VARIoT IoT vulnerabilities database
| VAR-200803-0466 | CVE-2008-1491 | ASUS Remote Console of DPC Proxy Server stack-based buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the DPC Proxy server (DpcProxy.exe) in ASUS Remote Console (aka ARC or ASMB3) 2.0.0.19 and 2.0.0.24 allows remote attackers to execute arbitrary code via a long string to TCP port 623. ASUS Remote Console is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
ASUS Remote Console 2.0.0.19 is vulnerable; other versions may also be affected. The ARC service has a buffer overflow in its handling of overly long user requests, which remote attackers may use to take control of the server. The main component of the ARC service is a telnet server named DpcProxy that listens on port 623 and provides an IPMI interface. The receiving function stores the incoming data in a stack buffer of about 1024 bytes and only then checks for the end-of-line separator (carriage return). If the user submits overly long data, the stack buffer overflows, which can result in the execution of arbitrary instructions.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
ASUS Remote Console DPC Proxy Service Buffer Overflow
SECUNIA ADVISORY ID:
SA29402
VERIFY ADVISORY:
http://secunia.com/advisories/29402/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From local network
SOFTWARE:
ASUS Remote Console 2.x
http://secunia.com/product/18006/
DESCRIPTION:
Luigi Auriemma has discovered a vulnerability in ASUS Remote Console,
which can be exploited by malicious people to compromise a vulnerable
system. sending an overly long string to
default port 623/TCP.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 2.0.0.19 and reported in
version 2.0.0.24.
SOLUTION:
Restrict network access to the service.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/asuxdpc-adv.txt
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200908-0165 | CVE-2008-7115 | Belkin F5D7632-4V6 Wireless G Router Multiple Authentication Bypass Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The web interface to the Belkin Wireless G router and ADSL2 modem F5D7632-4V6 with firmware 6.01.08 allows remote attackers to bypass authentication and gain administrator privileges via a direct request to (1) statusprocess.exe, (2) system_all.exe, or (3) restore.exe in cgi-bin/. NOTE: the setup_dns.exe vector is already covered by CVE-2008-1244. The Belkin F5D7632-4V6 Wireless G Router is prone to multiple vulnerabilities because of a lack of authentication.
Attackers can exploit these issues to perform administrative functions without authorization.
Belkin F5D7632-4V6 running firmware 6.01.08 is vulnerable; other devices and firmware versions may also be affected. ----------------------------------------------------------------------
TITLE:
Belkin Wireless G Router Security Bypass and Denial of Service
SECUNIA ADVISORY ID:
SA29345
VERIFY ADVISORY:
http://secunia.com/advisories/29345/
CRITICAL:
Less critical
IMPACT:
Security Bypass, DoS
WHERE:
From local network
OPERATING SYSTEM:
Belkin Wireless G Router
http://secunia.com/product/6130/
DESCRIPTION:
Some security issues and a vulnerability have been reported in the
Belkin Wireless G Router, which can be exploited by malicious people
to bypass certain security restrictions or cause a DoS (Denial of
Service).
1) An error in the implementation of authenticated sessions can be
exploited to gain access to the router's control panel by
establishing a session from a previously authenticated IP address.
2) An error exists within the enforcing of permissions in
cgi-bin/setup_dns.exe. This can be exploited to perform restricted
administrative actions by directly accessing the vulnerable script.
3) An error exists in the cgi-bin/setup_virtualserver.exe script when
processing HTTP POST data. This can be exploited to deny further
administrative access to an affected device via a specially crafted
HTTP POST request with a "Connection: Keep-Alive" header.
The security issues and the vulnerability are reported in model
F5D7230-4, firmware version 9.01.10.
SOLUTION:
Restrict network access to the router's web interface.
PROVIDED AND/OR DISCOVERED BY:
loftgaia
ORIGINAL ADVISORY:
http://www.gnucitizen.org/projects/router-hacking-challenge/
----------------------------------------------------------------------
| VAR-200902-0500 | CVE-2009-0216 | ge_fanuc ifix Bypass access restriction vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
GE Fanuc iFIX 5.0 and earlier relies on client-side authentication involving a weakly encrypted local password file, which allows remote attackers to bypass intended access restrictions and start privileged server login sessions by recovering a password or by using a modified program module. Vulnerabilities in the way GE Fanuc iFIX handles authentication could allow a remote attacker to log on to the system with elevated privileges. Microsoft Windows fails to properly handle the NoDriveTypeAutoRun registry value, which may prevent Windows from effectively disabling AutoRun and AutoPlay features. GE Fanuc iFIX is SCADA client/server software with Human Machine Interface components that runs on Microsoft Windows CE, NT, 2000, Server 2003, XP and Vista. The vulnerabilities are in iFIX authentication. The user name and password are stored in a local file on the client side, and the password is encrypted with a low-strength algorithm. According to GE Fanuc: Attackers can gain copies of this file in two ways. The first way requires that an attacker have an interactive session with the computer containing the file, such as a direct login, or through a remote terminal session, VNC, or some other remote session providing access to a command shell. Using the shell, the attacker can simply copy the file and extract the passwords at some later point. Another way an attacker can gain access to this file is by intercepting the file over the network. This can occur if the file is shared between two computers using Microsoft Windows network sharing. In this case, an attacker may be able to recreate the file by using a network sniffer to monitor network traffic between them. Since iFIX performs authentication within the client, an attacker could tamper with and replace the authentication module. According to GE Fanuc: Authentication and authorization of users are implemented through certain program modules.
These modules can be modified at the binary level to bypass user authentication. To exploit this type of attack, an attacker needs to be able to launch unauthorized applications from an interactive shell. iFIX may also be affected by the issue published in Technical Cyber Security Alert TA09-020A on disabling the Microsoft Windows auto-execution (AutoRun) function. Code executed through the auto-execution function can bypass iFIX Environment Protection, which may result in the authentication module being tampered with and replaced. An attacker could gain access to a file containing authentication information or intercept network traffic. As a result, the attacker could gain unauthorized access to the iFIX system.
GE Fanuc iFIX 5.0 and earlier are vulnerable.
National Cyber Alert System
Technical Cyber Security Alert TA09-020A
Microsoft Windows Does Not Disable AutoRun Properly
Original release date: January 20, 2009
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
Overview
Disabling AutoRun on Microsoft Windows systems can help prevent the
spread of malicious code. However, Microsoft's guidelines for
disabling AutoRun are not fully effective, which could be
considered a vulnerability.
I. Description
Microsoft Windows includes an AutoRun feature, which can
automatically run code when removable devices are connected to the
computer. AutoRun (and the closely related AutoPlay) can
unexpectedly cause arbitrary code execution in the following
situations:
* A removable device is connected to a computer. This includes, but
is not limited to, inserting a CD or DVD, connecting a USB or
Firewire device, or mapping a network drive. This connection can
result in code execution without any additional user interaction.
* A user clicks the drive icon for a removable device in Windows
Explorer. Rather than exploring the drive's contents, this action
can cause code execution.
* The user selects an option from the AutoPlay dialog that is
displayed when a removable device is connected. Malicious
software, such as W32.Downadup, is using AutoRun to
spread. Disabling AutoRun, as specified in the CERT/CC
Vulnerability Analysis blog, is an effective way of helping to
prevent the spread of malicious code. It will, however, disable Media
Change Notification (MCN) messages, which may prevent Windows from
detecting when a CD or DVD is changed.
II. Impact
By placing an Autorun.inf file on a device, an attacker may be able
to automatically execute arbitrary code when the device is
connected to a Windows system. Code execution may also take place
when the user attempts to browse to the software location with
Windows Explorer.
III. We recommend
restarting Windows after making the registry change so that any
cached mount points are reinitialized in a way that ignores the
Autorun.inf file. Alternatively, the following registry key may be
deleted:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Once these changes have been made, all of the AutoRun code
execution scenarios described above will be mitigated because
Windows will no longer parse Autorun.inf files to determine which
actions to take. Further details are available in the
CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin
Atac for providing the workaround.
IV. References
* The Dangers of Windows AutoRun -
<http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html>
* US-CERT Vulnerability Note VU#889747 -
<http://www.kb.cert.org/vuls/id/889747>
* Nick Brown's blog: Memory stick worms -
<http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>
* TR08-004 Disabling Autorun -
<http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx>
* How to Enable or Disable Automatically Running CD-ROMs -
<http://support.microsoft.com/kb/155217>
* NoDriveTypeAutoRun -
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx>
* Autorun.inf Entries -
<http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx>
* W32.Downadup -
<http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99>
* MS08-067 Worm, Downadup/Conflicker -
<http://www.f-secure.com/weblog/archives/00001576.html>
* Social Engineering Autoplay and Windows 7 -
<http://www.f-secure.com/weblog/archives/00001586.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-020A Feedback VU#889747" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 20, 2009: Initial release
. ----------------------------------------------------------------------
TITLE:
Windows Vista "NoDriveTypeAutoRun" Security Issue
SECUNIA ADVISORY ID:
SA29458
VERIFY ADVISORY:
http://secunia.com/advisories/29458/
CRITICAL:
Not critical
IMPACT:
Security Bypass
WHERE:
Local system
OPERATING SYSTEM:
Microsoft Windows Vista
http://secunia.com/product/13223/
DESCRIPTION:
CERT/CC has reported a security issue in Windows Vista, which can be
exploited by malicious people to bypass certain security settings.
AutoPlay is a feature designed to immediately begin reading from a
drive (e.g. run a setup file) when a media is inserted.
Successful exploitation may result in execution of arbitrary code,
but requires physical access to a vulnerable system or that a user is
tricked into inserting a malicious media (e.g. USB device).
SOLUTION:
Restrict access to affected systems.
Do not insert any untrusted media even with the registry key value
set to disable AutoPlay for all drives.
PROVIDED AND/OR DISCOVERED BY:
Will Dormann and Jeff Gennari, CERT/CC.
ORIGINAL ADVISORY:
US-CERT VU#889747:
http://www.kb.cert.org/vuls/id/889747
----------------------------------------------------------------------
. This can be exploited
to gain knowledge of user names and passwords by obtaining (e.g. by modifying certain used modules.
3) It is possible to bypass the run-time Environment Protection via
the Autoplay feature by attaching an external storage device
containing an automatically launched script. Use in a
trusted network environment only. Description
The presence of a Conficker infection may be detected if a user is
unable to surf to the following websites:
* http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
* http://www.mcafee.com
If a user is unable to reach either of these websites, a Conficker
infection may be indicated (the most current variant of Conficker
interferes with queries for these sites, preventing a user from
visiting them). If a Conficker infection is suspected, the
infected system should be removed from the network. Major
anti-virus vendors and Microsoft have released several free tools
that can verify the presence of a Conficker infection and remove
the worm. Instructions for manually removing a Conficker infection
from a system have been published by Microsoft in
http://support.microsoft.com/kb/962007. Solution
US-CERT encourages users to prevent a Conficker infection by
ensuring all systems have the MS08-067 patch (part of Security
Update KB958644, which was published by Microsoft in October
2008), disabling AutoRun functionality (see
http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
maintaining up-to-date anti-virus software
| VAR-200803-0231 | CVE-2008-1012 | Apple AirPort Extreme Base Station AFP Request Denial of Service Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Apple AirPort Extreme Base Station Firmware 7.3.1 allows remote attackers to cause a denial of service (file sharing hang) via a crafted AFP request, related to "input validation.". Apple AirPort Extreme Base Station is a small wireless access solution.
Apple AirPort Extreme Base Station has a vulnerability in processing malformed requests. If a special AFP request is sent to the device, file sharing will become unresponsive.
AirPort Extreme running firmware versions prior to 7.3.1 are affected. ----------------------------------------------------------------------
SOLUTION:
Update to one of the following firmware versions:
* AirPort Extreme with 802.11n (Fast Ethernet) 7.3.1
* AirPort Extreme with 802.11n (Gigabit Ethernet) 7.3.1
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Alex deVries.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT1226
----------------------------------------------------------------------
| VAR-200803-0027 | CVE-2008-0062 | MIT Kerberos krb4-enabled KDC contains multiple vulnerabilities |
CVSS V2: 9.3 CVSS V3: 9.8 Severity: CRITICAL |
KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free. Vulnerabilities in the MIT Kerberos Key Distribution Center server could allow a remote attacker to compromise the key database, gain access to sensitive information, or cause a denial of service. MIT Kerberos 5 (also known as krb5) is a set of network authentication protocols developed by the Massachusetts Institute of Technology (MIT). It adopts a client/server structure, and both the client and the server can authenticate each other (that is, double verification), which can prevent eavesdropping, replay attacks, etc. If the KDC receives a malformed Kerberos 4 message and there was no previous Kerberos 4 communication, a null pointer dereference is triggered, causing the KDC to crash. If there was valid Kerberos 4 communication, messages sent to the client are locked using a null pointer; as a result the KDC may resend a previously generated response, send some arbitrary block of process memory (which may contain key data), or crash because of an attempt to access an invalid address. If the process does not crash, a random address is passed to free(), which may corrupt the free pool, causing a crash, data corruption, or a jump to an arbitrary address in process memory.
A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4
protocol packets.
This issue only affects krb5kdc when it has Kerberos v4 protocol
compatibility enabled, which is a compiled-in default in all
Kerberos versions that Mandriva Linux ships prior to Mandriva
Linux 2008.0.
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1524-1 security@debian.org
http://www.debian.org/security/ Noah Meyerhans
March 18, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : krb5
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-0062 CVE-2008-0063 CVE-2008-0947
Several remote vulnerabilities have been discovered in the kdc component
of the krb5, a system for authenticating users and services on a
network. It is theoretically possible for the exposed
information to include secret key data on some platforms.
For the stable distribution (etch), these problems have been fixed in
version 1.4.4-7etch5.
For the old stable distribution (sarge), these problems have been fixed
in version krb5 1.3.6-2sarge6.
We recommend that you upgrade your krb5 packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 3.1 (oldstable)
- ----------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
Size/MD5 checksum: 104948 a013d1818ed8d6dd7d75a8ac11e795f9
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_hppa.deb
Size/MD5 checksum: 187304 401a8e21722c104f3d3aae86cf3640e9
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_hppa.deb
Size/MD5 checksum: 383876 d50afad26c9a0416fe47dfdf5ff649f4
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_hppa.deb
Size/MD5 checksum: 81992 b6c84f121f66616f578b13a3f0c654ca
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_hppa.deb
Size/MD5 checksum: 139202 4972377b638f980ad757128f14132874
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_hppa.deb
Size/MD5 checksum: 224154 8a8436e210dd8892487ea482a1de6522
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 116324 445bced4eb764a78e51b68e4d7558363
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 574784 40fa136876b3219e55de089340c0c85e
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 52890 a6ae74be5b338ab7f215d0846353833e
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 165726 4b2485d3b8a50cd61ffcd2e0748d70fe
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 349416 2f33d4592484a2adf276fd29cfe9d728
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 127878 7232e14b8bc1d78fa4346b4ed393a3b9
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 95656 00f7666dac13adf2a7bfc81c9d801f2f
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 191526 d8613e5a3d87838ee7155f54c1c12f3d
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 57762 2baa509aad5f6b837753e5a3e65e63f1
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_i386.deb
Size/MD5 checksum: 75890 5e52830c36794bb8ed2cdd14611ec690
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 134332 473be671406f747295c4a94d3f2ca3c5
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 289396 c95c79f18a2a8cb78131a35073c09ebe
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 890018 a9ca82650f5f96ac66d2b4436b0d1345
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 167350 f448dced91316668c1d33d6a0776eb2c
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 240384 5dc95c9ea35a7b052041e177114c5acf
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 79982 8980a39a06eeca5ef5adb623786742a2
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 73692 039a88dc8793fa4de6e461408cde62bd
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 105008 273a9dbaf7a4882f39ebd9de527f76fb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 502382 97f1d32991c1778752bad887f4029990
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_ia64.deb
Size/MD5 checksum: 165288 7d2e3c354cc50db22fc34a396902690f
m68k architecture (Motorola Mc680x0)
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 71116 2f35c57d9f24856b013e27b0eef24a25
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 516020 203205bb2e6f66161c2aa98746687190
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 49768 39d4529ec4e27e2fdc75de762c5643fa
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 107660 0659ab018fbf062504348fc63ef97cc6
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 147864 b86ebef3ec1541aeabc20be31e503049
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 305872 1fc4f6385b5196c1c892731eac06f5b3
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 122106 c60b71edc9196adda91d40c4b84a908e
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 174180 6d750c072a8d641bd661ea5c688199f3
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 53478 74055ea66e27e24d79c824691da8fe0f
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge6_m68k.deb
Size/MD5 checksum: 88692 074a5c747c652e7ce8d911077ca5586c
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 145108 f432457761497dcfd8e1ba6fe7ac43fa
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 164386 512e3b183ffc5f121f82981f32235377
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 57750 d827cf9980ed4eba196dedf93e7d9b5d
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 680860 b4718176172f14d54d2a4662ae28e534
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 128738 a9592a522e7cc0f6db4c121ac04db438
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 65060 9b5613121aff8f341cb2dc3786b28d78
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 103404 eb3ca8cddb900bd4dfdb10b67ca9622c
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 225708 d09d386a5705b48584ffd51b0127883d
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 355178 359ca6a220b6a9e7af7b949e7a64fb5d
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_mips.deb
Size/MD5 checksum: 80956 407fec89580608afebb4ff89d95bdf72
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 146678 76f8820a81a1c068ab60348f1302d087
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 103808 db8b0c06f58646093ca80554061cc0d1
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 65266 c27b18832cafb60109ba97e529706a53
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 226540 0ddfa3be4f63eeb0066682928c193996
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 82060 2479f67cadc3533fb499507fc1977b5d
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 355120 d1644230bb4cc0788a04f5f0c8eb961c
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 58164 5dcd7db602701983272b2fbb0db88864
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 130098 472042e34a7ac48352205df510767ddd
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 165632 3074194d27a16bd4e737a9462d6a217a
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge6_mipsel.deb
Size/MD5 checksum: 682776 b0046283d8860fc6c8fe968b335ff463
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 61758 9496fefe85772ad549b84ae523c56e77
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 217812 c5aa73b8513a3698002cc3cedfeff012
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 105320 3677c003bd4c271bbe3daef5cf8f52df
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 143838 61244dbf640bd19ee1cc738ee7b44b34
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 57018 9afa2ba534be545b9d76d1f69c8e5468
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 165746 74c29add119101782727226dc9200db0
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 634906 93dd67378ead6cb763cc304516cbf632
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 353104 c5b16a1f26d01435b2bcb540b5b97730
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 82702 f728717a6a25b233526ad69934e376f4
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_powerpc.deb
Size/MD5 checksum: 126246 da0e3adca803929ae44fad884949cbe2
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 214176 9c4b2684ce790d6544d078efde32f5d3
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 132996 1ed627f09d5b25bb3eaaaa4148207d7f
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 63428 332d6f0c94eabdca1df666a3ec0c6184
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 57214 f518a8dd4336c3916bb8c533bd8b6301
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 624898 27ed5f1406b97c3a429ed6cc41a5421a
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 99652 0e49258823390960faaf06522ab8f1cc
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 376188 ec0fdc218fbe9c53fa5aaec87667b5a7
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 82370 3a26a1e22c24add8b16498a641444a77
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 180336 34967e4eb80a75b18a23a9f3bf05bb5f
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_s390.deb
Size/MD5 checksum: 121318 883136f99bce1a8f9f413dc3d68f5762
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 576786 3c142ce93bd9b408ea9a6d6046e3d067
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 58950 91be8dfc1160f334f0ed514eaeddb3c4
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 53520 89ceeef920ad596b129365a1f6876818
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 73596 cca4a24557097c3be9dc611d686d0688
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 93348 0a954f5b7f637eeaea3b656699314b99
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 114068 e7a1986874465f458987516f27a705d1
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 157712 2c8a0b75fc4982ee9265d2dd8cab2cc4
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 126780 d6faa238b06d1ff65c6b20b54c7b4fac
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 194584 39322280b333988d5cce973c7c00cdad
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.3.6-2sarge6_sparc.deb
Size/MD5 checksum: 330436 27d8b24e5a2bbb57d8078c7b1d391d53
Debian 4.0 (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
These files will probably be moved into the stable distribution on
its next update.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2008-0009
Synopsis: Updates to VMware Workstation, VMware Player,
VMware ACE, VMware Fusion, VMware Server, VMware
VIX API, VMware ESX, VMware ESXi resolve critical
security issues
Issue date: 2008-06-04
Updated on: 2008-06-04 (initial release of advisory)
CVE numbers: CVE-2007-5671 CVE-2008-0967 CVE-2008-2097
CVE-2008-2100 CVE-2006-1721 CVE-2008-0553
CVE-2007-5378 CVE-2007-4772 CVE-2008-0888
CVE-2008-0062 CVE-2008-0063 CVE-2008-0948
- -------------------------------------------------------------------
1. Summary:
Several critical security vulnerabilities have been addressed
in patches in ESX and in the newest releases of VMware's hosted
product line.
2. Relevant releases:
VMware Workstation 6.0.3 and earlier,
VMware Workstation 5.5.6 and earlier,
VMware Player 2.0.3 and earlier,
VMware Player 1.0.6 and earlier,
VMware ACE 2.0.3 and earlier,
VMware ACE 1.0.5 and earlier,
VMware Server 1.0.5 and earlier,
VMware Fusion 1.1.1 and earlier
VMware ESXi 3.5 without patches ESXe350-200805501-I-SG,
ESXe350-200805502-T-SG,
ESXe350-200805503-C-SG
VMware ESX 3.5 without patches ESX350-200805515-SG, ESX350-200805508-SG,
ESX350-200805501-BG, ESX350-200805504-SG,
ESX350-200805506-SG, ESX350-200805505-SG,
ESX350-200805507-SG
VMware ESX 3.0.2 without patches ESX-1004727, ESX-1004821, ESX-1004216,
ESX-1004726, ESX-1004722, ESX-1004724,
ESX-1004719, ESX-1004219
VMware ESX 3.0.1 without patches ESX-1004186, ESX-1004728, ESX-1004725,
ESX-1004721, ESX-1004723, ESX-1004190,
ESX-1004189
VMware ESX 2.5.5 without update patch 8
VMware ESX 2.5.4 without update patch 19
NOTES: Hosted products VMware Workstation 5.x, VMware Player 1.x,
and VMware ACE 1.x will reach end of general support
2008-11-09. Customers should plan to upgrade to the latest
version of their respective products.
ESX 3.0.1 is in Extended Support and its end of extended
support (Security and Bug fixes) is 2008-07-31. Users should plan
to upgrade to at least 3.0.2 update 1 and preferably the newest
release available before the end of extended support.
ESX 2.5.4 is in Extended Support and its end of extended support
(Security and Bug fixes) is 2008-10-08. Users should plan to upgrade
to at least 2.5.5 and preferably the newest release available before
the end of extended support.
3. Problem description:
a. VMware Tools Local Privilege Escalation on Windows-based guest OS
The VMware Tools Package provides support required for shared folders
(HGFS) and other features.
An input validation error is present in the Windows-based VMware
HGFS.sys driver. Exploitation of this flaw might result in
arbitrary code execution on the guest system by an unprivileged
guest user. It doesn't matter on what host the Windows guest OS
is running, as this is a guest driver vulnerability and not a
vulnerability on the host.
The HGFS.sys driver is present in the guest operating system if the
VMware Tools package is loaded. Even if the host has HGFS disabled
and has no shared folders, Windows-based guests may be affected. This
is regardless of whether a host supports HGFS.
This issue could be mitigated by removing the VMware Tools package
from Windows based guests. However this is not recommended as it
would impact usability of the product.
NOTE: Installing the new hosted release or ESX patches will not
remediate the issue. The VMware Tools packages will need
to be updated on each Windows-based guest followed by a
reboot of the guest system.
VMware would like to thank iDefense and Stephen Fewer of Harmony
Security for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-5671 to this issue.
VMware        Product   Running   Replace with/
Product       Version   on        Apply Patch
============  ========  ========  =================
Workstation   6.x       Windows   not affected
Workstation   6.x       Linux     not affected
Workstation   5.x       Windows   5.5.6 build 80404 or later
Workstation   5.x       Linux     5.5.6 build 80404 or later
Player        2.x       Windows   not affected
Player        2.x       Linux     not affected
Player        1.x       Windows   1.0.6 build 80404 or later
Player        1.x       Linux     1.0.6 build 80404 or later
ACE           2.x       Windows   not affected
ACE           1.x       Windows   1.0.5 build 79846 or later
Server        1.x       Windows   1.0.5 build 80187 or later
Server        1.x       Linux     1.0.5 build 80187 or later
Fusion        1.x       Mac OS/X  not affected
ESXi          3.5       ESXi      not affected
ESX           3.5       ESX       not affected
ESX           3.0.2     ESX       ESX-1004727
ESX           3.0.1     ESX       ESX-1004186
ESX           2.5.5     ESX       ESX 2.5.5 upgrade patch 5 or later
ESX           2.5.4     ESX       ESX 2.5.4 upgrade patch 16 or later
b. Privilege escalation on ESX or Linux based hosted operating systems
This update fixes a security issue related to local exploitation of
an untrusted library path vulnerability in vmware-authd. In order to
exploit this vulnerability, an attacker must have local access and
the ability to execute the set-uid vmware-authd binary on an affected
system. Exploitation of this flaw might result in arbitrary code
execution on the Linux host system by an unprivileged user.
VMware would like to thank iDefense for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-0967 to this issue.
VMware        Product   Running   Replace with/
Product       Version   on        Apply Patch
============  ========  ========  =================
Workstation   6.x       Windows   not affected
Workstation   6.x       Linux     6.0.4 build 93057
Workstation   5.x       Windows   not affected
Workstation   5.x       Linux     5.5.7 build 91707
Player        2.x       Windows   not affected
Player        2.x       Linux     2.0.4 build 93057
Player        1.x       Windows   not affected
Player        1.x       Linux     1.0.7 build 91707
ACE           2.x       Windows   not affected
ACE           1.x       Windows   not affected
Server        1.x       Windows   not affected
Server        1.x       Linux     1.0.6 build 91891
Fusion        1.x       Mac OS/X  not affected
ESXi          3.5       ESXi      ESXe350-200805501-I-SG
ESX           3.5       ESX       ESX350-200805515-SG
ESX           3.0.2     ESX       ESX-1004821
ESX           3.0.1     ESX       ESX-1004728
ESX           2.5.5     ESX       ESX 2.5.5 update patch 8
ESX           2.5.4     ESX       ESX 2.5.4 update patch 19
c. Openwsman Invalid Content-Length Vulnerability
Openwsman is a system management platform that implements the Web
Services Management protocol (WS-Management). It is installed and
running by default. It is used in the VMware Management Service
Console and in ESXi.
The openwsman management service on ESX 3.5 and ESXi 3.5 is vulnerable
to a privilege escalation vulnerability, which may allow users with
non-privileged ESX or Virtual Center accounts to gain root privileges.
To exploit this vulnerability, an attacker would need a local ESX
account or a VirtualCenter account with the Host.Cim.CimInteraction
permission.
Systems with no local ESX accounts and no VirtualCenter accounts with
the Host.Cim.CimInteraction permission are not vulnerable.
This vulnerability cannot be exploited by users without valid login
credentials.
Discovery: Alexander Sotirov, VMware Security Research
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-2097 to this issue.
VMware        Product   Running   Replace with/
Product       Version   on        Apply Patch
============  ========  ========  =================
hosted        any       any       not affected
ESXi          3.5       ESXi      ESXe350-200805501-I-SG
ESX           3.5       ESX       ESX350-200805508-SG
ESX           3.0.2     ESX       not affected
ESX           3.0.1     ESX       not affected
ESX           2.5.5     ESX       not affected
ESX           2.5.4     ESX       not affected
NOTE: VMware hosted products are not affected by this issue.
d. VMware VIX Application Programming Interface (API) Memory Overflow
Vulnerabilities
The VIX API (also known as "Vix") is an API that lets users write scripts
and programs to manipulate virtual machines.
Multiple buffer overflow vulnerabilities are present in the VIX API.
Exploitation of these vulnerabilities might result in code execution on
the host system or on the service console in ESX Server from the guest
operating system.
The VIX API can be enabled and disabled using the "vix.inGuest.enable"
setting in the VMware configuration file. The default value for this
setting is "disabled". This configuration setting is present in the
following products:
VMware Workstation 6.0.2 and higher
VMware ACE 6.0.2 and higher
VMware Server 1.06 and higher
VMware Fusion 1.1.2 and higher
ESX Server 3.0 and higher
ESX Server 3.5 and higher
In previous versions of VMware products where the VIX API was introduced,
the VIX API couldn't be disabled.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-2100 to this issue.
VMware        Product   Running   Replace with/
Product       Version   on        Apply Patch
============  ========  ========  =================
VIX API       1.1.x     Windows   VMware-vix-1.1.4-93057.exe
VIX API       1.1.x     Linux     VMware-vix-1.1.4-93057.i386.tar.gz
VIX API       1.1.x     Linux64   VMware-vix-1.1.4-93057.x86_64.tar.gz
Workstation   6.x       Windows   6.0.4 build 93057
Workstation   6.x       Linux     6.0.4 build 93057
Workstation   5.x       Windows   5.5.7 build 91707
Workstation   5.x       Linux     5.5.7 build 91707
Player        2.x       Windows   2.0.4 build 93057
Player        2.x       Linux     2.0.4 build 93057
Player        1.x       Windows   1.0.6 build 91707
Player        1.x       Linux     1.0.6 build 91707
ACE           2.x       Windows   2.0.4 build 93057
ACE           1.x       Windows   not affected
Server        1.x       Windows   1.0.6 build 91891
Server        1.x       Linux     1.0.6 build 91891
Fusion        1.x       Mac OS/X  1.1.2 build 87978 or later
ESXi          3.5       ESXi      ESXe350-200805501-I-SG,
                                  ESXe350-200805502-T-SG
ESX           3.5       ESX       ESX350-200805501-BG
ESX           3.0.2     ESX       ESX-1004216, ESX-1004726, ESX-1004727
ESX           3.0.1     ESX       ESX-1004186, ESX-1004725
ESX           2.5.5     ESX       not affected
ESX           2.5.4     ESX       not affected
II Service Console rpm updates
NOTE: ESXi and hosted products are not affected by any service console
security updates
a. Security update for cyrus-sasl
Updated cyrus-sasl package for the ESX Service Console corrects a security
issue found in the DIGEST-MD5 authentication mechanism of Cyrus'
implementation of Simple Authentication and Security Layer (SASL). As a
result of this issue in the authentication mechanism, a remote
unauthenticated attacker might be able to cause a denial of service error
on the service console.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2006-1721 to this issue.
RPMs Updated:
cyrus-sasl-2.1.15-15.i386.rpm
cyrus-sasl-md5-2.1.15-1.i386.rpm
VMware        Product   Running   Replace with/
Product       Version   on        Apply Patch
============  ========  ========  =================
hosted        any       any       not affected
ESXi          3.5       ESXi      not affected
ESX           3.5       ESX       ESX350-200805504-SG
ESX           3.0.2     ESX       ESX-1004722
ESX           3.0.1     ESX       ESX-1004721
ESX           2.5.5     ESX       not affected
ESX           2.5.4     ESX       not affected
b. Security update for tcltk
An input validation flaw was discovered in Tk's GIF image handling. A
code-size value read from a GIF image was not properly validated before
being used, leading to a buffer overflow. A specially crafted GIF file
could use this to cause a crash or, potentially, execute code with the
privileges of the application using the Tk graphical toolkit.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2008-0553 to this issue.
A buffer overflow flaw was discovered in Tk's animated GIF image handling.
An animated GIF containing an initial image smaller than subsequent images
could cause a crash or, potentially, execute code with the privileges of
the application using the Tk library.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2007-5378 to this issue.
A flaw first discovered in the Tcl regular expression engine used in the
PostgreSQL database server, resulted in an infinite loop when processing
certain regular expressions.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2007-4772 to this issue.
RPM Updated:
tcl-8.3.5-92.8.i386.rpm
VMware        Product   Running   Replace with/
Product       Version   on        Apply Patch
============  ========  ========  =================
hosted        any       any       not affected
ESXi          3.5       ESXi      not affected
ESX           3.5       ESX       ESX350-200805506-SG
ESX           3.0.2     ESX       ESX-1004724
ESX           3.0.1     ESX       ESX-1004723
ESX           2.5.5     ESX       ESX 2.5.5 Upgrade Patch 8
ESX           2.5.4     ESX       ESX 2.5.4 Upgrade Patch 19
c. Security update for unzip
This patch includes a moderate security update to the service console that
fixes a flaw in unzip. An attacker could execute malicious code with a
user's privileges if the user ran unzip on a file designed to leverage
this flaw.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2008-0888 to this issue.
RPM Updated:
Unzip-5.50-36.EL3.i386.rpm
VMware        Product   Running   Replace with/
Product       Version   on        Apply Patch
============  ========  ========  =================
hosted        any       any       not affected
ESXi          3.5       ESXi      not affected
ESX           3.5       ESX       ESX350-200805505-SG
ESX           3.0.2     ESX       ESX-1004719
ESX           3.0.1     ESX       ESX-1004190
ESX           2.5.5     ESX       ESX 2.5.5 Upgrade Patch 8
ESX           2.5.4     ESX       ESX 2.5.4 Upgrade Patch 19
d.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-0062 to this issue.
NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable
to this issue.
NOTE: ESX doesn't contain the krb5kdc binary and is not vulnerable
to this issue.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-0948 to this issue.
RPM Updated:
krb5-libs-1.2.7-68.i386.rpm
VMware        Product   Running   Replace with/
Product       Version   on        Apply Patch
============  ========  ========  =================
hosted        any       any       not affected
ESXi          3.5       ESXi      not affected
ESX           3.5       ESX       ESX350-200805507-SG
ESX           3.0.2     ESX       ESX-1004219
ESX           3.0.1     ESX       ESX-1004189
ESX           2.5.5     ESX       ESX 2.5.5 Upgrade Patch 8
ESX           2.5.4     ESX       ESX 2.5.4 Upgrade Patch 19
4. Solution:
Please review the release notes for your product and version and verify the
md5sum of your downloaded file.
VMware Workstation 6.0.4
------------------------
http://www.vmware.com/download/ws/
Release notes:
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
Windows binary
md5sum: f50a05831e94c19d98f363c752fca5f9
RPM Installation file for 32-bit Linux
md5sum: e7793b14b995d3b505f093c84e849421
tar Installation file for 32-bit Linux
md5sum: a0a8e1d8188f4be03357872a57a767ab
RPM Installation file for 64-bit Linux
md5sum: 960d753038a268b8f101f4b853c0257e
tar Installation file for 64-bit Linux
md5sum: 4697ec8a9d6c1152d785f3b77db9d539
VMware Workstation 5.5.7
------------------------
http://www.vmware.com/download/ws/ws5.html
Release notes:
http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
Windows binary:
md5sum: 4c6a6653b7296240197aac048591c659
Compressed Tar archive for 32-bit Linux
md5sum: 8fc15d72031489cf5cd5d47b966787e6
Linux RPM version for 32-bit Linux
md5sum: f0872fe447ac654a583af16b2f4bba3f
VMware Player 2.0.4 and 1.0.7
-----------------------------
http://www.vmware.com/download/player/
Release notes Player 1.x:
http://www.vmware.com/support/player/doc/releasenotes_player.html
Release notes Player 2.0
http://www.vmware.com/support/player2/doc/releasenotes_player2.html
2.0.4 Windows binary
md5sum: a117664a8bfa7336b846117e5fc048dd
VMware Player 2.0.4 for Linux (.rpm)
md5sum: de6ab6364a0966b68eadda2003561cd2
VMware Player 2.0.4 for Linux (.tar)
md5sum: 9e1c2bfda6b22a3fc195a86aec11903a
VMware Player 2.0.4 - 64-bit (.rpm)
md5sum: 997e5ceffe72f9ce9146071144dacafa
VMware Player 2.0.4 - 64-bit (.tar)
md5sum: 18eb4ee49dd7e33ec155ef69d7d259ef
1.0.7 Windows binary
md5sum: 51114b3b433dc1b3bf3e434aebbf2b9c
Player 1.0.7 for Linux (.rpm)
md5sum: 3b5f97a37df3b984297fa595a5cdba9c
Player 1.0.7 for Linux (.tar)
md5sum: b755739144944071492a16fa20f86a51
VMware ACE
----------
http://www.vmware.com/download/ace/
Release notes 2.0:
http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
VMware-workstation-6.0.4-93057.exe
md5sum: f50a05831e94c19d98f363c752fca5f9
VMware-ACE-Management-Server-Appliance-2.0.4-93057.zip
md5sum: d2ae2246f3d87268cf84c1421d94e86c
VMware-ACE-Management-Server-2.0.4-93057.exe
md5sum: 41b31b3392d5da2cef77a7bb28654dbf
VMware-ACE-Management-Server-2.0.4-93057.i386-rhel4.rpm
md5sum: 9920be4c33773df53a1728b41af4b109
VMware-ACE-Management-Server-2.0.4-93057.i386-sles9.rpm
md5sum: 4ec4c37203db863e8844460b5e80920b
Release notes 1.x:
http://www.vmware.com/support/ace/doc/releasenotes_ace.html
VMware-ACE-1.0.6-89199.exe
md5sum: 110f6e24842a0d154d9ec55ef9225f4f
VMware Server 1.0.6
-------------------
http://www.vmware.com/download/server/
Release notes:
http://www.vmware.com/support/server/doc/releasenotes_server.html
VMware Server for Windows 32-bit and 64-bit
md5sum: 3e00d5cfae123d875e4298bddabf12f5
VMware Server Windows client package
md5sum: 64f3fc1b4520626ae465237d7ec4773e
VMware Server for Linux
md5sum: 46ea876bfb018edb6602a921f6597245
VMware Server for Linux rpm
md5sum: 9d2f0af908aba443ef80bec8f7ef3485
Management Interface
md5sum: 1b3daabbbb49a036fe49f53f812ef64b
VMware Server Linux client package
md5sum: 185e5b174659f366fcb38b1c4ad8d3c6
VMware Fusion 1.1.3
--------------
http://www.vmware.com/download/fusion/
Release notes:
http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html
md5sum: D15A3DFD3E7B11FC37AC684586086D
VMware VIX 1.1.4
----------------
http://www.vmware.com/support/developer/vix-api/
Release notes:
http://www.vmware.com/support/pubs/vix-api/VIXAPI-1.1.4-Release-Notes.html
VMware-vix-1.1.4-93057.exe
md5sum: 2efb74618c7ead627ecb3b3033e3f9f6
VMware-vix-1.1.4-93057.i386.tar.gz
md5sum: 988df2b2bbc975a6fc11f27ad1519832
VMware-vix-1.1.4-93057.x86_64.tar.gz
md5sum: a64f951c6fb5b2795a29a5a7607059c0
ESXi
----
VMware ESXi 3.5 patch ESXe350-200805501-O-SG (authd, openwsman, VIX)
http://download3.vmware.com/software/esx/ESXe350-200805501-O-SG.zip
md5sum: 4ce06985d520e94243db1e0504a56d8c
http://kb.vmware.com/kb/1005073
http://kb.vmware.com/kb/1004173
http://kb.vmware.com/kb/1004172
NOTE: ESXe350-200805501-O-SG contains the following patch bundles:
ESXe350-200805501-I-SG, ESXe350-200805502-T-SG,
ESXe350-200805503-C-SG
ESX
---
VMware ESX 3.5 patch ESX350-200805515-SG (authd)
http://download3.vmware.com/software/esx/ESX350-200805515-SG.zip
md5sum: 324b50ade230bcd5079a76e3636163c5
http://kb.vmware.com/kb/1004170
VMware ESX 3.5 patch ESX350-200805508-SG (openwsman)
http://download3.vmware.com/software/esx/ESX350-200805508-SG.zip
md5sum: 3ff8c06d4a9dd406f64f89c51bf26d12
http://kb.vmware.com/kb/1004644
VMware ESX 3.5 patch ESX350-200805501-BG (VIX)
http://download3.vmware.com/software/esx/ESX350-200805501-BG.zip
md5sum: 31a620aa249c593c30015b5b6f8c8650
http://kb.vmware.com/kb/1004637
VMware ESX 3.5 patch ESX350-200805504-SG (cyrus-sasl)
http://download3.vmware.com/software/esx/ESX350-200805504-SG.zip
md5sum: 4c1b1a8dcb09a636b55c64c290f7de51
http://kb.vmware.com/kb/1004640
VMware ESX 3.5 patch ESX350-200805506-SG (tcltk)
http://download3.vmware.com/software/esx/ESX350-200805506-SG.zip
md5sum: af279eef8fdeddb7808630da1ae717b1
http://kb.vmware.com/kb/1004642
VMware ESX 3.5 patch ESX350-200805505-SG (unzip)
http://download3.vmware.com/software/esx/ESX350-200805505-SG.zip
md5sum: 07af82d9fd97cccb89d9b90c6ecc41c6
http://kb.vmware.com/kb/1004641
VMware ESX 3.5 patch ESX350-200805507-SG (krb5)
http://download3.vmware.com/software/esx/ESX350-200805507-SG.zip
md5sum: 5d35a1c470daf13c9f4df5bdc9438748
http://kb.vmware.com/kb/1004643
VMware ESX 3.0.2 patch ESX-1004727 (HGFS,VIX)
http://download3.vmware.com/software/vi/ESX-1004727.tgz
md5sum: 31a67b0fa3449747887945f8d370f19e
http://kb.vmware.com/kb/1004727
VMware ESX 3.0.2 patch ESX-1004821 (authd)
http://download3.vmware.com/software/vi/ESX-1004821.tgz
md5sum: 5c147bedd07245c903d44257522aeba1
http://kb.vmware.com/kb/1004821
VMware ESX 3.0.2 patch ESX-1004216 (VIX)
http://download3.vmware.com/software/vi/ESX-1004216.tgz
md5sum: 0784ef70420d28a9a5d6113769f6669a
http://kb.vmware.com/kb/1004216
VMware ESX 3.0.2 patch ESX-1004726 (VIX)
http://download3.vmware.com/software/vi/ESX-1004726.tgz
md5sum: 44f03b274867b534cd274ccdf4630b86
http://kb.vmware.com/kb/1004726
VMware ESX 3.0.2 patch ESX-1004722 (cyrus-sasl)
http://download3.vmware.com/software/vi/ESX-1004722.tgz
md5sum: 99dc71aed5bab7711f573b6d322123d6
http://kb.vmware.com/kb/1004722
VMware ESX 3.0.2 patch ESX-1004724 (tcltk)
http://download3.vmware.com/software/vi/ESX-1004724.tgz
md5sum: fd9a160ca7baa5fc443f2adc8120ecf7
http://kb.vmware.com/kb/1004724
VMware ESX 3.0.2 patch ESX-1004719 (unzip)
http://download3.vmware.com/software/vi/ESX-1004719.tgz
md5sum: f0c37b9f6be3399536d60f6c6944de82
http://kb.vmware.com/kb/1004719
VMware ESX 3.0.2 patch ESX-1004219 (krb5)
http://download3.vmware.com/software/vi/ESX-1004219.tgz
md5sum: 7c68279762f407a7a5ee151a650ebfd4
http://kb.vmware.com/kb/1004219
VMware ESX 3.0.1 patch ESX-1004186 (HGFS,VIX)
http://download3.vmware.com/software/vi/ESX-1004186.tgz
md5sum: f64389a8b97718eccefadce1a14d1198
http://kb.vmware.com/kb/1004186
VMware ESX 3.0.1 patch ESX-1004728 (authd)
http://download3.vmware.com/software/vi/ESX-1004728.tgz
md5sum: 1f01bb819805b855ffa2ec1040eff5ca
http://kb.vmware.com/kb/1004728
VMware ESX 3.0.1 patch ESX-1004725 (VIX)
http://download3.vmware.com/software/vi/ESX-1004725.tgz
md5sum: 9fafb04c6d3f6959e623832f539d2dc8
http://kb.vmware.com/kb/1004725
VMware ESX 3.0.1 patch ESX-1004721 (cyrus-sasl)
http://download3.vmware.com/software/vi/ESX-1004721.tgz
md5sum: 48190819b0f5afddefcb8d209d12b585
http://kb.vmware.com/kb/1004721
VMware ESX 3.0.1 patch ESX-1004723 (tcltk)
http://download3.vmware.com/software/vi/ESX-1004723.tgz
md5sum: c34ca0a5886e0c0917a93a97c331fd7d
http://kb.vmware.com/kb/1004723
VMware ESX 3.0.1 patch ESX-1004190 (unzip)
http://download3.vmware.com/software/vi/ESX-1004190.tgz
md5sum: 05187b9f534048c79c62741367cc0dd2
http://kb.vmware.com/kb/1004190
VMware ESX 3.0.1 patch ESX-1004189 (krb5)
http://download3.vmware.com/software/vi/ESX-1004189.tgz
md5sum: 21b620530b99009f469c872e73a439e8
http://kb.vmware.com/kb/1004189
VMware ESX 2.5.5 Upgrade Patch 8
http://download3.vmware.com/software/esx/esx-2.5.5-90521-upgrade.tar.gz
md5sum: 392b6947fc3600ca0e8e7788cd5bbb6e
http://vmware.com/support/esx25/doc/esx-255-200805-patch.html
VMware ESX 2.5.4 Upgrade Patch 19
http://download3.vmware.com/software/esx/esx-2.5.4-90520-upgrade.tar.gz
md5sum: 442788fd0bccb0d994c75b268bd12760
http://vmware.com/support/esx25/doc/esx-254-200805-patch.html
5. References:
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0967
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2097
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2100
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5378
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4772
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0888
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0948
6. Change log:
2008-06-04 VMSA-2008-0009 Initial release
- -------------------------------------------------------------------
7. Contact:
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce@lists.vmware.com
* bugtraq@securityfocus.com
* full-disclosure@lists.grok.org.uk
E-mail: security@vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2008 VMware Inc. All rights reserved.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200803-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: MIT Kerberos 5: Multiple vulnerabilities
Date: March 24, 2008
Bugs: #199205, #212363
ID: 200803-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in MIT Kerberos 5, which could
allow a remote unauthenticated user to execute arbitrary code with root
privileges.
Background
==========
MIT Kerberos 5 is a suite of applications that implement the Kerberos
network protocol. kadmind is the MIT Kerberos 5 administration daemon,
KDC is the Key Distribution Center.
* Jeff Altman (Secure Endpoints) discovered a buffer overflow in the
RPC library server code, used in the kadmin server, caused when too
many file descriptors are opened (CVE-2008-0947).
* Venustech AD-LAB discovered multiple vulnerabilities in the GSSAPI
library: usage of a freed variable in the gss_indicate_mechs()
function (CVE-2007-5901) and a double free() vulnerability in the
gss_krb5int_make_seal_token_v3() function (CVE-2007-5971). These bugs can only be triggered when Kerberos 4 support is
enabled.
The RPC related vulnerability can be exploited by a remote
unauthenticated attacker to crash kadmind, and theoretically execute
arbitrary code with root privileges or cause database corruption. This
bug can only be triggered in configurations that allow large numbers of
open file descriptors in a process.
Workaround
==========
Kerberos 4 support can be disabled via disabling the "krb4" USE flag
and recompiling the ebuild, or setting "v4_mode=none" in the
[kdcdefaults] section of /etc/krb5/kdc.conf. This will only work around
the KDC related vulnerabilities.
Resolution
==========
All MIT Kerberos 5 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.6.3-r1"
References
==========
[ 1 ] CVE-2007-5901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5894
[ 2 ] CVE-2007-5971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
[ 3 ] CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
[ 4 ] CVE-2008-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
[ 5 ] CVE-2008-0947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200803-31.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02824440
Version: 1
HPSBOV02682 SSRT100495 rev.1 - HP OpenVMS running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Modification
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-05-05
Last Updated: 2011-05-05
Potential Security Impact: Remote Denial of Service (DoS), execution of arbitrary code, unauthorized modification
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP OpenVMS running Kerberos. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS) or execution of arbitrary code, or by a remote unauthorized user to modify data, prompts, or responses.
References: CVE-2008-0062, CVE-2008-0947, CVE-2008-0948, CVE-2009-0846, CVE-2009-4212, CVE-2010-1323
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Kerberos for OpenVMS v 3.1 and earlier.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2008-0062    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2008-0947    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2008-0948    (AV:N/AC:M/Au:N/C:C/I:C/A:C)    9.3
CVE-2009-0846    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2009-4212    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2010-1323    (AV:N/AC:H/Au:N/C:N/I:P/A:N)    2.6
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software updates available to resolve these vulnerabilities.
Kerberos V3.2 for OpenVMS Alpha and OpenVMS Integrity servers:
http://h71000.www7.hp.com/openvms/products/kerberos
HISTORY
Version:1 (rev.1) - 5 May 2011 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
| VAR-200803-0443 | CVE-2008-1397 | Check Point VPN-1 information disclosure vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
Check Point VPN-1 Power/UTM, with NGX R60 through R65 and NG AI R55 software, allows remote authenticated users to cause a denial of service (site-to-site VPN tunnel outage), and possibly intercept network traffic, by configuring the local RFC1918 IP address to be the same as one of this tunnel's endpoint RFC1918 IP addresses, and then using SecuRemote to connect to a network interface at the other endpoint. The Check Point VPN-1 firewall contains an information disclosure vulnerability that may allow an authenticated attacker to access data that they are not authorized to access. The issue occurs because the application fails to adequately handle IP address collisions.
Attackers can exploit this issue to break site-to-site VPN connectivity between a VPN-1 gateway and a third party, denying access to legitimate users. If SecuRemote back-connections are enabled, the attacker can leverage this issue to re-route site-to-site VPN traffic from the VPN gateway to their SecuRemote client. Under certain conditions, this will cause data that was destined for the third party to be sent to the attacker's client instead. This could contain sensitive information that would aid in further attacks. ----------------------------------------------------------------------
TITLE:
CheckPoint VPN-1 IP Address Collision Security Issue
SECUNIA ADVISORY ID:
SA29394
VERIFY ADVISORY:
http://secunia.com/advisories/29394/
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information, DoS
WHERE:
From local network
SOFTWARE:
Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI)
http://secunia.com/product/2542/
Check Point VPN-1 UTM NGX
http://secunia.com/product/13346/
Check Point VPN-1 Power NGX
http://secunia.com/product/13348/
DESCRIPTION:
Robert Mitchell has reported a security issue in CheckPoint VPN-1,
which can lead to a DoS (Denial of Service) or disclosure of
sensitive information.
SOLUTION:
The vendor has issued hotfixes to resolve the issue (see vendor
advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Robert Mitchell
ORIGINAL ADVISORY:
CheckPoint:
https://secureknowledge.checkpoint.com/SecureKnowledge/login.do?OriginalAction=solution&id=sk34579
http://updates.checkpoint.com/fileserver/ID/8141/FILE/VPN-1_NGX_R65_HFA02_Supplement3.pdf
Robert Mitchell:
http://puresecurity.com.au/index.php?action=fullnews&id=5
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200803-0237 | CVE-2008-0995 | Apple Mac OS X Printing component encrypted PDF file decryption vulnerability |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
The Printing component in Apple Mac OS X 10.5.2 uses 40-bit RC4 when printing to an encrypted PDF file, which makes it easier for attackers to decrypt the file via brute force methods.
Attackers can use trivial brute-force tactics to view data that was encrypted with the insecure algorithm. Information harvested may aid in further attacks. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability. ----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
| VAR-200803-0243 | CVE-2008-1001 | Apple Safari on Windows XP and Vista cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1, when running on Windows XP or Vista, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is not properly handled in the error page. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
NOTE: This BID is being retired.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Safari is the web browser bundled by default with the Apple family of operating systems. If users are tricked into opening malicious URLs, sensitive information may be leaked.
| VAR-200803-0248 | CVE-2008-1006 | Apple Safari window.open() function cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML by using the window.open function to change the security context of a web page.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired. Safari is the web browser bundled by default with the Apple family of operating systems. ----------------------------------------------------------------------
Secunia Network Software Inspector 2.0 (NSI) - Public Beta
4 days left of beta period.
The 1st generation of the Secunia Network Software Inspector (NSI)
has been available for corporate users for almost 1 year and it's been
a tremendous success.
The 2nd generation Secunia NSI is built on the same technology as the
award winning Secunia PSI, which has already been downloaded and
installed on more than 400,000 computers world wide.
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library. ----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property. This can be exploited to conduct
cross-site scripting attacks in sites that set the document.domain
property or between HTTP and HTTPS sites with the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using Java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject JavaScript code that will run in the context of
other frames.
9) A boundary error exists in the handling of JavaScript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
| VAR-200803-0246 | CVE-2008-1004 | Apple Safari WebCore Web Inspector cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the Web Inspector.
Attackers may exploit this issue to run script code in other domains and access the vulnerable computer's filesystem.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired. Safari is the web browser bundled by default with the Apple family of operating systems. ----------------------------------------------------------------------
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library. ----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
1) An error in the processing of "javascript:" URLs can be exploited
to execute arbitrary HTML and script code in context of another site
via a specially crafted web page.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property. This can be exploited to conduct
cross-site scripting attacks in sites that set the document.domain
property or between HTTP and HTTPS sites with the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context. This can be exploited to execute arbitrary script code in
the user's security context via a specially crafted web page.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using Java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject JavaScript code that will run in the context of
other frames.
9) A boundary error exists in the handling of JavaScript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
| VAR-200803-0247 | CVE-2008-1005 | Apple Safari of WebCore Of information leakage due to deficiency in input processing |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
WebCore, as used in Apple Safari before 3.1, does not properly mask the password field when reverse conversion is used with the Kotoeri input method, which allows physically proximate attackers to read the password.
An attacker can exploit this issue to obtain potentially sensitive information that may aid in further attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28356 Apple Safari CFNetwork Arbitrary Secure Website Spoofing Vulnerability
28321 Apple Safari Error Page Cross-Site Scripting Vulnerability
28328 Apple Safari Javascript URL Parsing Cross-Site Scripting Vulnerability
28330 Apple Safari WebCore 'document.domain' Cross-Site Scripting Vulnerability
28347 Apple Safari Web Inspector Remote Code Injection Vulnerability
28326 Apple Safari WebCore 'Kotoeri' Password Field Information Disclosure Vulnerability
28332 Apple Safari WebCore 'window.open()' Function Cross-Site Scripting Vulnerability
28335 Apple Safari WebCore Java Frame Navigation Cross-Site Scripting Vulnerability
28336 Apple Safari WebCore 'document.domain' Variant Cross-Site Scripting Vulnerability
28337 Apple Safari WebCore History Object Cross-Site Scripting Vulnerability
28338 Apple Safari WebKit JavaScript Regular Expression Handling Buffer Overflow Vulnerability
28342 Apple Safari WebKit Frame Method Cross-Site Scripting Vulnerability
Safari is the web browser bundled with the Apple family operating system by default. Safari's version 3.1 fixes multiple security holes, as follows: Under normal circumstances, the password field of a web page is hidden to prevent leakage.
----------------------------------------------------------------------
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library.
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
1) An error in the processing of "javascript:" URLs can be exploited
to execute arbitrary HTML and script code in context of another site
via a specially crafted web page.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property. This can be exploited to conduct
cross-site scripting attacks in sites that set the document.domain
property or between HTTP and HTTPS sites with the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context. This can be exploited to execute arbitrary script code in
the user's security context via a specially crafted web page.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject javascript code that will run in the context of
other frames.
9) A boundary error exists in the handling of javascript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
| VAR-200803-0242 | CVE-2008-1000 | Mac OS X of Wiki Server directory traversal vulnerability |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in ContentServer.py in the Wiki Server in Apple Mac OS X 10.5.2 (aka Leopard) allows remote authenticated users to write arbitrary files via ".." sequences in file attachments.
Exploiting this issue allows an attacker to access arbitrary files outside of the application's document root directory. This can expose sensitive information that could help the attacker launch further attacks.
Note that attackers must be registered wiki users to exploit this issue.
Wiki Server from Mac OS X Server 10.5 is vulnerable.
----------------------------------------------------------------------
TITLE:
Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29420
VERIFY ADVISORY:
http://secunia.com/advisories/29420/
CRITICAL:
Highly critical
IMPACT:
Unknown, Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, Privilege escalation, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
5) An error in NSApplication in AppKit can potentially be exploited
to execute code with escalated privileges by sending maliciously
crafted messages to privileged applications in the same bootstrap
namespace.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data. This can be exploited by a malicious, local user to
execute arbitrary code with system privileges.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
11) A vulnerability in CUPS can be exploited to execute arbitrary
code with system privileges.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
32) An error in NetCfgTool can be exploited by a malicious, local
user to execute arbitrary code with escalated privileges via a
specially crafted message.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image. This can be exploited by malicious users to upload arbitrary
files with privileges of the wiki server execute arbitrary code.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
| VAR-200803-0245 | CVE-2008-1003 | Apple Safari of WebCore Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to sites that set the document.domain property or have the same document.domain.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired. Safari is the web browser bundled with the Apple family operating system by default.
----------------------------------------------------------------------
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library.
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject javascript code that will run in the context of
other frames.
9) A boundary error exists in the handling of javascript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
| VAR-200803-0240 | CVE-2008-0998 | Apple Mac OS X of NetCfgTool Authentication bypass vulnerability |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in NetCfgTool in the System Configuration component in Apple Mac OS X 10.4.11 and 10.5.2 allows local users to bypass authorization and execute arbitrary code via crafted distributed objects. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability
The NetCfgTool privileged tool uses distributed objects to communicate with untrusted client programs on the local machine.
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. Safari).
20) A race condition error exists in NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
| VAR-200803-0244 | CVE-2008-1002 | Apple Safari vulnerable to xss via the processing of JavaScript URLs |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1 allows remote attackers to inject arbitrary web script or HTML via a crafted javascript: URL.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Apple Safari is prone to 12 security vulnerabilities.
Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible.
These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista.
NOTE: This BID is being retired. Safari is the web browser bundled by default with Apple operating systems.
----------------------------------------------------------------------
For more information:
SA29393
SOLUTION:
Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been
issued, which have been rebuilt against the new WebKit library.
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA29393
VERIFY ADVISORY:
http://secunia.com/advisories/29393/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Exposure of sensitive
information, System access
WHERE:
From remote
SOFTWARE:
Safari 3.x
http://secunia.com/product/17989/
Safari 2.x
http://secunia.com/product/5289/
DESCRIPTION:
Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security
restrictions, conduct cross-site scripting attacks, or to compromise
a vulnerable system.
2) An error exists in the handling of web pages that have explicitly set
the document.domain property. This can be exploited to conduct
cross-site scripting attacks in sites that set the document.domain
property or between HTTP and HTTPS sites with the same
document.domain.
3) An error in Web Inspector can be exploited to inject script code
that will run in other domains and can read the user's file system
when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can
result in exposing the password field on the display when reverse
conversion is requested.
5) An error within the handling of the "window.open()" function can
be used to change the security context of a web page to the caller's
context.
6) The frame navigation policy is not enforced for Java applets. This
can be exploited to conduct cross-site scripting attacks using Java
and to gain escalated privileges by enticing a user to open a
specially crafted web page.
7) An unspecified error in the handling of the document.domain
property can be exploited to conduct cross-site scripting attacks
when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be
exploited to inject JavaScript code that will run in the context of
other frames.
9) A boundary error exists in the handling of JavaScript regular
expressions, which can be exploited to cause a buffer overflow via a
specially crafted web page.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be
called in the context of another frame. This can be exploited to
conduct cross-site scripting attacks.
SOLUTION:
Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY:
1) Robert Swiecki of Google Information Security Team
2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University
10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy
and Will Drewry of Google Security Team
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307563
| VAR-200803-0241 | CVE-2008-0999 | Apple Mac OS X of UDF Service operation interruption in file system (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Apple Mac OS X 10.5.2 allows user-assisted attackers to cause a denial of service (crash) via a crafted Universal Disc Format (UDF) disk image, which triggers a NULL pointer dereference.
Attackers can leverage this issue to cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
| VAR-200803-0239 | CVE-2008-0997 | Apple Mac OS X of AppKit In PPD Buffer overflow vulnerability in file handling |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in AppKit in Apple Mac OS X 10.4.11 allows user-assisted remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted PostScript Printer Description (PPD) file that is not properly handled when querying a network printer. Failed attacks will cause denial-of-service conditions. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
----------------------------------------------------------------------
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
| VAR-200803-0233 | CVE-2008-0990 | Apple Mac OS X notifyd service disruption (DoS) vulnerability |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
notifyd in Apple Mac OS X 10.4.11 does not verify that Mach port death notifications have originated from the kernel, which allows local users to cause a denial of service via spoofed death notifications that prevent other applications from receiving notifications. The vulnerability leads to a denial-of-service (DoS) condition. Spoofed death notifications sent by a malicious local user can prevent other applications from receiving notifications.
Attackers can leverage this issue to cause denial-of-service conditions.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
| VAR-200803-0238 | CVE-2008-0996 | Mac OS X Vulnerabilities that cause login credentials to be disclosed |
CVSS V2: 1.7 CVSS V3: - Severity: LOW |
The Printing component in Apple Mac OS X 10.5.2 might save authentication credentials to disk when starting a job on an authenticated print queue, which might allow local users to obtain the credentials.
Attackers can leverage this issue to gain access to privileged authentication credentials. Other attacks are also possible. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28356 Apple Safari CFNetwork Arbitrary Secure Website Spoofing Vulnerability
28321 Apple Safari Error Page Cross-Site Scripting Vulnerability
28328 Apple Safari Javascript URL Parsing Cross-Site Scripting Vulnerability
28330 Apple Safari WebCore 'document.domain' Cross-Site Scripting Vulnerability
28347 Apple Safari Web Inspector Remote Code Injection Vulnerability
28326 Apple Safari WebCore 'Kotoeri' Password Field Information Disclosure Vulnerability
28332 Apple Safari WebCore 'window.open()' Function Cross-Site Scripting Vulnerability
28335 Apple Safari WebCore Java Frame Navigation Cross-Site Scripting Vulnerability
28336 Apple Safari WebCore 'document.domain' Variant Cross-Site Scripting Vulnerability
28337 Apple Safari WebCore History Object Cross-Site Scripting Vulnerability
28338 Apple Safari WebKit JavaScript Regular Expression Handling Buffer Overflow Vulnerability
28342 Apple Safari WebKit Frame Method Cross-Site Scripting Vulnerability.
Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs Applescript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
For more information:
SA27648
SA28318
29) A security issue is caused due to the Podcast Capture application
providing passwords to a subtask through the arguments.
30) Printing and Preview handle PDF files with weak encryption.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
| VAR-200803-0235 | CVE-2008-0993 | Apple Mac OS X Podcast Capture application password disclosure vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Podcast Capture in Podcast Producer for Apple Mac OS X 10.5.2 invokes a subtask with passwords in command line arguments, which allows local users to read the passwords via process listings.
Attackers can leverage this issue to gain access to privileged authentication credentials. Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AFP Client, AFP Server, AppKit, Application Firewall, CoreFoundation, CoreServices, CUPS, Foundation, Help Viewer, Image Raw, libc, mDNSResponder, notifyd, pax archive utility, Podcast Producer, Preview, Printing, System Configuration, UDF, and Wiki Server.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
These issues affect Apple Mac OS X 10.4.11, 10.4.11 Server, 10.5.2, 10.5.2 Server and earlier.
NOTE: This BID is being retired. The following individual records have been created to fully document all the vulnerabilities that were described in this BID:
28320 Apple Mac OS X AFP Client 'afp://' URI Remote Code Execution Vulnerability CVE-2008-0044.
28323 Apple Mac OS X AFP Server Cross-Realm Authentication Bypass Vulnerability CVE-2008-0994
28388 Apple Mac OS X AppKit NSDocument API's Stack Based Buffer Overflow Vulnerability CVE-2008-0048
28340 Apple Mac OS X AppKit Bootstrap Namespace Local Privilege Escalation Vulnerability CVE-2008-0049
28358 Apple Mac OS X AppKit Legacy Serialization Kit Multiple Integer Overflow Vulnerabilities CVE-2008-0057
28364 Apple Mac OS X AppKit PPD File Stack Buffer Overflow Vulnerability CVE-2008-0997
28368 Apple Mac OS X Application Firewall German Translation Insecure Configuration Weakness CVE-2008-0046
28375 Apple Mac OS X CoreFoundation Time Zone Data Local Privilege Escalation Vulnerability CVE-2008-0051
28384 Apple Mac OS X CoreServices '.ief' Files Security Policy Violation Weakness CVE-2008-0052
28334 CUPS Multiple Unspecified Input Validation Vulnerabilities
28341 Apple Mac OS X Foundation 'NSSelectorFromString' Input Validation Vulnerability
28343 Apple Mac OS X Foundation NSFileManager Insecure Directory Local Privilege Escalation Vulnerability
28357 Apple Mac OS X Foundation 'NSFileManager' Stack-Based Buffer Overflow Vulnerability
28359 Apple Mac OS X Foundation 'NSURLConnection' Cache Management Race Condition Security Vulnerability
28363 Apple Mac OS X Image RAW Stack-Based Buffer Overflow Vulnerability
28367 Apple Mac OS X Foundation 'NSXML' XML File Processing Race Condition Security Vulnerability
28371 Apple Mac OS X Help Viewer Remote Applescript Code Execution Vulnerability
28374 Apple Mac OS X libc 'strnstr(3)' Off-By-One Denial of Service Vulnerability
28387 Apple Mac OS X Printing To PDF Insecure Encryption Weakness
28386 Apple Mac OS X Preview PDF Insecure Encryption Weakness
28389 Apple Mac OS X Universal Disc Format Remote Denial of Service Vulnerability
28385 Apple Mac OS X NetCfgTool Local Privilege Escalation Vulnerability
28365 Apple Mac OS X pax Archive Utility Remote Code Execution Vulnerability
28344 Apple Mac OS X Authenticated Print Queue Information Disclosure Vulnerability
28345 Apple Mac OS X 'notifyd' Local Denial of Service Vulnerability
28372 Apple Mac OS X Podcast Producer Podcast Capture Information Disclosure Vulnerability
28339 Apple Mac OS X mDNSResponderHelper Local Format String Vulnerability.
1) Multiple boundary errors in AFP client when processing "afp://"
URLs can be exploited to cause stack-based buffer overflows when a
user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal
realm names. This can be exploited to make unauthorized connections
to the server when cross-realm authentication with AFP Server is
used.
3) Multiple vulnerabilities in Apache can be exploited by malicious
people to conduct cross-site scripting attacks, cause a DoS (Denial
of Service), or potentially compromise a vulnerable system.
For more information:
SA18008
SA21197
SA26636
SA27906
SA28046
4) A boundary error within the handling of file names in the
NSDocument API in AppKit can be exploited to cause a stack-based
buffer overflow.
6) Multiple integer overflow errors exist in the parser for a legacy
serialization format. This can be exploited to cause a heap-based
buffer overflow when a specially crafted serialized property list is
parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites
via 502 Bad Gateway errors from a malicious HTTPS proxy server.
8) Multiple vulnerabilities in ClamAV can be exploited by malicious
people to cause a DoS (Denial of Service) or to compromise a
vulnerable system.
For more information:
SA23347
SA24187
SA24891
SA26038
SA26530
SA28117
SA28907
9) An integer overflow error exists in CoreFoundation when handling
time zone data.
10) The problem is that files with names ending in ".ief" can be
automatically opened in AppleWorks if "Open 'Safe' files" is enabled
in Safari.
For more information:
SA29431
12) Multiple input validation errors exist in CUPS, which can be
exploited to execute arbitrary code with system privileges.
13) A boundary error in curl can be exploited to compromise a user's
system.
For more information:
SA17907
14) A vulnerability in emacs can be exploited by malicious people to
compromise a user's system.
For more information:
SA27508
15) A vulnerability in "file" can be exploited by malicious people to
compromise a vulnerable system.
For more information:
SA24548
16) An input validation error exists in the NSSelectorFromString API,
which can potentially be exploited to execute arbitrary code via a
malformed selector name.
17) A race condition error in NSFileManager can potentially be
exploited to gain escalated privileges.
18) A boundary error in NSFileManager can potentially be exploited to
cause a stack-based buffer overflow via an overly long pathname with a
specially crafted structure.
19) A race condition error exists in the cache management of
NSURLConnection. This can be exploited to cause a DoS or execute
arbitrary code in applications using the library (e.g. Safari).
20) A race condition error exists in NSXML. This can be exploited to
execute arbitrary code by enticing a user to process an XML file in
an application which uses NSXML.
21) An error in Help Viewer can be exploited to insert arbitrary HTML
or JavaScript into the generated topic list page via a specially
crafted "help:topic_list" URL and may redirect to a Help Viewer
"help:runscript" link that runs AppleScript.
22) A boundary error exists in Image Raw within the handling of Adobe
Digital Negative (DNG) image files. This can be exploited to cause a
stack-based buffer overflow by enticing a user to open a maliciously
crafted image file.
23) Multiple vulnerabilities in Kerberos can be exploited to cause a
DoS or to compromise a vulnerable system.
For more information:
SA29428
24) An off-by-one error in "strnstr()" in libc can be exploited to
cause a DoS.
25) A format string error exists in mDNSResponderHelper, which can be
exploited by a malicious, local user to cause a DoS or execute
arbitrary code with privileges of mDNSResponderHelper by setting the
local hostname to a specially crafted string.
26) An error in notifyd can be exploited by a malicious, local user
to deny access to notifications by sending fake Mach port death
notifications to notifyd.
27) An array indexing error in the pax command line tool can be
exploited to execute arbitrary code.
28) Multiple vulnerabilities in php can be exploited to bypass
certain security restrictions.
30) Printing and Preview handle PDF files with weak encryption.
31) An error in Printing in the handling of authenticated print
queues can lead to credentials being saved to disk.
33) A null-pointer dereference error exists in the handling of
Universal Disc Format (UDF) file systems, which can be exploited to
cause a system shutdown by enticing a user to open a maliciously
crafted disk image.
35) Some vulnerabilities in X11 can be exploited by malicious, local
users to gain escalated privileges.
For more information:
SA27040
SA28532
36) Some vulnerabilities in libpng can be exploited by malicious
people to cause a DoS (Denial of Service).
For more information:
SA22900
SA25292
SA27093
SA27130
SOLUTION:
Apply Security Update 2008-002.
Security Update 2008-002 v1.0 (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10ppc.html
Security Update 2008-002 v1.0 (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10universal.html
Security Update 2008-002 v1.0 (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10leopard.html
Security Update 2008-002 v1.0 Server (Leopard):
http://www.apple.com/support/downloads/securityupdate2008002v10serverleopard.html
Security Update 2008-002 v1.0 Server (PPC):
http://www.apple.com/support/downloads/securityupdate2008002v10serverppc.html
Security Update 2008-002 v1.0 Server (Universal):
http://www.apple.com/support/downloads/securityupdate2008002v10serveruniversal.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm
11) regenrecht via iDefense
19) Daniel Jalkut, Red Sweater Software
22) Brian Mastenbrook
24) Mike Ash, Rogue Amoeba Software
29) Maximilian Reiss, Chair for Applied Software Engineering, TUM
33) Paul Wagland of Redwood Software, and Wayne Linder of Iomega
34) Rodrigo Carvalho, CORE Security Technologies
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307562
CORE-2008-0123:
http://www.coresecurity.com/?action=item&id=2189
OTHER REFERENCES:
SA17907:
http://secunia.com/advisories/17907/
SA18008:
http://secunia.com/advisories/18008/
SA21197:
http://secunia.com/advisories/21197/
SA22900:
http://secunia.com/advisories/22900/
SA23347:
http://secunia.com/advisories/23347/
SA24187:
http://secunia.com/advisories/24187/
SA24548:
http://secunia.com/advisories/24548/
SA24891:
http://secunia.com/advisories/24891/
SA25292:
http://secunia.com/advisories/25292/
SA26038:
http://secunia.com/advisories/26038/
SA26530:
http://secunia.com/advisories/26530/
SA26636:
http://secunia.com/advisories/26636/
SA27040:
http://secunia.com/advisories/27040/
SA27093:
http://secunia.com/advisories/27093/
SA27130:
http://secunia.com/advisories/27130/
SA27648:
http://secunia.com/advisories/27648/
SA27508:
http://secunia.com/advisories/27508/
SA27906:
http://secunia.com/advisories/27906/
SA28046:
http://secunia.com/advisories/28046/
SA28117:
http://secunia.com/advisories/28117/
SA28318:
http://secunia.com/advisories/28318/
SA28532:
http://secunia.com/advisories/28532/
SA28907:
http://secunia.com/advisories/28907/
SA29428:
http://secunia.com/advisories/29428/
SA29431:
http://secunia.com/advisories/29431/
----------------------------------------------------------------------