VARIoT IoT vulnerabilities database

The Presence Engine (PE) service in Cisco Unified Presence 6.x before 6.0(7) and 7.x before 7.0(8) does not properly handle an erroneous Contact field in the header of a SIP SUBSCRIBE message, which allows remote attackers to cause a denial of service (process failure) via a malformed message, aka Bug ID CSCtd39629. Cisco Unified Presence is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a disruption in presence services, denying service to legitimate users. This issue is being tracked by Cisco BugID CSCtd39629. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities Advisory ID: cisco-sa-20100825-cup Revision 1.0 For Public Release 2010 August 25 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco Unified Presence contains two denial of service (DoS) vulnerabilities that affect the processing of Session Initiation Protocol (SIP) messages. Cisco has released free software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100825-cup.shtml Affected Products ================= Vulnerable Products +------------------ The following products are affected: * Cisco Unified Presence 6.0 versions prior to 6.0(7) * Cisco Unified Presence 7.0 versions prior to 7.0(8) Note: Cisco Unified Presence version 8.0(1) shipped with software fixes for all the vulnerabilities described in this advisory. The software version can be determined by running the command "show version active" using the command line interface (CLI). Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Presence contains two DoS vulnerabilities that involve the processing of SIP messages. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and 5061) are affected. The first SIP DoS vulnerability is documented in Cisco bug ID CSCtd14474 and has been assigned the CVE identifier CVE-2010-2839. The second SIP DoS vulnerability is documented in Cisco bug ID CSCtd39629 and has been assigned the CVE identifier CVE-2010-2840. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtd14474 - SIPD Coredumps due to Possible Stack Corruption During Fuzzing CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd39629 - PE Coredump On Subscribe Message with Contact Field Error CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities may result in the interruption of presence services. Cisco Unified Presence will restart the affected processes, but repeated attacks may result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It is possible to mitigate these vulnerabilities by implementing filtering on screening devices and permitting access to TCP ports 5060 and 5061 and to UDP ports 5060 and 5061 only from networks that require SIP access to Cisco Unified Communications Manager servers. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100825-cucm-cup.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. All vulnerabilities described in this advisory were discovered as a result of internal testing conducted by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100825-cup.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-25 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMdTQQ86n/Gc8U/uARApXmAJ9y90DCyAqXTXRM2tutg4b7i2Xl9gCfe+pa +dZWj+EDOmZ+50IcJlI1q58= =H2k/ -----END PGP SIGNATURE-----

SIPD in Cisco Unified Presence 6.x before 6.0(7) and 7.x before 7.0(8) allows remote attackers to cause a denial of service (stack memory corruption and process failure) via a malformed SIP message, aka Bug ID CSCtd14474. Cisco Unified Presence is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause an interrupt in presence services, denying service to legitimate users. This issue is being tracked by Cisco BugID CSCtd14474. Cisco has released free software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100825-cup.shtml Affected Products ================= Vulnerable Products +------------------ The following products are affected: * Cisco Unified Presence 6.0 versions prior to 6.0(7) * Cisco Unified Presence 7.0 versions prior to 7.0(8) Note: Cisco Unified Presence version 8.0(1) shipped with software fixes for all the vulnerabilities described in this advisory. The software version can be determined by running the command "show version active" using the command line interface (CLI). Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Presence contains two DoS vulnerabilities that involve the processing of SIP messages. All SIP ports (TCP ports 5060 and 5061, UDP ports 5060 and 5061) are affected. The first SIP DoS vulnerability is documented in Cisco bug ID CSCtd14474 and has been assigned the CVE identifier CVE-2010-2839. The second SIP DoS vulnerability is documented in Cisco bug ID CSCtd39629 and has been assigned the CVE identifier CVE-2010-2840. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtd14474 - SIPD Coredumps due to Possible Stack Corruption During Fuzzing CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd39629 - PE Coredump On Subscribe Message with Contact Field Error CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of any of the vulnerabilities may result in the interruption of presence services. Cisco Unified Presence will restart the affected processes, but repeated attacks may result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. It is possible to mitigate these vulnerabilities by implementing filtering on screening devices and permitting access to TCP ports 5060 and 5061 and to UDP ports 5060 and 5061 only from networks that require SIP access to Cisco Unified Communications Manager servers. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100825-cucm-cup.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. All vulnerabilities described in this advisory were discovered as a result of internal testing conducted by Cisco. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100825-cup.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-August-25 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMdTQQ86n/Gc8U/uARApXmAJ9y90DCyAqXTXRM2tutg4b7i2Xl9gCfe+pa +dZWj+EDOmZ+50IcJlI1q58= =H2k/ -----END PGP SIGNATURE-----

The extSetOwner function in the UfProxyBrowserCtrl ActiveX control (UfPBCtrl.dll) in Trend Micro Internet Security Pro 2010 allows remote attackers to execute arbitrary code via an invalid address that is dereferenced as a pointer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the UfPBCtrl.dll ActiveX control. The extSetOwner function accepts a parameter and assumes it is an initialized pointer. By specifying an invalid address, an attacker can force the process to call into a controlled memory region. This can be exploited to execute remote code under the context of the user invoking the browser. An attacker can exploit this issue by enticing an unsuspecting user to view a malicious webpage. ---------------------------------------------------------------------- List of products vulnerable to insecure library loading vulnerabilities: http://secunia.com/_%22insecure%20library%20loading%22 The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: Trend Micro Internet Security Pro 2010 ActiveX Control Vulnerability SECUNIA ADVISORY ID: SA41140 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41140/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41140 RELEASE DATE: 2010-08-27 DISCUSS ADVISORY: http://secunia.com/advisories/41140/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41140/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41140 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Trend Micro Internet Security Pro 2010, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the "extSetOwner()" method of the UfProxyBrowserCtrl ActiveX control (UfPBCtrl.dll) not validating the value passed via the "varOwner" argument and using it as a pointer. Successful exploitation may allow execution of arbitrary code. SOLUTION: Apply hotfix (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Andrea Micalizzi aka rgod, reported via ZDI. ORIGINAL ADVISORY: ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-165/ Trend Micro: http://esupport.trendmicro.com/pages/Hot-Fix-UfPBCtrldll-is-vulnerable-to-remote-attackers.aspx OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -- Vendor Response: Trend Micro has issued an update to correct this vulnerability. More details can be found at: http://esupport.trendmicro.com/pages/Hot-Fix-UfPBCtrldll-is-vulnerable-to-remote-attackers.aspx -- Disclosure Timeline: 2010-07-20 - Vulnerability reported to vendor 2010-08-25 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

The IPv6 Unicast Reverse Path Forwarding (RPF) implementation on the SEIL/X1, SEIL/X2, and SEIL/B1 routers with firmware 1.00 through 2.73, when strict mode is used, does not properly drop packets, which might allow remote attackers to bypass intended access restrictions via a spoofed IP address. SEIL/X Series and SEIL/B1 are routers. Only IPv6 Unicast RPF in strict mode is vulnerable. According to the developer, IPv6 Unicast RPF in loose mode and IPv4 Unicast RPF are not affected by this vulnerability.Packets that should be discarded, such as when an IP address is spoofed, may be transferred without being discarded. Seil/x2 Firmware is prone to a security bypass vulnerability. ---------------------------------------------------------------------- Secunia receives 'Frost & Sullivan's Global 2010 Customer Value Enhancement Award Secunia outshines its competitors and receives the Frost & Sullivan’s Global 2010 Customer Value Enhancement Award. Based on its recent analysis of the vulnerability research market, Frost & Sullivan concluded: "Secunia provides tremendous value for their customers, end-users, and to other security vendors." Read more: http://secunia.com/blog/117/ ---------------------------------------------------------------------- TITLE: SEIL Routers IPv6 Unicast RPF Spoofing Vulnerability SECUNIA ADVISORY ID: SA41088 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41088/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41088 RELEASE DATE: 2010-08-26 DISCUSS ADVISORY: http://secunia.com/advisories/41088/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41088/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41088 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in SEIL routers, which can be exploited by malicious people to conduct spoofing attacks. The vulnerability is reported in the following products: * SEIL/X1 firmware version 1.00 through 2.73 * SEIL/X2 firmware version 1.00 through 2.73 * SEIL/B1 firmware version 1.00 through 2.73 SOLUTION: Upgrade to firmware version 2.74. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: SEIL: http://www.seil.jp/seilseries/security/2010/a00875.php OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; Visual C++ 2005 SP1, 2008 SP1, and 2010; and Exchange Server 2010 Service Pack 3, 2013, and 2013 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability.". Some applications for Microsoft Windows may use unsafe methods for determining how to load DLLs. As a result, these applications can be forced to load a DLL from an attacker-controlled source rather than a trusted location. dwmapi.dll It may be possible to get permission through the file. Windows Program DLL There is an attackable vulnerability in reading. Dynamic link Library (DLL) Is a software component that is loaded at run time, not at program compile time. The program is LoadLibrary() And LoadLibraryEx() Using DLL Is read. Read DLL If no path is specified, specific directories are searched in order and found first. DLL Is loaded. Since this directory group includes the current directory of the process, the directory that can be operated by the attacker is set as the current directory. LoadLibrary() If is called, attack code may be executed. This issue can occur when browsing files located in directories that an attacker can manipulate. Read DLL The name depends on the program. DLL Read Windows The entire program may be affected. " Opera Software "and" Adobe Vulnerability information on " : Mitsui Bussan Secure Direction Co., Ltd. Takashi Yoshikawa MrA remote attacker could execute arbitrary code with the authority to execute the program. Attacker crafted DLL The USB Placing it on a drive or network drive may cause an attack. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. Microsoft ATL/MFC Trace Tool build 10.0.30319.1 is vulnerable; other versions may also be affected. Microsoft Visual Studio is a series of development tool suite products of Microsoft (Microsoft), and it is also a basically complete set of development tools. It includes most of the tools needed throughout the software lifecycle. A remote attacker could exploit this vulnerability to take complete control of an affected system and subsequently install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured with fewer system user rights are less affected than users with administrative user rights. ---------------------------------------------------------------------- Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei. Read more: http://conference.first.org/ ---------------------------------------------------------------------- TITLE: Attachmate Reflection for Secure IT Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44906 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44906/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44906 RELEASE DATE: 2011-06-10 DISCUSS ADVISORY: http://secunia.com/advisories/44906/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44906/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44906 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Attachmate has acknowledged multiple vulnerabilities in Reflection for Secure IT, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a user's system. For more information: SA36093 (vulnerability #2) SA44905 The vulnerabilities are reported in version 7.2 prior to SP1 in the following components: * Reflection for Secure IT Windows Server. * Reflection for Secure IT UNIX Client. * Reflection for Secure IT UNIX Server. SOLUTION: Update to version 7.2 SP1. ORIGINAL ADVISORY: Attachmate: http://support.attachmate.com/techdocs/2560.html http://support.attachmate.com/techdocs/2564.html http://support.attachmate.com/techdocs/2565.html http://support.attachmate.com/techdocs/2566.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2015-09-16-3 iTunes 12.3 iTunes 12.3 is now available and addresses the following: iTunes Available for: Windows 7 and later Impact: Applications that use CoreText may be vulnerable to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in the processing of text files. These issues were addressed through improved memory handling. CVE-ID CVE-2015-1157 : Apple CVE-2015-3686 : John Villamil (@day6reak), Yahoo Pentest Team CVE-2015-3687 : John Villamil (@day6reak), Yahoo Pentest Team CVE-2015-3688 : John Villamil (@day6reak), Yahoo Pentest Team CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team CVE-2015-5874 : John Villamil (@day6reak), Yahoo Pentest Team iTunes Available for: Windows 7 and later Impact: Applications that use ICU may be vulnerable to unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in the processing of unicode strings. These issues were addressed by updating ICU to version 55. CVE-ID CVE-2014-8146 CVE-2015-1205 iTunes Available for: Windows 7 and later Impact: Opening a media file may lead to arbitrary code execution Description: A security issue existed in Microsoft Foundation Class's handling of library loading. This issue was addressed by updating to the latest version of the Microsoft Visual C++ Redistributable Package. CVE-ID CVE-2010-3190 : Stefan Kanthak iTunes Available for: Windows 7 and later Impact: A man-in-the-middle attack while browsing the iTunes Store via iTunes may result in unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling. CVE-ID CVE-2015-1152 : Apple CVE-2015-1153 : Apple CVE-2015-3730 : Apple CVE-2015-3731 : Apple CVE-2015-3733 : Apple CVE-2015-3734 : Apple CVE-2015-3735 : Apple CVE-2015-3736 : Apple CVE-2015-3737 : Apple CVE-2015-3738 : Apple CVE-2015-3739 : Apple CVE-2015-3740 : Apple CVE-2015-3741 : Apple CVE-2015-3742 : Apple CVE-2015-3743 : Apple CVE-2015-3744 : Apple CVE-2015-3745 : Apple CVE-2015-3746 : Apple CVE-2015-3747 : Apple CVE-2015-3748 : Apple CVE-2015-3749 : Apple CVE-2015-5789 : Apple CVE-2015-5790 : Apple CVE-2015-5791 : Apple CVE-2015-5792 : Apple CVE-2015-5793 : Apple CVE-2015-5794 : Apple CVE-2015-5795 : Apple CVE-2015-5796 : Apple CVE-2015-5797 : Apple CVE-2015-5798 : Apple CVE-2015-5799 : Apple CVE-2015-5800 : Apple CVE-2015-5801 : Apple CVE-2015-5802 : Apple CVE-2015-5803 : Apple CVE-2015-5804 : Apple CVE-2015-5805 CVE-2015-5806 : Apple CVE-2015-5807 : Apple CVE-2015-5808 : Joe Vennix CVE-2015-5809 : Apple CVE-2015-5810 : Apple CVE-2015-5811 : Apple CVE-2015-5812 : Apple CVE-2015-5813 : Apple CVE-2015-5814 : Apple CVE-2015-5815 : Apple CVE-2015-5816 : Apple CVE-2015-5817 : Apple CVE-2015-5818 : Apple CVE-2015-5819 : Apple CVE-2015-5821 : Apple CVE-2015-5822 : Mark S. Miller of Google CVE-2015-5823 : Apple Software Update Impact: An attacker in a privileged network position may be able to obtain encrypted SMB credentials Description: A redirection issue existed in the handling of certain network connections. This issue was addressed through improved resource validation. CVE-ID CVE-2015-5920 : Cylance iTunes 12.3 may be obtained from: http://www.apple.com/itunes/download/ You may also update to the latest version of iTunes via Apple Software Update, which can be found in the Start menu. Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJV+axbAAoJEBcWfLTuOo7tLSYP/1NCYHZeWYxqLnLgHgCcNRF/ iqZ7hq9UgxomXxoDVknvvWc61Z+UW6VIgGzEfzSlO9APIGC7ia1tdKl66oMEYSal aGt5AJc9c55RuuvgF/IxgICRsuXjHsAmlQb5FPqwe2gSJYxggCfhObdQ/ShbP2kp mV8sYiJJiKkYZqFDH17fvtAWV3GZ7CtXfneWDHlerJunbuUzWLpjWcYwbaiD/1C2 5CTohgHbTMtG2MGRacFXeYAXFhbnr6mXcxy+7Zee3B6x33/ypA/Q+KaIxPv4bssr 7XXzYin8bdMHlW6MWuCmyzJd2P/4opKvzNeyoZb1BM02k0Fb7SWDMwFA9UVovsX5 yCNKn0rg1nMhbXLjpob7G0GYfHNeGOy5PqKu3PXF++R4H5kGr9v2CZH+8dIU5+J7 LFyDSBZ4vlMsCYTRfI1PEUM6w3d+whrBl9vagVeJZG5gkSrZXftALjZsQXUhgqZH mKDcSj/leCTbbbHMPq/NngQuUXzVRe+SJwVtSJEfQSg2yGCdBGTsjqftcOeDgVUL vHR0KkZ4lVx5Aq48XFfXXvn5d3g+kP5pTeVbGdWFmf7XNDp3Vap5ATlTF5UF4EKt jHPGMzWZwvEkdzDryynsTzrMR3TjTb7dDtXH6LEoKfOwIyxnH6+g8K1DbgdXgiJo dL48EUi+MBq820BzP1fp =cz5N -----END PGP SIGNATURE-----

Off-by-one error in the Ins_MINDEX function in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document that trigger an integer overflow and a heap-based buffer overflow. Ghostscript of TrueType bytecode interpreter Vulnerabilities exist. Ghostscript is a program for displaying PostScript files or printing files to non-PostScript printers. An attacker can exploit this issue to execute arbitrary code. Failed exploit attempts will likely cause denial-of-service conditions. Versions prior to Ghostscript 8.71 are vulnerable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201412-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: GPL Ghostscript: Multiple vulnerabilities Date: December 13, 2014 Bugs: #264594, #300192, #332061, #437654 ID: 201412-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in GPL Ghostscript, the worst of which may allow execution of arbitrary code. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-text/ghostscript-gpl < 9.10-r2 >= 9.10-r2 Description =========== Multiple vulnerabilities have been discovered in GPL Ghostscript. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All GPL Ghostscript users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-text/ghostscript-gpl-9.10-r2" References ========== [ 1 ] CVE-2009-0196 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0196 [ 2 ] CVE-2009-0792 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0792 [ 3 ] CVE-2009-3743 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3743 [ 4 ] CVE-2009-4270 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4270 [ 5 ] CVE-2009-4897 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4897 [ 6 ] CVE-2010-1628 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1628 [ 7 ] CVE-2010-2055 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2055 [ 8 ] CVE-2010-4054 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4054 [ 9 ] CVE-2012-4405 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4405 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-17.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: ghostscript security update Advisory ID: RHSA-2012:0095-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0095.html Issue date: 2012-02-02 CVE Names: CVE-2009-3743 CVE-2010-2055 CVE-2010-4054 CVE-2010-4820 ===================================================================== 1. Summary: Updated ghostscript packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the Ghostscript library, which implements the graphics capabilities in the PostScript language) and an interpreter for Portable Document Format (PDF) files. An attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2009-3743) It was found that Ghostscript always tried to read Ghostscript system initialization files from the current working directory before checking other directories, even if a search path that did not contain the current working directory was specified with the "-I" option, or the "-P-" option was used (to prevent the current working directory being searched first). (CVE-2010-2055) Ghostscript included the current working directory in its library search path by default. If a user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary PostScript code. With this update, Ghostscript no longer searches the current working directory for library files by default. (CVE-2010-4820) Note: The fix for CVE-2010-4820 could possibly break existing configurations. To use the previous, vulnerable behavior, run Ghostscript with the "-P" option (to always search the current working directory first). An attacker could create a specially-crafted PostScript Type 1 or PostScript Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially, execute arbitrary code. (CVE-2010-4054) Users of Ghostscript are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 599564 - CVE-2010-2055 ghostscript: gs_init.ps searched in current directory despite -P- 627902 - CVE-2009-3743 ghostscript: TrueType bytecode intepreter integer overflow or wraparound 646086 - CVE-2010-4054 ghostscript: glyph data access improper input validation 771853 - CVE-2010-4820 ghostscript: CWD included in the default library search path 6. Package List: Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ghostscript-8.70-6.el5_7.6.src.rpm i386: ghostscript-8.70-6.el5_7.6.i386.rpm ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-gtk-8.70-6.el5_7.6.i386.rpm x86_64: ghostscript-8.70-6.el5_7.6.i386.rpm ghostscript-8.70-6.el5_7.6.x86_64.rpm ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-debuginfo-8.70-6.el5_7.6.x86_64.rpm ghostscript-gtk-8.70-6.el5_7.6.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/ghostscript-8.70-6.el5_7.6.src.rpm i386: ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-devel-8.70-6.el5_7.6.i386.rpm x86_64: ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-debuginfo-8.70-6.el5_7.6.x86_64.rpm ghostscript-devel-8.70-6.el5_7.6.i386.rpm ghostscript-devel-8.70-6.el5_7.6.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/ghostscript-8.70-6.el5_7.6.src.rpm i386: ghostscript-8.70-6.el5_7.6.i386.rpm ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-devel-8.70-6.el5_7.6.i386.rpm ghostscript-gtk-8.70-6.el5_7.6.i386.rpm ia64: ghostscript-8.70-6.el5_7.6.ia64.rpm ghostscript-debuginfo-8.70-6.el5_7.6.ia64.rpm ghostscript-devel-8.70-6.el5_7.6.ia64.rpm ghostscript-gtk-8.70-6.el5_7.6.ia64.rpm ppc: ghostscript-8.70-6.el5_7.6.ppc.rpm ghostscript-8.70-6.el5_7.6.ppc64.rpm ghostscript-debuginfo-8.70-6.el5_7.6.ppc.rpm ghostscript-debuginfo-8.70-6.el5_7.6.ppc64.rpm ghostscript-devel-8.70-6.el5_7.6.ppc.rpm ghostscript-devel-8.70-6.el5_7.6.ppc64.rpm ghostscript-gtk-8.70-6.el5_7.6.ppc.rpm s390x: ghostscript-8.70-6.el5_7.6.s390.rpm ghostscript-8.70-6.el5_7.6.s390x.rpm ghostscript-debuginfo-8.70-6.el5_7.6.s390.rpm ghostscript-debuginfo-8.70-6.el5_7.6.s390x.rpm ghostscript-devel-8.70-6.el5_7.6.s390.rpm ghostscript-devel-8.70-6.el5_7.6.s390x.rpm ghostscript-gtk-8.70-6.el5_7.6.s390x.rpm x86_64: ghostscript-8.70-6.el5_7.6.i386.rpm ghostscript-8.70-6.el5_7.6.x86_64.rpm ghostscript-debuginfo-8.70-6.el5_7.6.i386.rpm ghostscript-debuginfo-8.70-6.el5_7.6.x86_64.rpm ghostscript-devel-8.70-6.el5_7.6.i386.rpm ghostscript-devel-8.70-6.el5_7.6.x86_64.rpm ghostscript-gtk-8.70-6.el5_7.6.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm x86_64: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-8.70-11.el6_2.6.x86_64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-doc-8.70-11.el6_2.6.i686.rpm ghostscript-gtk-8.70-11.el6_2.6.i686.rpm x86_64: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.x86_64.rpm ghostscript-doc-8.70-11.el6_2.6.x86_64.rpm ghostscript-gtk-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm x86_64: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-8.70-11.el6_2.6.x86_64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm x86_64: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.x86_64.rpm ghostscript-doc-8.70-11.el6_2.6.x86_64.rpm ghostscript-gtk-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ppc64: ghostscript-8.70-11.el6_2.6.ppc.rpm ghostscript-8.70-11.el6_2.6.ppc64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.ppc.rpm ghostscript-debuginfo-8.70-11.el6_2.6.ppc64.rpm s390x: ghostscript-8.70-11.el6_2.6.s390.rpm ghostscript-8.70-11.el6_2.6.s390x.rpm ghostscript-debuginfo-8.70-11.el6_2.6.s390.rpm ghostscript-debuginfo-8.70-11.el6_2.6.s390x.rpm x86_64: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-8.70-11.el6_2.6.x86_64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-doc-8.70-11.el6_2.6.i686.rpm ghostscript-gtk-8.70-11.el6_2.6.i686.rpm ppc64: ghostscript-debuginfo-8.70-11.el6_2.6.ppc.rpm ghostscript-debuginfo-8.70-11.el6_2.6.ppc64.rpm ghostscript-devel-8.70-11.el6_2.6.ppc.rpm ghostscript-devel-8.70-11.el6_2.6.ppc64.rpm ghostscript-doc-8.70-11.el6_2.6.ppc64.rpm ghostscript-gtk-8.70-11.el6_2.6.ppc64.rpm s390x: ghostscript-debuginfo-8.70-11.el6_2.6.s390.rpm ghostscript-debuginfo-8.70-11.el6_2.6.s390x.rpm ghostscript-devel-8.70-11.el6_2.6.s390.rpm ghostscript-devel-8.70-11.el6_2.6.s390x.rpm ghostscript-doc-8.70-11.el6_2.6.s390x.rpm ghostscript-gtk-8.70-11.el6_2.6.s390x.rpm x86_64: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.x86_64.rpm ghostscript-doc-8.70-11.el6_2.6.x86_64.rpm ghostscript-gtk-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm x86_64: ghostscript-8.70-11.el6_2.6.i686.rpm ghostscript-8.70-11.el6_2.6.x86_64.rpm ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/ghostscript-8.70-11.el6_2.6.src.rpm i386: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-doc-8.70-11.el6_2.6.i686.rpm ghostscript-gtk-8.70-11.el6_2.6.i686.rpm x86_64: ghostscript-debuginfo-8.70-11.el6_2.6.i686.rpm ghostscript-debuginfo-8.70-11.el6_2.6.x86_64.rpm ghostscript-devel-8.70-11.el6_2.6.i686.rpm ghostscript-devel-8.70-11.el6_2.6.x86_64.rpm ghostscript-doc-8.70-11.el6_2.6.x86_64.rpm ghostscript-gtk-8.70-11.el6_2.6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2009-3743.html https://www.redhat.com/security/data/cve/CVE-2010-2055.html https://www.redhat.com/security/data/cve/CVE-2010-4054.html https://www.redhat.com/security/data/cve/CVE-2010-4820.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD4DBQFPKxQeXlSAg2UNWIIRArqLAJYndAdU+gEQ5Ki//vi/wh7KgAtYAJ9NwToi Ov6GX/QA+l4EOfr9Yj/1Qg== =6sZd -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-1317-1 January 04, 2012 ghostscript vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 8.04 LTS Summary: Ghostscript could be made to crash or run programs as your login if it opened a specially crafted file. Software Description: - ghostscript: The GPL Ghostscript PostScript/PDF interpreter Details: It was discovered that Ghostscript did not correctly handle memory allocation when parsing certain malformed JPEG-2000 images. (CVE-2008-3520) It was discovered that Ghostscript did not correctly handle certain formatting operations when parsing JPEG-2000 images. (CVE-2008-3522) It was discovered that Ghostscript incorrectly handled certain malformed TrueType fonts. This issue only affected Ubuntu 8.04 LTS. (CVE-2009-3743) It was discovered that Ghostscript incorrectly handled certain malformed Type 2 fonts. This issue only affected Ubuntu 8.04 LTS. (CVE-2010-4054) Jonathan Foote discovered that Ghostscript incorrectly handled certain malformed JPEG-2000 image files. (CVE-2011-4516, CVE-2011-4517) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 10.10: libgs8 8.71.dfsg.2-0ubuntu7.1 Ubuntu 10.04 LTS: libgs8 8.71.dfsg.1-0ubuntu5.4 Ubuntu 8.04 LTS: libgs8 8.61.dfsg.1-1ubuntu3.4 In general, a standard system update will make all the necessary changes. --[ Vulnerability details: memove() is defined in string.h and has the following prototype: void *memmove(void *dest, const void *src, size_t n); It is worth noticing that size_t is a signed integer. In ghostscript-8.70.dfsg.1/base/ttinterp.c we can find the following code snippet: /*******************************************/ /* MINDEX[] : move indexed element */ /* CodeRange : $26 */ static void Ins_MINDEX( INS_ARG ) { Long L, K; [0] L = args[0]; [1] if ( L<0 || L > CUR.args ) [2] { CUR.error = TT_Err_Invalid_Reference; return; } K = CUR.stack[CUR.args - L]; [3] memmove( (&CUR.stack[CUR.args - L ]), [4] (&CUR.stack[CUR.args - L + 1]), (L - 1) * sizeof ( Long ) ); CUR.stack[ CUR.args-1 ] = K; } [0] L is actually an unsigned long on x86. [1] L is user controled. [2] what if L is null then ? [3] will work fine with L null... [4] if L was null, then the sized passed to memmove is casted from an unsigned long to a signed integer (size_t) worthing 111111111111111111111111111111 in binary, or 0x3fffffff. Let's now consider the third argument passed to memmove in [4]. This value is used as a counter in register ecx, resulting in the copy of a very large chunk of memory (0x3fffffff ~= 1Gb). At this time, the destination being somewhere in the heap, the appliation will eventually fill the heap segment with (unexpected) data, and the copy will fail when trying to write to the first non mapped address after the heap in the address space, generating a segmentation fault. Experimentally, reaching this codepath has shown to be possible. The values of the registers (in particular ecx and edi) at crash time are coherent with our expectations and the explaination above : Program received signal SIGSEGV, Segmentation fault. -------------------------------------------------------------------------[ regs eax:FFFFFFFC ebx:405B6FF4 ecx:3FF85061 edx:0807C844 eflags:00010216 esi:0826A000 edi:08269FFC esp:BFFFDD18 ebp:BFFFDD58 eip:408EFA83 cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t s z A P c [007B:BFFFDD18]---------------------------------------------------------[stack] BFFFDD48 : E0 13 F9 FF F4 6F 5B 40 - 44 C8 07 08 00 00 00 00 .....o[@D....... BFFFDD38 : 00 00 00 00 00 00 00 00 - 01 00 00 00 0D 00 00 00 ................ BFFFDD28 : FC FF FF FF AE 42 0F 40 - 44 C8 07 08 34 CA 07 08 .....B.@D...4... BFFFDD18 : 26 00 00 00 09 69 0F 40 - 84 E1 07 08 88 E1 07 08 &....i.@........ [007B:0826A000]---------------------------------------------------------[ data] <memmove+35>: rep movs DWORD PTR es:[edi],DWORD PTR ds:[esi] Arbitrary code execution would require to corrupt the heap with a bit more than 1Gb of copied data without writting to invalid memory. Having the heap allocate so much data is not belived to be possible in the current situation under x86 GNU/linux. endrazine@blackbox:~/gs/ghostscript-8.70.dfsg.1$ ldd /bin/* /sbin/* \ /usr/sbin/* /usr/local/bin/* \ /usr/local/sbin/* /usr/bin/* 2>/dev/null |grep "libgs.so\|:"|grep "libgs" -B 1 /usr/sbin/lpdomatic: libgs.so.8 => /usr/lib/libgs.so.8 (0xb7785000) -- /usr/bin/directomatic: libgs.so.8 => /usr/lib/libgs.so.8 (0xb7785000) -- /usr/bin/foomatic-rip: libgs.so.8 => /usr/lib/libgs.so.8 (0xb7785000) -- /usr/bin/ghostscript: libgs.so.8 => /usr/lib/libgs.so.8 (0xb7785000) -- /usr/bin/gs: libgs.so.8 => /usr/lib/libgs.so.8 (0xb7785000) endrazine@blackbox:~/gs/ghostscript-8.70.dfsg.1$ Third party applications linking to this library may also be vulnerable. --[ Patch: This off by one can be mitigated by applying the following patch in ghostscript-8.70.dfsg.1/base/ttinterp.c : - if ( L<0 || L > CUR.args ) + if ( L<=0 || L > CUR.args ) The patch that has actually been merged to Ghostscript is strictly equivalent. --[ Disclosure timeline: * 19/10/2009: Contact Vendor. * 19/10/2009: Vendor replies to our mail asking for details. * 26/10/2009: Recontact vendor, ask for a valid pgp key. * 05/11/2009: Recontact vendor who failed at providing a valid pgp key. * 15/11/2009: Receive a valid pgp key from vendor. Provide details, including two PoCs to the Vendor. * 16/12/2009: Recontact the vendor who doesn't get back to us. * 05/01/2010: Vendor asks for more details including a complete bug analysis and patches. * 06/01/2010: Provide full analysis and patches to the vendor. * 06/01/2010: Vendor claims to have silently patched the vulnerability in their development branch. * 01/03/2010: Ping vendor, who remains silent... * 22/03/2010: Ping vendor, who remains silent... * 20/07/2010: Inform the CERT about the vulnearbility. * 20/07/2010: Recontact CERT about this vulnerability. * 03/08/2010: CERT gets back to us asking for details. * 09/08/2010: Send available information to the CERT. * 13/08/2010: The CERT compares our patch and the applied patch in addition to the material we provided and concludes the vendor actually did fix the vulnerability as we suggested, but silently, denying us any kind of credit. * 14/08/2010: The CERT assigns CVE number CVE-2009-3743 to this vulnerability. * 25/11/2010: Public disclosure. Note: The vendor claims to follow a bounty program for coders fixing bugs in their software. From our experience, they do not practice such a thing but silently patch reported bugs instead. We hope this was merely an exception. --[ Credits: This vulnerability was discovered by Jonathan Brossard from Toucan System. --[ About Toucan System:

Stack-based buffer overflow in the bgp_route_refresh_receive function in bgp_packet.c in bgpd in Quagga before 0.99.17 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a malformed Outbound Route Filtering (ORF) record in a BGP ROUTE-REFRESH (RR) message. Quagga is a routing software suite that implements multiple routing protocols on Unix platforms. Quagga's bgpd daemon has a stack overflow vulnerability when parsing Route-Refresh messages. Quagga is prone to a stack-based buffer-overflow vulnerability. Successful exploits will allow attackers to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition. Versions prior to Quagga 0.99.17 are vulnerable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Quagga: Multiple vulnerabilities Date: February 21, 2012 Bugs: #334303, #359903, #384651 ID: 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in Quagga, the worst of which leading to remote execution of arbitrary code. Background ========== Quagga is a free routing daemon replacing Zebra supporting RIP, OSPF and BGP. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/quagga < 0.99.20 >= 0.99.20 Description =========== Multiple vulnerabilities have been discovered in Quagga. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Quagga users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/quagga-0.99.20 " References ========== [ 1 ] CVE-2010-1674 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1674 [ 2 ] CVE-2010-1675 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1675 [ 3 ] CVE-2010-2948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2948 [ 4 ] CVE-2010-2949 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2949 [ 5 ] CVE-2011-3323 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3323 [ 6 ] CVE-2011-3324 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3324 [ 7 ] CVE-2011-3325 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3325 [ 8 ] CVE-2011-3326 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3326 [ 9 ] CVE-2011-3327 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3327 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201202-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2104-1 security@debian.org http://www.debian.org/security/ Florian Weimer September 06, 2010 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : quagga Vulnerability : several Problem type : remote Debian-specific: no CVE Id(s) : CVE-2010-2948 CVE-2010-2949 Debian Bug : 594262 Several remote vulnerabilities have been discovered in the BGP implementation of Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-2948 When processing a crafted Route Refresh message received from a configured, authenticated BGP neighbor, Quagga may crash, leading to a denial of service. CVE-2010-2949 When processing certain crafted AS paths, Quagga would crash with a NULL pointer dereference, leading to a denial of service. In some configurations, such crafted AS paths could be relayed by intermediate BGP routers. In addition, this update contains a reliability fix: Quagga will no longer advertise confederation-related AS paths to non-confederation peers, and reject unexpected confederation-related AS paths by resetting the session with the BGP peer which is advertising them. (Previously, such AS paths would trigger resets of unrelated BGP sessions.) For the stable distribution (lenny), these problems have been fixed in version 0.99.10-1lenny3. For the unstable distribution (sid) and the testing distribution (squeeze), these problems have been fixed in version 0.99.17-1. We recommend that you upgrade your quagga package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10.orig.tar.gz Size/MD5 checksum: 2424191 c7a2d92e1c42214afef9b2e1cd4b5d06 http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.diff.gz Size/MD5 checksum: 42826 100dbb936b3b0f0d4fb4947bf384d369 http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.dsc Size/MD5 checksum: 1651 f5b9c26538e9d32008ad0256fe4ad0ed Architecture independent packages: http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.99.10-1lenny3_all.deb Size/MD5 checksum: 661354 f843c6f765a48f7e071a52d3c7834d2f alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_alpha.deb Size/MD5 checksum: 1902990 0f85c30d5f719f9c104f5a8977a5d1a0 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_amd64.deb Size/MD5 checksum: 1749952 89a53689c4daf3f0695ea2c21aa93254 arm architecture (ARM) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_arm.deb Size/MD5 checksum: 1449792 3c53e06e4d27ef8cf391533824668b19 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_armel.deb Size/MD5 checksum: 1457202 e52ae364e20ff137c5e0e5f75bfc1ec1 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_hppa.deb Size/MD5 checksum: 1683924 c8172ed22b010569949977f407c282b6 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_i386.deb Size/MD5 checksum: 1608678 e7b5fbd36e4466cdecaca46f1f96642b ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_ia64.deb Size/MD5 checksum: 2256144 75ebe4e12a3e22ef79e5e3dab2d457bf mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mips.deb Size/MD5 checksum: 1605990 f33ef3d9b31f0da900aba6a20bdd188d mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mipsel.deb Size/MD5 checksum: 1601240 68ff751ff9c022cc06db8d0d66895a6e powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_powerpc.deb Size/MD5 checksum: 1717802 931505a31bdcc1a7732a9a2e9f295a01 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_s390.deb Size/MD5 checksum: 1794990 7d52667f3f37553256e87b77450dc309 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_sparc.deb Size/MD5 checksum: 1671232 3706818c39b51bb45c58a0cf8fdba202 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJMhUEPAAoJEL97/wQC1SS+dwMH/2tsjv3eQBHu3jvm+jMB7Dr1 6uRIi/1/DgaaRmVSD41quWSYoww374pkwZ5xjUVZqOQY1N6Y34avnwjN7FsSg8no H0Os4uioep8/IKzhse0EyeDZcmm2j8E41j3UZ+aANqWOssGa0MNddj846K3NDw2j dRuKUUy4JK8iRSwBLUaXqydAPI2ZjdXVH0Yy/3l51f2Aerm7N565f1ifUh38C6Y0 IR5BdiA1C6jzV+826VrZaj10cKAPg/Qm31mrNiZMBcVpi2sBJ+zQ8P/G3j7CpEdr sITi5UiULGAp+3cGvtPzZDtBxfkLLpVIpNgRPiSHhA+PTjG60HHvPK43OZkPdSY= =HP/T -----END PGP SIGNATURE----- . Updated packages are available that bring Quagga to version 0.99.17 which provides numerous bugfixes over the previous 0.99.12 version, and also corrects these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2948 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2949 _______________________________________________________________________ Updated Packages: Corporate 4.0: 982061c8bac57d5878a2dbd9747234f4 corporate/4.0/i586/libquagga0-0.99.17-0.1.20060mlcs4.i586.rpm 53b1e909e046539dcfd55f9b1f62e7ea corporate/4.0/i586/libquagga0-devel-0.99.17-0.1.20060mlcs4.i586.rpm 796ef3f10f793f6546ce6a0525082fa5 corporate/4.0/i586/quagga-0.99.17-0.1.20060mlcs4.i586.rpm 423c4032225687b252ddb3887db1f226 corporate/4.0/i586/quagga-contrib-0.99.17-0.1.20060mlcs4.i586.rpm 9f63365fc185a7bdf930a80cb6615c7d corporate/4.0/SRPMS/quagga-0.99.17-0.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 9b36814efd0751aa81e38baec0d2bae6 corporate/4.0/x86_64/lib64quagga0-0.99.17-0.1.20060mlcs4.x86_64.rpm 64ab6ba845a97236ffd2898e0aef892d corporate/4.0/x86_64/lib64quagga0-devel-0.99.17-0.1.20060mlcs4.x86_64.rpm 7d259ae75e30e1d172e340cc232d1ff2 corporate/4.0/x86_64/quagga-0.99.17-0.1.20060mlcs4.x86_64.rpm 2f3390db2bae0e0d505ec759e0a15232 corporate/4.0/x86_64/quagga-contrib-0.99.17-0.1.20060mlcs4.x86_64.rpm 9f63365fc185a7bdf930a80cb6615c7d corporate/4.0/SRPMS/quagga-0.99.17-0.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMi592mqjQ0CJFipgRAoHFAJ0XDJVqB+SJmOHZ0hrPlMgjTMYeNgCgwxRw AMo+uyGwHeG+uyLmOzKKMOs= =ahfH -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . =========================================================== Ubuntu Security Notice USN-1027-1 December 07, 2010 quagga vulnerabilities CVE-2010-2948, CVE-2010-2949 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 9.10 Ubuntu 10.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: quagga 0.99.2-1ubuntu3.7 Ubuntu 8.04 LTS: quagga 0.99.9-2ubuntu1.4 Ubuntu 9.10: quagga 0.99.13-1ubuntu0.1 Ubuntu 10.04 LTS: quagga 0.99.15-1ubuntu0.1 In general, a standard system update will make all the necessary changes. Details follow: It was discovered that Quagga incorrectly handled certain Outbound Route Filtering (ORF) records. The default compiler options for Ubuntu 8.04 LTS and later should reduce the vulnerability to a denial of service. (CVE-2010-2948) It was discovered that Quagga incorrectly parsed certain AS paths

bgpd in Quagga before 0.99.17 does not properly parse AS paths, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unknown AS type in an AS path attribute in a BGP UPDATE message. Quagga is a routing software suite that implements multiple routing protocols on Unix platforms. Quagga's bgpd daemon has a null pointer reference vulnerability when parsing the AS path. The configured BGP peer can send a BGP update request with an unknown AS type causing the daemon to crash. Quagga is prone to a remote denial-of-service vulnerability caused by a NULL-pointer dereference in the Border Gateway Protocol daemon (bgpd). Versions prior to Quagga 0.99.17 are vulnerable. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Quagga: Multiple vulnerabilities Date: February 21, 2012 Bugs: #334303, #359903, #384651 ID: 201202-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in Quagga, the worst of which leading to remote execution of arbitrary code. Background ========== Quagga is a free routing daemon replacing Zebra supporting RIP, OSPF and BGP. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/quagga < 0.99.20 >= 0.99.20 Description =========== Multiple vulnerabilities have been discovered in Quagga. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Quagga users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/quagga-0.99.20 " References ========== [ 1 ] CVE-2010-1674 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1674 [ 2 ] CVE-2010-1675 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1675 [ 3 ] CVE-2010-2948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2948 [ 4 ] CVE-2010-2949 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2949 [ 5 ] CVE-2011-3323 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3323 [ 6 ] CVE-2011-3324 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3324 [ 7 ] CVE-2011-3325 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3325 [ 8 ] CVE-2011-3326 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3326 [ 9 ] CVE-2011-3327 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3327 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201202-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2104-1 security@debian.org http://www.debian.org/security/ Florian Weimer September 06, 2010 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : quagga Vulnerability : several Problem type : remote Debian-specific: no CVE Id(s) : CVE-2010-2948 CVE-2010-2949 Debian Bug : 594262 Several remote vulnerabilities have been discovered in the BGP implementation of Quagga, a routing daemon. In some configurations, such crafted AS paths could be relayed by intermediate BGP routers. In addition, this update contains a reliability fix: Quagga will no longer advertise confederation-related AS paths to non-confederation peers, and reject unexpected confederation-related AS paths by resetting the session with the BGP peer which is advertising them. (Previously, such AS paths would trigger resets of unrelated BGP sessions.) For the stable distribution (lenny), these problems have been fixed in version 0.99.10-1lenny3. For the unstable distribution (sid) and the testing distribution (squeeze), these problems have been fixed in version 0.99.17-1. We recommend that you upgrade your quagga package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10.orig.tar.gz Size/MD5 checksum: 2424191 c7a2d92e1c42214afef9b2e1cd4b5d06 http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.diff.gz Size/MD5 checksum: 42826 100dbb936b3b0f0d4fb4947bf384d369 http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3.dsc Size/MD5 checksum: 1651 f5b9c26538e9d32008ad0256fe4ad0ed Architecture independent packages: http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.99.10-1lenny3_all.deb Size/MD5 checksum: 661354 f843c6f765a48f7e071a52d3c7834d2f alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_alpha.deb Size/MD5 checksum: 1902990 0f85c30d5f719f9c104f5a8977a5d1a0 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_amd64.deb Size/MD5 checksum: 1749952 89a53689c4daf3f0695ea2c21aa93254 arm architecture (ARM) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_arm.deb Size/MD5 checksum: 1449792 3c53e06e4d27ef8cf391533824668b19 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_armel.deb Size/MD5 checksum: 1457202 e52ae364e20ff137c5e0e5f75bfc1ec1 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_hppa.deb Size/MD5 checksum: 1683924 c8172ed22b010569949977f407c282b6 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_i386.deb Size/MD5 checksum: 1608678 e7b5fbd36e4466cdecaca46f1f96642b ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_ia64.deb Size/MD5 checksum: 2256144 75ebe4e12a3e22ef79e5e3dab2d457bf mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mips.deb Size/MD5 checksum: 1605990 f33ef3d9b31f0da900aba6a20bdd188d mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_mipsel.deb Size/MD5 checksum: 1601240 68ff751ff9c022cc06db8d0d66895a6e powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_powerpc.deb Size/MD5 checksum: 1717802 931505a31bdcc1a7732a9a2e9f295a01 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_s390.deb Size/MD5 checksum: 1794990 7d52667f3f37553256e87b77450dc309 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.10-1lenny3_sparc.deb Size/MD5 checksum: 1671232 3706818c39b51bb45c58a0cf8fdba202 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJMhUEPAAoJEL97/wQC1SS+dwMH/2tsjv3eQBHu3jvm+jMB7Dr1 6uRIi/1/DgaaRmVSD41quWSYoww374pkwZ5xjUVZqOQY1N6Y34avnwjN7FsSg8no H0Os4uioep8/IKzhse0EyeDZcmm2j8E41j3UZ+aANqWOssGa0MNddj846K3NDw2j dRuKUUy4JK8iRSwBLUaXqydAPI2ZjdXVH0Yy/3l51f2Aerm7N565f1ifUh38C6Y0 IR5BdiA1C6jzV+826VrZaj10cKAPg/Qm31mrNiZMBcVpi2sBJ+zQ8P/G3j7CpEdr sITi5UiULGAp+3cGvtPzZDtBxfkLLpVIpNgRPiSHhA+PTjG60HHvPK43OZkPdSY= =HP/T -----END PGP SIGNATURE----- . Updated packages are available that bring Quagga to version 0.99.17 which provides numerous bugfixes over the previous 0.99.12 version, and also corrects these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2948 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2949 _______________________________________________________________________ Updated Packages: Corporate 4.0: 982061c8bac57d5878a2dbd9747234f4 corporate/4.0/i586/libquagga0-0.99.17-0.1.20060mlcs4.i586.rpm 53b1e909e046539dcfd55f9b1f62e7ea corporate/4.0/i586/libquagga0-devel-0.99.17-0.1.20060mlcs4.i586.rpm 796ef3f10f793f6546ce6a0525082fa5 corporate/4.0/i586/quagga-0.99.17-0.1.20060mlcs4.i586.rpm 423c4032225687b252ddb3887db1f226 corporate/4.0/i586/quagga-contrib-0.99.17-0.1.20060mlcs4.i586.rpm 9f63365fc185a7bdf930a80cb6615c7d corporate/4.0/SRPMS/quagga-0.99.17-0.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 9b36814efd0751aa81e38baec0d2bae6 corporate/4.0/x86_64/lib64quagga0-0.99.17-0.1.20060mlcs4.x86_64.rpm 64ab6ba845a97236ffd2898e0aef892d corporate/4.0/x86_64/lib64quagga0-devel-0.99.17-0.1.20060mlcs4.x86_64.rpm 7d259ae75e30e1d172e340cc232d1ff2 corporate/4.0/x86_64/quagga-0.99.17-0.1.20060mlcs4.x86_64.rpm 2f3390db2bae0e0d505ec759e0a15232 corporate/4.0/x86_64/quagga-contrib-0.99.17-0.1.20060mlcs4.x86_64.rpm 9f63365fc185a7bdf930a80cb6615c7d corporate/4.0/SRPMS/quagga-0.99.17-0.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMi592mqjQ0CJFipgRAoHFAJ0XDJVqB+SJmOHZ0hrPlMgjTMYeNgCgwxRw AMo+uyGwHeG+uyLmOzKKMOs= =ahfH -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . =========================================================== Ubuntu Security Notice USN-1027-1 December 07, 2010 quagga vulnerabilities CVE-2010-2948, CVE-2010-2949 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 9.10 Ubuntu 10.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: quagga 0.99.2-1ubuntu3.7 Ubuntu 8.04 LTS: quagga 0.99.9-2ubuntu1.4 Ubuntu 9.10: quagga 0.99.13-1ubuntu0.1 Ubuntu 10.04 LTS: quagga 0.99.15-1ubuntu0.1 In general, a standard system update will make all the necessary changes. Details follow: It was discovered that Quagga incorrectly handled certain Outbound Route Filtering (ORF) records. The default compiler options for Ubuntu 8.04 LTS and later should reduce the vulnerability to a denial of service. (CVE-2010-2948) It was discovered that Quagga incorrectly parsed certain AS paths

libsecurity in Apple Mac OS X 10.5.8 and 10.6.4 does not properly perform comparisons to domain-name strings in X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a certificate associated with a similar domain name, as demonstrated by use of a www.example.con certificate to spoof www.example.com. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks. This issue affects the following: Mac OS X 10.5.8 and 10.6.4 Mac OS X Server 10.5.8 and 10.6.4

Heap-based buffer overflow in CoreGraphics in Apple Mac OS X 10.5.8 and 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file. Apple Mac OS X is prone to a heap-based buffer-overflow vulnerability that affects 'Preview.app' in the CoreGraphics component. Successfully exploiting this issue may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition. This issue affects the following: Mac OS X 10.5.8 Mac OS X Server 10.5.8 Mac OS X 10.6.4 Mac OS X Server 10.6.4. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Apple CoreGraphics (Preview) Memory Corruption when parsing PDF files CVE-2010-1801 INTRODUCTION Apple Preview.app is the default application used in Apple MacOS systems in order to visualize PDF files and does not properly parse PDF files, which leads to memory corruption when opening a malformed file with an invalid size on JBIG2 structure at offset 0x2C1 as in PoC Repro1.pdf or offset 0x2C5 as in PoC Repro2.pdf (both values trigger the same vulnerability). This problem was confirmed in the following versions of Apple Preview and MacOS, other versions may be also affected. The problem is triggered by PoCs available to interested parts which causes invalid memory access in all the refered versions. DETAILS Changing offset 0x2C1: 0xdee8600 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3764>: xor %esi,%esi 0xdee8602 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3766>: mov -0x7c(%ebp),%edx 0xdee8605 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3769>: mov -0x118(%ebp),%eax 0xdee860b <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3775>: mov -0x7c(%ebp),%ecx 0xdee860e <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3778>: inc %edx 0xdee860f <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3779>: cmp 0x8(%eax),%ecx 0xdee8612 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3782>: jae 0xdee861a <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3790> 0xdee8614 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3784>: mov 0xc(%eax),%eax 0xdee8617 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+3787>: mov %esi,(%eax,%edi,1) <----- Crash (gdb) i r $esi $eax $edi esi 0xc79e860 209315936 eax 0x0 0 edi 0x0 0 (gdb) bt #0 0x0dee8617 in JBIG2Stream::readSymbolDictSeg () #1 0x0dee4f0f in JBIG2Stream::readSegments () #2 0x0dee4b5e in JBIG2Stream::reset () #3 0x0dee499b in read_bytes () #4 0x96d33f32 in jbig2_filter_refill () #5 0x96a4b56c in CGPDFSourceRefill () #6 0x96a4b402 in CGPDFSourceRead () Changing offset 0x2C5: 0xdeb52dc <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2960>: inc %esp 0xdeb52dd <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2961>: and $0x4,%al 0xdeb52df <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2963>: add %al,(%eax) 0xdeb52e1 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2965>: add %al,(%eax) 0xdeb52e3 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2967>: mov %edx,(%esp) 0xdeb52e6 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2970>: call 0xdeb2a96 <_ZN11JBIG2Stream17readGenericBitmapEiiiiiiP11JBIG2BitmapPiS2_i> 0xdeb52eb <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2975>: mov -0x94(%ebp),%ecx 0xdeb52f1 <_ZN11JBIG2Stream17readSymbolDictSegEjjPjj+2981>: mov %eax,(%ecx) <----- Crash (gdb) i r $eax $ecx eax 0xc79b640 209303104 ecx 0x0 0 (gdb) bt #0 0x0deb52f1 in JBIG2Stream::readSymbolDictSeg () #1 0x0deb1f0f in JBIG2Stream::readSegments () #2 0x0deb1b5e in JBIG2Stream::reset () #3 0x0deb199b in read_bytes () #4 0x96d33f32 in jbig2_filter_refill () #5 0x96a4b56c in CGPDFSourceRefill () #6 0x96a4b402 in CGPDFSourceRead () #7 0x96aa3c8f in CGAccessSessionGetChunks () CREDITS This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). Best Regards, Rodrigo. -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies

CFNetwork in Apple Mac OS X 10.6.3 and 10.6.4 supports anonymous SSL and TLS connections, which allows man-in-the-middle attackers to redirect a connection and obtain sensitive information via crafted responses. Apple Mac OS X is prone to an information-disclosure vulnerability that exists in the CFNetwork component. An attacker can exploit this issue to redirect connections and intercept user credentials or other sensitive information. This may lead to other attacks. This issue does not affect the Apple Mail application. Mac OS X 10.6.4, Mac OS X Server 10.6.4 and prior are vulnerable

Stack-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.5.8 and 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded font in a document. An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The following versions are vulnerable. Mac OS X v10.5.8 Mac OS X Server v10.5.8 Mac OS X v10.6.4 Mac OS X Server v10.6.4

Unspecified vulnerability in the HP MagCloud app before 1.0.5 for the iPad allows remote attackers to read and modify MagCloud application data via unknown vectors. HP MagCloud is prone to an unspecified security-bypass vulnerability because it fails to properly restrict access. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This issue affects HP MagCloud versions prior to 1.0.5. MagCloud is a print-on-demand platform that leverages HP's powerful network of print service providers based on HP Indigo printing technology. ---------------------------------------------------------------------- Secunia receives 'Frost & Sullivan's Global 2010 Customer Value Enhancement Award Secunia outshines its competitors and receives the Frost & Sullivan’s Global 2010 Customer Value Enhancement Award. Based on its recent analysis of the vulnerability research market, Frost & Sullivan concluded: "Secunia provides tremendous value for their customers, end-users, and to other security vendors." Read more: http://secunia.com/blog/117/ ---------------------------------------------------------------------- TITLE: HP MagCloud Unauthorised Application Data Access Vulnerability SECUNIA ADVISORY ID: SA41062 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41062/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41062 RELEASE DATE: 2010-08-24 DISCUSS ADVISORY: http://secunia.com/advisories/41062/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41062/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41062 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in HP MagCloud, which can be exploited by malicious people to bypass certain security restrictions. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: HPSBGN02569 SSRT100200: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02478639 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c02478639 Version: 1 HPSBGN02569 SSRT100200 rev.1 - HP MagCloud iPad App, Remote Unauthorized Access to Data NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. References: CVE-2010-2711 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP MagCloud iPad App before v1.0.5 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2010-2711 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following software update available to resolve this vulnerability. HP MagCloud v.1.0.5 The update is available from the Apple App Store. PRODUCT SPECIFIC INFORMATION None HISTORY: Version: 1 (rev.1) 23 August 2010 Initial release. Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkxyhfMACgkQ4B86/C0qfVnvfgCg+TpGKUj4HQUxh/jKVjddr4qC XosAn0DoJMIZ8gRodRbUuJo6w3O+eb/h =/IwL -----END PGP SIGNATURE-----

Multiple use-after-free vulnerabilities in WebKit, as used in Apple Safari before 4.1.3 and 5.0.x before 5.0.3, Google Chrome before 5.0.375.127, and webkitgtk before 1.2.6, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to improper handling of MIME types by plug-ins. WebKit is prone to a remote memory-corruption vulnerability. Successful exploits may allow the attacker to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition. NOTE: This issue was previously covered in BID 42571 (Google Chrome prior to 5.0.375.127 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:039 http://www.mandriva.com/security/ _______________________________________________________________________ Package : webkit Date : March 2, 2011 Affected: 2010.1 _______________________________________________________________________ Problem Description: Multiple cross-site scripting, denial of service and arbitrary code execution security flaws were discovered in webkit. Please consult the CVE web links for further information. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2797 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2841 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0046 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0047 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0048 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0049 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0052 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0053 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0054 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0314 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0647 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0650 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0651 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1387 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1390 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1391 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1392 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1393 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1394 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1395 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1396 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1397 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1398 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1400 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1401 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1403 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1404 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1405 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1406 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1407 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1408 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1409 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1410 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1412 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1414 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1415 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1416 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1417 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1418 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1419 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1421 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1422 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1501 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1664 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1665 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1759 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1760 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1761 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1762 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1764 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1766 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1767 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1770 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1771 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1772 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1773 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1774 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1780 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1781 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1784 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1785 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1786 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1787 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1788 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1790 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1791 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1792 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1793 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1812 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1814 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1815 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2264 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2647 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2648 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3115 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3116 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3119 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3248 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3255 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3257 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3259 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3812 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3813 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4040 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4197 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4204 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4206 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 141f3cd181b875d1bb40b67a507b6db1 2010.1/i586/libwebkitgtk1.0_2-1.2.7-0.1mdv2010.2.i586.rpm 054886a3c645b3ce710b9b9daec1d5f9 2010.1/i586/libwebkitgtk1.0-devel-1.2.7-0.1mdv2010.2.i586.rpm bef556ca3f281f6ef4086292c3b658d2 2010.1/i586/webkit1.0-1.2.7-0.1mdv2010.2.i586.rpm a1ff7ac638646aeb64e3bbdca9bc945d 2010.1/i586/webkit1.0-webinspector-1.2.7-0.1mdv2010.2.i586.rpm 3f40e3ebc62bad67097a9e102e0e79c2 2010.1/i586/webkit-1.2.7-0.1mdv2010.2.i586.rpm 50875cf1bc8718cedce1a45dc509b44b 2010.1/i586/webkit-gtklauncher-1.2.7-0.1mdv2010.2.i586.rpm 625d27780d1cc9edb935d4ac3521ae16 2010.1/i586/webkit-jsc-1.2.7-0.1mdv2010.2.i586.rpm 8d02c28d8f21a022130be4c49f9d27be 2010.1/SRPMS/webkit-1.2.7-0.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 5ce57cd6ab823f8084030033c7c230d7 2010.1/x86_64/lib64webkitgtk1.0_2-1.2.7-0.1mdv2010.2.x86_64.rpm 690d8718a97af93f58de3bb2357fbe9b 2010.1/x86_64/lib64webkitgtk1.0-devel-1.2.7-0.1mdv2010.2.x86_64.rpm 7cc1d4aa77e1901ccc92f27faf85c9ea 2010.1/x86_64/webkit1.0-1.2.7-0.1mdv2010.2.x86_64.rpm 2b77a77159529c55f64343aba98c15d9 2010.1/x86_64/webkit1.0-webinspector-1.2.7-0.1mdv2010.2.x86_64.rpm 475cf83c5ddd8f6809c2c73a1f5a71d1 2010.1/x86_64/webkit-1.2.7-0.1mdv2010.2.x86_64.rpm b0f1c76107c3d54241daa7e61bfb29a9 2010.1/x86_64/webkit-gtklauncher-1.2.7-0.1mdv2010.2.x86_64.rpm 97deff5e94a625a79842b4c240b0b00d 2010.1/x86_64/webkit-jsc-1.2.7-0.1mdv2010.2.x86_64.rpm 8d02c28d8f21a022130be4c49f9d27be 2010.1/SRPMS/webkit-1.2.7-0.1mdv2010.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNbgbemqjQ0CJFipgRAs9YAJ92z2WSC2ijj34b/wr42OIYLtv65gCg7XgL Yv/ButpYAcXsmnJWUG4ayxQ= =GRM6 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . For more information: SA40257 SA41328 SA42151 SA42312 SOLUTION: Upgrade to iOS 4.2 (downloadable and installable via iTunes). ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: Ubuntu update for webkit SECUNIA ADVISORY ID: SA41856 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41856/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41856 RELEASE DATE: 2010-10-21 DISCUSS ADVISORY: http://secunia.com/advisories/41856/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41856/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41856 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Ubuntu has issued an update for webkit. This fixes multiple vulnerabilities, some of which have an unknown impact while others can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct spoofing or cross-site scripting attacks, and potentially compromise a user's system. For more information: SA36677 SA37346 SA37769 SA37931 SA38545 SA38932 SA39091 SA39651 SA40105 SA40196 SA40479 SA40664 SA41014 SA41085 SA41242 SA41328 SOLUTION: Apply updated packages. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ORIGINAL ADVISORY: USN-1006-1: http://www.ubuntu.com/usn/usn-1006-1 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco WebEx Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists during the parsing of strings defined within the ARF file format. Strings are typically prefixed by their valid length. By supplying a string much longer than the defined length a heap overflow will occur which can be further leveraged to execute arbitrary code under the context of the current user. WebEx is the world's largest provider of network communication services, providing carrier-grade network conferencing solutions. WebEx has been acquired by Cisco. Cisco WebEx is prone to a remote code-execution vulnerability because the software fails to perform adequate boundary checks on user-supplied data. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. ---------------------------------------------------------------------- Secunia receives 'Frost & Sullivan's Global 2010 Customer Value Enhancement Award Secunia outshines its competitors and receives the Frost & Sullivan’s Global 2010 Customer Value Enhancement Award. Based on its recent analysis of the vulnerability research market, Frost & Sullivan concluded: "Secunia provides tremendous value for their customers, end-users, and to other security vendors." Read more: http://secunia.com/blog/117/ ---------------------------------------------------------------------- TITLE: Cisco WebEx Player ARF Parsing Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA41039 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41039/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41039 RELEASE DATE: 2010-08-24 DISCUSS ADVISORY: http://secunia.com/advisories/41039/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41039/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41039 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco WebEx Player, which can be exploited by malicious people to compromise a user's system. Successful exploitation may allow execution of arbitrary code. SOLUTION: Reportedly fixed in version T27FR14. Contact the vendor for further information. PROVIDED AND/OR DISCOVERED BY: Gabriel Menezes Nunes, reported via ZDI. ORIGINAL ADVISORY: http://www.zerodayinitiative.com/advisories/ZDI-10-155/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-10-155: Cisco WebEx Player ARF String Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-10-155 August 23, 2010 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Cisco -- Affected Products: Cisco WebEx -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9936. -- Vendor Response: Cisco states: This issue has been resolved in T27FR14, deployed to WebEx customers in April. -- Disclosure Timeline: 2010-01-06 - Vulnerability reported to vendor 2010-08-23 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Gabriel Menezes Nunes -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

loader/DocumentThreadableLoader.cpp in the XMLHttpRequest implementation in WebCore in WebKit before r58409 does not properly handle credentials during a cross-origin synchronous request, which has unspecified impact and remote attack vectors, aka rdar problem 7905150. WebKit is prone to an unspecified security vulnerability. Very little information is known about this issue. We will update this BID as soon as more information becomes available. Webkit versions prior to 1.2.3 are affected. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:039 http://www.mandriva.com/security/ _______________________________________________________________________ Package : webkit Date : March 2, 2011 Affected: 2010.1 _______________________________________________________________________ Problem Description: Multiple cross-site scripting, denial of service and arbitrary code execution security flaws were discovered in webkit. Please consult the CVE web links for further information. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2797 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2841 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0046 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0047 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0048 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0049 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0050 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0051 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0052 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0053 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0054 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0314 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0647 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0650 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0651 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1386 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1387 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1390 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1391 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1392 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1393 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1394 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1395 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1396 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1397 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1398 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1400 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1401 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1402 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1403 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1404 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1405 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1406 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1407 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1408 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1409 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1410 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1412 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1414 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1415 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1416 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1417 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1418 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1419 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1421 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1422 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1501 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1664 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1665 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1759 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1760 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1761 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1762 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1764 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1766 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1767 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1770 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1771 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1772 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1773 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1774 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1780 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1781 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1784 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1785 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1786 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1787 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1788 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1790 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1791 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1792 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1793 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1812 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1814 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1815 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2264 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2647 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2648 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3115 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3116 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3119 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3248 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3255 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3257 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3259 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3812 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3813 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4040 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4197 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4204 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4206 _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 141f3cd181b875d1bb40b67a507b6db1 2010.1/i586/libwebkitgtk1.0_2-1.2.7-0.1mdv2010.2.i586.rpm 054886a3c645b3ce710b9b9daec1d5f9 2010.1/i586/libwebkitgtk1.0-devel-1.2.7-0.1mdv2010.2.i586.rpm bef556ca3f281f6ef4086292c3b658d2 2010.1/i586/webkit1.0-1.2.7-0.1mdv2010.2.i586.rpm a1ff7ac638646aeb64e3bbdca9bc945d 2010.1/i586/webkit1.0-webinspector-1.2.7-0.1mdv2010.2.i586.rpm 3f40e3ebc62bad67097a9e102e0e79c2 2010.1/i586/webkit-1.2.7-0.1mdv2010.2.i586.rpm 50875cf1bc8718cedce1a45dc509b44b 2010.1/i586/webkit-gtklauncher-1.2.7-0.1mdv2010.2.i586.rpm 625d27780d1cc9edb935d4ac3521ae16 2010.1/i586/webkit-jsc-1.2.7-0.1mdv2010.2.i586.rpm 8d02c28d8f21a022130be4c49f9d27be 2010.1/SRPMS/webkit-1.2.7-0.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 5ce57cd6ab823f8084030033c7c230d7 2010.1/x86_64/lib64webkitgtk1.0_2-1.2.7-0.1mdv2010.2.x86_64.rpm 690d8718a97af93f58de3bb2357fbe9b 2010.1/x86_64/lib64webkitgtk1.0-devel-1.2.7-0.1mdv2010.2.x86_64.rpm 7cc1d4aa77e1901ccc92f27faf85c9ea 2010.1/x86_64/webkit1.0-1.2.7-0.1mdv2010.2.x86_64.rpm 2b77a77159529c55f64343aba98c15d9 2010.1/x86_64/webkit1.0-webinspector-1.2.7-0.1mdv2010.2.x86_64.rpm 475cf83c5ddd8f6809c2c73a1f5a71d1 2010.1/x86_64/webkit-1.2.7-0.1mdv2010.2.x86_64.rpm b0f1c76107c3d54241daa7e61bfb29a9 2010.1/x86_64/webkit-gtklauncher-1.2.7-0.1mdv2010.2.x86_64.rpm 97deff5e94a625a79842b4c240b0b00d 2010.1/x86_64/webkit-jsc-1.2.7-0.1mdv2010.2.x86_64.rpm 8d02c28d8f21a022130be4c49f9d27be 2010.1/SRPMS/webkit-1.2.7-0.1mdv2010.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNbgbemqjQ0CJFipgRAs9YAJ92z2WSC2ijj34b/wr42OIYLtv65gCg7XgL Yv/ButpYAcXsmnJWUG4ayxQ= =GRM6 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: Ubuntu update for webkit SECUNIA ADVISORY ID: SA41856 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41856/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41856 RELEASE DATE: 2010-10-21 DISCUSS ADVISORY: http://secunia.com/advisories/41856/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41856/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41856 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Ubuntu has issued an update for webkit. This fixes multiple vulnerabilities, some of which have an unknown impact while others can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct spoofing or cross-site scripting attacks, and potentially compromise a user's system. For more information: SA36677 SA37346 SA37769 SA37931 SA38545 SA38932 SA39091 SA39651 SA40105 SA40196 SA40479 SA40664 SA41014 SA41085 SA41242 SA41328 SOLUTION: Apply updated packages. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ORIGINAL ADVISORY: USN-1006-1: http://www.ubuntu.com/usn/usn-1006-1 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM)

Blue Coat ProxySG is a proxy device platform that helps organizations accelerate and protect applications in distributed networks. An administrator limit value with only read permissions allows a small number of commands to be run, the ProxySG configuration cannot be changed, and the commands entered in the management console and CLI are restricted in the ProxySG. An attacker can send commands through an HTTPS URL, bypassing permission restrictions, and allowing administrators with only read permissions to execute all administrator commands. Blue Coat ProxySG is prone to a remote security-bypass vulnerability. A successful attack will result in the complete compromise of an affected appliance. This issue affects the following versions: Blue Coat ProxySG 5.5 Blue Coat ProxySG 5.4 Blue Coat ProxySG 5.3 Blue Coat ProxySG 4.3 Blue Coat ProxySG 4.2

ServletExec is a JSP and Java Servlet engine that is used as a plugin for popular web servers like Apache, IIS, Netscape, and more. ServletExec has multiple security vulnerabilities that allow malicious users to obtain sensitive information or bypass security restrictions. - The input to the \"page\" parameter passed to servlet/pagecompile._admin._help._helpContent_xjsp is missing validation when used to display the file, and an attacker can obtain arbitrary file content through directory traversal. - Missing validation of precompiled JSP pages in the management interface, direct access to precompiled pages in the \"Servlet Exec Admin\" package bypasses administrator authentication (eg servlet/pagecompile._admin._userMgt_xjsp). ServletExec is prone to a directory-traversal vulnerability and multiple authentication-bypass vulnerabilities because the application fails to sufficiently sanitize user-supplied input. Versions prior to ServletExec 6.0.0.2_39 are vulnerable

Cisco IOS 15.1(2)T allows remote attackers to cause a denial of service (resource consumption and TCP outage) via spoofed TCP packets, related to embryonic TCP connections that remain in the SYN_RCVD or SYN_SENT state, aka Bug ID CSCti18193. Cisco IOS of TCP For connection, SYN_RCVD Or SYN_SENT Service operation disruption due to deficiencies (DoS) There is a vulnerability that becomes a condition. Cisco IOS is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause the affected device to remain in the SYNRCVD or SYNSENT state. Successful exploiting this issue will allow attackers to consume system resources and prevent the affected device from initiating new TCP connection, denying service to legitimate users. This issue is tracked by Cisco Bug ID CSCti18193. ---------------------------------------------------------------------- Get tweets from Secunia http://twitter.com/secunia ---------------------------------------------------------------------- TITLE: Cisco IOS TCP Connection Handling Denial of Service SECUNIA ADVISORY ID: SA40958 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/40958/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=40958 RELEASE DATE: 2010-08-14 DISCUSS ADVISORY: http://secunia.com/advisories/40958/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/40958/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=40958 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability exists due to an error in the handling of TCP packets during the establishment phase. Successful exploitation does not require a full TCP three-way handshake and is possible e.g. via spoofed TCP packets. PROVIDED AND/OR DISCOVERED BY: Reported to the vendor by a customer. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. No authentication is required to exploit this vulnerability. An attacker does not need to complete a three-way handshake to trigger this vulnerability; therefore, this this vunerability can be exploited using spoofed packets. This vulnerability may be triggered by normal network traffic. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml. To determine the Cisco IOS Software Release that is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed by "Version" and the Cisco IOS Software Release name. Other Cisco devices do not have the "show version" command or may provide different output. The following example identifies a Cisco product that is running Cisco IOS Software Release 15.1(2)T with an installed image name of C2800NM-ENTSERVICES-M: Router#show version Cisco IOS Software, 2800 Software (C2800NM-ENTSERVICES-M), Version 15.1(2)T, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2010 by Cisco Systems, Inc. Compiled Mon 19-Jul-10 16:38 by prod_rel_team <output truncated> Additional information about Cisco IOS Software Release naming conventions is available in the White Paper: Cisco IOS Reference Guide. No other Cisco products are currently known to be affected by this vulnerability. Details ======= TCP provides reliable data transmission services in packet-switched network environments. TCP corresponds to the transport layer (Layer 4) of the OSI reference model. Among the services TCP provides are stream data transfer, reliability, efficient flow control, full-duplex operation, and multiplexing. All allocated TCBs, associated TCP port numbers, and the TCP state are displayed in the output of the "show tcp brief all" command-line interface (CLI) command. Examining the output of the "show tcp brief all" command multiple times will indicate if TCP sessions remain in one of these states. This vulnerability is triggered only by TCP traffic that is terminated by or originated from the device. Transit traffic will not trigger this vulnerability. Both connections to and from the router could trigger this vulnerability. An example of a connection to the router is that you may still be able to ping the device, but fail to establish a TELNET or SSH connection to the device. For example, an administrator may still be able to ping the device but fail to establish a Telnet or SSH connection to the device. Administrators who attempt a Telnet or a SSH connection to a remote device from the CLI prompt will encounter a hung session and the "Trying <ip address|hostname> ..." prompt. The connection that is initiated or terminated by the router can be removed from the socket table by clearing the associated TCB with the "clear tcp tcb 0x<address>" command. Devices could be vulnerable if examining the output of the CLI command "debug ip tcp transactions", displays the error messages "connection queue limit reached: port <port number>" or "No wild listener: port <port number>". Devices could also be vulnerable if output from repetitive show tcp brief all CLI commands indicates many TCBs in the state SYNRCVD or SYNSENT. The following example shows a device that has several HTTP, SSH, and Telnet sessions in the TCP SYNRCVD state: Example#show tcp brief all TCB Local Address Foreign Address (state) 07C2D6C8 192.168.0.2.443 192.168.0.5.11660 SYNRCVD 07C38128 192.168.0.2.23 192.168.0.5.35018 SYNRCVD 07C2DD60 192.168.0.2.443 192.168.0.5.19316 SYNRCVD 07C2A8A0 192.168.0.2.80 192.168.0.5.13818 SYNRCVD <output truncated> Any TCP sessions can be cleared by clearing the associated TCB with "clear tcp tcb 0x<address>". Alternatively Administrators can clear all TCBs at once by issuing "clear tcp tcb *". Note: This will clear all active and hung TCP connections. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2827. Some TCP application specific information is provided in the following sections: Telnet and SSH +------------- Telnet can not be explicitly disabled on a Cisco IOS device. Configuring "transport input none" on the vty lines of a vulnerable device will prevent it from being exploited on TCP port 23. However, if the Cisco IOS SSH server feature is configured on the device, "transport input none" will not prevent the device from being exploited on TCP port 22. Configuration of vty access control lists can partially mitigate this vulnerability because the vulnerability can be exploited using spoofed IP source addresses. Border Gateway Protocol +---------------------- Routers that are configured with Border Gateway Protocol (BGP) can be protected further by using the Generalized Time to Live (TTL) Security Mechanism (GTSM) feature. GTSM allows users to configure the expected TTL of a packet between a source and destination address. Packets that fail the GTSM check will be dropped before TCP processing occurs, which prevents an attacker from exploiting this vulnerability through BGP. GTSM is implemented with the command "ttl-security hops". Further information on protecting BGP can be found in "Protecting Border Gateway Protocol for the Enterprise" (http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html#7). TCP MD5 Authentication for BGP does not prevent this vulnerability from being exploited. Vulnerability Scoring Details ============================= Cisco has provided a score for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCti18193 ("TCP connections never timeout in IOS 15.1(2)T") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may prevent some TCP applications on Cisco IOS Software from accepting any new connections. Exploitation could also prevent remote access to the affected system via the vtys. Remote access to the affected device via out-of-band connectivity to the console port should still be available. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +---------------------------------------+ | Major | Availability of Repaired | | Release | Releases | |------------+--------------------------| | Affected | | | 12.x-Based | First Fixed Release | | Releases | | |------------+--------------------------| | 12.0 - | 12.0 through 12.4 based | | 12.4 | releases are not | | | affected | |------------+--------------------------| | Affected | | | 15.0-Based | First Fixed Release | | Releases | | |------------+--------------------------| | 15.0 | There are no affected | | | 15.0 based releases | |------------+--------------------------| | Affected | | | 15.1-Based | First Fixed Release | | Releases | | |------------+--------------------------| | | 15.1(2)T0a | | | | | | 15.1(2)T1; available on | | | 20-AUG-2010 | | 15.1T | | | | Releases prior to 15.1 | | | (2)T are not vulnerable. | | | The vulnerability is | | | first fixed in release | | | 15.1(2)T0a. | +---------------------------------------+ Workarounds =========== The only complete workaround to mitigate this vulnerability is to disable the specific features that make a device vulnerable, if this action is feasible. Allowing only legitimate devices to connect to affected devices will help limit exposure to this vulnerability. Refer to the following Control Plane Policing and Configuring Infrastructure Access Lists subsections for further details. Because a TCP three-way handshake is not required, the mitigation must be combined with anti-spoofing measures on the network edge to increase effectiveness. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20100812-tcp.shtml Cisco Guide to Harden Cisco IOS Devices +-------------------------------------- The Cisco Guide to Harden Cisco IOS Devices provides examples of many useful techniques to mitigate TCP state manipulation vulnerabilities. These include: * Infrastructure Access Control Lists (iACL) * Receive Access Control Lists (rACL) * Transit Access Control Lists (tACL) * vty Access Control Lists * Control Plane Policing (CoPP) * Control Plane Protection (CPPr) For more information on these topics, consult "Cisco Guide to Harden Cisco IOS Devices" (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml). CoPP +--- For devices that need to offer TCP services, administrators can use CoPP to block TCP traffic from untrusted sources that is destined to the affected device. CoPP may be configured on a device to protect the management and control planes and minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. The following example can be adapted to specific network configurations: ! !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted. !-- Everything else is not trusted. The following access list is used !-- to determine what traffic needs to be dropped by a control plane !-- policy (the CoPP feature.) If the access list matches (permit), !-- then traffic will be dropped. If the access list does not !-- match (deny), then traffic will be processed by the router. !-- Note that TCP ports 22 and 23 are examples; this !-- configuration needs to be expanded to include all used !-- TCP ports. ! access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 22 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23 access-list 100 deny tcp host 172.16.1.1 any eq 22 access-list 100 deny tcp host 172.16.1.1 any eq 23 access-list 100 permit tcp any any ! !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. !-- Create a class map for traffic that will be policed by !-- the CoPP feature. ! class-map match-all drop-tcp-class match access-group 100 ! !-- Create a policy map that will be applied to the !-- Control Plane of the device, and add the "drop-tcp-traffic" !-- class map. ! policy-map control-plane-policy class drop-tcp-class drop ! !-- Apply the policy map to the control plane of the !-- device. ! control-plane service-policy input control-plane-policy Warning: Because a TCP three-way handshake is not required to exploit this vulnerability, it is possible to spoof the IP address of the sender, which could defeat access control lists (ACLs) that permit communication to these ports from trusted IP addresses. In the preceding CoPP example, the access control entries (ACEs) that match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop function. Additional information on the configuration and use of the CoPP feature can be found at "Control Plane Policing Implementation Best Practices" (http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html) and "Control Plane Policing" (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html). Configuring iACLs +---------------- Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The white paper "Protecting Your Core: Infrastructure Protection Access Control Lists" (http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml) presents guidelines and recommended deployment techniques for infrastructure protection ACLs. BGP Considerations +---------------- GTSM can help prevent exploitation of this vulnerability by means of the BGP port because packets that originate from devices that do not pass the TTL check configured by GTSM are dropped before any TCP processing occurs. For information on GTSM refer to "BGP Support for TTL Security Check" (http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html) and "BGP Time To Live Security Check" (http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html#7). Embedded Event Manager (EEM) +--------------------------- A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool Command Language (Tcl) can be used on vulnerable Cisco IOS devices to identify and detect a hung, extended, or indefinite TCP connection that is caused by this vulnerability. When Cisco IOS EEM detects potential exploitation of this vulnerability, the policy can trigger a response by sending a syslog message or a Simple Network Management Protocol (SNMP) trap to clear the TCP connection. The example policy provided in this document is based on a Tcl script that monitors and parses the output from two commands at defined intervals, produces a syslog message when the monitor threshold reaches its configured value, and can reset the TCP connection. The Tcl script is available for download at the "Cisco Beyond: Embedded Event Manager (EEM) Scripting Community" (http://www.cisco.com/go/ciscobeyond) at the following link http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2041, and the device sample configuration is provided below. ! !-- Location where the Tcl script will be stored ! event manager directory user policy disk0:/eem ! !-- Define variable and set the monitoring interval !-- as an integer (expressed in seconds) ! event manager environment EEM_MONITOR_INTERVAL 60 ! !-- Define variable and set the threshold value as !-- an integer for the number of retransmissions !-- that determine if the TCP connection is hung !-- (a recommended value to use is 15) ! event manager environment EEM_MONITOR_THRESHOLD 15 ! !-- Define variable and set the value to "yes" to !-- enable the clearing of hung TCP connections ! event manager environment EEM_MONITOR_CLEAR yes ! !-- Define variable and set to the TCP connection !-- state or states that script will monitor, which !-- can be a single state or a space-separated list !-- of states ! event manager environment EEM_MONITOR_STATES SYNRCVD SYNSENT ! !-- Register the script as a Cisco EEM policy ! event manager policy monitor-sockets.tcl Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100812-tcp.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2010-August-12 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2010 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Aug 12, 2010 Document ID: 112099 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkxkdOsACgkQ86n/Gc8U/uApYwCfeZAQ3FcneSd+MEaIn+qMV2zb bYgAn2Zg6rcHlDyLaPepO/C0hwINLk2v =5Pfg -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Untrusted search path vulnerability in Apple iTunes before 9.1, when running on Windows 7, Vista, and XP, allows local users and possibly remote attackers to gain privileges via a Trojan horse DLL in the current working directory. Apple iTunes is prone to a vulnerability that lets attackers execute arbitrary code. An attacker can exploit this issue by enticing a legitimate user into using iTunes to open a media file from a network share location that contains a specially crafted Dynamic Linked Library (DLL) file. This issue affects iTunes 9 running on Microsoft Windows platforms. iTunes is an Apple player software for iPod and mp3 files