VARIoT IoT vulnerabilities database

ACT P202S VOIP WIFI is a wireless VOIP phone. MPM HP-180W VOIP WIFI phones have multiple security issues that can be exploited by remote attackers to gain access to sensitive information or administrator access. The ACT P202S VOIP WIFI phone allows remote debug connections and remote unauthorized management access. Successful exploitation of these vulnerabilities allows an attacker to obtain debug information or denial of service from the device. These include undocumented port UDP/17185 VxWorks WDB for remote debugging, undocumented port TCP/7 echo, undocumented port TCP/513 rlogin

Advantage Century Telecommunication (ACT) P202S IP Phone 1.01.21 running firmware 1.1.21 on VxWorks uses a hardcoded Network Time Protocol (NTP) server in Taiwan, which could allow remote attackers to provide false time information, block access to time information, or conduct other attacks. ACT P202S VOIP WIFI Phone allows remote debugger connections and remote unauthenticated administrative access. Successful exploitation of these vulnerabilities could allow a remote attacker to obtain debugging information from the device or cause a denial of service. Other attacks are also possible. ACT P202S VOIP WIFI Phones running firmware version 1.01.21 is prone to these issues. Due to code reuse, other devices and versions may also be affected. TITLE: ACT WLAN Phone P202S Multiple Security Issues SECUNIA ADVISORY ID: SA18514 VERIFY ADVISORY: http://secunia.com/advisories/18514/ CRITICAL: Less critical IMPACT: Unknown, Security Bypass, Exposure of system information, DoS WHERE: >From local network OPERATING SYSTEM: ACT WLAN Phone P202S http://secunia.com/product/6843/ DESCRIPTION: Shawn Merdinger has reported some security issues in ACT WLAN Phone P202S, which can be exploited by malicious people to potentially disclose system information, potentially cause a DoS (Denial of Service), and bypass certain security restrictions. 2) An error caused due to the phone allowing connections to the echo service on port 7/tcp may be exploited to cause a DoS on other network devices. 3) An error caused due to the phone allowing connections to the rlogin service on port 513/tcp can be exploited to gain rlogin access to the phone without authentication. It has also been reported that the phone has a hardcoded NTP server. The security issues have been reported in version 1.01.21. SOLUTION: Restrict use to within trusted networks only. PROVIDED AND/OR DISCOVERED BY: Shawn Merdinger ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041434.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unquoted Windows search path vulnerability in Check Point VPN-1 SecureClient might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when SecureClient attempts to launch the Sr_GUI.exe program. Check Point VPN-1 SecureClient is prone to a vulnerability that could allow an arbitrary file to be executed. The application attempts to execute an application without using properly quoted paths. Successful exploitation may allow local attackers to gain elevated privileges. Specific information about affected versions of Check Point VPN-1 SecureClient is unavailable at this time. This BID will be updated as further information is disclosed

Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:164 http://www.mandriva.com/security/ _______________________________________________________________________ Package : tetex Date : August 14, 2007 Affected: 2007.0, 2007.1, Corporate 4.0 _______________________________________________________________________ Problem Description: Maurycy Prodeus found an integer overflow vulnerability in the way various PDF viewers processed PDF files. In addition, tetex contains an embedded copy of the GD library which suffers from a number of bugs which potentially lead to denial of service and possibly other issues. (CVE-2007-3472) The gdImageCreateXbm function in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors involving a gdImageCreate failure. (CVE-2007-3473) Multiple unspecified vulnerabilities in the GIF reader in the GD Graphics Library (libgd) before 2.0.35 allow user-assisted remote attackers to have unspecified attack vectors and impact. (CVE-2007-3474) The GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via a GIF image that has no global color map. (CVE-2007-3475) Array index error in gd_gif_in.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash and heap corruption) via large color index values in crafted image data, which results in a segmentation fault. (CVE-2007-3476) The (a) imagearc and (b) imagefilledarc functions in GD Graphics Library (libgd) before 2.0.35 allows attackers to cause a denial of service (CPU consumption) via a large (1) start or (2) end angle degree value. (CVE-2007-3477) Race condition in gdImageStringFTEx (gdft_draw_bitmap) in gdft.c in the GD Graphics Library (libgd) before 2.0.35 allows user-assisted remote attackers to cause a denial of service (crash) via unspecified vectors, possibly involving truetype font (TTF) support. (CVE-2007-3478) Updated packages have been patched to prevent these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3472 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3473 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3474 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3475 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3476 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3477 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3478 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: fb959e3f6f872b50954fa8da4fe3c419 2007.0/i586/jadetex-3.12-116.4mdv2007.0.i586.rpm 02e7b28c729ec9f57d5268daedee85e7 2007.0/i586/tetex-3.0-18.4mdv2007.0.i586.rpm 8b89557fbac6f6b37f78f2a2aee16569 2007.0/i586/tetex-afm-3.0-18.4mdv2007.0.i586.rpm f5169a380ec30b11a69b37c38e81555f 2007.0/i586/tetex-context-3.0-18.4mdv2007.0.i586.rpm f4dbfde981fd4658044222bc159ecd41 2007.0/i586/tetex-devel-3.0-18.4mdv2007.0.i586.rpm e0f85c8410194f78ba2aea95e4f9483b 2007.0/i586/tetex-doc-3.0-18.4mdv2007.0.i586.rpm 9753cb8ba53e41a19bdd46bd21d149e0 2007.0/i586/tetex-dvilj-3.0-18.4mdv2007.0.i586.rpm bf28b703c43dea8ddedd6b3dd31d6d4d 2007.0/i586/tetex-dvipdfm-3.0-18.4mdv2007.0.i586.rpm 456feadedb60e9b8f0fa653a4b8c242c 2007.0/i586/tetex-dvips-3.0-18.4mdv2007.0.i586.rpm 596d3a551105ed4ae7504069d97ea15b 2007.0/i586/tetex-latex-3.0-18.4mdv2007.0.i586.rpm 0fa6f2279adff2c0e49e021342684962 2007.0/i586/tetex-mfwin-3.0-18.4mdv2007.0.i586.rpm 4dfbc03ccff172c0031f3b66f49f2e67 2007.0/i586/tetex-texi2html-3.0-18.4mdv2007.0.i586.rpm 3fe94235dcf1d60559c5e22dcb661135 2007.0/i586/tetex-xdvi-3.0-18.4mdv2007.0.i586.rpm 50face08da8982afdcaa653c46d23893 2007.0/i586/xmltex-1.9-64.4mdv2007.0.i586.rpm 63549bc50b3b654e72be1947d1b3d79b 2007.0/SRPMS/tetex-3.0-18.4mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 3ba044a5b0cbd36b27fa8ebd60d51e8d 2007.0/x86_64/jadetex-3.12-116.4mdv2007.0.x86_64.rpm 94b050b17693804a81e68107b37aade8 2007.0/x86_64/tetex-3.0-18.4mdv2007.0.x86_64.rpm dca2d262c4345720681e776de7aaf3b5 2007.0/x86_64/tetex-afm-3.0-18.4mdv2007.0.x86_64.rpm 6387c4e3923b174732ea42e1c1961f31 2007.0/x86_64/tetex-context-3.0-18.4mdv2007.0.x86_64.rpm 9e31f83c40c6bf2bd0528fd8debc7da0 2007.0/x86_64/tetex-devel-3.0-18.4mdv2007.0.x86_64.rpm b61e81383f6becccb285e0e9e3c04fc8 2007.0/x86_64/tetex-doc-3.0-18.4mdv2007.0.x86_64.rpm ff32dc4e3ee6c9ce2e7160e0e2e8d000 2007.0/x86_64/tetex-dvilj-3.0-18.4mdv2007.0.x86_64.rpm d4bf450a8fc9da8d97cb03a5fd895e5d 2007.0/x86_64/tetex-dvipdfm-3.0-18.4mdv2007.0.x86_64.rpm 9bb0bb329efda5960b7c43cab4bb60a8 2007.0/x86_64/tetex-dvips-3.0-18.4mdv2007.0.x86_64.rpm a6e2b2af59a022db1ccc897d78fd3df1 2007.0/x86_64/tetex-latex-3.0-18.4mdv2007.0.x86_64.rpm 6fdee1957e97c37034bafd9546071553 2007.0/x86_64/tetex-mfwin-3.0-18.4mdv2007.0.x86_64.rpm a10d83249b768f676eabcbdc8d1def85 2007.0/x86_64/tetex-texi2html-3.0-18.4mdv2007.0.x86_64.rpm 71907f30dc7beb72245329e3df4f3d13 2007.0/x86_64/tetex-xdvi-3.0-18.4mdv2007.0.x86_64.rpm 824f5631d126e96851540ce059f378a6 2007.0/x86_64/xmltex-1.9-64.4mdv2007.0.x86_64.rpm 63549bc50b3b654e72be1947d1b3d79b 2007.0/SRPMS/tetex-3.0-18.4mdv2007.0.src.rpm Mandriva Linux 2007.1: 81f9fad03bffde4848b2684b0beaf1be 2007.1/i586/jadetex-3.12-129.3mdv2007.1.i586.rpm 240f0698cc266be75607780ca95f7df9 2007.1/i586/tetex-3.0-31.3mdv2007.1.i586.rpm adaa2d6fa7128e0c1ef125c5b2a27bd1 2007.1/i586/tetex-afm-3.0-31.3mdv2007.1.i586.rpm 143aa48143998f5ffd5877fb348c06c3 2007.1/i586/tetex-context-3.0-31.3mdv2007.1.i586.rpm 3a3b1e82a1fb3e2260eeac49bd038d44 2007.1/i586/tetex-devel-3.0-31.3mdv2007.1.i586.rpm 98781fd21fae15a9d190387bb7c894fa 2007.1/i586/tetex-doc-3.0-31.3mdv2007.1.i586.rpm 162cc4138d291f34e17589dcbaf47e02 2007.1/i586/tetex-dvilj-3.0-31.3mdv2007.1.i586.rpm c290665965a32365750302b66998cf9c 2007.1/i586/tetex-dvipdfm-3.0-31.3mdv2007.1.i586.rpm 521a43054786848837cadf65d7373adb 2007.1/i586/tetex-dvips-3.0-31.3mdv2007.1.i586.rpm db59616b644d2d040bf20bba50b98a52 2007.1/i586/tetex-latex-3.0-31.3mdv2007.1.i586.rpm 42b078d4e8b5ecfa43cecd105cfd9973 2007.1/i586/tetex-mfwin-3.0-31.3mdv2007.1.i586.rpm d80a680507279c769af4eac68342779e 2007.1/i586/tetex-texi2html-3.0-31.3mdv2007.1.i586.rpm 6ad4a6a5df7c31302c0d8f0294b441fe 2007.1/i586/tetex-usrlocal-3.0-31.3mdv2007.1.i586.rpm a636c345e691cfcad8bb057aa724ca32 2007.1/i586/tetex-xdvi-3.0-31.3mdv2007.1.i586.rpm 81cb470114d43d4ba480c7ef38ad8f9b 2007.1/i586/xmltex-1.9-77.3mdv2007.1.i586.rpm 1fe7e7ec1366f1c03208b9acf2c6e4dc 2007.1/SRPMS/tetex-3.0-31.3mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: 931bdcfab39b511372c0fe1667cdec9b 2007.1/x86_64/jadetex-3.12-129.3mdv2007.1.x86_64.rpm be2917b026909b9fe2d6f54425f0ae01 2007.1/x86_64/tetex-3.0-31.3mdv2007.1.x86_64.rpm 3927b9a088b3dbbb035ab504724224fa 2007.1/x86_64/tetex-afm-3.0-31.3mdv2007.1.x86_64.rpm 5e0dc9457f6e864bfd097e52540ca691 2007.1/x86_64/tetex-context-3.0-31.3mdv2007.1.x86_64.rpm c360e8b3bb98ee7f7467028038e97e1a 2007.1/x86_64/tetex-devel-3.0-31.3mdv2007.1.x86_64.rpm d48d985a35aa93c17c45349c28c0b243 2007.1/x86_64/tetex-doc-3.0-31.3mdv2007.1.x86_64.rpm eb67ec1e91e422ecfa36f1cbbac8971a 2007.1/x86_64/tetex-dvilj-3.0-31.3mdv2007.1.x86_64.rpm 851858c723458b732e522a3c0e61369c 2007.1/x86_64/tetex-dvipdfm-3.0-31.3mdv2007.1.x86_64.rpm a0eda317da29934a5633f42b177a530f 2007.1/x86_64/tetex-dvips-3.0-31.3mdv2007.1.x86_64.rpm 753c701f03329627fb9e39753981e843 2007.1/x86_64/tetex-latex-3.0-31.3mdv2007.1.x86_64.rpm d994a4854aba90786bbd9a4ec3c12019 2007.1/x86_64/tetex-mfwin-3.0-31.3mdv2007.1.x86_64.rpm e655586388e11bf71063402efc3a7753 2007.1/x86_64/tetex-texi2html-3.0-31.3mdv2007.1.x86_64.rpm 9d5f65b626bd71949a07e6c7431817e0 2007.1/x86_64/tetex-usrlocal-3.0-31.3mdv2007.1.x86_64.rpm 55315fd53192e1d99eee611c658d803e 2007.1/x86_64/tetex-xdvi-3.0-31.3mdv2007.1.x86_64.rpm 64af62bd89fcac2a4ffad45a8eae77d6 2007.1/x86_64/xmltex-1.9-77.3mdv2007.1.x86_64.rpm 1fe7e7ec1366f1c03208b9acf2c6e4dc 2007.1/SRPMS/tetex-3.0-31.3mdv2007.1.src.rpm Corporate 4.0: ded203c11a86b123fb65dccf7ebefe7b corporate/4.0/i586/jadetex-3.12-110.6.20060mlcs4.i586.rpm 02ca90145d6b09cdd92bc9906a9dfa41 corporate/4.0/i586/tetex-3.0-12.6.20060mlcs4.i586.rpm 9af4a0c59bf34cb69ec03feeecc10b51 corporate/4.0/i586/tetex-afm-3.0-12.6.20060mlcs4.i586.rpm c4a7cdb06beb70e2652fee997cd5acd1 corporate/4.0/i586/tetex-context-3.0-12.6.20060mlcs4.i586.rpm 4d4e89d588e0ec5a1a30659b194e53a7 corporate/4.0/i586/tetex-devel-3.0-12.6.20060mlcs4.i586.rpm 7ae26e309360bdfdb9c5c503b0d4edf9 corporate/4.0/i586/tetex-doc-3.0-12.6.20060mlcs4.i586.rpm 302004f96913e500079054ecb03adda9 corporate/4.0/i586/tetex-dvilj-3.0-12.6.20060mlcs4.i586.rpm 00cd5bce374228d46b18d5b2210639f9 corporate/4.0/i586/tetex-dvipdfm-3.0-12.6.20060mlcs4.i586.rpm f216bf18966462b172832a6f8a27fd78 corporate/4.0/i586/tetex-dvips-3.0-12.6.20060mlcs4.i586.rpm f1b3b6fcb547e477570f1311fa7367a0 corporate/4.0/i586/tetex-latex-3.0-12.6.20060mlcs4.i586.rpm 86eb52c3286302e3343928a7bdeb9548 corporate/4.0/i586/tetex-mfwin-3.0-12.6.20060mlcs4.i586.rpm a769eab0038bac03e47a72b634f79e19 corporate/4.0/i586/tetex-texi2html-3.0-12.6.20060mlcs4.i586.rpm fd8530a3177047b3dd9ad9f5c1116020 corporate/4.0/i586/tetex-xdvi-3.0-12.6.20060mlcs4.i586.rpm 7d647f0f6d3db2a9a0f3b6be1fcb672c corporate/4.0/i586/xmltex-1.9-58.6.20060mlcs4.i586.rpm 8118fdc39814ac5d79b8763a5eaeee61 corporate/4.0/SRPMS/tetex-3.0-12.6.20060mlcs4.src.rpm Corporate 4.0/X86_64: 03656d00a3a0ab1847acb665ef68d947 corporate/4.0/x86_64/jadetex-3.12-110.6.20060mlcs4.x86_64.rpm df2818955a171b5e682b2e481ea456f0 corporate/4.0/x86_64/tetex-3.0-12.6.20060mlcs4.x86_64.rpm b33cd2edda19f78a7fc67d5fff165b0a corporate/4.0/x86_64/tetex-afm-3.0-12.6.20060mlcs4.x86_64.rpm 7d5818ed21c76ed6ea5db364fb4e9693 corporate/4.0/x86_64/tetex-context-3.0-12.6.20060mlcs4.x86_64.rpm 58f46f75a1d4df827911727ebacbc352 corporate/4.0/x86_64/tetex-devel-3.0-12.6.20060mlcs4.x86_64.rpm edc968cfaa147eb6c0a44d367945cdee corporate/4.0/x86_64/tetex-doc-3.0-12.6.20060mlcs4.x86_64.rpm cbb35ba57e6b7e4ff5e1f7746a556dba corporate/4.0/x86_64/tetex-dvilj-3.0-12.6.20060mlcs4.x86_64.rpm 64037dfd41b52942db831d5d1db263ae corporate/4.0/x86_64/tetex-dvipdfm-3.0-12.6.20060mlcs4.x86_64.rpm 521ac94898d0dd328a72b41a897cac77 corporate/4.0/x86_64/tetex-dvips-3.0-12.6.20060mlcs4.x86_64.rpm 7b08d2c8978a0d020d8bd29478e9300c corporate/4.0/x86_64/tetex-latex-3.0-12.6.20060mlcs4.x86_64.rpm 2c8045b7090444ae36576040d4106399 corporate/4.0/x86_64/tetex-mfwin-3.0-12.6.20060mlcs4.x86_64.rpm 3124bf387e243377003b3bf21d34b6b9 corporate/4.0/x86_64/tetex-texi2html-3.0-12.6.20060mlcs4.x86_64.rpm 88ea09f36b9281e64061a2ca25d10719 corporate/4.0/x86_64/tetex-xdvi-3.0-12.6.20060mlcs4.x86_64.rpm e34498cb80e93ccd2b592ff8a722b985 corporate/4.0/x86_64/xmltex-1.9-58.6.20060mlcs4.x86_64.rpm 8118fdc39814ac5d79b8763a5eaeee61 corporate/4.0/SRPMS/tetex-3.0-12.6.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGwgCrmqjQ0CJFipgRAvxaAKD0oN2+nbJYsb/02Pfv7e91rH+OwQCgoNcD E25vkVsg47bEpt/Rv8lWmms= =oC5G -----END PGP SIGNATURE----- . Background ========== KOffice is an integrated office suite for KDE. KWord is the KOffice word processor. KPDF is a KDE-based PDF viewer included in the kdegraphics package. http://creativecommons.org/licenses/by-sa/2.5 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHC/wXuhJ+ozIKI5gRAhh+AJ0dKyYwWcqlfdkzH9BPsiOB37T+vQCfbBlI 7Gg6tQlmD0S9r3+mIxCBGPQ= =oXjB -----END PGP SIGNATURE----- . For the oldstable distribution (sarge) this problem has been fixed in version 0.4.2-2sarge6. The stable distribution (etch) isn't affected by this problem. The unstable distribution (sid) isn't affected by this problem. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/libe/libextractor/libextractor_0.4.2-2sarge6.dsc Size/MD5 checksum: 778 fbcbd62c772674dc96a26373e5aa6e01 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor_0.4.2-2sarge6.diff.gz Size/MD5 checksum: 9063 bb026f68189fd93686e5fd94b6cda88e http://security.debian.org/pool/updates/main/libe/libextractor/libextractor_0.4.2.orig.tar.gz Size/MD5 checksum: 5887095 d99e1b13a017d39700e376a0edbf7ba2 Alpha architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_alpha.deb Size/MD5 checksum: 19690 01b435b2688d03f3459c79526954925c http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_alpha.deb Size/MD5 checksum: 5810714 dd23f39e0b388296b1fc271739712ebe http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_alpha.deb Size/MD5 checksum: 19484 7f05a34e53fd43830028912e14d2328f AMD64 architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_amd64.deb Size/MD5 checksum: 18346 b0630efe8af750547c51f18e2b37e56c http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_amd64.deb Size/MD5 checksum: 5641608 6cc4c3570ed2c3319944d2dadeb32df2 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_amd64.deb Size/MD5 checksum: 17618 b03292795065cdd0c9444343f216a058 ARM architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_arm.deb Size/MD5 checksum: 17726 b7d8e767fdec15d9f1dd42a4d287d093 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_arm.deb Size/MD5 checksum: 5710926 010de9d5ca245ecde20850f2077ec525 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_arm.deb Size/MD5 checksum: 17034 70da5564ca690372c8ff2f920e3145e7 Intel IA-32 architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_i386.deb Size/MD5 checksum: 17870 34c81aebd99358f6a6668e6a6e766dcf http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_i386.deb Size/MD5 checksum: 5713546 59647b99f778803ae7dd04b8a3ef4f69 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_i386.deb Size/MD5 checksum: 16796 f6a61702be519be0de6ba5254a8d2bc1 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_ia64.deb Size/MD5 checksum: 20664 abbab8aca9823e749ce8f56ba180605a http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_ia64.deb Size/MD5 checksum: 5905678 6c4fae9ee6f98f8a2b04dfc8bb1e6c77 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_ia64.deb Size/MD5 checksum: 19402 7217989cd00aa203703636a12b73ef1c Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_m68k.deb Size/MD5 checksum: 17432 ad4ed814052b2b16a980916e8c26b4d5 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_m68k.deb Size/MD5 checksum: 5708490 4456e64e983995cdaada1b8003b87de9 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_m68k.deb Size/MD5 checksum: 16664 8d0a17ffea00ef3a8dd84ad1ef751382 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_mips.deb Size/MD5 checksum: 18672 ca896e1b783faaa7fd4f0b16bd5b679f http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_mips.deb Size/MD5 checksum: 5729468 b4369a7e90e9378aaf16c22e6ee8ba23 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_mips.deb Size/MD5 checksum: 17960 adf6c5dadd298f2cbfb129b329cbd396 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_mipsel.deb Size/MD5 checksum: 18720 24b4c8c7394ca7600b5d56ff6756ced0 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_mipsel.deb Size/MD5 checksum: 5727182 0d3c4b40711cd5ff424d9c3509abc959 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_mipsel.deb Size/MD5 checksum: 17990 2bfd506c4227ba2b51128ed229d05737 PowerPC architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_powerpc.deb Size/MD5 checksum: 19840 965842771a493480a596d23219240384 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_powerpc.deb Size/MD5 checksum: 5678172 d9b4e7d752db6ca53ce6adddd1c8963b http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_powerpc.deb Size/MD5 checksum: 17802 9d4275a87460db16bf31e112f8a7be72 IBM S/390 architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_s390.deb Size/MD5 checksum: 18220 218a8b4f648ee49543981dd7a418a86b http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_s390.deb Size/MD5 checksum: 5768298 367428e42de8d1af622d02d64f4fb027 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_s390.deb Size/MD5 checksum: 18166 98cb43003a7a95dbfd121cf615f73bc8 Sun Sparc architecture: http://security.debian.org/pool/updates/main/libe/libextractor/extract_0.4.2-2sarge6_sparc.deb Size/MD5 checksum: 17728 f9220d2e7654b273448c0880374f59d4 http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1_0.4.2-2sarge6_sparc.deb Size/MD5 checksum: 5752498 5c5bcdf9c749506310e95137ae80550c http://security.debian.org/pool/updates/main/libe/libextractor/libextractor1-dev_0.4.2-2sarge6_sparc.deb Size/MD5 checksum: 16938 b90780181aeb323dbcc4dfa11db7bcd0 These files will probably be moved into the stable distribution on its next update. TITLE: GNOME gpdf Xpdf Multiple Integer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA18375 VERIFY ADVISORY: http://secunia.com/advisories/18375/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: GNOME 2.x http://secunia.com/product/3277/ DESCRIPTION: Some vulnerabilities have been reported in GNOME gpdf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. For more information: SA18303 SOLUTION: Restrict use to trusted PDF files only. OTHER REFERENCES: SA18303: http://secunia.com/advisories/18303/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ** REJECTED ** Do not use this application number. ConsultIDs: CVE-2007-3387. Reason: This application number is a duplicate of CVE-2007-3387. =========================================================== Ubuntu Security Notice USN-496-2 August 07, 2007 poppler vulnerability CVE-2007-3387 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 6.10 Ubuntu 7.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libpoppler1 0.5.1-0ubuntu7.2 Ubuntu 6.10: libpoppler1 0.5.4-0ubuntu4.2 Ubuntu 7.04: libpoppler1 0.5.4-0ubuntu8.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: USN-496-1 fixed a vulnerability in koffice. This update provides the corresponding updates for poppler, the library used for PDF handling in Gnome. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200710-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: PDFKit, ImageKits: Buffer overflow Date: October 18, 2007 Bugs: #188185 ID: 200710-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== PDFKit and ImageKits are vulnerable to an integer overflow and a stack overflow allowing for the user-assisted execution of arbitrary code. Background ========== PDFKit is a framework for rendering of PDF content in GNUstep applications. ImageKits is a collection of frameworks to support imaging in GNUstep applications. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 gnustep-libs/pdfkit <= 0.9_pre062906 Vulnerable! 2 gnustep-libs/imagekits <= 0.6 Vulnerable! ------------------------------------------------------------------- NOTE: Certain packages are still vulnerable. Users should migrate to another package if one is available or wait for the existing packages to be marked stable by their architecture maintainers. ------------------------------------------------------------------- 2 affected packages on all of their supported architectures. ImageKits also contains a copy of PDFKit. Workaround ========== There is no known workaround at this time. Resolution ========== PDFKit and ImageKits are not maintained upstream, so the packages were masked in Portage. We recommend that users unmerge PDFKit and ImageKits: # emerge --unmerge gnustep-libs/pdfkit # emerge --unmerge gnustep-libs/imagekits As an alternative, users should upgrade their systems to use PopplerKit instead of PDFKit and Vindaloo instead of ViewPDF. References ========== [ 1 ] CVE-2007-3387 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3387 [ 2 ] GLSA 200709-12 http://www.gentoo.org/security/en/glsa/glsa-200709-12.xml Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200710-20.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . The original vulnerability was discovered by Maurycy Prodeus. Note: Gentoo's version of Xpdf is patched to use the Poppler library, so the update to Poppler will also fix Xpdf

Cisco IOS before 12.3-7-JA2 on Aironet Wireless Access Points (WAP) allows remote authenticated users to cause a denial of service (termination of packet passing or termination of client connections) by sending the management interface a large number of spoofed ARP packets, which creates a large ARP table that exhausts memory, aka Bug ID CSCsc16644. Cisco IOS Wireless access point that operates Cisco Aironet Wireless Access Points (WAP) Is illegal ARP When processing a request, there is a vulnerability where the physical memory on the device is exhausted and traffic cannot be processed.Device is out of service (DoS) It may be in a state. This issue is due to memory exhaustion caused by improper handling of an excessive number of ARP requests. This issue allows attackers who can successfully associate with a vulnerable access point to exhaust the memory of the affected device. As a result, the device fails to pass legitimate traffic until it has been rebooted. There is a loophole in Cisco Aironet's processing of ARP requests, and a remote attacker may use the loophole to carry out a denial of service attack on the device. This will cause the device to be unable to transmit traffic until it is powered off and reloaded, affecting the availability of the wireless access point, and may not be able to use management and packet forwarding services. This can be exploited by sending spoofed ARP messages to the management interface of the AP to continuously add entries to the ARP table of the device until the device runs out of memory. Successful exploitation causes the AP to be unable to pass traffic until the device is restarted, but requires the ability to send ARP messages to the management interface of the AP. SOLUTION: Update to IOS version 12.3-7-JA2. http://tools.cisco.com/support/downloads/pub/MDFTree.x?butype=wireless PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060112-wireless.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.1.3 has an undocumented administrative account with a default password, which allows local users to gain privileges via the expert command. This password is static across all installations of the software. It is possible for those running software release 4.1.3 and later to change a portion of the default administrative password, effectively addressing the vulnerability. However, earlier versions do not provide this option. In addition, CS-MARS can also perform automated tasks to alleviate safety issues. Successful exploitation of this vulnerability will allow the attacker to obtain full management rights of the CS-MARS device. The password for the account reportedly cannot be changed. Successful exploitation requires logon to the administration command line interface with e.g. the "pnadmin" account. The vulnerability has been reported in versions prior to 4.1.3. SOLUTION: Update to version 4.1.3 or later and use the "passwd expert" command to change the root password. http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20060111-mars.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Cisco IP Phone 7940 allows remote attackers to cause a denial of service (reboot) via a large amount of TCP SYN packets (syn flood) to arbitrary ports, as demonstrated to port 80. Cisco IP Phone 7940 is prone to a remote denial of service vulnerability. Successful exploitation causes the phone to restart. Cisco is tracking this issue as Cisco bug ID CSCef33398. Solaris is a commercial UNIX operating system developed and maintained by Sun. There is a buffer overflow vulnerability in the /usr/bin/uustat binary program of Solaris. An attacker who successfully exploits this vulnerability can completely control the return address of the execution function and execute arbitrary code with uucp user privileges. If the string length after the \"-S\" command line parameter is greater than or equal to 1152 bytes, it may cause the binary program to crash. The following example shows that the buffer is overflowed and the o1 register is completely overwritten by the letter A: bash-2.03\\% ls -l /usr/bin/uustat ---s--x--x 1 uucp uucp 62012 Jan 17 16:07 uustat bash-2.03$ /usr/bin/uustat -S `perl -e \'\'print \"A\"x3000\'\'` Segmentation Fault bash-2.03$ (gdb) info registers g0 0x0 0 g1 0xff315e98 - 13541736 g2 0x1cc00 117760 g3 0x440 1088 g4 0x0 0 g5 0x0 0 g6 0x0 0 g7 0x0 0 o0 0xff3276a8 -13470040 o1 0x41414141 1094795585 ... The vulnerability is caused due to an error in the IP Stack. SOLUTION: Update to firmware revision 7.1(1) or later, which have the capability to perform load control using TCP throttling. This prevents a device from reloading. PROVIDED AND/OR DISCOVERED BY: The vendor credits Knud Erik H\xf8jgaard. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-response-20060113-ip-phones.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in the search module (modules/Search/index.php) of PHPNuke EV 7.7 -R1 allows remote attackers to execute arbitrary SQL commands via the query parameter, which is used by the search field. NOTE: This is a different vulnerability than CVE-2005-3792. PHPNuke EV is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation. PHPNuke EV version 7.7 is vulnerable; earlier versions may also be affected. For more information: SA17543 The vulnerability has been confirmed in version 7.7-R1. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: Originally reported in PHP-Nuke by sp3x. Reported in PHPNuke EV by Lostmon. ORIGINAL ADVISORY: http://lostmon.blogspot.com/2006/01/phpnuke-ev-77-search-module-query.html OTHER REFERENCES: SA17543: http://secunia.com/advisories/17543/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

ialmnt5.sys in the ialmrnt5 display driver in Intel Graphics Accelerator Driver 6.14.10.4308 allows attackers to cause a denial of service (crash or screen resolution change) via a long text field, as demonstrated using a long window title. This issue allows attackers to crash the display manager on Microsoft Windows XP, or cause a complete system crash on computers running Microsoft Windows 2000. Other operating systems where the affected display driver is available are also likely affected. Version 6.14.10.4308 of the Intel Graphics Accelerator driver is considered vulnerable to this issue. Other versions may also be affected. This issue will be updated as further information becomes available. This issue may be related to the one described in BID 10913 (Microsoft Windows Large Image Processing Remote Denial Of Service Vulnerability), but this has not been confirmed. Attempting to parse very long text in Mozilla Firefox triggers a buffer overflow that crashes the Windows Display Manager. This can potentially be exploited to cause a DoS e.g. by tricking a user to open a window to an overly long URL with the browser. Successful exploitation may cause the system to restart or cause the system to revert to a low resolution display mode. The vulnerability has been confirmed in version 6.14.10.4308. SOLUTION: Do not visit non-trusted websites or open non-trusted files. PROVIDED AND/OR DISCOVERED BY: $um$id ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in the IMAP daemon in Ipswitch Collaboration Suite 2006.02 and earlier allows remote authenticated users to execute arbitrary code via a long FETCH command. Authentication is required to exploit this vulnerability.This specific flaw exists within the IMAP daemon. A lack of bounds checking during the parsing of long arguments to the FETCH verb can result in an exploitable buffer overflow. The vulnerability presents itself when the server handles a specially crafted IMAP FETCH command. This may result in memory corruption leading to a denial-of-service condition or arbitrary code execution. Ipswitch IMail Server is an American Ipswitch company's mail server running on the Microsoft Windows operating system. TITLE: Ipswitch IMail Server/Collaboration Suite IMAP FETCH Vulnerability SECUNIA ADVISORY ID: SA19168 VERIFY ADVISORY: http://secunia.com/advisories/19168/ CRITICAL: Less critical IMPACT: DoS WHERE: >From remote SOFTWARE: IMail Secure Server 2006 http://secunia.com/product/8651/ IMail Server 2006 http://secunia.com/product/8653/ Ipswitch Collaboration Suite 2006 http://secunia.com/product/8652/ DESCRIPTION: A vulnerability has been reported in Ipswitch IMail Server/Collaboration Suite, which can be exploited by malicious users to cause a DoS (Denial of Service). This can be exploited to cause a buffer overflow, which crashes the server. Ipswitch Collaboration Suite 2006 Premium Edition: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/ICS/ics-premium200603.exe Ipswitch Collaboration Suite 2006 Standard Edition: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/ICS/ics-standard200603.exe IMail Secure Server 2006: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imailsecure200603.exe IMail Server 2006: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail200603.exe PROVIDED AND/OR DISCOVERED BY: The vendor credits 3Com's Zero Day Initiative. ORIGINAL ADVISORY: http://www.ipswitch.com/support/ics/updates/ics200603prem.asp http://www.ipswitch.com/support/ics/updates/ics200603stan.asp http://www.ipswitch.com/support/imail/releases/imsec200603.asp http://www.ipswitch.com/support/imail/releases/im200603.asp ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-06-003: Ipswitch Collaboration Suite Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-06-003.html March 13, 2006 -- CVE ID: CVE-2005-3526 -- Affected Vendor: Ipswitch -- Affected Products: Ipswitch Collaboration Suite 2006.02 and below -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since December 13, 2005 by Digital Vaccine protection filter ID 3982. -- Vendor Response: >>From http://www.ipswitch.com/support/ics/updates/ics200603prem.asp: "IMAP: Corrected a vulnerability issue where a properly crafted Fetch command causes IMAP to crash with a buffer overflow (disclosed by TippingPoint, a division of 3Com)." -- Disclosure Timeline: 2005.12.13 - Vulnerability reported to vendor 2005.12.13 - Digital Vaccine released to TippingPoint customers 2006.03.13 - Public release of advisory -- Credit: This vulnerability was discovered by Manuel Santamarina Suarez aka 'FistFuXXer'. -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Heap-based buffer overflow in the iGateway service for various Computer Associates (CA) iTechnology products, in iTechnology iGateway before 4.0.051230, allows remote attackers to execute arbitrary code via an HTTP request with a negative Content-Length field. The attacker can trigger the vulnerability by supplying a negative HTTP Content-Length value and a large URI to the service. A successful attack can result in corrupting process memory and the execution of arbitrary code with SYSTEM privileges on Windows platforms. The vendor has reported that this issue triggers only a denial-of-service condition on other platforms. Products containing iGateway 4.0.051230 are vulnerable to this issue. iTechnology is an integrated technology that provides standard Web service interfaces for third-party products. There is a heap overflow vulnerability in iTechnology's processing of HTTP request headers. iGateway service monitors standard HTTP or SSL communication on port 5250. The service does not properly handle negative HTTP Content-Length fields. iGateway parses the Content-length field value of the HTTP request and uses this value directly in the malloc() heap allocation call, so if a negative value is provided, the heap allocation call will return a small buffer. After the malloc() call, memcpy the provided URI to the allocated buffer and overwrite it to the heap. TITLE: CA Products iGateway Service Content-Length Buffer Overflow SECUNIA ADVISORY ID: SA18591 VERIFY ADVISORY: http://secunia.com/advisories/18591/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From local network SOFTWARE: BrightStor ARCserve Backup 11.x http://secunia.com/product/312/ BrightStor ARCserve Backup 11.x (for Windows) http://secunia.com/product/3099/ BrightStor ARCserve Backup 9.x http://secunia.com/product/313/ BrightStor ARCserve Backup for Laptops & Desktops 11.x http://secunia.com/product/5906/ BrightStor Enterprise Backup 10.x http://secunia.com/product/314/ BrightStor Process Automation Manager 11.x http://secunia.com/product/5908/ BrightStor Storage Resource Manager 11.x http://secunia.com/product/5909/ BrightStor Storage Resource Manager 6.x http://secunia.com/product/5910/ CA Advantage Data Transformer 2.x http://secunia.com/product/5904/ CA AllFusion Harvest Change Manager 7.x http://secunia.com/product/5905/ CA BrightStor Portal 11.x http://secunia.com/product/5577/ CA BrightStor SAN Manager 11.x http://secunia.com/product/5576/ CA eTrust Admin 8.x http://secunia.com/product/5584/ CA eTrust Audit 1.x http://secunia.com/product/5911/ CA eTrust Audit 8.x http://secunia.com/product/5912/ CA eTrust Identity Minder 8.x http://secunia.com/product/5913/ CA Unicenter Service Fulfillment 2.x http://secunia.com/product/5942/ eTrust Secure Content Manager (SCM) http://secunia.com/product/3391/ DESCRIPTION: Erika Mendoza has reported a vulnerability in various CA products, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error in the handling of HTTP data in the iGateway component. SOLUTION: Update the iGateway component to version 4.0.051230 or later. ftp://ftp.ca.com/pub/iTech/downloads/ PROVIDED AND/OR DISCOVERED BY: Erika Mendoza ORIGINAL ADVISORY: Computer Associates: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33778 iDEFENSE: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Please see below for important changes to CAID 33778 (aka CVE-2005-3653; OSVDB 22688; X-Force 24269; SecurityTracker Alert ID 1015526). Changelog is near end of advisory. Regards, Ken Williams Title: CAID 33778 - CA iGateway Content-Length Buffer Overflow Vulnerability [v1.1] CA Vulnerability ID: 33778 CA Advisory Date: 2006-01-23 Updated Advisory [v1.1]: 2006-01-26 Discovered By: Erika Mendoza reported this issue to iDefense. Mitigating Factors: None. Severity: CA has given this vulnerability a Medium risk rating. Affected Technologies: Please note that the iGateway component is not a product, but rather a common component that is included with multiple products. The iGateway component is included in the following CA products, which are consequently potentially vulnerable. Affected Products: BrightStor ARCserve Backup r11.5 BrightStor ARCserve Backup r11.1 BrightStor ARCserve Backup for Windows r11 BrightStor Enterprise Backup 10.5 BrightStor ARCserve Backup v9.01 BrightStor ARCserve Backup Laptop & Desktop r11.1 BrightStor ARCserve Backup Laptop & Desktop r11 BrightStor Process Automation Manager r11.1 BrightStor SAN Manager r11.1 BrightStor SAN Manager r11.5 BrightStor Storage Resource Manager r11.5 BrightStor Storage Resource Manager r11.1 BrightStor Storage Resource Manager 6.4 BrightStor Storage Resource Manager 6.3 BrightStor Portal 11.1 Note to BrightStor Storage Resource Manager and BrightStor Portal users: In addition to the application servers where these products are installed, all hosts that have iSponsors deployed to them for managing applications like Veritas Volume Manager and Tivoli TSM are also affected by this vulnerability. eTrust Products: eTrust Audit 1.5 SP2 (iRecorders and ARIES) eTrust Audit 1.5 SP3 (iRecorders and ARIES) eTrust Audit 8.0 (iRecorders and ARIES) eTrust Admin 8.1 eTrust Identity Minder 8.0 eTrust Secure Content Manager (SCM) R8 eTrust Integrated Threat Management (ITM) R8 eTrust Directory, R8.1 (Web Components Only) Unicenter Products: Unicenter CA Web Services Distributed Management R11 Unicenter AutoSys JM R11 Unicenter Management for WebLogic / Management for WebSphere R11 Unicenter Service Delivery R11 Unicenter Service Level Management (USLM) R11 Unicenter Application Performance Monitor R11 Unicenter Service Desk R11 Unicenter Service Desk Knowledge Tools R11 Unicenter Asset Portfolio Management R11 Unicenter Service Metric Analysis R11 Unicenter Service Catalog/Assure/Accounting R11 Unicenter MQ Management R11 Unicenter Application Server Management R11 Unicenter Web Server Management R11 Unicenter Exchange Management R11 Affected platforms: AIX, HP-UX, Linux Intel, Solaris, and Windows Status and Recommendation: Customers with vulnerable versions of the iGateway component should upgrade to the current version of iGateway (4.0.051230 or later), which is available for download from the following locations: http://supportconnect.ca.com/ ftp://ftp.ca.com/pub/iTech/downloads/ Determining the version of iGateway: To determine the version numbers of the iGateway components: Go to the igateway directory: On windows, this is %IGW_LOC% Default path for v3.*: C:\Program Files\CA\igateway Default path for v4.*: C:\Program Files\CA\SharedComponents\iTechnology On unix, Default path for v3.*: /opt/CA/igateway Default path for v4.*: the install directory path is contained in opt/CA/SharedComponents/iTechnology.location. The default path is /opt/CA/SharedComponents/iTechnology Look at the <Version> element in igateway.conf. The versions are affected by this vulnerability if you see a value LESS THAN the following: <Version>4.0.051230</Version> (note the format of v.s.YYMMDD) References: (note that URLs may wrap) CA SupportConnect: http://supportconnect.ca.com/ http://supportconnectw.ca.com/public/ca_common_docs/igatewaysecurity_not ice.asp CAID: 33778 CAID Advisory link: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33778 CVE Reference: CVE-2005-3653 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3653 OSVDB Reference: OSVDB-22688 http://osvdb.org/22688 iDefense Reference: Computer Associates iTechnology iGateway Service Content-Length Buffer Overflow http://www.idefense.com/intelligence/vulnerabilities/display.php?id=376 Changelog: v1.0 - Initial Release v1.1 - Removed several unaffected technologies; added more reference links. Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com. For technical questions or comments related to this advisory, please send email to vuln@ca.com, or contact me directly. If you discover a vulnerability in CA products, please report your findings to vuln@ca.com, or utilize our "Submit a Vulnerability" form. URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx Regards, Ken Williams ; 0xE2941985 Dir. of CA Vulnerability Research Team CA, One Computer Associates Plaza. Islandia, NY 11749 Contact http://www3.ca.com/contact/ Legal Notice http://ca.com/calegal.htm Privacy Policy http://www.ca.com/caprivacy.htm Copyright 2006 CA. All rights reserved

D-Link DI-524 Wireless Router, DI-624 Wireless Router, and DI-784 allow remote attackers to cause a denial of service (device reboot) via a series of crafted fragmented UDP packets, possibly involving a missing fragment. D-Link is an internationally renowned provider of network equipment and solutions, and its products include a variety of router equipment.  D-Link's multiple wireless access routers have a denial of service vulnerability. Remote attackers may use this vulnerability to conduct denial of service attacks on devices.  If the attacker sends three consecutive fragmented UDP packets as follows, the device will restart:  The IP header of all messages must have the same Identification Number.  Message 1:  The MORE_FRAGMENTS flag must be set to 1 (IP_MF)  Debris offset = 0  The effective part size of the message is 8 bytes. Null bytes were used in the attack code.  Message 2:  Set the MORE_FRAGMENTS flag to 1 (0x2002)  Debris offset = 16  The valid part is 8 bytes long.  Message 3:  Set the MORE_FRAGMENTS flag to 0 (0x0003)  Debris offset = 24  The valid part is 8 bytes long.  Upon receiving the above message, the affected router will immediately terminate all current connections. DI-524 takes about 1 minute to restart to restore the connection, and DI-624 takes about 30 seconds to restart. This issue is due to a flaw in affected devices that causes them to fail when attempting to reassemble certain IP packets. D-Link DI-524, DI-624, and Di-784 devices are affected by this issue. Due to code reuse among routers, other devices may also be affected. It is reported that US Robotics USR8054 devices are also affected. D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment. TITLE: D-Link Wireless Access Point Denial of Service Vulnerability SECUNIA ADVISORY ID: SA18833 VERIFY ADVISORY: http://secunia.com/advisories/18833/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote OPERATING SYSTEM: D-Link DI-784 http://secunia.com/product/8029/ D-Link DI-624 http://secunia.com/product/3660/ D-Link DI-524 http://secunia.com/product/8028/ DESCRIPTION: Aaron Portnoy and Keefe Johnson has reported a vulnerability in D-Link Wireless Access Point, which potentially can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of fragmented UDP packets. The vulnerability has been reported in the following products: * D-Link DI-524 Wireless Router (firmware version 3.20 August 18, 2005). * D-Link DI-624 Wireless Router. * D-Link DI-784. SOLUTION: The vulnerability has reportedly been fixed in the latest firmware. PROVIDED AND/OR DISCOVERED BY: Aaron Portnoy and Keefe Johnson ORIGINAL ADVISORY: http://www.thunkers.net/~deft/advisories/dlink_udp_dos.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Clean Access 3.5.5 and earlier on the Secure Smart Manager allows remote attackers to bypass authentication and cause a denial of service (disk consumption), or make unauthorized files accessible, by uploading files through requests to certain JSP scripts, a related issue to CVE-2005-4332. Cisco Clean Access (CCA) is prone to a denial-of-service vulnerability

Unspecified vulnerability in the VLAN Trunking Protocol (VTP) feature in Cisco IOS 12.1(22)EA3 on Catalyst 2950T switches allows remote attackers to cause a denial of service (device reboot) via a crafted Subset-Advert message packet, a different issue than CVE-2006-4774, CVE-2006-4775, and CVE-2006-4776. The VLAN Trunking Protocol (VTP) is Cisco's proprietary protocol for centralized management of VLANs.  If a malformed VTP packet is received, some switch devices may be overloaded. However, an attacker must know the VTP domain name and send malformed VTP packets to the port configured for relay on the switch to exploit this vulnerability. Multiple Cisco switches are prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause affected devices to restart, effectively denying service to legitimate users. ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Cisco IOS VTP Denial of Service Vulnerability SECUNIA ADVISORY ID: SA23892 VERIFY ADVISORY: http://secunia.com/advisories/23892/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: Cisco IOS 12.x http://secunia.com/product/182/ Cisco IOS R12.x http://secunia.com/product/50/ DESCRIPTION: David Barroso Berrueta and Alfredo Andres Omella have reported a vulnerability in Cisco IOS, which can be exploited by malicious people to cause a DoS (Denial of Service). This can be exploited to cause a device to reload by sending a specially crafted VTP packet. Successful exploitation requires knowledge of the VTP domain name and the port that is configured for trunking. PROVIDED AND/OR DISCOVERED BY: Alfredo Andres Omella and David Barroso Berrueta, S21SEC ORIGINAL ADVISORY: Cisco Advisory: http://www.cisco.com/en/US/products/products_security_response09186a00807d1a81.html 21SEC Advisory: http://www.s21sec.com/es/avisos/s21sec-034-en.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The network interface for Apple AirPort Express 6.x before Firmware Update 6.3, and AirPort Extreme 5.x before Firmware Update 5.7, allows remote attackers to cause a denial of service (unresponsive interface) via malformed packets. The Apple AirPort device is a wireless access point that provides 802.11 services to network clients.  A denial of service vulnerability exists in Apple AirPort. A malicious network attacker can send a specially crafted message, causing the network interface of the AirPort base station to stop responding. This occurs when the device handles malformed packets. Specific details regarding this issue are not currently known. This record will be updated when more information becomes available. AirPort Express firmware versions prior to 6.3 and AirPort Extreme firmware versions prior to 5.7 are vulnerable. The vulnerability is caused due to an unspecified error in the base station when handling certain network packets. SOLUTION: Apply updated firmware. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=303072 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Credit to Michael Zanetta of NETwork Security Consortium for reporting this issue

The SISCO OSI stack for Windows, as used by MMS-EASE 7.10 and earlier, AX-S4 MMS 5.01 and earlier, AX-S4 ICCP 3.0103 and earlier, and the ICCP Toolkit for MMS-EASE 4.10 and earlier, allows remote attackers to cause a denial of service (process crash) via certain network traffic, as demonstrated using a Nessus scan. A vulnerability exists in the SISCO OSI stack for Windows. If successfully exploited, an attacker could cause a denial-of-service condition. The Inter-control Center Communications Protocol (ICCP) is a protocol for communicating data in the control center of a SCADA network. A remote attacker can exploit the vulnerability to perform a denial of service attack on the service. The SISCO OSI stack on the Windows platform incorrectly handles malformed packets, and remote unauthenticated users can perform denial of service attacks on services. This issue allows remote, unauthenticated attackers to crash affected applications, denying further service to legitimate users. ---------------------------------------------------------------------- Want to work within IT-Security? Secunia is expanding its team of highly skilled security experts. We will help with relocation and obtaining a work permit. Currently the following type of positions are available: http://secunia.com/quality_assurance_analyst/ http://secunia.com/web_application_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: SISCO OSI Stack Denial of Service Vulnerability SECUNIA ADVISORY ID: SA22047 VERIFY ADVISORY: http://secunia.com/advisories/22047/ CRITICAL: Moderately critical IMPACT: DoS WHERE: >From remote SOFTWARE: SISCO MMS-EASE 7.x http://secunia.com/product/12072/ SISCO ICCP Toolkit for MMS-EASE 4.x http://secunia.com/product/12073/ SISCO AX-S4 MMS 5.x http://secunia.com/product/12071/ SISCO AX-S4 ICCP 3.x http://secunia.com/product/12070/ DESCRIPTION: A vulnerability has been reported in various SISCO products, which can be exploited by malicious people to cause a DoS (Denial of Service). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: SISCO: http://www.sisconet.com/downloads/NESSUS_Vulnerability_Announcement.pdf OTHER REFERENCES: US-CERT VU#468798: http://www.kb.cert.org/vuls/id/468798 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Drivers for certain display adapters, including (1) an unspecified ATI driver and (2) an unspecified Intel driver, might allow remote attackers to cause a denial of service (system crash) via a large JPEG image, as demonstrated in Internet Explorer using stoopid.jpg with a width and height of 9999999. Display Adapter Driver is prone to a denial-of-service vulnerability

Unspecified vulnerability in the Mac OS X kernel before 10.3.8 allows local users to cause a denial of service (temporary hang) via unspecified attack vectors related to the fan control unit (FCU) driver. There is an unknown vulnerability in the Mac OS X kernel before 10.3.8

Mac OS X 10.4.3 up to 10.4.6, when loginwindow uses the "Name and password" setting, and the "Show the Restart, Sleep, and Shut Down buttons" option is disabled, allows users with physical access to bypass login and reboot the system by entering ">restart", ">power", or ">shutdown" sequences after the username. Apple Mac OS X Server is prone to a denial-of-service vulnerability. Attackers can exploit this issue to crash the affected application, denying service to legitimate users

Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a crafted (1) QuickTime Image File (QTIF), (2) PICT, or (3) JPEG format image with a long data field. Apple's QuickTime is a player for files and streaming media in a variety of different formats. QuickTime is prone to a remote heap-based overflow vulnerability. This issue presents itself when the application processes a specially crafted QTIF (QuickTime Image) file. A successful attack can result in a remote compromise. Apple QuickTime is prone to a buffer-overflow vulnerability because the application fails to do proper bounds checking on user-supplied data before copying it to finite-sized process buffers. Unsuccessful exploit attempts will most likely crash the application. This issue affects QuickTime 6.5.2 and 7.0.3; other versions may also be vulnerable. QuickTime 7.0.4 may also be vulnerable, but this has not been confirmed. This issue may have previously been discussed in BID 16202 (Apple QuickTime Multiple Code Execution Vulnerabilities). Quicktime will copy to the stack byte by byte when processing the data field of the qtif format file, but it does not perform the correct check, so it will cause a stack overflow in memory. The original function pointer value is 0x44332211. Just overflow it to 0x08332211 and make sure it doesn't crash before overflowing 0x44 to 0x08, and the code will execute. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA06-011A Apple QuickTime Vulnerabilities Original release date: January 11, 2006 Last revised: January 11, 2006 Source: US-CERT Systems Affected Apple QuickTime on systems running * Apple Mac OS X * Microsoft Windows XP * Microsoft Windows 2000 Overview Apple has released QuickTime 7.0.4 to correct multiple vulnerabilities. The impacts of these vulnerabilities include execution of arbitrary code and denial of service. I. (CAN-2005-3713) II. Impact The impacts of these vulnerabilities vary. For information about specific impacts, please see the Vulnerability Notes. Potential consequences include remote execution of arbitrary code or commands and denial of service. III. Solution Upgrade Upgrade to QuickTime 7.0.4. Appendix A. References * US-CERT Vulnerability Note VU#629845 - <http://www.kb.cert.org/vuls/id/629845> * US-CERT Vulnerability Note VU#921193 - <http://www.kb.cert.org/vuls/id/921193> * US-CERT Vulnerability Note VU#115729 - <http://www.kb.cert.org/vuls/id/115729> * US-CERT Vulnerability Note VU#150753 - <http://www.kb.cert.org/vuls/id/150753> * US-CERT Vulnerability Note VU#913449 - <http://www.kb.cert.org/vuls/id/913449> * CVE-2005-2340 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2340> * CVE-2005-4092 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4092> * CVE-2005-3707 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3707> * CVE-2005-3710 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3710> * CVE-2005-3713 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3713> * Security Content for QuickTime 7.0.4 - <http://docs.info.apple.com/article.html?artnum=303101> * QuickTime 7.0.4 - <http://www.apple.com/support/downloads/quicktime704.html> * About the Mac OS X 10.4.4 Update (Delta) - <http://docs.info.apple.com/article.html?artnum=302810> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA06-011A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA06-011A Feedback VU#913449" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2006 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 11, 2006: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQ8V8iX0pj593lg50AQJ85wf+OuHVseQVzZ0uI8h8TnmtAJmjzV6tp3Cj 34jwpSLlvo5S8svIHChcX/BYOwKVL/uQZswsjk/mbEu+TrPcVKPd7VPCetxIXVey AdC5hsAH1Wm0MnvY1LgvONo8IQ9RlT6Rj6fY7k7QhPUWsYxj/rDCWDAY9kgsHXc/ HpXWL/Cy5va35z8aYHrLVlxmofKrOWtX0PVa6lSKV8lIsY+TDihA5tYIb5wRDVxL osieJ+MHSXGchXpjX2c0o6Ja6vhJNR61LEwelk9FMLT1JRTkp+wz9/AoVUSyZ/hy 0WBP0M8cwl8koWgijNcLXA18YX8QtDftAVRwpwHKMrbNCYdrWblYVw== =5Kiq -----END PGP SIGNATURE-----