VARIoT IoT vulnerabilities database

Apple QuickTime before 7.4.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted ftyp atoms in a movie file, which triggers memory corruption. QuickTime Player is prone to a denial-of-service vulnerability. QuickTime is a powerful audio and video player produced by Apple Inc. It also triggers memory corruption

GreenSQL Firewall (greensql-fw), possibly before 0.9.2 or 0.9.4, allows remote attackers to bypass the SQL injection protection mechanism via a WHERE clause containing an expression such as "x=y=z", which is successfully parsed by MySQL. GreenSQL Firewall is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass certain security restrictions. Successfully exploiting this issue may aid in SQL attacks on the underlying application. The vulnerability has been successfully parsed by MySQL

Siemens Gigaset WLAN Camera 1.27 has an insecure default password, which allows remote attackers to conduct unauthorized activities. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Siemens Gigaset WLAN Camera is reported prone to an insecure-default-password vulnerability. A remote attacker with knowledge of the default credentials may exploit this vulnerability to gain unauthorized access to the application

The web management interface in 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point allows remote attackers to cause a denial of service (device crash) via a malformed HTTP POST request. 3Com Wireless 8760 Dual-Radio 11a/b/g PoE Access Point is prone to a denial-of-service vulnerability. Successfully exploiting this issue will allow attackers to crash the affected application, denying service to legitimate users. SOLUTION: Restrict network access to the web management interface. PROVIDED AND/OR DISCOVERED BY: Brandon Shilling and r@b13$, Digital Defense, Inc. Vulnerability Research Team ORIGINAL ADVISORY: DDIVRT-2008-14: http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064226.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple iPhone 2.0.2, in some configurations, allows physically proximate attackers to bypass intended access restrictions, and obtain sensitive information or make arbitrary use of the device, via an Emergency Call tap and a Home double-tap, followed by a tap of any contact's blue arrow. Iphone is prone to a information disclosure vulnerability. Apple Iphone is an epoch-making mobile phone terminal launched by Apple Inc. that supports multi-touch

Plesk is a comprehensive control panel solution for managing sites.  If SHORTNAMES = 1 is enabled for email login in Plesk, QMAIL will accept any base64-encoded username starting with a valid shortname during AUTH LOGIN authentication. This allows an attacker to log in to mail or other services protected by the plesk authentication module and relay spam through the smtp authentication permissions obtained.  You must remove SHORTNAMES = 1 from smtp (s) _psa to fix this problem, just setting it to 0 cannot solve it.

Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM 5.0.4 allow remote attackers to inject arbitrary web script or HTML via (1) the parenttab parameter in an index action to the Products module, as reachable through index.php; (2) the user_password parameter in an Authenticate action to the Users module, as reachable through index.php; or (3) the query_string parameter in a UnifiedSearch action to the Home module, as reachable through index.php. vtiger CRM Contains a cross-site scripting vulnerability.Any third party, through the following parameters, Web Script or HTML May be inserted. vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. vtiger CRM 5.0.4 is vulnerable; other versions may also be affected. There is a cross-site scripting vulnerability in the Activities module of vtiger CRM version 5.0.4. NOTE: The query_string vector has been covered by CVE-2008-3101.3. The application is vulnerable to simple Cross Site Scripting, which can be used for several isues Example Assuming vtigerCRM is installed on http://localhost/vtigercrm/, one can inject JavaScript with: http://localhost/vtigercrm/index.php?module=Products&action=index&parenttab="><script>alert(1);</script> http://localhost/vtigercrm/index.php?module=Users&action=Authenticate&user_password="><script>alert(1);</script> http://localhost/vtigercrm/index.php?module=Home&action=UnifiedSearch&query_string="><script>alert(1);</script> Workaround/Fix vtiger CRM Security Patch for 5.0.4 [1] Disclosure Timeline 2008-07-28 Vendor contacted 2008-07-28 Vendor fixed issue in test environment 2008-07-30 Vender released patch 2008-07-30 Vendor dev statet they'll release a second patch within days 2008-09-01 published advisory, no second patch from upstream yet CVE Information The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3101 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. Credits and copyright This vulnerability was discovered by Fabian Fingerle [2] (published with help from Hanno Boeck [3]). It's licensed under the creative commons attribution license [4]. Fabian Fingerle, 2008-09-01 [1] http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1[action]=getviewdetailsfordownload&tx_abdownloads_pi1[uid]=128&tx_abdownloads_pi1[category_uid]=5&cHash=e16be773a5 [2] http://www.fabian-fingerle.de [3] http://www.hboeck.de [4] http://creativecommons.org/licenses/by/3.0/de/ -- _GPG_ 3D17 CAC8 1955 1908 65ED 5C51 FDA3 6A09 AB41 AB85 _chaos events near stuttgart_ www.datensalat.eu . Successful exploitation of this vulnerability requires that the target user has valid user credentials. The vulnerabilities are confirmed in version 5.0.4. SOLUTION: Apply the vendor's official patch: http://www.vtiger.de/vtiger-crm/downloads/patches.html?tx_abdownloads_pi1%5Baction%5D=getviewdetailsfordownload&tx_abdownloads_pi1%5Buid%5D=128&tx_abdownloads_pi1%5Bcategory_uid%5D=5&cHash=e16be773a5 PROVIDED AND/OR DISCOVERED BY: Fabian Fingerle ORIGINAL ADVISORY: http://www.datensalat.eu/~fabian/cve/CVE-2008-3101-vtigerCRM.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The web interface in Dreambox DM500C allows remote attackers to cause a denial of service (application hang) via a long URI. The DreamBox DM500 series is an intelligent set-top box device. DreamBox DM500 incorrectly submits a URL request containing a directory traversal character. A remote attacker can exploit the vulnerability to view system file information in the application context. Dreambox is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to crash the affected device, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed. Dreambox DM500C is vulnerable; other models may also be affected. DreamBox DM500 products are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input. Information harvested may aid in launching further attacks. The Dreambox is a series of Linux-powered DVB satellite, terrestrial and cable digital television receivers (set-top box).Dreambox suffers from a file download vulnerability thru directory traversal with appending the '/' character in the HTTP GET method of the affected host address. The attacker can get to sensitive information like paid channel keys, usernames, passwords, config and plug-ins info, etc.Tested on: Linux Kernel 2.6.9, The Gemini Project, Enigma. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Dreambox DM500 Long Requests Denial of Service Vulnerability SECUNIA ADVISORY ID: SA31650 VERIFY ADVISORY: http://secunia.com/advisories/31650/ CRITICAL: Not critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: Dreambox DM500 http://secunia.com/product/19701/ DESCRIPTION: Marc Ruef has reported a vulnerability in Dreambox DM500, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the web interface when processing overly long requests. This can be exploited to cause a DoS by sending malicious requests to a vulnerable device. SOLUTION: Use a firewall or proxy to filter malicious requests. PROVIDED AND/OR DISCOVERED BY: Marc Ruef, scip AG ORIGINAL ADVISORY: http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3807 http://lists.grok.org.uk/pipermail/full-disclosure/2008-August/064115.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

NetBSD 3.0, 3.1, and 4.0, when a pppoe instance exists, does not properly check the length of a PPPoE packet tag, which allows remote attackers to cause a denial of service (system crash) via a crafted PPPoE packet. NetBSD is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected computer, denying service to legitimate users. Given the nature of this issue, remote code execution may be possible, but this has not been confirmed. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: NetBSD PPPoE Packet Processing Tag Length Vulnerability SECUNIA ADVISORY ID: SA31597 VERIFY ADVISORY: http://secunia.com/advisories/31597/ CRITICAL: Less critical IMPACT: DoS, System access WHERE: >From local network OPERATING SYSTEM: NetBSD 3.1 http://secunia.com/product/16089/ DESCRIPTION: A vulnerability has been reported in NetBSD, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. The vulnerability is caused due incorrect length check when processing tags within a PPPoE packet. This can be exploited to e.g. crash the kernel by sending a specially crafted PPPoE packet to a vulnerable system. Successful exploitation requires that a PPPoE interface has been created (e.g. via ""ifconfig pppoe0 create") and the attacker can send PPPoE packets to the affected system. The vulnerability is reported in NetBSD version 3.0, 3.1, and 4.0. SOLUTION: Fixed in the CVS repository. See vendor advisory for details. PROVIDED AND/OR DISCOVERED BY: The vendor credits Yasuoka Masahiko, Internet Initiative Japan Inc ORIGINAL ADVISORY: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-010.txt.asc ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Intel Desktop and Intel Mobile Boards with BIOS firmware DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, MGM965TW, D945GCPE, and DX38BT allows local administrators with ring 0 privileges to gain additional privileges and modify code that is running in System Management Mode, or access hypervisory memory as demonstrated at Black Hat 2008 by accessing certain remapping registers in Xen 3.3. Intel BIOS is prone to an unspecified privilege-escalation vulnerability. Successfully exploiting this issue will allow programs running with administrative (ring 0) privileges to modify code running in System Management Mode. Currently very few technical details are available. We will update this BID as more information emerges

Buffer overflow in Ipswitch WS_FTP Home client allows remote FTP servers to have an unknown impact via a long "message response.". Ipswitch WS_FTP is prone to a remote buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Ipswitch WS_FTP is an FTP client software. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: WS_FTP Home / Professional Format String Vulnerability SECUNIA ADVISORY ID: SA31504 VERIFY ADVISORY: http://secunia.com/advisories/31504/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Ipswitch WS_FTP Professional 2007 http://secunia.com/product/13838/ Ipswitch WS_FTP Home 2007 http://secunia.com/product/19609/ DESCRIPTION: securfrog has discovered a vulnerability in WS_FTP Home and Professional, which can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to a format string error when processing responses of the FTP server. This can be exploited by e.g. tricking a user into connecting to a malicious FTP server. Successful exploitation may allow the execution of arbitrary code. The vulnerability is confirmed in WS_FTP Home version 2007.0.0.2 and WS_FTP Professional version 2007.1.0.0. Other versions may also be affected. SOLUTION: Connect to trusted servers only. PROVIDED AND/OR DISCOVERED BY: securfrog ORIGINAL ADVISORY: http://milw0rm.com/exploits/6257 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Format string vulnerability in Ipswitch WS_FTP Home 2007.0.0.2 and WS_FTP Professional 2007.1.0.0 allows remote FTP servers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in a connection greeting (response). Ipswitch WS_FTP client is prone to a format-string vulnerability it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function. An attacker may exploit this issue to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will likely result in a denial-of-service condition. This issue affects the WS_FTP Home and WS_FTP Professional clients. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: WS_FTP Home / Professional Format String Vulnerability SECUNIA ADVISORY ID: SA31504 VERIFY ADVISORY: http://secunia.com/advisories/31504/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Ipswitch WS_FTP Professional 2007 http://secunia.com/product/13838/ Ipswitch WS_FTP Home 2007 http://secunia.com/product/19609/ DESCRIPTION: securfrog has discovered a vulnerability in WS_FTP Home and Professional, which can be exploited by malicious people to potentially compromise a user's system. This can be exploited by e.g. tricking a user into connecting to a malicious FTP server. Successful exploitation may allow the execution of arbitrary code. Other versions may also be affected. SOLUTION: Connect to trusted servers only. PROVIDED AND/OR DISCOVERED BY: securfrog ORIGINAL ADVISORY: http://milw0rm.com/exploits/6257 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The kmxfw.sys driver in CA Host-Based Intrusion Prevention System (HIPS) r8, as used in CA Internet Security Suite and Personal Firewall, does not properly verify IOCTL requests, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted request. Computer Associates products are prone to two vulnerabilities. Attackers may exploit the first vulnerability locally to execute arbitrary code with SYSTEM-level privileges or cause a system crash. Attackers may exploit the second vulnerability remotely to cause denial-of-service conditions. Successful attacks will completely compromise the computer or cause denial-of-service conditions. CA Host-Based Intrusion Prevention System (HIPS) is CA's host intrusion prevention system software. There is a vulnerability in the kmxfw.sys driver in CA HIPS r8. No special user rights are necessary to exploit the vulnerability. ====================== Technical description: ====================== The IOCTL call 0x85000030 of the KmxFw.sys kernel driver shipped with various CA products accepts user supplied input that doesn't get validated enough. In consequence it is possible to pass arbitrary parameter values to some windows kernel functions (e.g. ExFreePoolWithTag). If these parameters are carefully crafted it is possible to force the windows kernel into performing a memory corruption that leads to full control of the kernel execution flow. Disassembly of KmxFw.sys (version 6.5.5.5): [...] .text:00019800 mov eax, [esp+IOCTLControlCode] <-- (1) .text:00019804 sub esp, 2Ch .text:00019807 push ebx .text:00019808 push esi .text:00019809 push edi .text:0001980A add eax, 7AFFFFFCh .text:0001980F xor edi, edi .text:00019811 xor ebx, ebx .text:00019813 cmp eax, 4Ch ; switch 77 cases .text:00019816 ja loc_19943 ; default [...] .text:0001981C movzx eax, ds:byte_19BA0[eax] <-- (2) .text:00019823 jmp ds:off_19B6C[eax*4] ; switch jump [...] .text:000199E1 loc_199E1: .text:000199E1 cmp [esp+38h+InputBufferSize], 10h <-- (3) .text:000199E6 jb loc_19943 ; default [...] .text:000199EC mov eax, [esp+38h+InputBuffer] <-- (4) .text:000199F0 mov ecx, [eax+8] <-- (5) .text:000199F3 mov edx, [eax] <-- (6) .text:000199F5 push ecx ; BaseAddress <-- (7) .text:000199F6 push edx ; Mdl <-- (8) .text:000199F7 mov ecx, offset off_28600 .text:000199FC call sub_12B70 <-- (9) [...] (1) IOCTL control code is copied into EAX (2) IOCTL control code switch cases (3) Switch case of the vulnerable IOCTL control code 0x85000030. There's also a minor check of the IOCTL input buffer size (must be greater than 0x10). (4) Pointer to user controlled data is copied into EAX (5) Part of the user controlled data is copied into ECX (6) Part of the user controlled data is copied into EDX (7) + (8) The user controlled values of ECX and EDX are used as parameters for the following function (sub_12B70) that gets called (9) The function sub_12B70 gets called [...] .text:00012B70 sub_12B70 proc near .text:00012B70 Mdl_uc = dword ptr 4 .text:00012B70 BaseAddress_uc = dword ptr 8 .text:00012B70 .text:00012B70 push esi .text:00012B71 mov esi, [esp+4+Mdl_uc] <-- (10) .text:00012B75 test esi, esi .text:00012B77 jz short loc_12B90 .text:00012B79 mov eax, [esp+4+BaseAddress_uc] <-- (11) .text:00012B7D test eax, eax .text:00012B7F jz short loc_12B89 .text:00012B81 push esi ; MemoryDescriptorList <-- (12) .text:00012B82 push eax ; BaseAddress <-- (13) .text:00012B83 call ds:MmUnmapLockedPages <-- (14) .text:00012B89 .text:00012B89 loc_12B89: .text:00012B89 push esi ; Mdl <-- (15) .text:00012B8A call ds:IoFreeMdl <-- (16) [...] (10) User controlled data gets copied into ESI (11) User controlled data gets copied into EAX (12) + (13) The user controlled values of ESI and EAX are used as parameters for the windows kernel function MmUnmapLockedPages (14) The windows kernel function MmUnmapLockedPages gets called (15) The user controlled value in ESI is used as a parameter for the windows kernel function IoFreeMdl (16) The windows kernel function IoFreeMdl gets called In the IoFreeMdl function of the windows kernel the ExFreePoolWithTag function gets called with user controlled parameters. Example of the IoFreeMdl function of the Windows 2000 Professional SP4 kernel: [...] .text:0041E700 ; void __stdcall IoFreeMdl(PMDL Mdl) .text:0041E700 public IoFreeMdl .text:0041E700 IoFreeMdl proc near .text:0041E700 .text:0041E700 P = dword ptr 4 .text:0041E700 .text:0041E700 push esi .text:0041E701 mov esi, [esp+4+P] <-- (17) .text:0041E705 test byte ptr [esi+6], 20h .text:0041E709 jz short loc_41E714 [...] .text:0041E714 loc_41E714: .text:0041E714 mov ax, [esi+6] .text:0041E718 test al, 8 .text:0041E71A jz short loc_41E72B [...] .text:0041E72B .text:0041E72B loc_41E72B: .text:0041E72B push esi ; P <-- (18) .text:0041E72C call ExFreePool <-- (19) [...] (17) The user controlled data gets copied into ESI (18) + (19) ESI is used as a parameter for the ExFreePool kernel function that calls ExFreePoolWithTag If the user supplied parameter for ExFreePoolWithTag is carefully crafted it is possible to overwrite an arbitrary memory location with an arbitrary dword value (write4 primitive). This can be exploited to control the kernel execution flow and to execute arbitrary code at the kernel level. ========= Solution: ========= See vendor recommendations described under [1]. ======== History: ======== 2008/03/06 - Vendor notified using vuln@ca.com 2008/03/06 - Vendor response with PGP key 2008/03/08 - Detailed vulnerability information sent to the vendor 2008/03/08 - Vendor acknowledges receipt of the information 2008/08/12 - Coordinated disclosure ======== Credits: ======== Vulnerability found and advisory written by Tobias Klein. =========== References: =========== [1] http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559 [2] http://www.trapkit.de/advisories/TKADV2008-006.txt ======== Changes: ======== Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release =========== Disclaimer: =========== The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. ================== PGP Signature Key: ================== http://www.trapkit.de/advisories/tk-advisories-signature-key.asc Copyright 2008 Tobias Klein. 2) An unspecified error in the kmxfw.sys driver can be exploited to cause a DoS. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Tobias Klein 2) Elazar Broad ORIGINAL ADVISORY: CA: http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36560 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Title: CA Host-Based Intrusion Prevention System SDK kmxfw.sys Multiple Vulnerabilities CA Advisory Date: 2008-08-11 Reported By: CVE-2008-2926 - Tobias Klein CVE-2008-3174 - Elazar Broad Impact: A remote attacker can cause a denial of service or possibly execute arbitrary code. CA has issued updates to address the vulnerabilities. The first vulnerability, CVE-2008-2926, occurs due to insufficient verification of IOCTL requests by the kmxfw.sys driver. The second vulnerability, CVE-2008-3174, occurs due to insufficient validation by the kmxfw.sys driver. An attacker can make a request that can cause a system crash. Mitigating Factors: None Severity: CA has given these vulnerabilities a Medium risk rating. CA Personal Firewall Engine 1.2.276 and later are not affected. To ensure that the latest automatic update is installed on your computer, customers can view the Help>About screen in their CA Personal Firewall product and confirm that the engine version number is 1.2.276 or higher. For support information, visit http://shop.ca.com/support. How to determine if you are affected: 1. Using Windows Explorer, locate the file "kmxfw.sys". By default, the file is located in the "C:\Windows\system32\drivers\" directory. 2. Right click on the file and select Properties. 3. Select the General tab. 4. If the file version is less than indicated in the below table, the installation is vulnerable. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to our product security response team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2008 CA. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003) wj4DBQFIoduueSWR3+KUGYURAmmKAJ9FWl5gIZrbrGhg5CZ0NKzw0QE8qQCY+Qys ekQdlRjiIYnyp9WEqqGAxQ== =ltU4 -----END PGP SIGNATURE-----

Unspecified vulnerability in the kmxfw.sys driver in CA Host-Based Intrusion Prevention System (HIPS) r8, as used in CA Internet Security Suite and Personal Firewall, allows remote attackers to cause a denial of service via unknown vectors, related to "insufficient validation.". (DoS) There is a vulnerability that becomes a condition.Service disruption by a third party (DoS) There is a possibility of being put into a state. Computer Associates products are prone to two vulnerabilities. Attackers may exploit the first vulnerability locally to execute arbitrary code with SYSTEM-level privileges or cause a system crash. Attackers may exploit the second vulnerability remotely to cause denial-of-service conditions. Successful attacks will completely compromise the computer or cause denial-of-service conditions. There is an unknown vulnerability in the kmxfw.sys driver in CA HIPS r8. 2) An unspecified error in the kmxfw.sys driver can be exploited to cause a DoS. PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Tobias Klein 2) Elazar Broad ORIGINAL ADVISORY: CA: http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36559 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36560 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . CA has issued updates to address the vulnerabilities. The first vulnerability, CVE-2008-2926, occurs due to insufficient verification of IOCTL requests by the kmxfw.sys driver. The second vulnerability, CVE-2008-3174, occurs due to insufficient validation by the kmxfw.sys driver. An attacker can make a request that can cause a system crash. Mitigating Factors: None Severity: CA has given these vulnerabilities a Medium risk rating. CA Personal Firewall Engine 1.2.276 and later are not affected. To ensure that the latest automatic update is installed on your computer, customers can view the Help>About screen in their CA Personal Firewall product and confirm that the engine version number is 1.2.276 or higher. For support information, visit http://shop.ca.com/support. How to determine if you are affected: 1. Using Windows Explorer, locate the file "kmxfw.sys". By default, the file is located in the "C:\Windows\system32\drivers\" directory. 2. Right click on the file and select Properties. 3. Select the General tab. 4. If the file version is less than indicated in the below table, the installation is vulnerable. File Name Version Size (bytes) Date kmxfw.sys 6.5.5.18 115,216 March 14, 2008 Workaround: None References (URLs may wrap): CA Support: http://support.ca.com/ Security Notice for CA Host-Based Intrusion Prevention System SDK https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=182496 Solution Document Reference APARs: RO00535 CA Security Response Blog posting: CA Host-Based Intrusion Prevention System SDK kmxfw.sys Multiple Vulnerabilities community.ca.com/blogs/casecurityresponseblog/archive/2008/08/12.aspx Reported By: Tobias Klein (CVE-2008-2926) http://www.trapkit.de/ Elazar Broad (CVE-2008-3174) CVE References: CVE-2008-2926 - CA HIPS kmxfw.sys IOCTL http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2926 CVE-2008-3174 - CA HIPS kmxfw.sys denial of service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3174 OSVDB References: Pending http://osvdb.org/ Changelog for this advisory: v1.0 - Initial Release Customers who require additional information should contact CA Technical Support at http://support.ca.com. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to our product security response team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2008 CA. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003) wj4DBQFIoduueSWR3+KUGYURAmmKAJ9FWl5gIZrbrGhg5CZ0NKzw0QE8qQCY+Qys ekQdlRjiIYnyp9WEqqGAxQ== =ltU4 -----END PGP SIGNATURE-----

pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pstopdf.log temporary file, a different vulnerability than CVE-2001-1333. An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible. Note that under certain circumstances, attackers may be able to write controlled content to arbitrary files, which will likely result in other attacks. CUPS 1.3,8 is vulnerable; other versions may also be affected. Common Unix Printing System (CUPS) is a common Unix printing system and a cross-platform printing solution in the Unix environment. It is based on the Internet Printing Protocol and provides most PostScript and raster printer services. This vulnerability is different from CVE-2001-1333. =========================================================== Ubuntu Security Notice USN-707-1 January 12, 2009 cups, cupsys vulnerabilities CVE-2008-5183, CVE-2008-5184, CVE-2008-5286, CVE-2008-5377 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: cupsys 1.2.2-0ubuntu0.6.06.12 Ubuntu 7.10: cupsys 1.3.2-1ubuntu7.9 Ubuntu 8.04 LTS: cupsys 1.3.7-1ubuntu3.3 Ubuntu 8.10: cups 1.3.9-2ubuntu6.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that CUPS didn't properly handle adding a large number of RSS subscriptions. A local user could exploit this and cause CUPS to crash, leading to a denial of service. This issue only applied to Ubuntu 7.10, 8.04 LTS and 8.10. (CVE-2008-5183) It was discovered that CUPS did not authenticate users when adding and cancelling RSS subscriptions. An unprivileged local user could bypass intended restrictions and add a large number of RSS subscriptions. This issue only applied to Ubuntu 7.10 and 8.04 LTS. (CVE-2008-5184) It was discovered that the PNG filter in CUPS did not properly handle certain malformed images. If a user or automated system were tricked into opening a crafted PNG image file, a remote attacker could cause a denial of service or execute arbitrary code with user privileges. In Ubuntu 7.10, 8.04 LTS, and 8.10, attackers would be isolated by the AppArmor CUPS profile. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5377) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.12.diff.gz Size/MD5: 100650 effacab03a0a75663148e730badca56e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.12.dsc Size/MD5: 1060 e320589ea4731d43a927b6ea986e2ca9 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2.orig.tar.gz Size/MD5: 4070384 2c99b8aa4c8dc25c8a84f9c06aa52e3e Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-gnutls10_1.2.2-0ubuntu0.6.06.12_all.deb Size/MD5: 996 01d1b0dbc0bf6fed042b103b81d91293 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.12_amd64.deb Size/MD5: 36230 ac91b545a2f40de7c165f160928334be http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.12_amd64.deb Size/MD5: 81912 f3ec3b95abadf43c3642d422bb1d8d64 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.12_amd64.deb Size/MD5: 2286872 779f854a26f5670c1183aac0a9adf15b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.12_amd64.deb Size/MD5: 6092 e4f7e6b58bbcf3656487d779ada528d1 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.12_amd64.deb Size/MD5: 77434 f7789b8cca7ea8f57ca2ca14f4cc1a9b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.12_amd64.deb Size/MD5: 25748 e2a92ba2421bafc00df0a6c1f99bcda8 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.12_amd64.deb Size/MD5: 130184 6a0808bf1ea2650d8a97fc50ceee0aa6 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.12_i386.deb Size/MD5: 34766 ec9c0af53c98f9d904a8241331179a6d http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.12_i386.deb Size/MD5: 77990 c582e927e8d8bbdd29c5c111bc0dd162 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.12_i386.deb Size/MD5: 2254158 f9e7ba99ce5ff49546a8922df47d0005 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.12_i386.deb Size/MD5: 6092 969b76527edef12a2f3c77a77c97480e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.12_i386.deb Size/MD5: 76550 2e653b4dac7063a7d290918bdafd43cf http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.12_i386.deb Size/MD5: 25748 cfff840b4e9984245fcd15d845183810 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.12_i386.deb Size/MD5: 122384 ec7ddfb032ee70d393c65d9d90060ea0 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.12_powerpc.deb Size/MD5: 40466 119cafd93458295da6a6c8c12b35a262 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.12_powerpc.deb Size/MD5: 89530 bc52672d7f4903f7ec745cbe778e4da2 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.12_powerpc.deb Size/MD5: 2301402 e3bf63715dbebb29410ce13098b645f1 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.12_powerpc.deb Size/MD5: 6088 68fd62d76fc0a4e2e515f5a644852e60 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.12_powerpc.deb Size/MD5: 79208 b83506e935ffd0ac4c1311f003424f2b http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.12_powerpc.deb Size/MD5: 25744 cb2ca08057f83b9b40b60960712d8766 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.12_powerpc.deb Size/MD5: 128150 597300fc1511305508b9c0e62c061660 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.2.2-0ubuntu0.6.06.12_sparc.deb Size/MD5: 35388 afe7217a6f8ebe6fba8f7668f8a6d5bf http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.2.2-0ubuntu0.6.06.12_sparc.deb Size/MD5: 78722 0f5be23fb63000b5fb2945f4a40ad70a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.2.2-0ubuntu0.6.06.12_sparc.deb Size/MD5: 2287758 3b8180329fa4c55ece2b828e07d3366c http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.2.2-0ubuntu0.6.06.12_sparc.deb Size/MD5: 6090 aee18e619e301cdd7472d6f6a326655c http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.2.2-0ubuntu0.6.06.12_sparc.deb Size/MD5: 76468 398ecfef9fff03f088e4964ad0e76c71 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.2.2-0ubuntu0.6.06.12_sparc.deb Size/MD5: 25748 22655777c70067f973fef557c9196bdf http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.2.2-0ubuntu0.6.06.12_sparc.deb Size/MD5: 123876 99879b6877338c254ae31dcd0f4bae29 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.9.diff.gz Size/MD5: 129791 3e27f46f569ec5719b5fe13fb78a9f14 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.9.dsc Size/MD5: 1226 3a8eb42c55eb55163497543c39f23124 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2.orig.tar.gz Size/MD5: 4848424 9e3e1dee4d872fdff0682041198d3d73 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-common_1.3.2-1ubuntu7.9_all.deb Size/MD5: 1080428 2a130e02392de2ce721ac25a9a71ef0f amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.9_amd64.deb Size/MD5: 37202 8a68cf9bfa98bda7cf30f6bfba41dd2e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.9_amd64.deb Size/MD5: 89510 e721173ffa8c31fc92703b908140e84c http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.9_amd64.deb Size/MD5: 2034862 f512c15b34be6e169e9f947ca916ca93 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.9_amd64.deb Size/MD5: 60018 4f4e8635956b4b882074cc2760ebcb5e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.9_amd64.deb Size/MD5: 46878 197a3efe70b9864efe397bb27e455933 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.9_amd64.deb Size/MD5: 152008 c05765a56717613f12ca4e47dd751864 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.9_amd64.deb Size/MD5: 186748 03cda4eef301db2a8f2cb6f5344c9f02 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.9_i386.deb Size/MD5: 36480 6742a1d19a47e85b583bfc6cc8e5bef1 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.9_i386.deb Size/MD5: 86482 33d1e6cc218245db992e2b8337d63fad http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.9_i386.deb Size/MD5: 2018562 6217c3d4a08b575b0fd01a2f0b6d9965 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.9_i386.deb Size/MD5: 58836 228f15292895fb6714cf83ac08376530 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.9_i386.deb Size/MD5: 46256 a2a663a767af4beccac469b36af692b4 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.9_i386.deb Size/MD5: 145696 099603137d153ed2f50e0154fde6811f http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.9_i386.deb Size/MD5: 183548 69d7d5292ed78f5a5dca16d9be7d9ebe lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.9_lpia.deb Size/MD5: 36670 2f95875950737fb3b29d8170e0e842be http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.9_lpia.deb Size/MD5: 88296 51a1b00b3aa778300d6be240ca814448 http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.9_lpia.deb Size/MD5: 2021580 ec2e3b013c825e7b1c269778d722c41f http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.9_lpia.deb Size/MD5: 59622 38519a455e3dca46fdc55980903ef527 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.9_lpia.deb Size/MD5: 47694 2a305b565e33a52d5cfe71bb09d3fbc0 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.9_lpia.deb Size/MD5: 142418 b0423e069760ca141c0e73f07b7049fb http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.9_lpia.deb Size/MD5: 181750 8e286ae296e7b3fd216d7137a4c21c19 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.9_powerpc.deb Size/MD5: 46502 a1296168b5d3706b8870d2aca19cfc4a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.9_powerpc.deb Size/MD5: 107760 d98d3f88cf3706b28ca9706e4f21897e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.9_powerpc.deb Size/MD5: 2099848 088263da7a0baba49e4b28f000070cdf http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.9_powerpc.deb Size/MD5: 59484 85a44c9e70aadd41bdcb9401af938361 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.9_powerpc.deb Size/MD5: 51846 4442245f4cf71913bbd642f5185f93a0 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.9_powerpc.deb Size/MD5: 146944 ca2f12efe3d8b1ef0711019a6f4be4a3 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.9_powerpc.deb Size/MD5: 192530 47b0cc559fb4548701addb4e389beda1 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.2-1ubuntu7.9_sparc.deb Size/MD5: 37568 441cbf24d055107a408220ea945357e6 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.2-1ubuntu7.9_sparc.deb Size/MD5: 89612 42f545e2092863afc31a6beb921ba803 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.2-1ubuntu7.9_sparc.deb Size/MD5: 2061116 df2be5541017e5a11f265dc0420d1de4 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.2-1ubuntu7.9_sparc.deb Size/MD5: 58094 4602a5ee17eae8d0769901ffff089eac http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.2-1ubuntu7.9_sparc.deb Size/MD5: 45560 fce319567830955760626e98a52bd9e0 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.2-1ubuntu7.9_sparc.deb Size/MD5: 148474 0fa2f0010fbd4b08d91b1c62765ed46e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.2-1ubuntu7.9_sparc.deb Size/MD5: 182570 ef1eec9c88b499b3cea8742fc31d8edf Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.3.diff.gz Size/MD5: 134438 a4a1876673e461e35cfec8952ca054f5 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.3.dsc Size/MD5: 1441 2ced31d2fde396439410f30e758d7db2 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7.orig.tar.gz Size/MD5: 4700333 383e556d9841475847da6076c88da467 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-common_1.3.7-1ubuntu3.3_all.deb Size/MD5: 1144166 4893a05510da7c9b5434d00fc29e455f amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.3_amd64.deb Size/MD5: 37532 480443df9d0723c844c0c0f6408169a2 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.3_amd64.deb Size/MD5: 89978 0d287573cdcc4701998ce53af56dd3f9 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.3_amd64.deb Size/MD5: 1880612 2314ea0930f6d00794e0176916b6da35 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.3_amd64.deb Size/MD5: 60906 9042974135c36a37171a424b7d4a202d http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.3_amd64.deb Size/MD5: 50368 3cd1eb8125943eaa9ee6dde601f4422e http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.3_amd64.deb Size/MD5: 344934 c5aec8c571564cbd0c895145a875d02a http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.3_amd64.deb Size/MD5: 177930 36d56cb0664534f425871d13d77e4b1a i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.3_i386.deb Size/MD5: 36968 6f01ef27169dfc9aa944c5049acbbe63 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.3_i386.deb Size/MD5: 88402 dd874fead670a6d57e90176ad1facc94 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.3_i386.deb Size/MD5: 1863008 ff961e2dbb46de7be8722d88178a38e6 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.3_i386.deb Size/MD5: 60100 0881e753bb681af3463d6ed8d11c09cf http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.3_i386.deb Size/MD5: 49846 07a541a01b7e231c9988e779a3f602d0 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.3_i386.deb Size/MD5: 339346 d5efe383bc97ce56837e36806bfba341 http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.3_i386.deb Size/MD5: 174778 a578d4f7a0fe9195167e7a0cafc37974 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.3_lpia.deb Size/MD5: 36678 3176e400d418ca744825919b30d1a248 http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.3_lpia.deb Size/MD5: 88752 998f5ae89f57c5a3874a2bec71f435af http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.3_lpia.deb Size/MD5: 1865256 715aafc333b7d070b516950843cdf664 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.3_lpia.deb Size/MD5: 60548 39aa25aae6614a78a0b3c29e30d464f9 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.3_lpia.deb Size/MD5: 50860 1ba114f3487de2725c3704efbaf6a5c5 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.3_lpia.deb Size/MD5: 337010 98f33df59e831f8213370b533c9a6f7b http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.3_lpia.deb Size/MD5: 173708 dca1c947f9af44e5d4c6bc2c604aa371 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.3_powerpc.deb Size/MD5: 46930 5baf8d502a2bdca9954d98a542e92f1b http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.3_powerpc.deb Size/MD5: 110824 b0aab96be927c4d4924df4c45049f8a0 http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.3_powerpc.deb Size/MD5: 1949124 d53346f89338971030ed9a202726849c http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.3_powerpc.deb Size/MD5: 59928 0c7f0193cfee10e401ca8304bc6a20bb http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.3_powerpc.deb Size/MD5: 54930 694817b2babba26327d4b021a36f938a http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.3_powerpc.deb Size/MD5: 341674 78be76c752899ff02d96f7d9f4c8cbc1 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.3_powerpc.deb Size/MD5: 183682 2dfb517ad5388b6471fc3f33148110c7 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-bsd_1.3.7-1ubuntu3.3_sparc.deb Size/MD5: 38030 018dbd428bea31bff3efe42c650ab930 http://ports.ubuntu.com/pool/main/c/cupsys/cupsys-client_1.3.7-1ubuntu3.3_sparc.deb Size/MD5: 91034 0cdf41119c49465205ec9d85e0fcedcb http://ports.ubuntu.com/pool/main/c/cupsys/cupsys_1.3.7-1ubuntu3.3_sparc.deb Size/MD5: 1897932 265d337f28fada008fdf22034c76d43b http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2-dev_1.3.7-1ubuntu3.3_sparc.deb Size/MD5: 57852 5ebf07d4d87d5c0ba46bb52b0cabe6bd http://ports.ubuntu.com/pool/main/c/cupsys/libcupsimage2_1.3.7-1ubuntu3.3_sparc.deb Size/MD5: 48224 ed14b7888ad80c70678b20881c6b9606 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2-dev_1.3.7-1ubuntu3.3_sparc.deb Size/MD5: 341382 ed914dcee1d36a7437ebdb46d44fba62 http://ports.ubuntu.com/pool/main/c/cupsys/libcupsys2_1.3.7-1ubuntu3.3_sparc.deb Size/MD5: 173608 98ee538398dcf7c112099d3e398b686e Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu6.1.diff.gz Size/MD5: 328034 b25d444f40ebc1f17984cb538172480c http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu6.1.dsc Size/MD5: 2043 3b36a5cadfe85ed62bf8b28de6ec7591 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9.orig.tar.gz Size/MD5: 4809771 e6f2d90491ed050e5ff2104b617b88ea Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-common_1.3.9-2ubuntu6.1_all.deb Size/MD5: 1162340 88ad6900549400af9f75f927227d45cb http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-bsd_1.3.9-2ubuntu6.1_all.deb Size/MD5: 57652 7a33348b800c156e43a83e9083436bd5 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-client_1.3.9-2ubuntu6.1_all.deb Size/MD5: 57660 6c89ff2b1f7fe264b5caaaf986b36d9c http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys-dbg_1.3.9-2ubuntu6.1_all.deb Size/MD5: 57652 ee1e3c3d68c190281678d7c1e7adadc9 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cupsys_1.3.9-2ubuntu6.1_all.deb Size/MD5: 57656 2e8d25c423fbc2e265b0d56633ebc67d http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsys2-dev_1.3.9-2ubuntu6.1_all.deb Size/MD5: 57670 b0c0e0f336be70d0c458b45936f98d0d http://security.ubuntu.com/ubuntu/pool/universe/c/cups/cupsys-common_1.3.9-2ubuntu6.1_all.deb Size/MD5: 4530 23fb36af369fe018cd11fb3291dcc3cc http://security.ubuntu.com/ubuntu/pool/universe/c/cups/libcupsys2_1.3.9-2ubuntu6.1_all.deb Size/MD5: 57656 46de04530c997f729b7dce967559c8b3 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu6.1_amd64.deb Size/MD5: 37318 7c4c4cadb4f9b7f6e2c6080b790e6ee1 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-client_1.3.9-2ubuntu6.1_amd64.deb Size/MD5: 119788 72cab9079aeefee51e09a3b31ae592fa http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu6.1_amd64.deb Size/MD5: 1682518 3180c4e3fa3d5cfe0b2b894898485fdd http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu6.1_amd64.deb Size/MD5: 2172420 d7928f5c71b128511a0864db35ba6fe9 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu6.1_amd64.deb Size/MD5: 352208 ba6478c9d8f3712b0c1e648e48bbb0c3 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2_1.3.9-2ubuntu6.1_amd64.deb Size/MD5: 172690 b2f7befc45ccf3bcd176186f9c48ceb1 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu6.1_amd64.deb Size/MD5: 61404 a16ecd777aca26b88c24d16b69e5f193 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu6.1_amd64.deb Size/MD5: 52392 7a9f6aabf047ad3225f8ec44d2fb5540 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu6.1_i386.deb Size/MD5: 36216 b4999abd3bf22b2963db0969b40da8e1 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-client_1.3.9-2ubuntu6.1_i386.deb Size/MD5: 115352 9ec804831b4557a4ada56602384ecc39 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu6.1_i386.deb Size/MD5: 1542016 c120e8f977f4b19be21e3b3067ca0df5 http://security.ubuntu.com/ubuntu/pool/main/c/cups/cups_1.3.9-2ubuntu6.1_i386.deb Size/MD5: 2139174 18db7072b040bc4f3319b3b51361a239 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu6.1_i386.deb Size/MD5: 345996 53a7bdb95ee0b5d3b0f96c463710dadd http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcups2_1.3.9-2ubuntu6.1_i386.deb Size/MD5: 169534 efa2f12acaf19bfab23d60478b5586cd http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu6.1_i386.deb Size/MD5: 60536 ceb4ded5423c0a25ddcc924d29e390f5 http://security.ubuntu.com/ubuntu/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu6.1_i386.deb Size/MD5: 51750 cf8f8190d6281a5881b8cc1922035758 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu6.1_lpia.deb Size/MD5: 36030 95ca36c48f733f3d709e94c2202e97db http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-2ubuntu6.1_lpia.deb Size/MD5: 114514 c44f5a21e630c130008be55aa258cb42 http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu6.1_lpia.deb Size/MD5: 1571226 37ce539f88c38ba11a89515ddc188d2c http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-2ubuntu6.1_lpia.deb Size/MD5: 2135890 46cb00e52f60f8adc58496bc550a5ad9 http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu6.1_lpia.deb Size/MD5: 342976 e14329c1e782470735f35422c592b473 http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-2ubuntu6.1_lpia.deb Size/MD5: 167800 9cbad1fe09d9904ae6e026987d85731a http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu6.1_lpia.deb Size/MD5: 60672 8a5ca81cd3803ad98afe963360242177 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu6.1_lpia.deb Size/MD5: 52440 07bf6935608f398215f2880d5be9fd25 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu6.1_powerpc.deb Size/MD5: 43578 6876bb9233cf8352dfbf66bc95ddf7e9 http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-2ubuntu6.1_powerpc.deb Size/MD5: 138186 b3868a2e0d935a95e9083773859f1cbe http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu6.1_powerpc.deb Size/MD5: 1663458 2bf2dae0699cf7dc45889dc678f20fcc http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-2ubuntu6.1_powerpc.deb Size/MD5: 2264178 b5b51d8116a46689275f98ea94e946af http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu6.1_powerpc.deb Size/MD5: 347972 af66fd54a390946c7b676cf54cb6e22e http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-2ubuntu6.1_powerpc.deb Size/MD5: 176964 0605e8b21a449afea97a3f5060af63e1 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu6.1_powerpc.deb Size/MD5: 61336 79c4d467e37c334effe0b5ee31238901 http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu6.1_powerpc.deb Size/MD5: 57492 a6d2f97d74132b1f2a40599398ecd9b1 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/c/cups/cups-bsd_1.3.9-2ubuntu6.1_sparc.deb Size/MD5: 37220 31f862d50b31324596054730ea09f7d3 http://ports.ubuntu.com/pool/main/c/cups/cups-client_1.3.9-2ubuntu6.1_sparc.deb Size/MD5: 117632 b594a8cb5b194fef18a0393968fe0736 http://ports.ubuntu.com/pool/main/c/cups/cups-dbg_1.3.9-2ubuntu6.1_sparc.deb Size/MD5: 1490260 01fcb6d2d1c062dcdfd6cde440ef2a98 http://ports.ubuntu.com/pool/main/c/cups/cups_1.3.9-2ubuntu6.1_sparc.deb Size/MD5: 2200956 ebfffd46f41befdda3e30e3cb1ab521e http://ports.ubuntu.com/pool/main/c/cups/libcups2-dev_1.3.9-2ubuntu6.1_sparc.deb Size/MD5: 344800 6192418a2f2625f81551e9839d1187b4 http://ports.ubuntu.com/pool/main/c/cups/libcups2_1.3.9-2ubuntu6.1_sparc.deb Size/MD5: 165706 5804589b4f9bcc3bf016e3394f7acb7f http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2-dev_1.3.9-2ubuntu6.1_sparc.deb Size/MD5: 57906 34fef3b4e0a01df4a76c92768a8c292e http://ports.ubuntu.com/pool/main/c/cups/libcupsimage2_1.3.9-2ubuntu6.1_sparc.deb Size/MD5: 49792 24e09a0af0155fd8a13ca3f1db035c6d

Multiple unspecified vulnerabilities in Sun Java Platform Micro Edition (aka Java ME, J2ME, or mobile Java), as distributed in Sun Wireless Toolkit 2.5.2, allow remote attackers to execute arbitrary code via unknown vectors. NOTE: as of 20080807, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a company led by a well-known researcher, it is being assigned a CVE identifier for tracking purposes. Successful exploits will completely compromise devices running the affected software. We were not told which versions are affected. We will update this BID as more information emerges. There are multiple unidentified vulnerabilities in JavaME

Stack-based buffer overflow in the Agranet-Emweb embedded management web server in Alcatel OmniSwitch OS7000, OS6600, OS6800, OS6850, and OS9000 Series devices with AoS 5.1 before 5.1.6.463.R02, 5.4 before 5.4.1.429.R01, 6.1.3 before 6.1.3.965.R01, 6.1.5 before 6.1.5.595.R01, and 6.3 before 6.3.1.966.R01 allows remote attackers to execute arbitrary code via a long Session cookie. Alcatel-Lucent OmniSwitch products are prone to a remote buffer-overflow vulnerability because they fail to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code within the context of the affected software. Failed exploit attempts will result in a denial-of-service condition. Alcatel-Lucent OmniSwitch is a network switch product of French Alcatel-Lucent (Alcatel-Lucent). If the user sends 2392 bytes of data in the Cookie: Session= header, this overflow can be triggered, resulting in the execution of arbitrary instructions. The number of bytes required to trigger this overflow varies with the AOS version. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Alcatel-Lucent OmniSwitch Series Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA31435 VERIFY ADVISORY: http://secunia.com/advisories/31435/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From local network OPERATING SYSTEM: Alcatel-Lucent OmniSwitch 7000 Series http://secunia.com/product/789/ Alcatel-Lucent OmniSwitch 6600 Series http://secunia.com/product/19553/ Alcatel-Lucent OmniSwitch 6800 Series http://secunia.com/product/19554/ Alcatel-Lucent OmniSwitch 6850 Series http://secunia.com/product/19555/ Alcatel-Lucent OmniSwitch 9000 Series http://secunia.com/product/19556/ DESCRIPTION: Deral Heiland has reported a vulnerability in various OmniSwitch products, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system. Successful exploitation allows execution of arbitrary code. The vulnerability is reported in the following Alcatel OmniSwitch products: * OS7000 Series * OS6600 Series * OS6800 Series * OS6850 Series * OS9000 Series SOLUTION: Update to the following versions: * 5.4.1.429.R01 or higher * 5.1.6.463.R02 or higher * 6.1.3.965.R01 or higher * 6.1.5.595.R01 or higher * 6.3.1.966.R01 or higher Contact the Alcatel-Lucent Technical Support for availability of other releases. PROVIDED AND/OR DISCOVERED BY: Deral Heiland, Layered Defense Research ORIGINAL ADVISORY: Alcatel-Lucent: http://www1.alcatel-lucent.com/psirt/statements/2008002/OmniSwitch.htm Layered Defense Research: http://www.layereddefense.com/alcatel12aug.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in the WebexUCFObject ActiveX control in atucfobj.dll in Cisco WebEx Meeting Manager before 20.2008.2606.4919 allows remote attackers to execute arbitrary code via a long argument to the NewObject method. WebEx Meeting Manager is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. This issue affects the 'atucfobj.dll' ActiveX control library. Failed attacks will likely cause denial-of-service conditions. 'atucfobj.dll' 20.2008.2601.4928 is vulnerable; other versions may also be affected. The vulnerable versions of the ActiveX control are hosted by WebEx meeting service servers running WBS 23, 25, and 26 prior to 26.49.9.2838. WebEx is Cisco's web conferencing solution. WebEx Meeting Manager versions earlier than 20.2008.2606.4919 have a stack overflow vulnerability. The WebexUCFObject control in Atucfobj.dll does not properly validate input parameters to the NewObject() method. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Webex Meeting Manager WebexUCFObject ActiveX Control Buffer Overflow SECUNIA ADVISORY ID: SA31397 VERIFY ADVISORY: http://secunia.com/advisories/31397/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: WebEx Meeting Manager http://secunia.com/product/3003/ DESCRIPTION: Elazar Broad has discovered a vulnerability in Webex Meeting Manager, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the WebexUCFObject ActiveX control (atucfobj.dll) when handling arguments passed to the "NewObject()" method. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 20.2008.2601.4928. SOLUTION: The vendor has reportedly fixed the vulnerability in version 20.2008.2606.4919. PROVIDED AND/OR DISCOVERED BY: Elazar Broad ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2008-August/063692.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. This issue is reported to affect Apache 2.0.63 and 2.2.9; other versions may also be affected. BUGTRAQ ID: CVE ID: CVE-2008-2939 CNCVE ID: CNCVE-20082939 IBM HTTP Server is an HTTP service program. There is an input validation issue in IBM HTTP Server "mod_proxy_ftp", remote attackers can use the vulnerability to conduct cross-site scripting attacks and obtain sensitive information. IBM HTTP Server 6.0.x vendor solutions can refer to the following security bulletin to obtain patch information: <a href=http://www-01.ibm.com/support/docview.wss?uid=swg27007033 target=_blank rel=external nofollow >http://www-01.ibm.com/support/docview.wss?uid=swg27007033</a>. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01650939 Version: 1 HPSBUX02401 SSRT090005 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2009-02-02 Last Updated: 2009-02-02 Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servelet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). References: CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or earlier or Tomcat-based Servelet Engine v5.5.27.01.01 or earlier HP-UX B.11.11 running Apache-based Web Server v2.2.8.01.01 or earlier BACKGROUND CVSS 2.0 Base Metrics =============================================== Reference Base Vector Base Score CVE-2007-6420 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-1232 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-1947 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-2364 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0 CVE-2008-2370 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0 CVE-2008-2938 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-2939 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-3658 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 7.5 =============================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. RESOLUTION HP has provided the following upgrades to resolve these vulnerabilities. The upgrades are available from the following location: URL: http://software.hp.com Note: HP-UX Web Server Suite v.3.02 contains HP-UX Apache-based Web Server v.2.2.8.01.02 and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01 HP-UX Release - B.11.23 and B.11.31 PA-32 Apache Depot name - HPUXWSATW-B302-32.depot HP-UX Release - B.11.23 and B.11.31 IA-64 Apache Depot name - HPUXWSATW-B302-64.depot HP-UX Release - B.11.11 PA-32 Apache Depot name - HPUXWSATW-B222-1111.depot MANUAL ACTIONS: Yes - Update Install Apache-based Web Server or Tomcat-based Servelet Engine from the Apache Web Server Suite v3.02 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 ================== hpuxwsAPACHE.APACHE hpuxwsAPACHE.APACHE2 hpuxwsAPACHE.AUTH_LDAP hpuxwsAPACHE.AUTH_LDAP2 hpuxwsAPACHE.MOD_JK hpuxwsAPACHE.MOD_JK2 hpuxwsAPACHE.MOD_PERL hpuxwsAPACHE.MOD_PERL2 hpuxwsAPACHE.PHP hpuxwsAPACHE.PHP2 hpuxwsAPACHE.WEBPROXY hpuxwsTOMCAT.TOMCAT hpuxwsWEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com HP-UX B.11.23 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22TOMCAT.TOMCAT hpuxws22WEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com HP-UX B.11.31 ================== hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 hpuxws22TOMCAT.TOMCAT hpuxws22WEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com END AFFECTED VERSIONS HISTORY Version:1 (rev.1) 2 February 2009 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBSYhX8+AfOvwtKn1ZEQJxcACeJa8lt5TkhV5qnaGRTaBh4kqHutgAoJbH XCe08aGCzEZj/q4n91JQnhq6 =XImF -----END PGP SIGNATURE----- . The updated packages have been patched to prevent these issues. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:124-1 http://www.mandriva.com/security/ _______________________________________________________________________ Package : apache Date : July 8, 2009 Affected: 2008.1 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been found and corrected in apache: Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm (CVE-2008-1678). Note that this security issue does not really apply as zlib compression is not enabled in the openssl build provided by Mandriva, but apache is patched to address this issue anyway (conserns 2008.1 only). Note that this security issue was initially addressed with MDVSA-2008:195 but the patch fixing the issue was added but not applied in 2009.0. The Apache HTTP Server 2.2.11 and earlier 2.2 versions does not properly handle Options=IncludesNOEXEC in the AllowOverride directive, which allows local users to gain privileges by configuring (1) Options Includes, (2) Options +Includes, or (3) Options +IncludesNOEXEC in a .htaccess file, and then inserting an exec element in a .shtml file (CVE-2009-1195). This update provides fixes for these vulnerabilities. Update: The patch for fixing CVE-2009-1195 for Mandriva Linux 2008.1 was incomplete, this update addresses the problem. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2939 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1195 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: d7522600c193783ccb5f41447175a331 2008.1/i586/apache-base-2.2.8-6.4mdv2008.1.i586.rpm 9ca131724b9fd905f7ac864d4511b459 2008.1/i586/apache-devel-2.2.8-6.4mdv2008.1.i586.rpm e7750b82d83fdd68225f663679ac4460 2008.1/i586/apache-htcacheclean-2.2.8-6.4mdv2008.1.i586.rpm e28b73346363d5183bf43b9a894703eb 2008.1/i586/apache-mod_authn_dbd-2.2.8-6.4mdv2008.1.i586.rpm 03d7b234afa3a83f04fd2dd951359961 2008.1/i586/apache-mod_cache-2.2.8-6.4mdv2008.1.i586.rpm 506e31a2a592818cb6b9ca9417902562 2008.1/i586/apache-mod_dav-2.2.8-6.4mdv2008.1.i586.rpm 1f79c942c9f477eb7af43fa0bbf7f75d 2008.1/i586/apache-mod_dbd-2.2.8-6.4mdv2008.1.i586.rpm 942abf88d6fa0b73b587c3cf2920c55b 2008.1/i586/apache-mod_deflate-2.2.8-6.4mdv2008.1.i586.rpm d3b92574868f79d02a5189fdcd6df425 2008.1/i586/apache-mod_disk_cache-2.2.8-6.4mdv2008.1.i586.rpm cf6ce38ae0f100a35e39fb3b09be7507 2008.1/i586/apache-mod_file_cache-2.2.8-6.4mdv2008.1.i586.rpm c5ed7754beb38dd51b68bbd6604a0ca9 2008.1/i586/apache-mod_ldap-2.2.8-6.4mdv2008.1.i586.rpm 9d29c79f0b889aeca78c7b426073cd3e 2008.1/i586/apache-mod_mem_cache-2.2.8-6.4mdv2008.1.i586.rpm 84a1b51f4d8be06ab763bb95b572909f 2008.1/i586/apache-mod_proxy-2.2.8-6.4mdv2008.1.i586.rpm 78723bd3586753bcb37ac83a9f8449f7 2008.1/i586/apache-mod_proxy_ajp-2.2.8-6.4mdv2008.1.i586.rpm 5418461f01217d6567ce4cc27e8b95bf 2008.1/i586/apache-mod_ssl-2.2.8-6.4mdv2008.1.i586.rpm 439787696a120705c0b79ac7f8a5c538 2008.1/i586/apache-modules-2.2.8-6.4mdv2008.1.i586.rpm 8275595502f0ad78166b8d060e2d9b3c 2008.1/i586/apache-mod_userdir-2.2.8-6.4mdv2008.1.i586.rpm 0b3edd8559484552cdad948faef19203 2008.1/i586/apache-mpm-event-2.2.8-6.4mdv2008.1.i586.rpm 1fa2b3101a3b34c2d0f9fc817bc1a1df 2008.1/i586/apache-mpm-itk-2.2.8-6.4mdv2008.1.i586.rpm 2b6e72b32712a335b1678f492842d2fc 2008.1/i586/apache-mpm-prefork-2.2.8-6.4mdv2008.1.i586.rpm 3c1e840a0fa813e1057effba641959b7 2008.1/i586/apache-mpm-worker-2.2.8-6.4mdv2008.1.i586.rpm 043d5127cea48a3eeab8faa4875cf084 2008.1/i586/apache-source-2.2.8-6.4mdv2008.1.i586.rpm da999274b381e43a575829d178c8bf6d 2008.1/SRPMS/apache-2.2.8-6.4mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 30fbbec5b54767fb1163d24a85caa017 2008.1/x86_64/apache-base-2.2.8-6.4mdv2008.1.x86_64.rpm 8998a37f170228812f7335a6d1c137ed 2008.1/x86_64/apache-devel-2.2.8-6.4mdv2008.1.x86_64.rpm e0a8fbfe76fa2c8cb16ef4726155bf0b 2008.1/x86_64/apache-htcacheclean-2.2.8-6.4mdv2008.1.x86_64.rpm a8bfb98f0354d15b1e5b33df2a06079a 2008.1/x86_64/apache-mod_authn_dbd-2.2.8-6.4mdv2008.1.x86_64.rpm 97ce6d10fea3d251f0a1a6038dcc04e3 2008.1/x86_64/apache-mod_cache-2.2.8-6.4mdv2008.1.x86_64.rpm efe82f8b6e60ab89bb6a043bebd47973 2008.1/x86_64/apache-mod_dav-2.2.8-6.4mdv2008.1.x86_64.rpm 7acf0e9e13cd0a442c32dc33427569e5 2008.1/x86_64/apache-mod_dbd-2.2.8-6.4mdv2008.1.x86_64.rpm 71a503f117bebfda8db53b929499b6d8 2008.1/x86_64/apache-mod_deflate-2.2.8-6.4mdv2008.1.x86_64.rpm 098266a9b737c0aa974e9818bc843531 2008.1/x86_64/apache-mod_disk_cache-2.2.8-6.4mdv2008.1.x86_64.rpm 2d90465f7a75a794bf333129b8e105c7 2008.1/x86_64/apache-mod_file_cache-2.2.8-6.4mdv2008.1.x86_64.rpm 6778a8746ba0b543dc3aebdab9fc6f08 2008.1/x86_64/apache-mod_ldap-2.2.8-6.4mdv2008.1.x86_64.rpm 2a9d64c016f1beb2ccbbd5c5b9e0b8df 2008.1/x86_64/apache-mod_mem_cache-2.2.8-6.4mdv2008.1.x86_64.rpm 3777616f0f0771c96921b83af29c9fa8 2008.1/x86_64/apache-mod_proxy-2.2.8-6.4mdv2008.1.x86_64.rpm 657dfd4b249cb59834957373acca4f89 2008.1/x86_64/apache-mod_proxy_ajp-2.2.8-6.4mdv2008.1.x86_64.rpm e05f1450a507379bd4f394f739e0fc60 2008.1/x86_64/apache-mod_ssl-2.2.8-6.4mdv2008.1.x86_64.rpm 1832c96d6d0a1bff8bc84f7463f92ccf 2008.1/x86_64/apache-modules-2.2.8-6.4mdv2008.1.x86_64.rpm ef96e999154ac771c47e760a7a978460 2008.1/x86_64/apache-mod_userdir-2.2.8-6.4mdv2008.1.x86_64.rpm 0312ba63abb5816f8077a14b201ee989 2008.1/x86_64/apache-mpm-event-2.2.8-6.4mdv2008.1.x86_64.rpm 0fc10dbdcc127018954280312e6ddd2b 2008.1/x86_64/apache-mpm-itk-2.2.8-6.4mdv2008.1.x86_64.rpm 1178cf5ee9c13d0320f8d334707240f7 2008.1/x86_64/apache-mpm-prefork-2.2.8-6.4mdv2008.1.x86_64.rpm b52a6d91a14cfda1080af5fe16cbb479 2008.1/x86_64/apache-mpm-worker-2.2.8-6.4mdv2008.1.x86_64.rpm 909f1aeafcf101c0af655c13809731d6 2008.1/x86_64/apache-source-2.2.8-6.4mdv2008.1.x86_64.rpm da999274b381e43a575829d178c8bf6d 2008.1/SRPMS/apache-2.2.8-6.4mdv2008.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKU9d5mqjQ0CJFipgRAlzsAJ0Zpu0rH8JBOfgOJFqA9Tl3H1eJTwCfeA+M +JKiXIAM+zbCDRymCVguXjo= =66R9 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . =========================================================== Ubuntu Security Notice USN-731-1 March 10, 2009 apache2 vulnerabilities CVE-2007-6203, CVE-2007-6420, CVE-2008-1678, CVE-2008-2168, CVE-2008-2364, CVE-2008-2939 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: apache2-common 2.0.55-4ubuntu2.4 apache2-mpm-perchild 2.0.55-4ubuntu2.4 apache2-mpm-prefork 2.0.55-4ubuntu2.4 apache2-mpm-worker 2.0.55-4ubuntu2.4 Ubuntu 7.10: apache2-mpm-event 2.2.4-3ubuntu0.2 apache2-mpm-perchild 2.2.4-3ubuntu0.2 apache2-mpm-prefork 2.2.4-3ubuntu0.2 apache2-mpm-worker 2.2.4-3ubuntu0.2 apache2.2-common 2.2.4-3ubuntu0.2 Ubuntu 8.04 LTS: apache2-mpm-event 2.2.8-1ubuntu0.4 apache2-mpm-perchild 2.2.8-1ubuntu0.4 apache2-mpm-prefork 2.2.8-1ubuntu0.4 apache2-mpm-worker 2.2.8-1ubuntu0.4 apache2.2-common 2.2.8-1ubuntu0.4 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that Apache did not sanitize the method specifier header from an HTTP request when it is returned in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2007-6203) It was discovered that Apache was vulnerable to a cross-site request forgery (CSRF) in the mod_proxy_balancer balancer manager. If an Apache administrator were tricked into clicking a link on a specially crafted web page, an attacker could trigger commands that could modify the balancer manager configuration. (CVE-2007-6420) It was discovered that Apache had a memory leak when using mod_ssl with compression. A remote attacker could exploit this to exhaust server memory, leading to a denial of service. (CVE-2008-1678) It was discovered that in certain conditions, Apache did not specify a default character set when returning certain error messages containing UTF-7 encoded data, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. (CVE-2008-2168) It was discovered that when configured as a proxy server, Apache did not limit the number of forwarded interim responses. A malicious remote server could send a large number of interim responses and cause a denial of service via memory exhaustion. (CVE-2008-2364) It was discovered that mod_proxy_ftp did not sanitize wildcard pathnames when they are returned in directory listings, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. (CVE-2008-2939) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4.diff.gz Size/MD5: 123478 7a5b444231dc27ee60c1bd63f42420c6 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4.dsc Size/MD5: 1156 4f9a0f31d136914cf7d6e1a92656a47b http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55.orig.tar.gz Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.55-4ubuntu2.4_all.deb Size/MD5: 2124948 5153435633998e4190b54eb101afd271 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 833336 d5b9ecf82467eb04a94957321c4a95a2 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 228588 f4b9b82016eb22a60da83ae716fd028a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 223600 2cf77e3daaadcc4e07da5e19ecac2867 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 228216 60ff106ddefe9b68c055825bcd6ec52f http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 171724 bae5e3d30111e97d34b25594993ad488 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 172508 77bdf00092378c89ae8be7f5139963e0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 94562 f3a168c57db1f5be11cfdba0bdc20062 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 36618 a7f34da28f7bae0cffb3fdb73da70143 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 286028 a5b380d9c6a651fe043ad2358ef61143 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 144590 9a4031c258cfa264fb8baf305bc0cea6 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 786528 353ed1839a8201d0211ede114565e60d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 203256 7b0caa06fd47a28a8a92d1b69c0b4667 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 199114 6a77314579722ca085726e4220be4e9f http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 202654 ffad2838e3c8c79ecd7e21f79aa78216 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 171716 771492b2b238424e33e3e7853185c0ca http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 172498 b5f7a4ed03ebafa4c4ff75c05ebf53b7 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 92520 787a673994d746b4ad3788c16516832a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 36620 4d5f0f18c3035f41cb8234af3cc1092c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 262082 d6a7111b9f2ed61e1aeb2f18f8713873 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 132518 5a335222829c066cb9a0ddcaeee8a0da powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 859446 cf555341c1a8b4a39808b8a3bd76e03a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 220622 85b902b9eecf3d40577d9e1e8bf61467 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 216314 146e689e30c6e1681048f6cf1dd659e3 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 220128 10f65b3961a164e070d2f18d610df67b http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 171726 9e341f225cb19d5c44f343cc68c0bba5 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 172512 331dff8d3de7cd694d8e115417bed4f8 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 104284 7ab80f14cd9072d23389e27f934079f3 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 36620 713bfffcca8ec4e9531c635069f1cd0d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 281600 ad1671807965e2291b5568c7b4e95e14 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 141744 6b04155aa1dbf6f657dbfa27d6086617 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 803706 f14be1535acf528f89d301c8ec092015 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 211028 28b74d86e10301276cadef208b460658 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 206566 6d6b2e1e3e0bbf8fc0a0bcca60a33339 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 210280 45690384f2e7e0a2168d7867283f9145 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 171732 6595a330344087593a9443b9cdf5e4ba http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 172498 f1ac3a442b21db9d2733e8221b218e25 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 93606 f229d1c258363d2d0dfb3688ec96638e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 36616 6f470e2e17dfc6d587fbe2bf861bfb06 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 268178 5a853d01127853405a677c53dc2bf254 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 130456 a0a51bb9405224948b88903779347427 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4-3ubuntu0.2.diff.gz Size/MD5: 125080 c5c1b91f6918d42a75d23e95799b3707 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4-3ubuntu0.2.dsc Size/MD5: 1333 b028e602b998a666681d1aa73b980c06 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4.orig.tar.gz Size/MD5: 6365535 3add41e0b924d4bb53c2dee55a38c09e Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.4-3ubuntu0.2_all.deb Size/MD5: 2211750 9dc3a7e0431fe603bbd82bf647d2d1f5 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.2.4-3ubuntu0.2_all.deb Size/MD5: 278670 985dd1538d0d2c6bb74c458eaada1cb7 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.4-3ubuntu0.2_all.deb Size/MD5: 6702036 3cdb5e1a9d22d7172adfd066dd42d71a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4-3ubuntu0.2_all.deb Size/MD5: 42846 ba7b0cbf7f33ac3b6321c132bc2fec71 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 457286 b37825dc4bb0215284181aa5dfc9dd44 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 453094 380ea917048a64c2c9bc12d768ac2ffa http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 456804 b075ef4e563a55c7977af4d82d90e493 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 410658 6dff5030f33af340b2100e8591598d9d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 411244 9c79a2c0a2d4d8a88fae1b3f10d0e27c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 348256 ef1e159b64fe2524dc94b6ab9e22cefb http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 992256 0e9bac368bc57637079f839bcce8ebbc i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 440388 bdb2ced3ca782cda345fcfb109e8b02a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 436030 44d372ff590a6e42a83bcd1fb5e546fe http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 439732 5119be595fb6ac6f9dd94d01353da257 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 410656 01be0eca15fe252bbcab7562462af5ca http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 411250 10d8929e9d37050488f2906fde13b2fd http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 347322 d229c56720ae5f1f83645f66e1bfbdf1 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 947460 3dc120127b16134b42e0124a1fdfa4ab lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 439896 8e856643ebeed84ffbeb6150f6e917c5 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 435524 ce18d9e09185526c93c6af6db7a6b5cf http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 439180 9622bf2dfee7941533faedd2e2d4ebbd http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 410674 684ad4367bc9250468351b5807dee424 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 411258 17f53e8d3898607ce155dc333237690c http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 347664 1197aa4145372ae6db497fb157cb0da1 http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 939924 470a7163e2834781b2db0689750ce0f2 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 458848 4efbbcc96f05a03301a13448f9cb3c01 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 454226 1fe4c7712fd4597ed37730a27df95113 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 458134 5786d901931cecd340cc1879e27bcef7 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 410676 9fc94d5b21a8b0f7f8aab9dc60339abf http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 411266 c44cde12a002910f9df02c10cdd26b0c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 367392 612ddcebee145f765163a0b30124393a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 1094288 72fd7d87f4876648d1e14a5022c61b00 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 441650 28e5a2c2d18239c0810b6de3584af221 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 437796 3ee7408c58fbdf8de6bf681970c1c9ad http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 441114 b1b1bb871fe0385ea4418d533f0669aa http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 410676 cf7bed097f63e3c24337813621866498 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 411252 5a30177f7039f52783576e126cf042d0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 350468 ce216a4e9739966cd2aca4262ba0ea4e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 959090 98ad8ee7328f25e1e81e110bbfce10c2 Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.4.diff.gz Size/MD5: 132376 1a3c4e93f08a23c3a3323cb02f5963b6 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.4.dsc Size/MD5: 1379 ed1a1e5de71b0e35100f60b21f959db4 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8.orig.tar.gz Size/MD5: 6125771 39a755eb0f584c279336387b321e3dfc Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.8-1ubuntu0.4_all.deb Size/MD5: 1928164 86b52d997fe3e4baf9712be0562eed2d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.2.8-1ubuntu0.4_all.deb Size/MD5: 72176 1f4efe37abf317c3c42c4c0a79a4f232 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.8-1ubuntu0.4_all.deb Size/MD5: 6254152 fe271b0e4aa0cf80e99b866c23707b6a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.4_all.deb Size/MD5: 45090 3f44651df13cfd495d7c33dda1c709ea amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 252272 3d27b0311303e7c5912538fb7d4fc37c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 247850 1ce7ff6190c21da119d98b7568f2e5d0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 251658 ac7bc78b449cf8d28d4c10478c6f1409 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 204658 66e95c370f2662082f3ec41e4a033877 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 205336 6b1e7e0ab97b7dd4470c153275f1109c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 140940 cad14e08ab48ca8eb06480c0db686779 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 801764 3759103e3417d44bea8866399ba34a66 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 235194 dddbc62f458d9f1935087a072e1c6f67 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 230748 db0a1dc277de5886655ad7b1cc5b0f1a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 234542 0e4997e9ed55d6086c439948cf1347ff http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 204672 1f58383838b3b9f066e855af9f4e47e0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 205348 fa032fc136c5b26ccf364289a93a1cda http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 139904 b503316d420ccb7efae5082368b95e01 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 754788 140fddccc1a6d3dc743d37ab422438c2 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 234752 bc06d67259257109fe8fc17204bc9950 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 230424 9421376c8f6d64e5c87af4f484b8aacf http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 233908 179236460d7b7b71dff5e1d1ac9f0509 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 204664 764d773d28d032767d697eec6c6fd50a http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 205342 2891770939b51b1ca6b8ac8ca9142db1 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 140478 4a062088427f1d8b731e06d64eb7e2ea http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 748672 b66dbda7126616894cf97eb93a959af9 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 253368 bad43203ed4615216bf28f6da7feb81b http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 248800 aa757fd46cd79543a020dcd3c6aa1b26 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 252904 682a940b7f3d14333037c80f7f01c793 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 204678 30af6c826869b647bc60ed2d99cc30f7 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 205376 cd02ca263703a6049a6fe7e11f72c98a http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 157662 df6cdceecb8ae9d25bbd614142da0151 http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 904904 34581d1b3c448a5de72a06393557dd48 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 236418 2eda543f97646f966f5678e2f2a0ba90 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 232386 69e2419f27867b77d94a652a83478ad7 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 235788 414a49286d9e8dd7b343bd9207dc727b http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 204668 f7d099cd9d3ebc0baccbdd896c94a88f http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 205352 0a5cb5dfd823b4e6708a9bcc633a90cd http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 143108 ad78ead4ac992aec97983704b1a3877f http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 763946 0d40a8ebecfef8c1a099f2170fcddb73 . References: CVE-2006-3918, CVE-2007-4465, CVE-2007-6203, CVE-2008-0005, CVE-2008-0599, CVE-2008-2168, CVE-2008-2364, CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829, CVE-2008-2939, CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5498, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658

Stack-based buffer overflow in the libbecompat library in Ingres 2.6, Ingres 2006 release 1 (aka 9.0.4), and Ingres 2006 release 2 (aka 9.1.0) on Linux and HP-UX allows local users to gain privileges by setting a long value of an environment variable before running (1) verifydb, (2) iimerge, or (3) csreport. Ingres Database is prone to multiple local vulnerabilities: - Multiple local privilege-escalation vulnerabilities - A vulnerability that may allow attackers to overwrite arbitrary files. Local attackers can exploit these issues to gain elevated privileges on the affected computer, execute arbitrary code with superuser privileges, and overwrite arbitrary files owned by 'Ingres' user. iDefense Security Advisory 08.01.08 http://labs.idefense.com/intelligence/vulnerabilities/ Aug 01, 2008 I. BACKGROUND Ingres Database is a database server used in several Computer Associates' products. For example, CA Directory Service use thes Ingres Database server. More information can be found on the vendor's website at the following URL. http://ingres.com/downloads/prod-cert-download.php II. The vulnerability exists within the "libbecompat" library that is used by several of the set-uid "ingres" utilities included with Ingres. When copying a user supplied environment variable into a fixed-size stack buffer, the library fails to check the length of the source string. III. By itself, this vulnerability does not have very serious consequences. IV. DETECTION iDefense has confirmed the existence of this vulnerability in Ingres 2006 Enterprise Edition Release 2 for Linux x86 (32-bit). Other versions may also be affected. V. WORKAROUND iDefense is currently unaware of any workaround for this issue. VI. VENDOR RESPONSE "This problem has been identified and resolved by Ingres in the following releases: Ingres 2006 release 2 (9.1.0), Ingres 2006 release 1 (9.0.4), and Ingres 2.6." For more information, refer to Ingres' advisory at the following URL. http://www.ingres.com/support/security-alert-080108.php VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-3389 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 07/20/2007 Initial vendor response 07/23/2007 Initial vendor notification 08/01/2008 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2008 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Title: CA Products That Embed Ingres Multiple Vulnerabilities CA Advisory Date: 2008-08-01 Reported By: iDefense Labs Impact: A remote attacker can execute arbitrary code, gain privileges, or cause a denial of service condition. Summary: CA products that embed Ingres contain multiple vulnerabilities that can allow a remote attacker to execute arbitrary code, gain privileges, or cause a denial of service condition. These vulnerabilities exist in the products and on the platforms listed below. These vulnerabilities do not impact any Windows-based Ingres installation. The first vulnerability, CVE-2008-3356, allows an unauthenticated attacker to potentially set the user and/or group ownership of a verifydb log file to be Ingres allowing read/write permissions to both. The third vulnerability, CVE-2008-3389, allows an unauthenticated attacker to obtain ingres user privileges. However, when combined with the unsecured directory privileges vulnerability (CVE–2008-3357), root privileges can be obtained. Mitigating Factors: These vulnerabilities do not impact any Windows-based Ingres installation. Severity: CA has given these vulnerabilities a High risk rating. Affected Products: Admin r8.1 SP2 Advantage Data Transformer r2.2 Allfusion Harvest Change Manager r7.1 CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3 CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3 CA Directory r8.1 CA Job Management Option R11.0 CA Single Sign-On r8.1 CleverPath Aion BPM r10.1, r10.2 EEM 8.1, 8.2, 8.2.1 eTrust Audit/SCC 8.0 sp2 Identity Manager r12 NSM 3.0 0305, 3.1 0403, r3.1 SP1 0703, r11 Unicenter Asset Management r11.1, r11.2 Unicenter Remote Control r11.2 Unicenter Service Catalog r2.2, r11.1 Unicenter Service Metric Analysis r11.1 Unicenter ServicePlus Service Desk 6.0, r11, r11.1, r11.2 Unicenter Software Delivery r11.1, r11.2 Unicenter Workload Control Center r11 Affected Platforms: 1. Ingres verifydb file create permission override (CVE-2008-3356) This vulnerability impacts all platforms except Windows. 2. Ingres un-secure directory privileges with utility ingvalidpw (CVE - 2008-3357) This vulnerability impacts only Linux and HP platforms. 3. Ingres verifydb, iimerge, csreport buffer overflow (CVE-2008-3389) This vulnerability impacts only Linux and HP platforms. Status and Recommendation: The most prudent course of action for affected customers is to download and apply the corrective maintenance. However, updates are provided only for the following releases: 2.6 and r3 Important: Customers using products that embed an earlier version of Ingres r3 should upgrade Ingres to the release that is currently supported (3.0.3/103 on Linux and 3.0.3/211 on UNIX platforms) before applying the maintenance updates. Please contact your product's Technical Support team for more information. For these products: Admin r8.1 SP2 CA ARCserve Backup for Linux r11.5 SP2/SP3 CA Directory r8.1 CA Job Management Option R11.0 CA Single Sign-On r8.1 EEM 8.2 EEM 8.2.1 Identity Manager r12 NSM r11 Unicenter Asset Management r11.1 Unicenter Asset Management r11.2 Unicenter Remote Control r11.2 Unicenter Service Catalog r11.1 Unicenter Service Metric Analysis r11.1 Unicenter ServicePlus Service Desk r11 Unicenter ServicePlus Service Desk r11.1 Unicenter ServicePlus Service Desk r11.2 Unicenter Software Delivery r11.1 Unicenter Software Delivery r11.2 Unicenter Workload Control Center r11 Apply the update below that is listed for your platform (note that URLs may wrap): AIX [3.0.3 (r64.us5/211)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12833-r64-us5.tar.z HP-UX Itanium [3.0.3 (i64.hpu/211)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12831-i64-hpu.tar.z HP-UX RISC [3.0.3 (hp2.us5/211)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12830-hp2-us5.tar.z Linux AMD [3.0.3 (a64.lnx/211)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12835-a64-lnx.tar.z Linux Intel 32bit [3.0.3 (int.lnx/103)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.103.12836-int-lnx.tar.z Linux Itanium [3.0.3 (i64.lnx/211)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12838-i64-lnx.tar.z Solaris SPARC [3.0.3 (su9.us5/211)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12834-su9-us5.tar.z Solaris x64/x86 [3.0.3 (a64.sol/211)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12832-a64-sol.tar.z Ingres r3 Vulnerability Updates Install Steps (August 1, 2008) Unix/Linux: 1. Log on to your system using the installation owner account and make sure the environment is set up correctly: 1. II_SYSTEM must be set to the Ingres system files 2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility directories. 2. Change directory to the root directory of the Ingres installation or use a previously created directory. cd $II_SYSTEM/ingres or cd <patch_directory> 3. Copy the download maintenance update file in to the current directory and uncompress 4. Read in the update file with the following commands: umask 022 tar xf [update_file] This will create the directory: $II_SYSTEM/ingres/patchXXXXX or <patch_directory>/patchXXXXX Note: ‘XXXXX' in patchXXXXX refers to the update number 5. Stop all Ingres processes with the ‘ingstop' utility: ingstop 6. Change directory to the patch directory: cd patchXXXXX 7. Within the patch directory run the following command: ./utility/iiinstaller Please check the $II_SYSTEM/ingres/files/patch.log file to make sure the patch was applied successfully. Also check the $II_SYSTEM/ingres/version.rel to make sure the patch is referenced. Note: The patch can also be installed silently using the ‘-m' flag with iiinstaller: ./utility/iiinstaller -m 8. Once the patch install has been complete, re-link the iimerge binary with the following command: iilink 9. Ingres can then be restarted with the ‘ingstart' utility: ingstart For these products: Advantage Data Transformer r2.2 Allfusion Harvest Change Manager r7.1 ARCserve for Linux r11.5 GA/SP1 CleverPath Aion BPM r10.1 CleverPath Aion BPM r10.2 Apply the build below that is listed for your platform (note that URLs may wrap): AIX ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12833-r64-us5.tar HP-UX Itanium ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12831-i64-hpu.tar HP-UX RISC ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12830-hp2-us5.tar Linux AMD EI build ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-EI-linux-x86_64.tar.gz Linux AMD II build ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-linux-x86_64.tgz Linux Intel EI build ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-103-EI-linux-i386.tgz Linux Intel II build ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-103-pc-linux-i386.tgz Linux Itanium EI build ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-EI-linux-ia64.tar.gz Linux Itanium II build ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/ingres-3.0.3-211-linux-ia64.tgz Solaris SPARC ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12834-su9-us5.tar Solaris x64/x86 ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/install-3.0.3.211.12832-a64-sol.tar Ingres r3 Build Install Steps (August 1, 2008) Important: Prior to installing the build, a full operating system backup of the $II_SYSTEM/ingres directory on Unix/Linux and %II_SYSTEM%\ingres directory on Windows must be taken with Ingres completely shut down. Also, a backup of any other DATA locations that you may have must be taken, again with Ingres shut down. In case there is a problem with the update install, this allows Ingres to be restored from the backup. Unix: 1. Log in to the system as the installation owner and make sure the environment is set up correctly: 1. II_SYSTEM must be set to the Ingres home directory 2. PATH must include $II_SYSTEM/ingres/bin and $II_SYSTEM/ingres/utility directories 3. Add $II_SYSTEM/ingres/lib to the shared library path 4. Set TERM to ‘vt100' and TERM_INGRES to ‘vt100fx' 2. Copy the downloaded update file to the /tmp directory and uncompress 3. Read in the update file with the following commands: umask 022 tar xf [update_file] This creates a directory containing the distribution and other files. 4. Stop all applications that may be connected to or using any of the files in the Ingres instance. 5. Stop all Ingres processes with the ‘ingstop' utility: ingstop 6. Important: Take an operating system backup of the $II_SYSTEM/ingres directory and other DATA locations that you may have elsewhere. Also, copy the $II_SYSTEM/ingres/files/config.dat and $II_SYSTEM/ingres/files/symbol.tbl files to a safe location to ensure that the configuration can be restored. 7. From the root directory of the Ingres installation ($II_SYSTEM/ingres), run the following command: tar xf /tmp/<update_directory>/ingres.tar install 8. Run the following command: install/ingbuild 9. The initial install screen appears. 10. In the Distribution medium enter the full path to the ‘ingres.tar' file (including the file) (See step 4). 11. Choose PackageInstall from the list of installation options and then choose ‘Stand alone DBMS Server' from the list of packages. Then choose ExpressInstall. 12. Choose Yes in the pop-up screen and press Enter key. The install utility verifies that each component was transferred properly from the distribution medium. When this is finished (without errors), another pop-up screen for setting up the components comes up. 13. Select Yes and press Enter key to go to the Setup program. 14. Once the installation is complete, check the $II_SYSTEM/ingres/files/install.log for any errors. Also, check the $II_SYSTEM/ingres/version.rel file to verify the new build is referenced; this should show 3.0.3 for the build. 15. If there are no errors, then restore the $II_SYSTEM/ingres/files/config.dat and $II_SYSTEM/ingres/files/symbol.tbl files from the copies made in step 6 to replace the existing files. 16. Start Ingres using the ‘ingstart' utility: ingstart 17. Upgrade the databases in the installation to the new release level: upgradedb -all Linux: 1. Log on to the machine as ‘root'. 2. Copy the downloaded build update file and to a previously chosen directory and uncompress. 3. Read in the update file with the following command: tar xf [update file] This creates a directory containing rpm packages for all of the Ingres tools. 4. Shut down any non-Ingres application(s) that may be connected to or using any of the files in the specified Ingres instance. 5. Stop all Ingres processes with the ‘ingstop' utility: ingstop 6. Important: Take an operating system backup of the $II_SYSTEM/ingres directory and other DATA locations that you may have elsewhere. 7. From the directory that was created in step 3, install the update rpms with the following command: rpm –Uvh *.rpm If the following error is seen for either the ‘ca-ingres-documentation-3.0.3-103', the ‘ca-ingres-CATOSL-3.0.3-103' or the ‘ca-cs-utils-11.0.04348-0000' (or all of them) packages, remove them from the directory containing the rpms and re-run the above command: package <package-name> is already installed 8. If the installation finishes successfully, then log on as ‘ingres' to the machine and start Ingres using the ‘ingstart' utility: ingstart 9. Upgrade ‘mdb' database with the following command: upgradedb -all For these products: CA ARCserve Backup for Unix r11.1 CA ARCserve Backup for Unix r11.5 GA/SP1/SP2 CA ARCserve Backup for Unix r11.5 SP3 CA ARCserve Backup for Linux r11.1 EEM 8.1 eTrust Audit/SCC 8.0 sp2 NSM 3.0 0305 NSM 3.1 0403 NSM r3.1 SP1 0703 Unicenter Service Catalog r2.2 Unicenter ServicePlus Service Desk 6.0 Apply the update below that is listed for your platform (note that URLs may wrap): AIX 32bit [2.6/xxxx (rs4.us5/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12718.tar.Z AIX 64bit [2.6/xxxx (r64.us5/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12798.tar.Z HP-UX with ARCserve 11.1 or 11.5/GA/SP1/SP2/SP3 https://support.ca.com/irj/portal/anonymous/solndtls?aparNo=RO01277&os=HP&actionID=3 HP-UX Itanium [2.6/xxxx (i64.hpu/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12748.tar.Z HP-UX RISC 32bit [2.6/xxxx (hpb.us5/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12742.tar.Z HP-UX RISC 32bit [2.6/xxxx (hpb.us5/00)DBL] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12888.tar.Z HP-UX RISC 64bit [2.6/xxxx (hp2.us5/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12749.tar.Z HP Tru64 UNIX [2.6/xxxx (axp.osf/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12676.tar.Z Linux AMD64 [2.6/xxxx (a64.lnx/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12809.tar.Z Linux Intel 32bit [2.6/xxxx (int.lnx/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12645.tar.Z Linux Intel 32bit [2.6/xxxx (int.lnx/00)DBL] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12647.tar.Z Linux Intel 32bit [2.6/xxxx (int.lnx/00)LFS] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12646.tar.Z Linux Itanium [2.6/xxxx (i64.lnx/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12648.tar.Z Linux S/390 [2.6/xxxx (ibm.lnx/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12877.tar.Z Solaris SPARC 32bit [2.6/xxxx (su4.us5/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12713.tar.Z Solaris SPARC 32bit double [2.6/xxxx (su4.us5/00)DBL] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12879.tar.Z Solaris SPARC 64bit [2.6/xxxx (su9.us5/00)] ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/2.6/p12751.tar.Z Ingres 2.6 Vulnerability Updates Install Steps (August 1, 2008) Unix/Linux: 1. Log on to your system using the installation owner account and make sure the environment is set up correctly: 1. II_SYSTEM must be set to the Ingres system files 2. PATH must include $II_SYSTEM/bin and $II_SYSTEM/utility directories. 2. Change directory to the root directory of the Ingres installation or use a previously created directory. cd $II_SYSTEM/ingres or cd <patch_directory> 3. Copy the download maintenance update file in to the current directory and uncompress 4. Read in the update file with the following commands: umask 022 tar xf [update_file] This will create the directory: $II_SYSTEM/ingres/patchXXXXX or <patch_directory>/patchXXXXX Note: ‘XXXXX' in patchXXXXX refers to the update number 5. Stop all Ingres processes with the ‘ingstop' utility: ingstop 6. Change directory to the patch directory: cd patchXXXXX 7. Within the patch directory run the following command: ./utility/iiinstaller Please check the $II_SYSTEM/ingres/files/patch.log file to make sure the patch was applied successfully. Also check the $II_SYSTEM/ingres/version.rel to make sure the patch is referenced. Note: The patch can also be installed silently using the ‘-m' flag with iiinstaller: ./utility/iiinstaller -m 8. Once the patch install has been complete, re-link the iimerge binary with the following command: iilink 9. Ingres can then be restarted with the ‘ingstart' utility: ingstart How to determine if you are affected: For these products: Admin r8.1 SP2 ARCserve for Linux r11.5 SP2/SP3 CA Directory r8.1 CA Job Management Option R11.0 CA Single Sign-On r8.1 EEM 8.2 EEM 8.2.1 Identity Manager r12 NSM r11 Unicenter Asset Management r11.1 Unicenter Asset Management r11.2 Unicenter Remote Control r11.2 Unicenter Service Catalog r11.1 Unicenter Service Metric Analysis r11.1 Unicenter ServicePlus Service Desk r11 Unicenter ServicePlus Service Desk r11.1 Unicenter ServicePlus Service Desk r11.2 Unicenter Software Delivery r11.1 Unicenter Software Delivery r11.2 Unicenter Workload Control Center r11 The Ingres release information is maintained in %II_SYSTEM%\ingres\version.rel: UNIX or Linux: cat version.rel The release identifier will be as follows: Operating System Release identifier HP Sparc 32/64bit II 3.0.3 (hp2.us5/211) HP Itanium II 3.0.3 (i64.hpu/211) Intel Solaris 32/64bit II 3.0.3 (a64.sol/211) AIX 32/64bit II 3.0.3 (r64.us5/211) Solaris 32/64bit II 3.0.3 (su9.us5/211) AMD Linux II 3.0.3 (a64.lnx/211) Intel Linux II 3.0.3 (int.lnx/103) Itanium Linux II 3.0.3 (i64.lnx/211) Notes: 1. You would need to install the Ingres build instead of the patch if either of the following is true: 1. If the Ingres release for your platform is not 3.0.3 in the release identifier or 2. The Ingres release is 3.0.3 but the build level is not 103 for Linux and 211 for all the Unix platforms. If either of the above is true then download and apply the latest build for your operating system(s). 2. If the OS platform you are running Ingres on is not listed, please contact Technical Support. For these products: Advantage Data Transformer r2.2 Allfusion Harvest Change Manager r7.1 ARCserve for Linux r11.5 GA/SP1 CleverPath Aion BPM r10.1 CleverPath Aion BPM r10.2 The maintenance updates are provided for the latest r3 builds supported by CA which are 3.0.3/103 (Linux) and 3.03/211 (UNIX platforms). If the build embedded is earlier than 3.0.3, it has to be upgraded to 3.0.3 to fix the vulnerabilities. The Ingres release information is maintained in %II_SYSTEM%\ingres\version.rel: UNIX or Linux: cat version.rel The release identifier will be as follows: Operating System Release identifier HP Sparc 32/64bit II 3.0.3 (hp2.us5/211) HP Itanium II 3.0.3 (i64.hpu/211) Intel Solaris 32/64bit II 3.0.3 (a64.sol/211) AIX 32/64bit II 3.0.3 (r64.us5/211) Solaris 32/64bit II 3.0.3 (su9.us5/211) AMD Linux II 3.0.3 (a64.lnx/211) Intel Linux II 3.0.3 (int.lnx/103) Itanium Linux II 3.0.3 (i64.lnx/211) Important: For Linux (AMD, Intel and Itanium) platforms, after applying the build provided on this page, please download and apply the maintenance update. For the other platforms, the builds are patched to the latest maintenance update. Note: 1. If the release you are using is already 3.0.3 build 103 on Linux and 3.0.3 build 211 on Unix, then download and install the maintenance update. 2. If the OS platform you are running Ingres on is not listed, please contact Technical Support. For these products: CA ARCserve Backup for Unix r11.1 CA ARCserve Backup for Unix r11.5 GA/SP1/SP2 CA ARCserve Backup for Unix r11.5 SP3 CA ARCserve Backup for Linux r11.1 EEM 8.1 eTrust Audit/SCC 8.0 sp2 NSM 3.0 0305 NSM 3.1 0403 NSM r3.1 SP1 0703 Unicenter Service Catalog r2.2 Unicenter ServicePlus Service Desk 6.0 The Ingres release information is maintained in %II_SYSTEM%\ingres\version.rel: UNIX or Linux: cat version.rel The release identifier will be as follows: Operating System Release identifier AIX 32bit II 2.6/xxxx (rs4.us5/00) AIX 64bit II 2.6/xxxx (r64.us5/00) HP-UX Itanium II 2.6/xxxx (i64.hpu/00) HP-UX RISC 32bit II 2.6/xxxx (hpb.us5/00) HP-UX RISC 32bit II 2.6/xxxx (hpb.us5/00)DBL HP-UX RISC 64bit II 2.6/xxxx (hp2.us5/00) HP Tru64 UNIX II 2.6/xxxx (axp.osf/00) Linux AMD64 II 2.6/xxxx (a64.lnx/00) Linux Intel 32bit II 2.6/xxxx (int.lnx/00) Linux Intel 32bit II 2.6/xxxx (int.lnx/00)DBL Linux Intel 32bit II 2.6/xxxx (int.lnx/00)LFS Linux Itanium II 2.6/xxxx (i64.lnx/00) Linux S/390 II 2.6/xxxx (ibm.lnx/00) Solaris SPARC 32bit II 2.6/xxxx (su4.us5/00) Solaris SPARC 32bit double II 2.6/xxxx (su4.us5/00)DBL Solaris SPARC 64bit II 2.6/xxxx (su9.us5/00) Note: 1. If the Ingres release embedded in your product is not 2.6, please get the appropriate update here. 2. If the OS platform you are running Ingres on is not listed, please contact Technical Support. 3. For HP-UX platform with CA ARCserve Backup 11.1 or 11.5/GA/SP1/SP2/SP3, download the published ARCserve fix, RO01277: https://support.ca.com/irj/portal/anonymous/solndtls?aparNo=RO01277&os=HP&actionID=3 and follow the enclosed instructions to install the security patch. Workaround: None References (URLs may wrap): CA Support: http://support.ca.com/ Security Notice for CA Products That Embed Ingres https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181989 Solution Document Reference APARs: RO01277 (ARCserve only) CA Security Response Blog posting: CA Products That Embed Ingres Multiple Vulnerabilities community.ca.com/blogs/casecurityresponseblog/archive/2008/08/06.aspx Reported By: iDefense Labs Ingres Database for Linux verifydb Insecure File Permissions Modification Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=731 Ingres Database for Linux libbecompat Stack Based Buffer Overflow Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=732 Ingres Database for Linux ingvalidpw Untrusted Library Path Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=733 Ingres Security Vulnerability Announcement as of August 01, 2008 http://www.ingres.com/support/security-alert-080108.php CVE References: CVE-2008-3356 - Ingres verifydb file create permission override. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3356 CVE-2008-3357 - Ingres un-secure directory privileges with utility ingvalidpw. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3357 CVE-2008-3389 - Ingres verifydb, iimerge, csreport buffer overflow. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3389 OSVDB References: Pending http://osvdb.org/ Changelog for this advisory: v1.0 - Initial Release Customers who require additional information should contact CA Technical Support at http://support.ca.com. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to our product security response team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2008 CA. All rights reserved. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Ingres Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31357 VERIFY ADVISORY: http://secunia.com/advisories/31357/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: Ingres 2.x http://secunia.com/product/14576/ Ingres 2006 (9.x) http://secunia.com/product/14574/ DESCRIPTION: Some vulnerabilities have been reported in Ingres, which can be exploited by malicious, local users to gain escalated privileges. 1) An error exists in the "verifydb" utility due to improperly changing permissions on files and having the setuid-bit set (owned by the "ingres" user). via a specially crafted environmental variable. 3) An error exists within the "ingvalidpw" utility due to being setuid "root" and loading shared libraries from a directory owned by the "ingres" user. SOLUTION: The vendor has issued fixes. Please see the knowledge base document (customer login required). http://servicedesk.ingres.com/CAisd/pdmweb.ingres?OP=SHOW_DETAIL+PERSID=KD:416012+HTMPL=kt_document_view.htmpl PROVIDED AND/OR DISCOVERED BY: An anonymous researcher, reported via iDefense. ORIGINAL ADVISORY: Ingres: http://www.ingres.com/support/security-alert-080108.php iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=731 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=732 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=733 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor