2.9.1-13_redhat_3.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/xml-commons-resolver-eap6-1.2-10.redhat_2.ep6.el5.3.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/xml-security-1.5.2-2.redhat_1.ep6.el5.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/JBEAP/SRPMS/xom-1.2.7-1._redhat_3.1.ep6.el5.6.src.rpm
i386:
apache-commons-daemon-jsvc-eap6-1.0.10-3.ep6.el5.i386.rpm
apache-commons-daemon-jsvc-eap6-debuginfo-1.0.10-3.ep6.el5.i386.rpm
hornetq-native-2.2.21-1.1.Final.ep6.el5.i386.rpm
hornetq-native-debuginfo-2.2.21-1.1.Final.ep6.el5.i386.rpm
httpd-2.2.22-14.ep6.el5.i386.rpm
httpd-debuginfo-2.2.22-14.ep6.el5.i386.rpm
httpd-devel-2.2.22-14.ep6.el5.i386.rpm
httpd-tools-2.2.22-14.ep6.el5.i386.rpm
jbossas-hornetq-native-2.2.21-1.1.Final.ep6.el5.i386.rpm
jbossas-jbossweb-native-1.1.24-1.1.ep6.el5.i386.rpm
mod_cluster-native-1.2.3-3.Final.ep6.el5.i386.rpm
mod_cluster-native-debuginfo-1.2.3-3.Final.ep6.el5.i386.rpm
mod_jk-ap22-1.2.36-5.1.ep6.el5.i386.rpm
mod_jk-debuginfo-1.2.36-5.1.ep6.el5.i386.rpm
mod_ssl-2.2.22-14.ep6.el5.i386.rpm
tomcat-native-1.1.24-1.1.ep6.el5.i386.rpm
tomcat-native-debuginfo-1.1.24-1.1.ep6.el5.i386.rpm
noarch:
antlr-eap6-2.7.7-15_redhat_2.ep6.el5.noarch.rpm
apache-commons-beanutils-1.8.3-10.redhat_2.ep6.el5.noarch.rpm
apache-commons-cli-1.2-7.5.redhat_2.ep6.el5.4.noarch.rpm
apache-commons-codec-eap6-1.4-14.redhat_2.ep6.el5.1.noarch.rpm
apache-commons-collections-3.2.1-10.redhat_2.ep6.el5.noarch.rpm
apache-commons-collections-eap6-3.2.1-13.redhat_2.ep6.el5.1.noarch.rpm
apache-commons-configuration-1.6-7.2.redhat_2.ep6.el5.5.noarch.rpm
apache-commons-io-eap6-2.1-6.redhat_2.ep6.el5.1.noarch.rpm
apache-commons-lang-2.6-3.redhat_2.ep6.el5.noarch.rpm
apache-commons-lang-eap6-2.6-5redhat_2.ep6.el5.1.noarch.rpm
apache-commons-pool-eap6-1.5.6-8.redhat_2.ep6.el5.1.noarch.rpm
apache-cxf-2.4.9-4.redhat_2.ep6.el5.noarch.rpm
apache-cxf-xjc-utils-2.4.0-11.redhat_2.ep6.el5.4.noarch.rpm
apache-mime4j-0.6-7.redhat_2.ep6.el5.5.noarch.rpm
atinject-1-8.2_redhat_2.ep6.el5.5.noarch.rpm
cal10n-0.7.3-8.redhat_2.ep6.el5.5.noarch.rpm
codehaus-jackson-1.9.2-6_redhat_2.ep6.el5.5.noarch.rpm
codehaus-jackson-core-asl-1.9.2-6_redhat_2.ep6.el5.5.noarch.rpm
codehaus-jackson-jaxrs-1.9.2-6_redhat_2.ep6.el5.5.noarch.rpm
codehaus-jackson-mapper-asl-1.9.2-6_redhat_2.ep6.el5.5.noarch.rpm
codehaus-jackson-xc-1.9.2-6_redhat_2.ep6.el5.5.noarch.rpm
cxf-xjc-boolean-2.4.0-11.redhat_2.ep6.el5.4.noarch.rpm
cxf-xjc-dv-2.4.0-11.redhat_2.ep6.el5.4.noarch.rpm
cxf-xjc-ts-2.4.0-11.redhat_2.ep6.el5.4.noarch.rpm
dom4j-1.6.1-14_redhat_3.ep6.el5.noarch.rpm
glassfish-jaf-1.1.1-16.redhat_2.ep6.el5.noarch.rpm
glassfish-javamail-1.4.4-16.redhat_2.ep6.el5.noarch.rpm
glassfish-jaxb-2.2.5-10_redhat_3.ep6.el5.noarch.rpm
glassfish-jsf-2.1.13-1_redhat_1.ep6.el5.noarch.rpm
glassfish-jsf12-1.2_15-9_b01_redhat_2.ep6.el5.noarch.rpm
gnu-getopt-1.0.13-1.2_redhat_2.ep6.el5.5.noarch.rpm
guava-11.0.2-0.5.redhat_2.ep6.el5.6.noarch.rpm
h2database-1.3.168-2_redhat_1.ep6.el5.noarch.rpm
hibernate-beanvalidation-api-1.0.0-4.7.GA_redhat_2.ep6.el5.3.noarch.rpm
hibernate-jpa-2.0-api-1.0.1-5.Final_redhat_2.1.ep6.el5.4.noarch.rpm
hibernate3-commons-annotations-4.0.1-5.Final_redhat_2.1.ep6.el5.3.noarch.rpm
hibernate4-4.1.6-3.5.Final_redhat_2.ep6.el5.noarch.rpm
hibernate4-core-4.1.6-3.5.Final_redhat_2.ep6.el5.noarch.rpm
hibernate4-entitymanager-4.1.6-3.5.Final_redhat_2.ep6.el5.noarch.rpm
hibernate4-envers-4.1.6-3.5.Final_redhat_2.ep6.el5.noarch.rpm
hibernate4-infinispan-4.1.6-3.5.Final_redhat_2.ep6.el5.noarch.rpm
hibernate4-validator-4.2.0-7.Final_redhat_2.1.ep6.el5.4.noarch.rpm
hornetq-2.2.23-1.Final_redhat_1.ep6.el5.noarch.rpm
httpcomponents-httpclient-4.1.3-4_redhat_2.ep6.el5.noarch.rpm
httpcomponents-httpcore-4.1.4-4_redhat_2.ep6.el5.noarch.rpm
httpserver-1.0.1-3.Final_redhat_2.ep6.el5.3.noarch.rpm
infinispan-5.1.8-1.Final_redhat_1.ep6.el5.noarch.rpm
infinispan-cachestore-jdbc-5.1.8-1.Final_redhat_1.ep6.el5.noarch.rpm
infinispan-cachestore-remote-5.1.8-1.Final_redhat_1.ep6.el5.noarch.rpm
infinispan-client-hotrod-5.1.8-1.Final_redhat_1.ep6.el5.noarch.rpm
infinispan-core-5.1.8-1.Final_redhat_1.ep6.el5.noarch.rpm
ironjacamar-1.0.13-1.Final_redhat_1.ep6.el5.noarch.rpm
jacorb-jboss-2.3.2-3.redhat_2.ep6.el5.3.noarch.rpm
jandex-1.0.3-7.Final_redhat_2.ep6.el5.2.noarch.rpm
javassist-3.15.0-5.GA_redhat_2.ep6.el5.3.noarch.rpm
javassist-eap6-3.15.0-5.GA_redhat_2.ep6.el5.3.noarch.rpm
jaxbintros-1.0.2-11.GA_redhat_2.ep6.el5.3.noarch.rpm
jaxen-1.1.3-8.redhat_2.ep6.el5.4.noarch.rpm
jaxws-jboss-httpserver-httpspi-1.0.1-3.GA_redhat_2.ep6.el5.3.noarch.rpm
jbosgi-deployment-1.1.0-2.Final_redhat_3.ep6.el5.3.noarch.rpm
jbosgi-framework-core-1.3.1-3.CR1_redhat_1.ep6.el5.noarch.rpm
jbosgi-metadata-2.1.0-2.Final_redhat_3.ep6.el5.3.noarch.rpm
jbosgi-repository-1.2.0-2.Final_redhat_2.ep6.el5.2.noarch.rpm
jbosgi-resolver-2.1.0-2.Final_redhat_3.ep6.el5.3.noarch.rpm
jbosgi-spi-3.1.0-3.Final_redhat_3.ep6.el5.noarch.rpm
jbosgi-vfs-1.1.0-2.Final_redhat_2.ep6.el5.2.noarch.rpm
jboss-annotations-api_1.1_spec-1.0.1-3.2.Final_redhat_2.ep6.el5.noarch.rpm
jboss-as-appclient-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-cli-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-client-all-7.1.3-4.1.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-clustering-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-cmp-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-configadmin-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-connector-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-console-1.4.2-1.Final_redhat_1.ep6.el5.noarch.rpm
jboss-as-controller-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-controller-client-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-deployment-repository-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-deployment-scanner-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-domain-http-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-domain-management-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-ee-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-ee-deployment-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-ejb3-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-embedded-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-host-controller-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-jacorb-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-jaxr-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-jaxrs-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-jdr-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-jmx-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-jpa-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-jsf-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-jsr77-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-logging-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-mail-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-management-client-content-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-messaging-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-modcluster-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-naming-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-network-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-osgi-configadmin-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-osgi-service-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-platform-mbean-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-pojo-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-process-controller-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-protocol-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-remoting-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-sar-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-security-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-server-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-threads-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-transactions-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-web-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-webservices-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-weld-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-as-xts-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jboss-classfilewriter-1.0.3-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-common-beans-1.0.0-5.Final_redhat_2.ep6.el5.noarch.rpm
jboss-common-core-2.2.17-10.GA_redhat_2.ep6.el5.noarch.rpm
jboss-connector-api_1.6_spec-1.0.1-3.3.Final_redhat_2.ep6.el5.noarch.rpm
jboss-dmr-1.1.1-8.Final_redhat_2.ep6.el5.noarch.rpm
jboss-ejb-api_3.1_spec-1.0.2-10.Final_redhat_2.ep6.el5.noarch.rpm
jboss-ejb-client-1.0.11-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-ejb3-ext-api-2.0.0-9.redhat_2.ep6.el5.noarch.rpm
jboss-el-api_2.2_spec-1.0.2-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-iiop-client-1.0.0-4.Final_redhat_2.1.ep6.el5.noarch.rpm
jboss-interceptors-api_1.1_spec-1.0.1-4.Final_redhat_2.ep6.el5.noarch.rpm
jboss-invocation-1.1.1-5.Final_redhat_2.ep6.el5.4.noarch.rpm
jboss-j2eemgmt-api_1.1_spec-1.0.1-5.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jacc-api_1.4_spec-1.0.2-5.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jad-api_1.2_spec-1.0.1-6.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jaspi-api_1.0_spec-1.0.1-6.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jaxb-api_2.2_spec-1.0.4-3.Final_redhat_2.1.ep6.el5.1.noarch.rpm
jboss-jaxr-api_1.0_spec-1.0.2-4.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jaxrpc-api_1.1_spec-1.0.1-4.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jaxrs-api_1.1_spec-1.0.1-4.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jaxws-api_2.2_spec-2.0.1-5.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jms-api_1.1_spec-1.0.1-4.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jsf-api_2.1_spec-2.0.7-1.Final_redhat_1.ep6.el5.noarch.rpm
jboss-jsp-api_2.2_spec-1.0.1-5.Final_redhat_2.ep6.el5.noarch.rpm
jboss-jstl-api_1.2_spec-1.0.3-3.Final_redhat_2.ep6.el5.noarch.rpm
jboss-logging-3.1.2-3.GA_redhat_1.ep6.el5.noarch.rpm
jboss-logmanager-1.3.2-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-marshalling-1.3.15-2.GA_redhat_1.ep6.el5.noarch.rpm
jboss-metadata-7.0.4-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-metadata-appclient-7.0.4-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-metadata-common-7.0.4-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-metadata-ear-7.0.4-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-metadata-ejb-7.0.4-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-metadata-web-7.0.4-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-modules-1.1.3-2.GA_redhat_1.ep6.el5.1.noarch.rpm
jboss-msc-1.0.2-3.GA_redhat_2.2.ep6.el5.noarch.rpm
jboss-osgi-logging-1.0.0-5._redhat_2.1.ep6.el5.2.noarch.rpm
jboss-remote-naming-1.0.4-2.Final_redhat_1.ep6.el5.1.noarch.rpm
jboss-remoting3-3.2.14-1.GA_redhat_1.ep6.el5.noarch.rpm
jboss-remoting3-jmx-1.0.4-2.Final_redhat_1.ep6.el5.7.noarch.rpm
jboss-rmi-api_1.0_spec-1.0.4-9.2.Final_redhat_2.ep6.el5.noarch.rpm
jboss-saaj-api_1.3_spec-1.0.2-4_redhat_2.ep6.el5.noarch.rpm
jboss-sasl-1.0.3-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-seam-int-6.0.0-8.GA_redhat_2.ep6.el5.noarch.rpm
jboss-security-negotiation-2.2.1-2.Final_redhat_1.ep6.el5.noarch.rpm
jboss-security-xacml-2.0.8-5.Final_redhat_2.ep6.el5.noarch.rpm
jboss-servlet-api_2.5_spec-1.0.1-9.Final_redhat_2.ep6.el5.noarch.rpm
jboss-servlet-api_3.0_spec-1.0.1-11.Final_redhat_2.ep6.el5.noarch.rpm
jboss-specs-parent-1.0.0-5.Beta2_redhat_2.ep6.el5.noarch.rpm
jboss-stdio-1.0.1-7.GA_redhat_2.ep6.el5.noarch.rpm
jboss-threads-2.0.0-7.GA_redhat_2.ep6.el5.noarch.rpm
jboss-transaction-api_1.1_spec-1.0.1-5.Final_redhat_2.ep6.el5.noarch.rpm
jboss-transaction-spi-7.0.0-0.10.Final_redhat_2.ep6.el5.noarch.rpm
jboss-vfs2-3.1.0-4.Final_redhat_2.ep6.el5.noarch.rpm
jboss-weld-1.1-api-1.1-6.Final_redhat_2.ep6.el5.1.noarch.rpm
jboss-xnio-base-3.0.7-1.GA_redhat_1.ep6.el5.noarch.rpm
jbossas-appclient-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jbossas-bundles-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jbossas-core-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jbossas-domain-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jbossas-javadocs-7.1.3-4.Final_redhat_3.ep6.el5.noarch.rpm
jbossas-modules-eap-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jbossas-product-eap-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jbossas-standalone-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jbossas-welcome-content-eap-7.1.3-4.Final_redhat_4.ep6.el5.noarch.rpm
jbossts-4.16.6-1.Final_redhat_1.ep6.el5.noarch.rpm
jbossweb-7.0.17-1.Final_redhat_1.ep6.el5.noarch.rpm
jbossweb-lib-7.0.17-1.Final_redhat_1.ep6.el5.noarch.rpm
jbossws-api-1.0.0-3.GA_redhat_2.ep6.el5.3.noarch.rpm
jbossws-common-2.0.4-5.GA_redhat_3.ep6.el5.5.noarch.rpm
jbossws-common-tools-1.0.2-1.GA_redhat_1.ep6.el5.noarch.rpm
jbossws-cxf-4.0.6-2.GA_redhat_2.ep6.el5.noarch.rpm
jbossws-native-4.0.6-1.GA_redhat_1.ep6.el5.noarch.rpm
jbossws-spi-2.0.4-3.1.GA_redhat_1.ep6.el5.noarch.rpm
jbossxb2-2.0.3-13.GA_redhat_2.ep6.el5.3.noarch.rpm
jcip-annotations-1.0-2.2.3_redhat_2.ep6.el5.5.noarch.rpm
jdom-eap6-1.1.2-4.GA_redhat_2.ep6.el5.noarch.rpm
jettison-1.3.1-7_redhat_2.ep6.el5.noarch.rpm
jgroups-3.0.14-2.Final_redhat_1.ep6.el5.noarch.rpm
jline-eap6-0.9.94-10.GA_redhat_2.ep6.el5.4.noarch.rpm
joda-time-1.6.2-5.redhat_3.ep6.el5.4.noarch.rpm
jtype-0.1.1-9_redhat_2.3.ep6.el5.4.noarch.rpm
juddi-3.1.3-3_redhat_2.1.ep6.el5.3.noarch.rpm
jul-to-slf4j-stub-1.0.0-4.Final_redhat_2.1.ep6.el5.2.noarch.rpm
jython-eap6-2.5.2-5.redhat_2.ep6.el5.4.noarch.rpm
log4j-eap6-1.2.16-11.redhat_2.ep6.el5.4.noarch.rpm
log4j-jboss-logmanager-1.0.1-3.Final_redhat_2.ep6.el5.noarch.rpm
mod_cluster-1.2.3-1.Final_redhat_1.ep6.el5.noarch.rpm
mod_cluster-demo-1.2.3-1.Final_redhat_1.ep6.el5.noarch.rpm
netty-3.2.6-2_redhat_2.2.ep6.el5.4.noarch.rpm
objectweb-asm-eap6-3.3.1-5_redhat_2.ep6.el5.3.noarch.rpm
org.apache.felix.configadmin-1.2.8-4_redhat_2.ep6.el5.noarch.rpm
org.apache.felix.log-1.0.0-5.redhat_2.ep6.el5.noarch.rpm
org.osgi.core-4.2.0-4.redhat_2.ep6.el5.3.noarch.rpm
org.osgi.enterprise-4.2.0-4.redhat_2.ep6.el5.3.noarch.rpm
picketbox-4.0.14-2.Final_redhat_2.ep6.el5.noarch.rpm
picketbox-commons-1.0.0-0.8.final_redhat_2.ep6.el5.3.noarch.rpm
picketlink-federation-2.1.3.1-3.redhat_1.ep6.el5.noarch.rpm
relaxngDatatype-2011.1-0.1_redhat_3.ep6.el5.4.noarch.rpm
resteasy-2.3.4-4.Final_redhat_2.ep6.el5.3.noarch.rpm
rngom-201103-0.5.redhat_2.ep6.el5.4.noarch.rpm
scannotation-1.0.2-8.redhat_2.ep6.el5.2.noarch.rpm
shrinkwrap-1.0.0-16.redhat_2.ep6.el5.noarch.rpm
slf4j-1.6.1-23.redhat_2.ep6.el5.noarch.rpm
slf4j-eap6-1.6.1-23.redhat_2.ep6.el5.noarch.rpm
slf4j-jboss-logmanager-1.0.0-7.GA_redhat_2.3.ep6.el5.2.noarch.rpm
snakeyaml-1.8-8.redhat_2.ep6.el5.2.noarch.rpm
staxmapper-1.1.0-6.Final_redhat_2.ep6.el5.2.noarch.rpm
stilts-0.1.26-6.GA.redhat_2.ep6.el5.4.noarch.rpm
sun-codemodel-2.6-3_redhat_2.ep6.el5.3.noarch.rpm
sun-istack-commons-2.6.1-9_redhat_2.ep6.el5.noarch.rpm
sun-saaj-1.3-impl-1.3.16-9.redhat_2.ep6.el5.3.noarch.rpm
sun-txw2-20110809-6_redhat_2.ep6.el5.4.noarch.rpm
sun-ws-metadata-2.0-api-1.0.MR1-12_MR1_redhat_2.ep6.el5.4.noarch.rpm
sun-xsom-20110809-5_redhat_3.ep6.el5.3.noarch.rpm
velocity-eap6-1.6.3-7.redhat_2.ep6.el5.4.noarch.rpm
weld-cdi-1.0-api-1.0-6.SP4_redhat_2.ep6.el5.5.noarch.rpm
weld-core-1.1.10-2.Final_redhat_1.ep6.el5.1.noarch.rpm
woodstox-core-4.1.1-1.redhat_2.ep6.el5.4.noarch.rpm
woodstox-stax2-api-3.1.1-1.redhat_2.ep6.el5.4.noarch.rpm
ws-commons-XmlSchema-2.0.2-7.redhat_2.ep6.el5.noarch.rpm
ws-commons-neethi-3.0.2-5.redhat_2.ep6.el5.noarch.rpm
ws-scout-1.2.6-3.redhat_2.2.ep6.el5.5.noarch.rpm
wsdl4j-eap6-1.6.2-11.redhat_2.ep6.el5.noarch.rpm
wss4j-1.6.7-1.redhat_1.ep6.el5.noarch.rpm
xalan-j2-eap6-2.7.1-6.12.redhat_3.ep6.el5.2.noarch.rpm
xerces-j2-eap6-2.9.1-13_redhat_3.ep6.el5.noarch.rpm
xml-commons-resolver-eap6-1.2-10.redhat_2.ep6.el5.3.noarch.rpm
xml-security-1.5.2-2.redhat_1.ep6.el5.noarch.rpm
xom-1.2.7-1._redhat_3.1.ep6.el5.6.noarch.rpm
x86_64:
apache-commons-daemon-jsvc-eap6-1.0.10-3.ep6.el5.x86_64.rpm
apache-commons-daemon-jsvc-eap6-debuginfo-1.0.10-3.ep6.el5.x86_64.rpm
hornetq-native-2.2.21-1.1.Final.ep6.el5.x86_64.rpm
hornetq-native-debuginfo-2.2.21-1.1.Final.ep6.el5.x86_64.rpm
httpd-2.2.22-14.ep6.el5.x86_64.rpm
httpd-debuginfo-2.2.22-14.ep6.el5.x86_64.rpm
httpd-devel-2.2.22-14.ep6.el5.x86_64.rpm
httpd-tools-2.2.22-14.ep6.el5.x86_64.rpm
jbossas-hornetq-native-2.2.21-1.1.Final.ep6.el5.x86_64.rpm
jbossas-jbossweb-native-1.1.24-1.1.ep6.el5.x86_64.rpm
mod_cluster-native-1.2.3-3.Final.ep6.el5.x86_64.rpm
mod_cluster-native-debuginfo-1.2.3-3.Final.ep6.el5.x86_64.rpm
mod_jk-ap22-1.2.36-5.1.ep6.el5.x86_64.rpm
mod_jk-debuginfo-1.2.36-5.1.ep6.el5.x86_64.rpm
mod_ssl-2.2.22-14.ep6.el5.x86_64.rpm
tomcat-native-1.1.24-1.1.ep6.el5.x86_64.rpm
tomcat-native-debuginfo-1.1.24-1.1.ep6.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2008-0455.html
https://www.redhat.com/security/data/cve/CVE-2012-2378.html
https://www.redhat.com/security/data/cve/CVE-2012-2379.html
https://www.redhat.com/security/data/cve/CVE-2012-2672.html
https://www.redhat.com/security/data/cve/CVE-2012-2687.html
https://www.redhat.com/security/data/cve/CVE-2012-3428.html
https://www.redhat.com/security/data/cve/CVE-2012-3451.html
https://www.redhat.com/security/data/cve/CVE-2012-4549.html
https://www.redhat.com/security/data/cve/CVE-2012-4550.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/knowledge/docs/
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFQ0PMhXlSAg2UNWIIRAp05AKCWRRYzxM2i+qiJODxVxTCoU/+6rwCgoUE/
kVcDKtPihXQ9GN8L9YNBtJw=
=SCsw
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
(CVE-2012-4549)
The apachectl script set an insecure library search path. Running apachectl
in an attacker-controlled directory containing a malicious library file
could cause arbitrary code execution with the privileges of the user
running the apachectl script (typically the root user).
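The apachectl finding above is one instance of a general shell-script mistake. The following POSIX sh script is an added example, not apachectl's code and not from any of the advisories on this page: it shows how carelessly extending LD_LIBRARY_PATH produces an empty element that the dynamic loader treats as the current working directory, and a check that flags such search paths. The directory /opt/app/lib, the extension pattern and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not apachectl's code and not from any vendor advisory on
# this page. Shows the search-path mistake behind "insecure library search
# path" findings and a check for it. /opt/app/lib and the extension pattern
# are assumptions made for illustration.
#
# ld.so treats an EMPTY element of LD_LIBRARY_PATH (a leading or trailing
# ':' or a '::') as the current working directory, and resolves relative
# elements against it as well. A root-run control script that starts a
# daemon with such a path therefore loads whatever shared object of the
# right name sits in the directory the script was started from.

# Unsafe: extends the variable without checking whether it was set. With
# LD_LIBRARY_PATH unset the result begins with ':' -> current directory.
unsafe_extend() {
    printf '%s' "$1:/opt/app/lib"
}

# Safe: add the separator only when there is an existing value to separate.
safe_extend() {
    printf '%s' "${1:+$1:}/opt/app/lib"
}

# Report every element of a colon-separated search path that is unsafe:
# empty, or not an absolute path. Returns 0 for a clean path, 1 otherwise.
# An entirely empty value is fine: ld.so then adds no directories at all.
check_ld_path() {
    [ -z "$1" ] && return 0
    bad=0
    rest="$1:"                      # terminate the last element too
    while [ -n "$rest" ]; do
        elem=${rest%%:*}
        rest=${rest#*:}
        case $elem in
            "") echo "insecure: empty element (current directory)"; bad=1 ;;
            /*) ;;                  # absolute path: acceptable
            *)  echo "insecure: relative element '$elem'"; bad=1 ;;
        esac
    done
    return $bad
}

# Demonstration with constructed values. Run as:  sh ldpath_check.sh
for candidate in "$(unsafe_extend '')" "$(safe_extend '')" "lib:/usr/lib"; do
    if check_ld_path "$candidate"; then
        echo "clean:    '$candidate'"
    else
        echo "rejected: '$candidate'"
    fi
done
```

The same check can be pointed at a real wrapper by running it with `sh -x` and feeding the value it exports to `check_ld_path`; any empty or relative element is a library-hijack opportunity for whoever controls the directory the script is started in.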
The References section of this erratum contains a download link (you must
log in to download the update).
Possible XSS for sites which use mod_negotiation and allow untrusted
uploads to locations which have MultiViews enabled (CVE-2012-2687).
The verification of md5 checksums and GPG signatures is performed
automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
(0x22458A98 is a short 32-bit key ID, which is not collision resistant;
compare the fetched key's full fingerprint against a copy obtained out of
band before trusting it.)
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFQZWg/mqjQ0CJFipgRAnH7AKCE8P/B3z8Z7c0AKEsKH8YuK/wenACgov5R
nQTUKFMMk3mSevCSc4j5hLk=
=XvNR
-----END PGP SIGNATURE-----
============================================================================
Ubuntu Security Notice USN-1627-1
November 08, 2012
apache2 vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS
Summary:
Several security issues were fixed in the Apache HTTP server. One is a
cross-site scripting vulnerability: if a user were tricked into viewing
server output during a crafted server request, a remote attacker could
exploit this to modify the contents, or steal confidential data (such as
passwords), within the same domain. A separate issue is that SSL data
compression can be exploited to recover plaintext from encrypted
connections. Although this issue had been mitigated on the client with
newer web browsers, this update also disables SSL data compression on the
server. A new SSLCompression directive for Apache has been backported that
may be used to re-enable SSL data compression in certain environments. For
more information, please refer to:
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcompression
(CVE-2012-4929)
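The following POSIX sh audit is an added example, not from Apache, Ubuntu, Mandriva or Red Hat. It serves two passages on this page: the Mandriva note that mod_negotiation with MultiViews on an untrusted-upload directory is an XSS exposure, and the SSLCompression directive described here, which re-enables the compression the updated packages turn off. It reports both settings from an httpd configuration and writes a hardened copy. The sample httpd.conf, its directory paths and the function names are constructed for the demonstration; the "off unless re-enabled" default assumes the updated packages.

```shell
#!/bin/sh
# Added example, not from Apache, Ubuntu, Mandriva or Red Hat: audit an
# httpd configuration for MultiViews on upload directories (mod_negotiation
# XSS context) and an explicit "SSLCompression on" (TLS compression
# context). The sample configuration below is constructed.

# Strip comments and surrounding whitespace, drop empty lines.
normalize_conf() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Print each <Directory> whose Options line turns MultiViews on. "Options
# All" does not include MultiViews, so only the explicit token (with or
# without a leading '+') counts.
multiviews_dirs() {
    normalize_conf "$1" | awk '
        tolower($1) == "<directory" {
            dir = $2; sub(/>$/, "", dir); gsub(/"/, "", dir); next
        }
        tolower($1) == "</directory>" { dir = ""; next }
        tolower($1) == "options" && dir != "" {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "multiviews" || o == "+multiviews") { print dir; break }
            }
        }'
}

# Print the effective SSLCompression state. Assumes the updated packages,
# where compression is off unless a directive turns it on; as with other
# server-wide directives, the last occurrence wins.
ssl_compression_state() {
    normalize_conf "$1" | awk '
        BEGIN { state = "off" }
        tolower($1) == "sslcompression" { state = tolower($2) }
        END { print state }'
}

# Write a hardened copy to stdout: remove MultiViews from every Options line
# (an absolute token is dropped; "+MultiViews" becomes "-MultiViews", because
# httpd rejects mixing absolute and +/- tokens) and force SSLCompression off.
harden_conf() {
    awk '
        tolower($1) == "options" {
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
            line = $1
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "multiviews") continue
                if (o == "+multiviews") $i = "-MultiViews"
                line = line " " $i
            }
            if (line == $1) line = line " None"   # Options needs an argument
            print indent line; next
        }
        tolower($1) == "sslcompression" { print "SSLCompression off"; next }
        { print }' "$1"
}

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$HARDENED_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
# Upload area: negotiation over user-supplied file names
<Directory "/var/www/uploads">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options -MultiViews +FollowSymLinks
</Directory>
SSLEngine on
# re-enables the compression that the updated packages disabled
SSLCompression on
EOF
harden_conf "$SAMPLE_CONF" >"$HARDENED_CONF"

echo "MultiViews directories: $(multiviews_dirs "$SAMPLE_CONF")"
echo "SSLCompression before:  $(ssl_compression_state "$SAMPLE_CONF")"
echo "SSLCompression after:   $(ssl_compression_state "$HARDENED_CONF")"
```

Point `multiviews_dirs` and `ssl_compression_state` at the real configuration (and any files it includes) to see what a server actually runs with; the hardened copy is a starting point to review, not something to drop in blindly, since removing MultiViews also changes how existing content is served.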
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
apache2.2-common 2.2.22-6ubuntu2.1
Ubuntu 12.04 LTS:
apache2.2-common 2.2.22-1ubuntu1.2
Ubuntu 11.10:
apache2.2-common 2.2.20-1ubuntu1.3
Ubuntu 10.04 LTS:
apache2.2-common 2.2.14-5ubuntu8.10
Ubuntu 8.04 LTS:
apache2.2-common 2.2.8-1ubuntu0.24
In general, a standard system update will make all the necessary changes