VARIoT IoT vulnerabilities database

PHP remote file inclusion vulnerability in SAPID CMS 123 rc3 allows remote attackers to execute arbitrary PHP code via a URL in the (1) root_path parameter in usr/extensions/get_infochannel.inc.php and the (2) GLOBALS["root_path"] parameter in usr/extensions/get_tree.inc.php. (1) usr/extensions/get_infochannel.inc.php of root_path Parameters (2) usr/extensions/get_tree.inc.php of GLOBALS["root_path"] Parameters. Multiple SAPID applications are prone to multiple remote file-include vulnerabilities. These may facilitate a compromise of the application and the underlying system; other attacks are also possible. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: SAPID CMS "root_path" File Inclusion Vulnerability SECUNIA ADVISORY ID: SA21410 VERIFY ADVISORY: http://secunia.com/advisories/21410/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: SAPID CMS 1.x http://secunia.com/product/6323/ DESCRIPTION: Simo64 has discovered some vulnerabilities in SAPID CMS, which can be exploited by malicious people to compromise a vulnerable system. Input passed to the "root_path" parameter in usr/extensions/get_infochannel.inc.php and usr/extensions/get_tree.inc.php is not properly verified before being used to include files. Successful exploitation requires that "register_globals" is enabled. The vulnerabilities have been confirmed in version 1.2.3 Stable and 1.2.3 RC3. Other versions may also be affected. SOLUTION: Edit the source code to ensure that input is properly verified. PROVIDED AND/OR DISCOVERED BY: Simo64 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Microsoft Internet Explorer allows remote attackers to cause a denial of service (crash) via an IFRAME with a certain XML file and XSL stylesheet that triggers a crash in mshtml.dll when a refresh is called, probably a null pointer dereference. Microsoft Internet Explorer is prone to a denial-of-service vulnerability when handling malicious HTML files. Successfully exploiting this issue allows attackers to consume excessive CPU resources in the affected browser and eventually cause Internet Explorer to crash, causing a denial-of-service

Linksys WRT54g firmware 1.00.9 does not require credentials when making configuration changes, which allows remote attackers to modify arbitrary configurations via a direct request to Security.tri, as demonstrated using the SecurityMode and layout parameters, a different issue than CVE-2006-2559. Linksys WRT54G routers do not properly validate user credentials before allowing configuration changes. This vulnerability CVE-2006-2559 Is a different vulnerability.By a third party Security.tri Any setting may be changed through a direct request to. Linksys WRT54GS is prone to an authentication-bypass vulnerability. Reportedly, the device permits changes in its configuration settings without requring authentication. Linksys WRT54GS is prone to an authentication-bypass vulnerability. The problem presents itself when a victim user visits a specially crafted web page on an attacker-controlled site. An attacker can exploit this vulnerability to bypass authentication and modify the configuration settings of the device. This issue is reported to affect firmware version 1.00.9; other firmware versions may also be affected. Linksys WRT54GS is a wireless router device that combines several functions. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Linksys WRT54G Configuration Manipulation and Request Forgery SECUNIA ADVISORY ID: SA21372 VERIFY ADVISORY: http://secunia.com/advisories/21372/ CRITICAL: Less critical IMPACT: Hijacking, Manipulation of data WHERE: >From remote OPERATING SYSTEM: Linksys WRT54G Wireless-G Broadband Router http://secunia.com/product/3523/ DESCRIPTION: Ginsu Rabbit has reported a vulnerability and a security issue in Linksys WRT54G, which can be exploited by malicious people to conduct cross-site request forgery attacks and manipulate the configuration. disable wireless security). 2) An error exists in the web interface caused due to the device allowing users to change the router configuration via HTTP requests without performing any validity checks to verify the user's request. SOLUTION: Filter traffic to affected devices and do not visit untrusted web sites while being logged in to the device. PROVIDED AND/OR DISCOVERED BY: Ginsu Rabbit ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048495.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco PIX 500 Series Security Appliances allows remote attackers to send arbitrary UDP packets to intranet devices via unspecified vectors involving Session Initiation Protocol (SIP) fixup commands, a different issue than CVE-2006-4032. NOTE: the vendor, after working with the researcher, has been unable to reproduce the issue. Cisco PIX is reportedly prone to an unauthorized UDP port-forwarding vulnerability. Attackers may exploit this issue to forward UDP datagrams to arbitrary hosts protected by affected firewall devices, potentially bypassing firewall rules. This may aid attackers in further attacks against computers protected by affected firewall devices. This BID will be updated as further information becomes available

Barracuda Spam Firewall (BSF), possibly 3.3.03.053, contains a hardcoded password for the admin account for logins from 127.0.0.1 (localhost), which allows local users to gain privileges. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that can not be modified by an administrator. Barracuda Spam Firewall is an integrated hardware and software spam solution for protecting mail servers. Using a hardware-encoded password for the administrator account when logging in locally could allow an attacker to gain access. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Barracuda Spam Firewall Information Disclosure and Default Account SECUNIA ADVISORY ID: SA21258 VERIFY ADVISORY: http://secunia.com/advisories/21258/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/ DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information. 1) Input passed to the "file" parameter in preview_email.cgi is not properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs). Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file] Successful exploitation requires that the user has been authenticated. 2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information. A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files. The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. Prior versions may also be affected. SOLUTION: Update to firmware version 3.3.0.54. PROVIDED AND/OR DISCOVERED BY: Greg Sinclair ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Safari on the Apple iPod touch (aka iTouch) and iPhone 1.1.1 allows user-assisted remote attackers to cause a denial of service (application crash), and enable filesystem browsing by the local user, via a certain TIFF file. Safari is prone to a denial-of-service vulnerability. The iPod touch (also known as iTouch) is an MP4 player released by Apple, and the iPhone is a smartphone released by it. There is a vulnerability in the Safari browser of iPod touch when processing malformed TIFF images. Attackers may use this vulnerability to control the user's system. If a user is tricked into viewing a specially crafted TIFF graphic using the Safari browser embedded in the above product, it may trigger a buffer overflow, resulting in denial of service or execution of arbitrary commands. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,700 different Windows applications. Request your account, the Secunia Network Software Inspector (NSI): http://secunia.com/network_software_inspector/ ---------------------------------------------------------------------- TITLE: Apple iPod touch / iPhone TIFF Image Processing Vulnerability SECUNIA ADVISORY ID: SA27213 VERIFY ADVISORY: http://secunia.com/advisories/27213/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple iPhone 1.x http://secunia.com/product/15128/ Apple iPod touch 1.x http://secunia.com/product/16074/ DESCRIPTION: A vulnerability has been reported in Apple iPod touch and Apple iPhone, which potentially can be exploited by malicious people to compromise a vulnerable device. The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari web browser. The vulnerability is reported in iPod touch version 1.1.1 and iPhone version 1.1.1. Other versions may also be affected. This may be related to: SA21304 SOLUTION: Do not browse untrusted web sites and do not open untrusted TIFF images. PROVIDED AND/OR DISCOVERED BY: Niacin ORIGINAL ADVISORY: http://www.toc2rta.com/?q=node/22 OTHER REFERENCES: SA21304: http://secunia.com/advisories/21304/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. Successful exploitation allows crashing applications linked against libTIFF and may also allow execution of arbitrary code. PROVIDED AND/OR DISCOVERED BY: Tavis Ormandy, Google Security Team. For more information: SA21304 SOLUTION: Apply updated packages

Unspecified vulnerability in Cisco IOS CallManager Express (CME) allows remote attackers to gain sensitive information (user names) from the Session Initiation Protocol (SIP) user directory via certain SIP messages, aka bug CSCse92417. Cisco CallManager Express is prone to an information-disclosure vulnerability because the application fails to protect sensitive data from an attacker. An attacker could exploit this issue to retrieve potentially sensitive information that may aid in further attacks. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Cisco CallManager Express SIP User Directory Disclosure SECUNIA ADVISORY ID: SA21335 VERIFY ADVISORY: http://secunia.com/advisories/21335/ CRITICAL: Not critical IMPACT: Exposure of sensitive information WHERE: >From local network SOFTWARE: Cisco CallManager Express 3.x http://secunia.com/product/11230/ DESCRIPTION: A weakness has been reported in Cisco CallManager Express, which can be exploited by malicious people to disclose potentially sensitive information. This can be exploited to disclose the names of the users in the SIP user database by sending specially crafted SIP messages. SOLUTION: The vendor recommends implementing the VoIP (Voice over Internet Protocol) infrastructure and data devices on separate VLANs according to best security practices. PROVIDED AND/OR DISCOVERED BY: The vendor credits Dave Endler and Mark Collier. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sr-20060802-sip.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Intel 2100 PRO/Wireless Network Connection driver PROSet before 7.1.4.6 allows local users to corrupt memory and execute code via "requests for capabilities from higher-level protocol drivers or user-level applications" involving crafted frames, a different issue than CVE-2006-3992. Microsoft Windows drivers for Intel 2100 PRO/Wireless Network Connection Hardware contain a memory corruption vulnerability. This vulnerability may allow an attacker to execute arbitrary code on a vulnerable system. Intel PRO/Wireless 2100 versions prior to 7.1.4.6 with driver version 1.2.4.37 for Windows are vulnerable

Unspecified vulnerability in the Centrino (1) w22n50.sys, (2) w22n51.sys, (3) w29n50.sys, and (4) w29n51.sys Microsoft Windows drivers for Intel 2200BG and 2915ABG PRO/Wireless Network Connection before 10.5 with driver 9.0.4.16 allows remote attackers to execute arbitrary code via certain frames that trigger memory corruption. Microsoft Windows drivers for Intel Centrino wireless adapters fail to properly handle malformed frames. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code. An attacker within range of a vulnerable Wi-Fi station can trigger these issues to corrupt memory to execute code with kernel-level privileges. A successful attack can result in a complete compromise of the affected computer. Intel PRO/Wireless 2200BG and 2915ABG versions prior to 10.5 with driver version 9.0.4.16 for Windows are vulnerable

Hewlett-Packard (HP) ProCurve 3500yl, 6200yl, and 5400zl switches with software before K.11.33 allow remote attackers to cause a denial of service (possibly memory leak or system crash) via unknown vectors. ProCurve is prone to an unspecified remote denial-of-service vulnerability. This issue is most likely due to a failure in the device to properly sanitize user-supplied input. An attacker can exploit this issue to crash an affected device, effectively denying service to legitimate users. This issue affects ProCurve switches running software prior to K.11.33. Remote attackers can cause the switch to deny service by sending specially crafted packets. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: HP ProCurve Switch Denial of Service Vulnerability SECUNIA ADVISORY ID: SA21316 VERIFY ADVISORY: http://secunia.com/advisories/21316/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: HP ProCurve Switch 3500yl series http://secunia.com/product/11225/ HP ProCurve Switch 5400zl series http://secunia.com/product/11226/ HP ProCurve Switch 6200yl series http://secunia.com/product/11227/ DESCRIPTION: A vulnerability has been reported in HP ProCurve Switch, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability has been reported in the following products: * ProCurve Switch 3500yl series * ProCurve Switch 6200yl series * ProCurve Switch 5400zl series SOLUTION: Update switch software to version K.11.33 or later. http://www.hp.com/rnd/software/switches.htm PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: HPSBGN02136 SSRT061173: http://itrc.hp.com/service/cki/docDisplay.do?docId=c00732233 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in McSubMgr ActiveX control (mcsubmgr.dll) in McAfee Security Center 6.0.23 for Internet Security Suite 2006, Wireless Home Network Security, Personal Firewall Plus, VirusScan, Privacy Service, SpamKiller, AntiSpyware, and QuickClean allows remote user-assisted attackers to execute arbitrary commands via long string parameters, which are later used in vsprintf. McAfee SecurityCenter is prone to a stack-based buffer-overflow vulnerability. This vulnerability requires a certain amount of user-interaction for an attack to occur, such as visiting a malicious website. A successful exploit would let a remote attacker execute code with the privileges of the currently logged in user. This issue is reported to affect versions 4.3 through 6.0.22. Please see the affected packages section for a list of McAfee consumer products that ship with vulnerable versions of the McAfee SecurityCenter. McAfee Subscription Manager (McAfee Subscription Manager) is a component released together with many McAfee products to manage product permissions. It is an ActiveX control, through which manufacturers can check the legality of product use. McSubMgr.dll, the implementation module of the product inspection manager, does not check the length of the incoming parameters. Remote attackers can lure users to visit malicious websites, and transmit data exceeding 3000 bytes to McSubMgr.dll in web scripts, resulting in stack overflow. to execute arbitrary commands. Link: http://www.securityfocus.com/archive/1/442495/30/0/threaded. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. The vulnerability is caused due to an unspecified error and allows execution of arbitrary code. No more information is currently available. SOLUTION: Sufficient information about the vulnerability is not available to suggest a proper workaround. PROVIDED AND/OR DISCOVERED BY: eEye Digital Security ORIGINAL ADVISORY: eEye Digital Security: http://www.eeye.com/html/research/upcoming/20060719.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in cgi-bin/preview_email.cgi in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that can not be modified by an administrator. Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, access-validation issue, and a remote command-execution issue. A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application. Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues. Barracuda Spam Firewall is an integrated hardware and software spam solution for protecting mail servers. Although the guest account has only limited access, the following information can be obtained: * System configuration, including IP address, administrator IP ACL; * Email message log (but not the content of the message); * Spam/antivirus definition version information and system firmware version. There is also a file disclosure vulnerability in Barracuda's preview_email.cgi script. This script was used to retrieve messages from Barracuda's local message database, but did not properly filter the file parameter passed through GET to limit file retrieval to the message database directory, resulting in access to any Web Server user accessible files from the web interface. In addition, it is possible to execute arbitrary commands using the pipe symbol (|). Although this script requires a valid user login, this restriction can be easily bypassed by combining the guest password vulnerability described above. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Barracuda Spam Firewall Information Disclosure and Default Account SECUNIA ADVISORY ID: SA21258 VERIFY ADVISORY: http://secunia.com/advisories/21258/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/ DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information. 1) Input passed to the "file" parameter in preview_email.cgi is not properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs). Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file] Successful exploitation requires that the user has been authenticated. 2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information. A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files. The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. SOLUTION: Update to firmware version 3.3.0.54. PROVIDED AND/OR DISCOVERED BY: Greg Sinclair ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

preview_email.cgi in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 allows remote attackers to execute commands via shell metacharacters ("|" pipe symbol) in the file parameter. NOTE: the attack can be extended to arbitrary commands by the presence of CVE-2006-4000. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that can not be modified by an administrator. Barracuda Spam Firewall (BSF) of preview_email.cgi Contains a command execution vulnerability. Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, access-validation issue, and a remote command-execution issue. A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application. Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues. Although the guest account has only limited access, the following information can be obtained: * System configuration, including IP address, administrator IP ACL; * Email message log (but not the content of the message); * Spam/antivirus definition version information and system firmware version. Although this script requires a valid user login, this restriction can be easily bypassed by combining the guest password vulnerability described above. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Barracuda Spam Firewall Information Disclosure and Default Account SECUNIA ADVISORY ID: SA21258 VERIFY ADVISORY: http://secunia.com/advisories/21258/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/ DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information. 1) Input passed to the "file" parameter in preview_email.cgi is not properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs). Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file] Successful exploitation requires that the user has been authenticated. 2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information. A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files. The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. SOLUTION: Update to firmware version 3.3.0.54. PROVIDED AND/OR DISCOVERED BY: Greg Sinclair ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Login.pm in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 contains a hard-coded password for the guest account, which allows remote attackers to read sensitive information such as e-mail logs, and possibly e-mail contents and the admin password. Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have default login credentials that can not be modified by an administrator. Spam Firewall is prone to multiple vulnerabilities, including a directory-traversal issue, access-validation issue, and a remote command-execution issue. A remote attacker can exploit these issues to gain access to potentially sensitive information and execute commands in the context of the affected application. Versions 3.3.01.001 to 3.3.03.055 are vulnerable to these issues. Barracuda Spam Firewall is an integrated hardware and software spam solution for protecting mail servers. There is also a file disclosure vulnerability in Barracuda's preview_email.cgi script. This script was used to retrieve messages from Barracuda's local message database, but did not properly filter the file parameter passed through GET to limit file retrieval to the message database directory, resulting in access to any Web Server user accessible files from the web interface. In addition, it is possible to execute arbitrary commands using the pipe symbol (|). Although this script requires a valid user login, this restriction can be easily bypassed by combining the guest password vulnerability described above. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Barracuda Spam Firewall Information Disclosure and Default Account SECUNIA ADVISORY ID: SA21258 VERIFY ADVISORY: http://secunia.com/advisories/21258/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of system information, Exposure of sensitive information WHERE: >From local network OPERATING SYSTEM: Barracuda Spam Firewall http://secunia.com/product/4639/ DESCRIPTION: Greg Sinclair has reported a vulnerability and a security issue in Barracuda Spam Firewall, which can be exploited by malicious people to bypass certain security restrictions and disclose various information. 1) Input passed to the "file" parameter in preview_email.cgi is not properly verified, before it is used to view files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks (e.g. message logs). Example: https://[host]/cgi-bin/preview_email.cgi?file=/mail/mlog/../[file] Successful exploitation requires that the user has been authenticated. 2) A default guest account with a hard-coded password exists in Login.pm. This can be exploited to disclose various configuration and version information. A combination of the two issues can be exploited by a malicious person to disclose the contents of arbitrary files. The vulnerability and the security issue have been reported in firmware versions 3.3.01.001 through 3.3.03.053. SOLUTION: Update to firmware version 3.3.0.54. PROVIDED AND/OR DISCOVERED BY: Greg Sinclair ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

WebCore in Apple Mac OS X 10.3.9 and 10.4 through 10.4.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted HTML that triggers a "memory management error" in WebKit, possibly due to a buffer overflow, as originally reported for the KHTMLParser::popOneBlock function in Apple Safari 2.0.4 using Javascript that changes document.body.innerHTML within a DIV tag. Apple Workgroup Manager fails to properly enable ShadowHash passwords in a NetInfo parent. Workgroup Manager may appear to use ShadowHash passwords when crypt is used. A vulnerability exists in how Apple OS X handles PICT images. If successfully exploited, this vulnerability may allow a remote attacker to execute arbitrary code, or create a denial-of-service condition. This vulnerability may allow remote users with a valid network account to bypass LoginWindow service access controls. Adobe Flash Player fails to properly handle malformed strings. Safari is prone to a buffer-overflow vulnerability. This issue is triggered when an attacker entices a victim user to visit a malicious website or to open a malicious HTML file. Failed exploit attempts result in crashing the application, effectively denying service to legitimate users. Possible buffer overflow. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. The vulnerability is caused due to an error in the "KHTMLParser::popOneBlock()" function. This can be exploited to cause a memory corruption via a script element in a div element redefining the document body. The vulnerability has been confirmed in version 2.0.4 (419.3). Other versions may also be affected. SOLUTION: Disable JavaScript support. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/quality_assurance_analyst/ http://secunia.com/web_application_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA22187 VERIFY ADVISORY: http://secunia.com/advisories/22187/ CRITICAL: Highly critical IMPACT: Security Bypass, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) An error in the CFNetwork component may allow a malicious SSL site to pose as a trusted SLL site to CFNetwork clients (e.g. Safari). 4) An error in the kernel's error handling mechanism known as Mach exception ports can be exploited by malicious, local users to execute arbitrary code in privileged applications. 5) An unchecked error condition in the LoginWindow component may result in Kerberos tickets being accessible to other local users after an unsuccessful attempt to log in. 6) Another error in the LoginWindow component during the handling of "Fast User Switching" may result in Kerberos tickets being accessible to other local users. 8) An error makes it possible for an account to manage WebObjects applications after the "Admin" privileges have been revoked. 9) A memory corruption error in QuickDraw Manager when processing PICT images can potentially be exploited via a specially crafted PICT image to execute arbitrary code. 10) An error in SASL can be exploited by malicious people to cause a DoS (Denial of Service) against the IMAP service. For more information: SA19618 11) A memory management error in WebKit's handling of certain HTML can be exploited by malicious people to compromise a user's system. SOLUTION: Update to version 10.4.8 or apply Security Update 2006-006. 3) The vendor credits Tom Saxton, Idle Loop Software Design. 4) The vendor credits Dino Dai Zovi, Matasano Security. 5) The vendor credits Patrick Gallagher, Digital Peaks Corporation. 6) The vendor credits Ragnar Sundblad, Royal Institute of Technology. 8) The vendor credits Phillip Tejada, Fruit Bat Software. 12) The vendor credits Chris Pepper, The Rockefeller University. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=304460 OTHER REFERENCES: SA19618: http://secunia.com/advisories/19618/ SA20971: http://secunia.com/advisories/20971/ SA21271: http://secunia.com/advisories/21271/ SA21865: http://secunia.com/advisories/21865/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . visiting a malicious website. 2) An unspecified error can be exploited to bypass the "allowScriptAccess" option. 3) Unspecified errors exist in the way the ActiveX control is invoked by Microsoft Office products on Windows. PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Stuart Pearson, Computer Terrorism UK Ltd, for reporting one of the vulnerabilities. 2) Reported by the vendor. 3) Reported by the vendor

Cross-site scripting (XSS) vulnerability in the Forms/rpSysAdmin script on the Zyxel Prestige 660H-61 ADSL Router running firmware 3.40(PT.0)b32 allows remote attackers to inject arbitrary web script or HTML via hex-encoded values in the a parameter. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: ZyXEL Prestige 660H-61 Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA21225 VERIFY ADVISORY: http://secunia.com/advisories/21225/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: ZyXEL Prestige 660H-61 http://secunia.com/product/11155/ DESCRIPTION: Jos\xe9 Ram\xf3n Palanco has reported a vulnerability in ZyXEL Prestige 660H-61, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "a" parameter in the rpSysAdmin script is not properly sanitised before being returned to the user. The vulnerability was reported for routers with firmware version V3.40(PT.0)b32. Other versions may also be affected. SOLUTION: Do not visit other web sites while accessing the router interface. PROVIDED AND/OR DISCOVERED BY: Jos\xe9 Ram\xf3n Palanco ORIGINAL ADVISORY: http://www.eazel.es/media/advisory004-Zyxel-Prestige-660H-61-Cross-Site-Scripting.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Internet Key Exchange (IKE) version 1 protocol, as implemented on Cisco IOS, VPN 3000 Concentrators, and PIX firewalls, allows remote attackers to cause a denial of service (resource exhaustion) via a flood of IKE Phase-1 packets that exceed the session expiration rate. NOTE: it has been argued that this is due to a design weakness of the IKE version 1 protocol, in which case other vendors and implementations would also be affected. Cisco IOS , PIX Firewall Implement IKE version 1 The protocol has a new IKE After receiving a session request, a new one again before the session expires IKE If you receive a request repeatedly, IKE A vulnerability exists that consumes excessive resources to establish a session.By legitimate users IKE SA ( Security Association ) May be disrupted. Cisco Internet Key Exchange (IKE) is prone to a denial-of-service vulnerability that affects devices implementing IKE 1. The issue is caused by resource exhaustion when handling a high rate of IKE requests. An attacker can exploit this issue through continuous attacks to deplete available resources. This will cause the device to deny future connections and to block current connections that are re-keyed. Cisco VPN 3000 Series Hubs allow secure, encrypted access to VPN networks. Cisco VPN 3000 has a problem when processing a large number of IKE session request packets. Remote attackers may use this vulnerability to perform denial of service attacks on the device. If an attacker can initiate new IKE sessions faster than they can expire in the queue, it is possible to exhaust the IKE resources on the remote VPN hub. Tests have shown that the target hub is affected if the sending rate reaches 2 packets per second, and becomes unusable if it reaches 10 packets per second. Main Mode messages are a minimum of 112 bytes, so 10 messages per second equates to approximately 9,000 bits per second. If this speed is reached, the attacker's packets will fill the hub queue, making it impossible to process valid IKE requests. Since the vulnerability occurs before the authentication stage, no valid credentials are required for the attack

The SMB Mailslot parsing functionality in PAM in multiple ISS products with XPU (24.39/1.78/epj/x.x.x.1780), including Proventia A, G, M, Server, and Desktop, BlackICE PC and Server Protection 3.6, and RealSecure 7.0, allows remote attackers to cause a denial of service (infinite loop) via a crafted SMB packet that is not properly handled by the SMB_Mailslot_Heap_Overflow decode. ISS The product includes 2006 Year 7 Monthly release XPU include "SMB_MailSlot_Heap_Overflow" Defect in decoding, certain legitimate SMB Mailslot When analyzing traffic, Protocol Analysis Module (PAM) Engine stops responding to subsequent traffic and disrupts service operation (DoS) There is a vulnerability that becomes a condition.ISS Protection product interferes with service operation (DoS) It may be in a state. The Internet Security Systems implementation of SMB/TCP Mailslot is prone to a denial-of-service vulnerability. This issue is due to a design error when dealing with certain legitimate SMB Mailslot traffic. An attacker can exploit this issue to crash the affected service, effectively denying service to legitimate users. ISS is an internationally renowned security vendor that provides a variety of firewalls and intrusion detection devices. An attacker only needs to send a single packet to trigger this vulnerability without actually establishing an SMB session. ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. Successful exploitation causes the application or system to stop responding. SOLUTION: Update to a fixed version (see vendor advisory for details). ORIGINAL ADVISORY: ISS: http://xforce.iss.net/xforce/alerts/id/230 https://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=3630 NSFocus: http://www.nsfocus.com/english/homepage/research/0607.htm ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . NSFOCUS Security Advisory (SA2006-07) ISS RealSecure/BlackICE MailSlot Heap Overflow Detection Remote DoS Vulnerability Release Date: 2006-07-27 CVE ID: CVE-2006-3840 http://www.nsfocus.com/english/homepage/research/0607.htm Affected systems & software =================== RealSecure Network Sensor 7.0 Proventia A Series Proventia G Series Proventia M Series RealSecure Server Sensor 7.0 Proventia Server RealSecure Desktop 7.0 Proventia Desktop BlackICE PC Protection 3.6 BlackICE Server Protection 3.6 Unaffected systems & software =================== Summary ========= NSFocus Security Team discovered a remote DoS vulnerability in ISS RealSecure/ BlackICE products lines' detection of MailSlot Heap Overflow (MS06-035). By sending a specific SMB MailSlot packet it's possible to cause DoS in ISS protection products. Description ============ There is a DoS vulnerability in ISS protection products' detection of SMB_MailSlot_Heap_Overflow (MS06-035/KB917159). By sending a specific SMB MailSlot packet it's possible to cause an infinite loop to occur in the detection code, and the ISS product or even the operating system will stop to respond. For example, for BlackICE the vulnerability might cause the inerruption of the network traffic, and an approximately 100% CPU utilization. STOP BlackICE engine will not restore normal operation. Instead OS restart is required. This vulnerability can be triggered by a single packet. The establishment of a real SMB session is not required. Workaround ============= Block ports TCP/445 and TCP/139 at the firewall. Vendor Status ============== 2006.07.24 Informed the vendor 2006.07.25 Vendor confirmed the vulnerability 2006.07.26 ISS has released a security alert and related patches. For more details about the security alert, please refer to: http://xforce.iss.net/xforce/alerts/id/230 ISS has released the following XPUs to fix this vulnerability: RealSecure Network 7.0, XPU 24.40 Proventia A Series, XPU 24.40 Proventia G Series, XPU 24.40/1.79 Proventia M Series, XPU 1.79 RealSecure Server Sensor 7.0, XPU 24.40 Proventia Server 1.0.914.1880 RealSecure Desktop 7.0 epk Proventia Desktop 8.0.812.1790/8.0.675.1790 BlackICE PC Protection 3.6 cpk BlackICE Server Protection 3.6 cpk Additional Information ======================== The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-3840 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. Acknowledgment =============== Chen Qing of NSFocus Security Team found the vulnerability. DISCLAIMS ========== THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. Copyright 1999-2006 NSFOCUS. All Rights Reserved. Terms of use. NSFOCUS Security Team <security@nsfocus.com> NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com) PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA

Mozilla Firefox 1.5 before 1.5.0.5 and SeaMonkey before 1.0.3 allows remote attackers to execute arbitrary code by changing certain properties of the window navigator object (window.navigator) that are accessed when Java starts up, which causes a crash that leads to code execution. Mozilla products fail to properly release memory. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.The flaw exists when assigning specific values to the window.navigator object. A lack of checking on assignment causes user supplied data to be later used in the creation of other objects leading to eventual code execution. The Mozilla Foundation has released thirteen security advisories specifying vulnerabilities in Mozilla Firefox, SeaMonkey, and Thunderbird. Other attacks may also be possible. The issues described here will be split into individual BIDs as more information becomes available. These issues are fixed in: - Mozilla Firefox 1.5.0.5 - Mozilla Thunderbird 1.5.0.5 - Mozilla SeaMonkey 1.0.3. Mozilla Firefox is prone to a remote code-execution vulnerability because the application fails to properly sanitize user-supplied input before using it to create new JavaScript objects. This issue was previously discussed in BID 19181 (Mozilla Multiple Products Remote Vulnerabilities). =========================================================== Ubuntu Security Notice USN-327-1 July 27, 2006 firefox vulnerabilities CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: firefox 1.5.dfsg+1.5.0.5-0ubuntu6.06 After a standard system upgrade you need to restart Firefox to effect the necessary changes. Please note that Firefox 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 are also affected by these problems. Updates for these Ubuntu releases will be delayed due to upstream dropping support for this Firefox version. We strongly advise that you disable JavaScript to disable the attack vectors for most vulnerabilities if you use one of these Ubuntu versions. (CVE-2006-3113, CVE-2006-3677, CVE-2006-3801, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3811, CVE-2006-3812) cross-site scripting vulnerabilities were found in the XPCNativeWrapper() function and native DOM method handlers. A malicious web site could exploit these to modify the contents or steal confidential data (such as passwords) from other opened web pages. (CVE-2006-3802, CVE-2006-3810) A bug was found in the script handler for automatic proxy configuration. (CVE-2006-3808) Please see http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox for technical details of these vulnerabilities. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06.diff.gz Size/MD5: 174602 7be6f5862219ac4cf44f05733f372f2b http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06.dsc Size/MD5: 1109 252d6acf45b009008a6bc88166e2632f http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5.orig.tar.gz Size/MD5: 44067762 749933c002e158576ec15782fc451e43 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_all.deb Size/MD5: 49190 850dd650e7f876dd539e605d9b3026c8 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_all.deb Size/MD5: 50078 c1fa4a40187d9c5b58bd049edb00ce54 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 47269292 167aadc3f03b4e1b7cb9ed826e672983 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 2796768 b54592d0bd736f6ee12a90987771bc59 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 216136 79fa6c69ffb0dd6037e56d1ba538ff64 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 82358 e2e026d582a7b5352cee4453cef0fe45 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 9400544 a9d0b804a4374dc636bb79968a2bce5c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 218822 a09476caea7d8d73d6a2f534bd494493 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 161876 0e0e65348dba8167b4891b173baa8f0d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 235746 064fc1434a315f857ee92f60fd49d772 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_amd64.deb Size/MD5: 757458 bd6a5e28e05a04a5deca731ab29f70e4 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 43837610 a7e4a535262f8a5d5cb0ace7ed785237 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 2796700 4509dbf62e3fd2cda7168c20aa65ba4f http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 209546 50e174c1c7290fca51f9e1ee71ebb56c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 74732 25ba86caeeb1a88da4493875178a3636 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 7916536 40ebfe4330af25c2359f8b25b039ed5e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 218822 6066f59acbce1b4de2dc284b5801efc5 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 146570 c1a5c5cc4371b228093d03d9ed7ad607 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 235754 0e9a1a89f63a9869b875ee6a50547c2b http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_i386.deb Size/MD5: 669556 d537a4771b80e5c06f18b2c5d7e5d384 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 48648192 479d29e08ff2b9cef89a6da3285c0aad http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 2796790 60b97738bfc3b8b32914487bb4aba239 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 212982 a396e119a32303afc024d513b997c84e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 77894 ef7841bb2ab8de0e0c44e59c893b1622 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 9019132 ed3927484eea5fccf84a2840640febf3 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 218826 a2338c3c8064a304deb752bf32a291f8 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 159112 7d5d6100727ceb894695b219cec11e43 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 235754 69085beb145222fea07d2d6c19158a2d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_powerpc.deb Size/MD5: 768332 8dc6cc8c54185d57af14bab3bee39f9d sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 45235424 f5a07188af5802fffbd3cfdd64b109cf http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 2796756 cb13c7ea0e3b7af2f1e12db1f8dc38a2 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 210488 17f7723b697110c8f132422bc059d447 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 76340 c38ccb8b71b9c3783a1c9816ecd9cf5d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 8411310 4b3865b2df3924d094e0b18f207bf33d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 218814 a0e67d0d425cea2cd5835e2c2faa930f http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 149018 73108368f0ef745188ebd1c48ea10c88 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 235746 695a6122710fb30201daaa239ba6d48d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.5-0ubuntu6.06_sparc.deb Size/MD5: 681612 896721beb3cdcea12bab98223c0796c2 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-208A Mozilla Products Contain Multiple Vulnerabilities Original release date: July 27, 2006 Last revised: -- Source: US-CERT Systems Affected * Mozilla SeaMonkey * Mozilla Firefox * Mozilla Thunderbird Any products based on Mozilla components, specifically Gecko, may also be affected. I. (CVE-2006-3805) VU#655892 - Mozilla JavaScript engine contains multiple integer overflows The Mozilla JavaScript engine contains multiple integer overflows. (CVE-2006-3811) II. III. Disable JavaScript and Java These vulnerabilities can be mitigated by disabling JavaScript and Java in all affected products. Instructions for disabling Java in Firefox can be found in the "Securing Your Web Browser" document. Appendix A. Please send email to <cert@cert.org> with "TA06-208A Feedback VU#239124" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History Jul 27, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRMkgNexOF3G+ig+rAQIFsAgAoWoMkxxhkzb+xgLVCJF7h4k4EBCgJGWa BSOiFfL4Gs4vv4lNooDRCIOdxiBfXYL71XsIOT4aWry5852/6kyYnyAiXXYj1Uv0 SbPY2sQSZ5EaG+G9i8HDIy3fpJN4XgH3ng1uzUnJihY19IfndbXicpZE+debIUri qt9NRD2f5FW5feKo1cBpYxtmxQAEePOa2dJHh7I7cnFGtG3MixHx4kVEyuYUutCX 5tHDsfTIdySNkIdCQ4vhk846bErB/kaHiKMQDfMglllb3GOSc07OQ0CDo2eTPVsA 9DtKkiDP1C4dh1mxco8CWlS6327+EB0KXGGoqDF2+j/rrpsW0oc8nA== =HwuK -----END PGP SIGNATURE----- . Background ========== The Mozilla SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as "Mozilla Application Suite". The goal is to produce a cross-platform stand-alone browser application. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-client/mozilla-firefox < 1.5.0.5 >= 1.5.0.5 2 www-client/mozilla-firefox-bin < 1.5.0.5 >= 1.5.0.5 ------------------------------------------------------------------- 2 affected packages on all of their supported architectures. * Developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients. * "shutdown" reports that cross-site scripting (XSS) attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which created a function that appeared to belong to the window in question even after it had been navigated to the target site. * "shutdown" reports that scripts granting the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context. * "moz_bug_r_a4" reports that A malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox. * "moz_bug_r_a4" discovered that Named JavaScript functions have a parent object created using the standard Object() constructor (ECMA-specified behavior) and that this constructor can be redefined by script (also ECMA-specified behavior). * Igor Bukanov and shutdown found additional places where an untimely garbage collection could delete a temporary object that was in active use. * Georgi Guninski found potential integer overflow issues with long strings in the toSource() methods of the Object, Array and String objects as well as string function arguments. * H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object. * A malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page. This leads to use of a deleted timer object. * An anonymous researcher for TippingPoint and the Zero Day Initiative showed that when used in a web page Java would reference properties of the window.navigator object as it started up. * Thilo Girmann discovered that in certain circumstances a JavaScript reference to a frame or window was not properly cleared when the referenced content went away. Impact ====== A user can be enticed to open specially crafted URLs, visit webpages containing malicious JavaScript or execute a specially crafted script. Workaround ========== There is no known workaround at this time. Resolution ========== All Mozilla Firefox users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.5.0.5" Users of the binary package should upgrade as well: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.5.0.5" References ========== [ 1 ] CVE-2006-3113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113 [ 2 ] CVE-2006-3677 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677 [ 3 ] CVE-2006-3801 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801 [ 4 ] CVE-2006-3802 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3802 [ 5 ] CVE-2006-3803 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803 [ 6 ] CVE-2006-3805 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805 [ 7 ] CVE-2006-3806 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806 [ 8 ] CVE-2006-3807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807 [ 9 ] CVE-2006-3808 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3808 [ 10 ] CVE-2006-3809 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3809 [ 11 ] CVE-2006-3810 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3810 [ 12 ] CVE-2006-3811 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811 [ 13 ] CVE-2006-3812 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3812 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200608-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Hardcore Disassembler / Reverse Engineer Wanted! Want to work with IDA and BinDiff? Want to write PoC's and Exploits? Your nationality is not important. We will get you a work permit, find an apartment, and offer a relocation compensation package. For more information, see vulnerabilities #1, #3, #4, #5, #6, #7, #9, #10, and #11: SA19783 Successful exploitation of these vulnerabilities requires that JavaScript is enabled in mails (not default setting). A boundary error has also been reported in the handling of VCard attachments. This can be exploited to cause a heap-based buffer overflow via a malicious VCard with a specially crafted base64 field that causes a crash and may allow execution of arbitrary code. SOLUTION: Update to version 1.5.0.5. PROVIDED AND/OR DISCOVERED BY: Daniel Veditz, Mozilla. ORIGINAL ADVISORY: http://www.mozilla.org/security/announce/2006/mfsa2006-49.html OTHER REFERENCES: SA19783: http://secunia.com/advisories/19873/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Previous updates to Firefox were patch fixes to Firefox 1.0.6 that brought it in sync with 1.0.8 in terms of security fixes. In this update, Mozilla Firefox 1.5.0.6 is being provided which corrects a number of vulnerabilities that were previously unpatched, as well as providing new and enhanced features. The following CVE names have been corrected with this update: CVE-2006-2613, CVE-2006-2894, CVE-2006-2775, CVE-2006-2776, CVE-2006-2777, CVE-2006-2778, CVE-2006-2779, CVE-2006-2780, CVE-2006-2782, CVE-2006-2783, CVE-2006-2784, CVE-2006-2785, CVE-2006-2786, CVE-2006-2787, CVE-2006-2788, CVE-2006-3677, CVE-2006-3803, CVE-2006-3804, CVE-2006-3806, CVE-2006-3807, CVE-2006-3113, CVE-2006-3801, CVE-2006-3802, CVE-2006-3805, CVE-2006-3808, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2613 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2894 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2775 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2776 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2777 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2779 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2780 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2782 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2784 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2785 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2786 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2787 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2788 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3802 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3808 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3809 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3810 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3812 http://www.mozilla.org/security/announce/2006/mfsa2006-31.html http://www.mozilla.org/security/announce/2006/mfsa2006-32.html http://www.mozilla.org/security/announce/2006/mfsa2006-33.html http://www.mozilla.org/security/announce/2006/mfsa2006-34.html http://www.mozilla.org/security/announce/2006/mfsa2006-35.html http://www.mozilla.org/security/announce/2006/mfsa2006-36.html http://www.mozilla.org/security/announce/2006/mfsa2006-37.html http://www.mozilla.org/security/announce/2006/mfsa2006-38.html http://www.mozilla.org/security/announce/2006/mfsa2006-39.html http://www.mozilla.org/security/announce/2006/mfsa2006-41.html http://www.mozilla.org/security/announce/2006/mfsa2006-42.html http://www.mozilla.org/security/announce/2006/mfsa2006-43.html http://www.mozilla.org/security/announce/2006/mfsa2006-44.html http://www.mozilla.org/security/announce/2006/mfsa2006-45.html http://www.mozilla.org/security/announce/2006/mfsa2006-46.html http://www.mozilla.org/security/announce/2006/mfsa2006-47.html http://www.mozilla.org/security/announce/2006/mfsa2006-48.html http://www.mozilla.org/security/announce/2006/mfsa2006-50.html http://www.mozilla.org/security/announce/2006/mfsa2006-51.html http://www.mozilla.org/security/announce/2006/mfsa2006-52.html http://www.mozilla.org/security/announce/2006/mfsa2006-53.html http://www.mozilla.org/security/announce/2006/mfsa2006-54.html http://www.mozilla.org/security/announce/2006/mfsa2006-55.html http://www.mozilla.org/security/announce/2006/mfsa2006-56.html _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: 76ef1a2e7338c08e485ab2c19a1ce691 2006.0/RPMS/devhelp-0.10-7.1.20060mdk.i586.rpm d44f02b82df9f404f899ad8bc4bdd6a2 2006.0/RPMS/epiphany-1.8.5-4.1.20060mdk.i586.rpm 29efc065aeb4a53a105b2c27be816758 2006.0/RPMS/epiphany-devel-1.8.5-4.1.20060mdk.i586.rpm caad34c0d4c16a50ec4b05820e6d01db 2006.0/RPMS/galeon-2.0.1-1.1.20060mdk.i586.rpm d0e75938f4e129936351f015bd90a37a 2006.0/RPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.noarch.rpm 652044ff7d9c3170df845011ec696393 2006.0/RPMS/libdevhelp-1_0-0.10-7.1.20060mdk.i586.rpm bf6dcf87f409d06b42234dbca387b922 2006.0/RPMS/libdevhelp-1_0-devel-0.10-7.1.20060mdk.i586.rpm e9aaff3090a4459b57367f4903b0458a 2006.0/RPMS/libnspr4-1.5.0.6-1.4.20060mdk.i586.rpm fa99cbc159722cc0ff9e5710f24ca599 2006.0/RPMS/libnspr4-devel-1.5.0.6-1.4.20060mdk.i586.rpm d4d45b797ca2f2347c0409d9f956ff25 2006.0/RPMS/libnspr4-static-devel-1.5.0.6-1.4.20060mdk.i586.rpm 8d33e72703090a911f7fd171ad9dd719 2006.0/RPMS/libnss3-1.5.0.6-1.4.20060mdk.i586.rpm 23afd287c042c5492c210255554a6893 2006.0/RPMS/libnss3-devel-1.5.0.6-1.4.20060mdk.i586.rpm 4a188f54230b943ea9c8930eb2e0cfe1 2006.0/RPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.i586.rpm 5bec4690547fd733ca97cb2933ebe427 2006.0/RPMS/mozilla-firefox-br-1.5.0.6-0.1.20060mdk.i586.rpm 55836595e5cba3828a9a5a27e5aa1825 2006.0/RPMS/mozilla-firefox-ca-1.5.0.6-0.1.20060mdk.i586.rpm 0faf5ee7022ee0b70915d2c845865cae 2006.0/RPMS/mozilla-firefox-cs-1.5.0.6-0.1.20060mdk.i586.rpm 312a89317692b3bd86060a1995365d86 2006.0/RPMS/mozilla-firefox-da-1.5.0.6-0.1.20060mdk.i586.rpm 38215dccbee8a169bcbac2af2897c2f7 2006.0/RPMS/mozilla-firefox-de-1.5.0.6-0.1.20060mdk.i586.rpm aaba2fa72f8de960a3a757b3010027d3 2006.0/RPMS/mozilla-firefox-devel-1.5.0.6-1.4.20060mdk.i586.rpm d8d59a55974f6fa20d99fb30f126638f 2006.0/RPMS/mozilla-firefox-el-1.5.0.6-0.1.20060mdk.i586.rpm 946e6a76c71dbbee3340f1a96ae25a1d 2006.0/RPMS/mozilla-firefox-es-1.5.0.6-0.1.20060mdk.i586.rpm 9a14c31a41c2bac3942caa3d1fb5daee 2006.0/RPMS/mozilla-firefox-fi-1.5.0.6-0.1.20060mdk.i586.rpm b5074c27d1cb719bf9f8fabe8aebf628 2006.0/RPMS/mozilla-firefox-fr-1.5.0.6-0.1.20060mdk.i586.rpm 7a225cdfdf0c17c0f4a72ad27907fc07 2006.0/RPMS/mozilla-firefox-ga-1.5.0.6-0.1.20060mdk.i586.rpm 06526a054d108d3c9b5f66313151ecc2 2006.0/RPMS/mozilla-firefox-he-1.5.0.6-0.1.20060mdk.i586.rpm 8f721bd3914c31e04359def6272db929 2006.0/RPMS/mozilla-firefox-hu-1.5.0.6-0.1.20060mdk.i586.rpm a704ed726e6db4ba59592563cd2c48b0 2006.0/RPMS/mozilla-firefox-it-1.5.0.6-0.1.20060mdk.i586.rpm 0ef6729b05e013a364e847e4a1b7b3e3 2006.0/RPMS/mozilla-firefox-ja-1.5.0.6-0.1.20060mdk.i586.rpm 570b19872de676414b399ff970024b78 2006.0/RPMS/mozilla-firefox-ko-1.5.0.6-0.1.20060mdk.i586.rpm dee38f0bbe3870d3bd8ad02ea968c57a 2006.0/RPMS/mozilla-firefox-nb-1.5.0.6-0.1.20060mdk.i586.rpm 92916e155ec38b5078234728593d72a2 2006.0/RPMS/mozilla-firefox-nl-1.5.0.6-0.1.20060mdk.i586.rpm c808f2f32fc9e514ffb097eeeb226a96 2006.0/RPMS/mozilla-firefox-pl-1.5.0.6-0.1.20060mdk.i586.rpm 6dda5771d062eae75f8f04b7dab8d6cc 2006.0/RPMS/mozilla-firefox-pt_BR-1.5.0.6-0.1.20060mdk.i586.rpm c4ac8441170504cc5ec05cf5c8e6e9f9 2006.0/RPMS/mozilla-firefox-ro-1.5.0.6-0.1.20060mdk.i586.rpm 2765008afd4c0ba1d702eda9627a7690 2006.0/RPMS/mozilla-firefox-ru-1.5.0.6-0.1.20060mdk.i586.rpm 15b600977b07651f1c3568f4d7f1f9ac 2006.0/RPMS/mozilla-firefox-sk-1.5.0.6-0.1.20060mdk.i586.rpm 6f1fae6befe608fc841fcc71e15852c0 2006.0/RPMS/mozilla-firefox-sl-1.5.0.6-0.1.20060mdk.i586.rpm 81f412da40ea14bcc23d420d7a5724f9 2006.0/RPMS/mozilla-firefox-sv-1.5.0.6-0.1.20060mdk.i586.rpm 76e0ece3c0b6f507340871a168a57e36 2006.0/RPMS/mozilla-firefox-tr-1.5.0.6-0.1.20060mdk.i586.rpm 6ded58e85ed113718cfb3484ae420bb9 2006.0/RPMS/mozilla-firefox-zh_CN-1.5.0.6-0.1.20060mdk.i586.rpm c76f6648e88de4a63991eac66c3fba04 2006.0/RPMS/mozilla-firefox-zh_TW-1.5.0.6-0.1.20060mdk.i586.rpm 1c7ab93275bcdcf30ed9ec2ddb4893df 2006.0/RPMS/yelp-2.10.0-6.1.20060mdk.i586.rpm 60279919aa5f17c2ecd9f64db87cb952 2006.0/SRPMS/devhelp-0.10-7.1.20060mdk.src.rpm c446c046409b6697a863868fe5c64222 2006.0/SRPMS/epiphany-1.8.5-4.1.20060mdk.src.rpm e726300336f737c8952f664bf1866d6f 2006.0/SRPMS/galeon-2.0.1-1.1.20060mdk.src.rpm e9e30596eceb0bc9a03f7880cd7d14ea 2006.0/SRPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.src.rpm 4168c73cba97276fa4868b4ac2c7eb19 2006.0/SRPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.src.rpm 6a7df29f5af703d10d7ea1fee160ac00 2006.0/SRPMS/mozilla-firefox-br-1.5.0.6-0.1.20060mdk.src.rpm e56e14c28051ec4332cbde8dbee7bb6a 2006.0/SRPMS/mozilla-firefox-ca-1.5.0.6-0.1.20060mdk.src.rpm 1a144c86fd8db39e2801117296e15d2b 2006.0/SRPMS/mozilla-firefox-cs-1.5.0.6-0.1.20060mdk.src.rpm f4889d2ee6e07c0141b57ab9aaccae64 2006.0/SRPMS/mozilla-firefox-da-1.5.0.6-0.1.20060mdk.src.rpm dee0f7bc91c797e880fff19e1cb05a63 2006.0/SRPMS/mozilla-firefox-de-1.5.0.6-0.1.20060mdk.src.rpm 45724f6ceed66701392bd131feaf1f6d 2006.0/SRPMS/mozilla-firefox-el-1.5.0.6-0.1.20060mdk.src.rpm cc680cac7fea3f7f8a48a5daf86db088 2006.0/SRPMS/mozilla-firefox-es-1.5.0.6-0.1.20060mdk.src.rpm 69b04335c21313262af4253863109cc8 2006.0/SRPMS/mozilla-firefox-fi-1.5.0.6-0.1.20060mdk.src.rpm 2aab89244a535afcbc25271df5d6b33f 2006.0/SRPMS/mozilla-firefox-fr-1.5.0.6-0.1.20060mdk.src.rpm f1c7f71d5484c5047b1b38fc16888ae3 2006.0/SRPMS/mozilla-firefox-ga-1.5.0.6-0.1.20060mdk.src.rpm 3963e3c3a2c38c41d9d3bc5250b124a6 2006.0/SRPMS/mozilla-firefox-he-1.5.0.6-0.1.20060mdk.src.rpm bb54aed17a126a9e8568d49866db99ea 2006.0/SRPMS/mozilla-firefox-hu-1.5.0.6-0.1.20060mdk.src.rpm 2a1b11f2c8944bc1fc0d313d54a903cf 2006.0/SRPMS/mozilla-firefox-it-1.5.0.6-0.1.20060mdk.src.rpm 783c5b3c0fb9916e07f220110155476d 2006.0/SRPMS/mozilla-firefox-ja-1.5.0.6-0.1.20060mdk.src.rpm 895e315731fa0b453045cc39da4f5358 2006.0/SRPMS/mozilla-firefox-ko-1.5.0.6-0.1.20060mdk.src.rpm daa0a127d2a1a3641d4e97bfb95f1647 2006.0/SRPMS/mozilla-firefox-nb-1.5.0.6-0.1.20060mdk.src.rpm 0c778b0738b11dfd5d68be48fa6316ed 2006.0/SRPMS/mozilla-firefox-nl-1.5.0.6-0.1.20060mdk.src.rpm 7025d0118cf29e39117bd87c586e84a3 2006.0/SRPMS/mozilla-firefox-pl-1.5.0.6-0.1.20060mdk.src.rpm 5d8b8e869f588c0f5751e9ce7addba45 2006.0/SRPMS/mozilla-firefox-pt_BR-1.5.0.6-0.1.20060mdk.src.rpm c5148674a8c7dd1f88c5729293f899ba 2006.0/SRPMS/mozilla-firefox-ro-1.5.0.6-0.1.20060mdk.src.rpm 91d490c075473e2443e383201b961cb8 2006.0/SRPMS/mozilla-firefox-ru-1.5.0.6-0.1.20060mdk.src.rpm 622ae4619d151bb1634113e50b30fbac 2006.0/SRPMS/mozilla-firefox-sk-1.5.0.6-0.1.20060mdk.src.rpm e6d64c14929d299e2fb52e334ae6641a 2006.0/SRPMS/mozilla-firefox-sl-1.5.0.6-0.1.20060mdk.src.rpm 20f64c6dfd6aa1450cba5002d42f53d8 2006.0/SRPMS/mozilla-firefox-sv-1.5.0.6-0.1.20060mdk.src.rpm b93a6b548bb1cf0f8cc46dec133e81a3 2006.0/SRPMS/mozilla-firefox-tr-1.5.0.6-0.1.20060mdk.src.rpm f5603b65b3d10fa5083934e08d2d4560 2006.0/SRPMS/mozilla-firefox-zh_CN-1.5.0.6-0.1.20060mdk.src.rpm c0e978ea92b4a8f3aa75dad5ab7588b9 2006.0/SRPMS/mozilla-firefox-zh_TW-1.5.0.6-0.1.20060mdk.src.rpm 93cb0acaeddb095d13b37aeb0ab4dd49 2006.0/SRPMS/yelp-2.10.0-6.1.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: d52f4955f15f99137dd9a0b2f360c8b2 x86_64/2006.0/RPMS/devhelp-0.10-7.1.20060mdk.x86_64.rpm 369457b4a09c07ba18ee5bb18fb2ffa1 x86_64/2006.0/RPMS/epiphany-1.8.5-4.1.20060mdk.x86_64.rpm 76735684f3ff493770e374a90fd359c7 x86_64/2006.0/RPMS/epiphany-devel-1.8.5-4.1.20060mdk.x86_64.rpm 5da75ab6624f8c8f0c212ce2299d645f x86_64/2006.0/RPMS/galeon-2.0.1-1.1.20060mdk.x86_64.rpm 945059b9456c9ff2ccd40ff4a6d8ae70 x86_64/2006.0/RPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.noarch.rpm 193f97760bb46e16051ba7b6b968f340 x86_64/2006.0/RPMS/lib64devhelp-1_0-0.10-7.1.20060mdk.x86_64.rpm 1b67733b0450cd6572c9879c0eb38640 x86_64/2006.0/RPMS/lib64devhelp-1_0-devel-0.10-7.1.20060mdk.x86_64.rpm 115fcbc6c99bf063cd1768d2b08e9d89 x86_64/2006.0/RPMS/lib64nspr4-1.5.0.6-1.4.20060mdk.x86_64.rpm 686404fa32e2625f23b19e11c548bbe5 x86_64/2006.0/RPMS/lib64nspr4-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm f0886b330d3f5af566af6cf5572ca671 x86_64/2006.0/RPMS/lib64nspr4-static-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm 10e9abdcb3f952c4db35c85fe58ad8ad x86_64/2006.0/RPMS/lib64nss3-1.5.0.6-1.4.20060mdk.x86_64.rpm 202bab2742f162d1cbd6d36720e6f7fb x86_64/2006.0/RPMS/lib64nss3-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm e9aaff3090a4459b57367f4903b0458a x86_64/2006.0/RPMS/libnspr4-1.5.0.6-1.4.20060mdk.i586.rpm fa99cbc159722cc0ff9e5710f24ca599 x86_64/2006.0/RPMS/libnspr4-devel-1.5.0.6-1.4.20060mdk.i586.rpm d4d45b797ca2f2347c0409d9f956ff25 x86_64/2006.0/RPMS/libnspr4-static-devel-1.5.0.6-1.4.20060mdk.i586.rpm 8d33e72703090a911f7fd171ad9dd719 x86_64/2006.0/RPMS/libnss3-1.5.0.6-1.4.20060mdk.i586.rpm 23afd287c042c5492c210255554a6893 x86_64/2006.0/RPMS/libnss3-devel-1.5.0.6-1.4.20060mdk.i586.rpm 74811077c91dde3bc8c8bae45e5862a7 x86_64/2006.0/RPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.x86_64.rpm 75711988a67bf3f36fc08823561bb2b7 x86_64/2006.0/RPMS/mozilla-firefox-br-1.5.0.6-0.1.20060mdk.x86_64.rpm 5bd9ad43769390549ab3c4549c971db7 x86_64/2006.0/RPMS/mozilla-firefox-ca-1.5.0.6-0.1.20060mdk.x86_64.rpm dfdd808e2ec0866c15db5f1ea6a5b5bd x86_64/2006.0/RPMS/mozilla-firefox-cs-1.5.0.6-0.1.20060mdk.x86_64.rpm 1fad19f458ce0aa50e86710ed3b7fe04 x86_64/2006.0/RPMS/mozilla-firefox-da-1.5.0.6-0.1.20060mdk.x86_64.rpm 743e8d4f009ab2d2fc2e8c131244fb57 x86_64/2006.0/RPMS/mozilla-firefox-de-1.5.0.6-0.1.20060mdk.x86_64.rpm 476ee9a87f650a0ef3523a9619f9f611 x86_64/2006.0/RPMS/mozilla-firefox-devel-1.5.0.6-1.4.20060mdk.x86_64.rpm be48721cbc6e5634b50ce5b6cfe4a951 x86_64/2006.0/RPMS/mozilla-firefox-el-1.5.0.6-0.1.20060mdk.x86_64.rpm e56ce18466e20db3189e035329c606ce x86_64/2006.0/RPMS/mozilla-firefox-es-1.5.0.6-0.1.20060mdk.x86_64.rpm 489e5940c9ac9573842888ff07436e4c x86_64/2006.0/RPMS/mozilla-firefox-fi-1.5.0.6-0.1.20060mdk.x86_64.rpm 73d2eb2fc6ec99a1d3eeb94d9ddff36e x86_64/2006.0/RPMS/mozilla-firefox-fr-1.5.0.6-0.1.20060mdk.x86_64.rpm acbd3cd5f82b47a6c6cb03ebd6ca25ae x86_64/2006.0/RPMS/mozilla-firefox-ga-1.5.0.6-0.1.20060mdk.x86_64.rpm 362807f9da1130dd8da606b9ded06311 x86_64/2006.0/RPMS/mozilla-firefox-he-1.5.0.6-0.1.20060mdk.x86_64.rpm e48c991fa555d22d1f382baa83dfcae9 x86_64/2006.0/RPMS/mozilla-firefox-hu-1.5.0.6-0.1.20060mdk.x86_64.rpm 0d954f47de6d2cc58e36cd2c9ddae09c x86_64/2006.0/RPMS/mozilla-firefox-it-1.5.0.6-0.1.20060mdk.x86_64.rpm 8f615598d04985a0d60a3469ea3044ed x86_64/2006.0/RPMS/mozilla-firefox-ja-1.5.0.6-0.1.20060mdk.x86_64.rpm f4810510feb31e6195358c5ddd87252f x86_64/2006.0/RPMS/mozilla-firefox-ko-1.5.0.6-0.1.20060mdk.x86_64.rpm 537d53b7805ac84009f2ff99e3282b91 x86_64/2006.0/RPMS/mozilla-firefox-nb-1.5.0.6-0.1.20060mdk.x86_64.rpm afbc9ee04902213758bbf262b732de21 x86_64/2006.0/RPMS/mozilla-firefox-nl-1.5.0.6-0.1.20060mdk.x86_64.rpm dcef8c7676529394e5fbd4168f8e2cd6 x86_64/2006.0/RPMS/mozilla-firefox-pl-1.5.0.6-0.1.20060mdk.x86_64.rpm f4ee0e7ecba430fd3ce5e8ebeda9b5c1 x86_64/2006.0/RPMS/mozilla-firefox-pt_BR-1.5.0.6-0.1.20060mdk.x86_64.rpm 778261355184ca73cbf1aab1ce56644d x86_64/2006.0/RPMS/mozilla-firefox-ro-1.5.0.6-0.1.20060mdk.x86_64.rpm 10ca4e7f4cf10c380849ced0bf83e08b x86_64/2006.0/RPMS/mozilla-firefox-ru-1.5.0.6-0.1.20060mdk.x86_64.rpm 427cabc08ec66e1a45bc27e5625f49bb x86_64/2006.0/RPMS/mozilla-firefox-sk-1.5.0.6-0.1.20060mdk.x86_64.rpm de4e61d4fce7cd286bb4a3778cb8499f x86_64/2006.0/RPMS/mozilla-firefox-sl-1.5.0.6-0.1.20060mdk.x86_64.rpm 86e9af4c42b59e32d4e5ac0a8d1afe30 x86_64/2006.0/RPMS/mozilla-firefox-sv-1.5.0.6-0.1.20060mdk.x86_64.rpm 126b1e0826330986fbf485eabade949d x86_64/2006.0/RPMS/mozilla-firefox-tr-1.5.0.6-0.1.20060mdk.x86_64.rpm d2e6da2db277b7f5dabed3e95d4b818b x86_64/2006.0/RPMS/mozilla-firefox-zh_CN-1.5.0.6-0.1.20060mdk.x86_64.rpm a83edee07d2465cf55024ed1b7aa779f x86_64/2006.0/RPMS/mozilla-firefox-zh_TW-1.5.0.6-0.1.20060mdk.x86_64.rpm 9e33e2a0c3d4a92a0b420c417fcd3469 x86_64/2006.0/RPMS/yelp-2.10.0-6.1.20060mdk.x86_64.rpm 60279919aa5f17c2ecd9f64db87cb952 x86_64/2006.0/SRPMS/devhelp-0.10-7.1.20060mdk.src.rpm c446c046409b6697a863868fe5c64222 x86_64/2006.0/SRPMS/epiphany-1.8.5-4.1.20060mdk.src.rpm e726300336f737c8952f664bf1866d6f x86_64/2006.0/SRPMS/galeon-2.0.1-1.1.20060mdk.src.rpm e9e30596eceb0bc9a03f7880cd7d14ea x86_64/2006.0/SRPMS/gnome-doc-utils-0.4.4-2.1.20060mdk.src.rpm 4168c73cba97276fa4868b4ac2c7eb19 x86_64/2006.0/SRPMS/mozilla-firefox-1.5.0.6-1.4.20060mdk.src.rpm 6a7df29f5af703d10d7ea1fee160ac00 x86_64/2006.0/SRPMS/mozilla-firefox-br-1.5.0.6-0.1.20060mdk.src.rpm e56e14c28051ec4332cbde8dbee7bb6a x86_64/2006.0/SRPMS/mozilla-firefox-ca-1.5.0.6-0.1.20060mdk.src.rpm 1a144c86fd8db39e2801117296e15d2b x86_64/2006.0/SRPMS/mozilla-firefox-cs-1.5.0.6-0.1.20060mdk.src.rpm f4889d2ee6e07c0141b57ab9aaccae64 x86_64/2006.0/SRPMS/mozilla-firefox-da-1.5.0.6-0.1.20060mdk.src.rpm dee0f7bc91c797e880fff19e1cb05a63 x86_64/2006.0/SRPMS/mozilla-firefox-de-1.5.0.6-0.1.20060mdk.src.rpm 45724f6ceed66701392bd131feaf1f6d x86_64/2006.0/SRPMS/mozilla-firefox-el-1.5.0.6-0.1.20060mdk.src.rpm cc680cac7fea3f7f8a48a5daf86db088 x86_64/2006.0/SRPMS/mozilla-firefox-es-1.5.0.6-0.1.20060mdk.src.rpm 69b04335c21313262af4253863109cc8 x86_64/2006.0/SRPMS/mozilla-firefox-fi-1.5.0.6-0.1.20060mdk.src.rpm 2aab89244a535afcbc25271df5d6b33f x86_64/2006.0/SRPMS/mozilla-firefox-fr-1.5.0.6-0.1.20060mdk.src.rpm f1c7f71d5484c5047b1b38fc16888ae3 x86_64/2006.0/SRPMS/mozilla-firefox-ga-1.5.0.6-0.1.20060mdk.src.rpm 3963e3c3a2c38c41d9d3bc5250b124a6 x86_64/2006.0/SRPMS/mozilla-firefox-he-1.5.0.6-0.1.20060mdk.src.rpm bb54aed17a126a9e8568d49866db99ea x86_64/2006.0/SRPMS/mozilla-firefox-hu-1.5.0.6-0.1.20060mdk.src.rpm 2a1b11f2c8944bc1fc0d313d54a903cf x86_64/2006.0/SRPMS/mozilla-firefox-it-1.5.0.6-0.1.20060mdk.src.rpm 783c5b3c0fb9916e07f220110155476d x86_64/2006.0/SRPMS/mozilla-firefox-ja-1.5.0.6-0.1.20060mdk.src.rpm 895e315731fa0b453045cc39da4f5358 x86_64/2006.0/SRPMS/mozilla-firefox-ko-1.5.0.6-0.1.20060mdk.src.rpm daa0a127d2a1a3641d4e97bfb95f1647 x86_64/2006.0/SRPMS/mozilla-firefox-nb-1.5.0.6-0.1.20060mdk.src.rpm 0c778b0738b11dfd5d68be48fa6316ed x86_64/2006.0/SRPMS/mozilla-firefox-nl-1.5.0.6-0.1.20060mdk.src.rpm 7025d0118cf29e39117bd87c586e84a3 x86_64/2006.0/SRPMS/mozilla-firefox-pl-1.5.0.6-0.1.20060mdk.src.rpm 5d8b8e869f588c0f5751e9ce7addba45 x86_64/2006.0/SRPMS/mozilla-firefox-pt_BR-1.5.0.6-0.1.20060mdk.src.rpm c5148674a8c7dd1f88c5729293f899ba x86_64/2006.0/SRPMS/mozilla-firefox-ro-1.5.0.6-0.1.20060mdk.src.rpm 91d490c075473e2443e383201b961cb8 x86_64/2006.0/SRPMS/mozilla-firefox-ru-1.5.0.6-0.1.20060mdk.src.rpm 622ae4619d151bb1634113e50b30fbac x86_64/2006.0/SRPMS/mozilla-firefox-sk-1.5.0.6-0.1.20060mdk.src.rpm e6d64c14929d299e2fb52e334ae6641a x86_64/2006.0/SRPMS/mozilla-firefox-sl-1.5.0.6-0.1.20060mdk.src.rpm 20f64c6dfd6aa1450cba5002d42f53d8 x86_64/2006.0/SRPMS/mozilla-firefox-sv-1.5.0.6-0.1.20060mdk.src.rpm b93a6b548bb1cf0f8cc46dec133e81a3 x86_64/2006.0/SRPMS/mozilla-firefox-tr-1.5.0.6-0.1.20060mdk.src.rpm f5603b65b3d10fa5083934e08d2d4560 x86_64/2006.0/SRPMS/mozilla-firefox-zh_CN-1.5.0.6-0.1.20060mdk.src.rpm c0e978ea92b4a8f3aa75dad5ab7588b9 x86_64/2006.0/SRPMS/mozilla-firefox-zh_TW-1.5.0.6-0.1.20060mdk.src.rpm 93cb0acaeddb095d13b37aeb0ab4dd49 x86_64/2006.0/SRPMS/yelp-2.10.0-6.1.20060mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFE41l0mqjQ0CJFipgRAu1DAJ90MqoteYoIfAj0Gqim5fxrvOw7BACg0xq5 L8QZWCg0xY3ZRacFzNTgusw= =gl6u -----END PGP SIGNATURE----- . ZDI-06-025: Mozilla Firefox Javascript navigator Object Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-06-025.html July 26, 2006 -- CVE ID: CVE-2006-3677 -- Affected Vendor: Mozilla -- Affected Products: Firefox 1.5.0 - 1.5.0.4 SeaMonkey 1.0 - 1.0.2 -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since July 26, 2006 by Digital Vaccine protection filter ID 4326. More information is detailed in MFSA2006-45: http://www.mozilla.org/security/announce/2006/mfsa2006-45.html -- Disclosure Timeline: 2006.06.16 - Vulnerability reported to vendor 2006.07.25 - Vulnerability information provided to ZDI security partners 2006.07.26 - Digital Vaccine released to TippingPoint customers 2006.07.26 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by an anonymous researcher. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product

Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe). The eIQnetworks Enterprise Security Analyzer Syslog server contains a buffer overflow vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. During the processing of long arguments to the LICMGR_ADDLICENSE command a classic stack based buffer overflow occurs. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Syslog daemon, syslogserver.exe, during the processing of long strings transmitted to the listening TCP port. The vulnerability is not exposed over UDP. The default configuration does not expose the open TCP port. eIQnetworks Enterprise Security Analyzer (ESA) is an enterprise-level security management platform.  A buffer overflow vulnerability exists in syslogserver.exe in eIQnetworks ESA. The following commands are known to be affected by this vulnerability:  DELTAINTERVAL  LOGFOLDER  DELETELOGS  FWASERVER  SYSLOGPUBLICIP  GETFWAIMPORTLOG  GETFWADELTA  DELETERDEPDEVICE  COMPRESSRAWLOGFILE  GETSYSLOGFIREWALLS  ADDPOLICY  EDITPOLICY. OEM vendors' versions prior to 4.6 are also vulnerable. TSRT-06-07: eIQnetworks Enterprise Security Analyzer Monitoring Agent Buffer Overflow Vulnerabilities http://www.tippingpoint.com/security/advisories/TSRT-06-07.html August 8, 2006 -- CVE ID: CVE-2006-3838 -- Affected Vendor: eIQnetworks -- Affected Products: Enterprise Security Analyzer -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since July 31, 2006 by Digital Vaccine protection filter ID 4386. Authentication is not required to exploit these vulnerabilities. Upon connecting to this port the user is immediately prompted for a password. A custom string comparison loop is used to validate the supplied password against the hard-coded value "eiq2esa?", where the question mark represents any alpha-numeric character. Issuing the command "HELP" reveals a number of documented commands: --------------------------------------------------------- Usage: QUERYMONITOR: to fetch events for a particular monitor QUERYMONITOR&<user>&<monid>&timer QUERYEVENTCOUNT or QEC: to get latest event counts RESETEVENTCOUNT or REC: to reset event counts REC&[ALL] or REC&dev1,dev2, STATUS: Display the running status of all the threads TRACE: TRACE&ip or hostname&. TRACE&OFF& will turn off the trace FLUSH: reset monitors as though the hour has changed ALRT-OFF and ALRT-ON: toggle the life of alerts-thread. RECV-OFF and RECV-ON: toggle the life of event-collection thread. EM-OFF and EM-ON toggle event manager DMON-OFF and DMON-ON toggle device event monitoring HMON-OFF and HMON-ON toggle host event monitoring NFMON-OFF and NFMON-ON toggle netflow event monitoring HPMON-OFF and HPMON-ON toggle host perf monitoring X or EXIT: to close the session --------------------------------------------------------- Supplying a long string to the TRACE command results in an overflow of the global variable at 0x004B1788. A neighboring global variable, 116 bytes after the overflowed variable, contains a file output stream pointer that is written to every 30 seconds by a garbage collection thread. The log message can be influenced and therefore this is a valid exploit vector, albeit complicated. A trivial exploit vector exists within the parsing of the actual command at the following equivalent API call: sscanf(socket_data, "%[^&]&%[^&]&", 60_byte_stack_var, global_var); Because no explicit check is made for the exact command "TRACE", an attacker can abuse this call to sscanf by passing a long suffix to the TRACE command that is free of the field terminating character, '&'. This vector is trivial to exploit. The service will accept up to approximately 16K of data from unauthenticated clients which is later parsed, in a similar fashion to above, in search of the delimiting character '&'. Various trivial vectors of exploitation exist, for example, through the QUERYMONITOR command. -- Vendor Response: eIQnetworks has issued an update to correct this vulnerability. More details can be found at: http://www.eiqnetworks.com/products/enterprisesecurity/ EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf -- Disclosure Timeline: 2006.05.10 - Vulnerability reported to vendor 2006.07.31 - Digital Vaccine released to TippingPoint customers 2006.08.08 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Pedram Amini, TippingPoint Security Research Team. -- About the TippingPoint Security Research Team (TSRT): The TippingPoint Security Research Team (TSRT) consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in our daily operations. More information about the team is available at: http://www.tippingpoint.com/security The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to our customers' intrusion prevention systems through the Digital Vaccine(R) service. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/