VARIoT IoT vulnerabilities database

VAR-200704-0229 | CVE-2007-1352 | Integer overflow vulnerability in the FontFileInitTable() function of X.Org and XFree86 libXfont |
CVSS V2: 3.8 CVSS V3: - Severity: LOW |
Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow. The FontFileInitTable() function in libXfont, used by X.Org and XFree86, contains an integer overflow vulnerability that is triggered when an excessively long string is specified on the first line of a fonts.dir file. A malicious user who can connect to the X server may crash it, causing a denial of service (DoS), or may execute arbitrary code with the privileges of the X server (root). The 'libXfont' library is prone to multiple local integer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied data.
An attacker can exploit these vulnerabilities to execute arbitrary code with superuser privileges. Failed exploit attempts will likely cause denial-of-service conditions.
These issues affect libXfont 1.2.2; other versions may also be vulnerable. X.Org is an official reference implementation of the X Window System operated by the X.Org Foundation. X.Org's LibXFont library has an integer overflow when parsing BDF fonts, allowing attackers to cause heap overflow through specially crafted BDF fonts.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200705-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: LibXfont, TightVNC: Multiple vulnerabilities
Date: May 08, 2007
Bugs: #172575, #174200
ID: 200705-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been reported in libXfont and TightVNC,
allowing for the execution of arbitrary code with root privileges.
Background
==========
LibXfont is the X.Org font library. TightVNC is a VNC client/server for
X displays.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-misc/tightvnc < 1.2.9-r4 >= 1.2.9-r4
2 x11-libs/libXfont < 1.2.7-r1 >= 1.2.7-r1
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
The libXfont code is prone to several integer overflows, in functions
ProcXCMiscGetXIDList(), bdfReadCharacters() and FontFileInitTable().
TightVNC contains a local copy of this code and is also affected.
Impact
======
A local attacker could use a specially crafted BDF Font to gain root
privileges on the vulnerable host.
Resolution
==========
All libXfont users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=x11-libs/libXfont-1.2.7-r1"
All TightVNC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/tightvnc-1.2.9-r4"
References
==========
[ 1 ] CVE-2007-1003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003
[ 2 ] CVE-2007-1351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
[ 3 ] CVE-2007-1352
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200705-10.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2007:080-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : tightvnc
Date : April 10, 2007
Affected: 2007.1
_______________________________________________________________________
Problem Description:
Local exploitation of a memory corruption vulnerability in the X.Org
and XFree86 X server could allow an attacker to execute arbitrary
code with privileges of the X server, typically root.
The vulnerability exists in the ProcXCMiscGetXIDList() function in the
XC-MISC extension. This request is used to determine what resource IDs
are available for use. This function contains two vulnerabilities,
both result in memory corruption of either the stack or heap. The
ALLOCATE_LOCAL() macro used by this function allocates memory on the
stack using alloca() on systems where alloca() is present, or using
the heap otherwise. The handler function takes a user provided value,
multiplies it, and then passes it to the above macro. This results in
both an integer overflow vulnerability, and an alloca() stack pointer
shifting vulnerability. (CVE-2007-1003)
iDefense reported two integer overflows in the way X.org handled
various font files. (CVE-2007-1351, CVE-2007-1352)
TightVNC uses some of the same code base as Xorg, and has the same
vulnerable code.
Updated packages are patched to address these issues.
Update:
Packages for Mandriva Linux 2007.1 are now available.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2007.1:
9c14a56106984cd16780a1fd7e9c7beb 2007.1/i586/tightvnc-1.2.9-16.1mdv2007.1.i586.rpm
8aa3673bc8843dae12d9f18c4226214e 2007.1/i586/tightvnc-doc-1.2.9-16.1mdv2007.1.i586.rpm
d78d10a879bc1b1c461f75b815dcd656 2007.1/i586/tightvnc-server-1.2.9-16.1mdv2007.1.i586.rpm
59e94b523bc078f3997f689dae0e22b5 2007.1/SRPMS/tightvnc-1.2.9-16.1mdv2007.1.src.rpm
Mandriva Linux 2007.1/X86_64:
26e585c8ba950720c17ea4ce1373c05c 2007.1/x86_64/tightvnc-1.2.9-16.1mdv2007.1.x86_64.rpm
6f031ef92c5bec87488bba5861f0d41e 2007.1/x86_64/tightvnc-doc-1.2.9-16.1mdv2007.1.x86_64.rpm
205e13d0c46dc25bfa39c7dcfafe6dcb 2007.1/x86_64/tightvnc-server-1.2.9-16.1mdv2007.1.x86_64.rpm
59e94b523bc078f3997f689dae0e22b5 2007.1/SRPMS/tightvnc-1.2.9-16.1mdv2007.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
. (CVE-2007-1351, CVE-2007-1352)
Multiple integer overflows in (1) the XGetPixel function in ImUtil.c
in x.org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for
ImageMagick, allow user-assisted remote attackers to cause a denial
of service (crash) or information leak via crafted images with large
or negative values that trigger a buffer overflow.
----------------------------------------------------------------------
TITLE:
Linux-PAM Login Bypass Security Vulnerability
SECUNIA ADVISORY ID:
SA23858
VERIFY ADVISORY:
http://secunia.com/advisories/23858/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass
WHERE:
From remote
SOFTWARE:
Linux-PAM 0.x
http://secunia.com/product/1701/
DESCRIPTION:
A vulnerability has been reported in Linux-PAM, which can be
exploited by malicious people to bypass certain security
restrictions. This can be exploited to login with any
given password if the hash in the passwd file is "!!" or similar.
SOLUTION:
Update to version 0.99.7.1.
PROVIDED AND/OR DISCOVERED BY:
Bernardo Innocenti
ORIGINAL ADVISORY:
https://www.redhat.com/archives/pam-list/2007-January/msg00017.html
http://www.redhat.com/archives/fedora-devel-list/2007-January/msg01277.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
Multiple Vendor X Server fonts.dir File Parsing Integer Overflow
Vulnerability
iDefense Security Advisory 04.03.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 03, 2007
I. BACKGROUND
The X Window System (or X11) is a graphical windowing system used on
Unix-like systems. It is based on a client/server model. More
information about The X Window system is available at the
following URL.
http://en.wikipedia.org/wiki/X_Window_System
II. DESCRIPTION
Local exploitation of an integer overflow vulnerability in multiple
vendors' implementations of the X Window System font information file
parsing component could allow execution of arbitrary commands with
elevated privileges.
The vulnerability specifically exists in the parsing of the "fonts.dir"
font information file. When the element count on the first line of the
file specifies it contains more than 1,073,741,824 (2 to the power of
30) elements, a potentially exploitable heap overflow condition occurs.
III.
As the X11 server requires direct access to video hardware, it runs with
elevated privileges. A user compromising an X server would gain those
permissions.
In order to exploit this vulnerability, an attacker would need to be
able to cause the X server to use a maliciously constructed font. The
X11 server contains multiple methods for a user to define additional
paths to look for fonts. An exploit has been developed using the "-fp"
command line option to the X11 server to pass the location of the
attack to the server. It is also possible to use "xset" command with
the "fp" option to perform an attack on an already running server.
Some distributions allow users to start the X11 server only if they are
logged on at the console, while others will allow any user to start it.
Attempts at exploiting this vulnerability may put the console into an
unusable state. This will not prevent repeated exploitation attempts.
IV. DETECTION
iDefense has confirmed the existence of this vulnerability in X.Org
X11R7.1.
V. WORKAROUND
iDefense is currently unaware of any effective workaround for this
issue.
VI. VENDOR RESPONSE
The X.Org Foundation has addressed this vulnerability with source code
patches. More information can be found from their advisory at the
following URL.
http://lists.freedesktop.org/archives/xorg-announce/2007-april/0286.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-1352 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/21/2007 Initial vendor notification
02/21/2007 Initial vendor response
04/03/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Greg MacManus of iDefense Labs.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information
VAR-200702-0070 | CVE-2007-0665 | Ipswitch WS_FTP 2007 Professional of SCP Module format string vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Format string vulnerability in the SCP module in Ipswitch WS_FTP 2007 Professional might allow remote attackers to execute arbitrary commands via format string specifiers in the filename, related to the SHELL WS_FTP script command. WS_FTP is prone to a format-string vulnerability because the application fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
A successful attack may allow the attacker to crash the application or possibly to execute arbitrary code. This may facilitate unauthorized access or privilege escalation in the context of the user running the application. WS_FTP is a standard FTP client tool under the Winsock protocol. A remote attacker may exploit this vulnerability to control the user's machine by tricking the user into opening a malicious file.
VAR-200701-0392 | CVE-2007-0514 | Multiple Vulnerabilities Concerning Hitachi Web Server |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in multiple Hitachi Web Server, uCosminexus, and Cosminexus products before 20070124 allow remote attackers to inject arbitrary web script or HTML via (1) HTTP Expect headers or (2) image maps. Hitachi Web Server has the vulnerabilities listed below: 1. A vulnerability that allows the OpenSSL version to be rolled back when SSL is in use. 2. 3. A cross-site scripting vulnerability due to inadequate processing of the Expect header. Impact: 1. When SSL is in use, an attacker could deceptively alter the protocol, forcing the use of SSL version 2. 2. and 3. An attacker could insert malicious script. ** Deleted ** This entry was removed because it was found to duplicate the contents of CVE-2005-2969, CVE-2005-3352, and CVE-2006-3918 (all in Hitachi vendor information HS06-022). Please refer to CVE-2005-2969, CVE-2005-3352, and CVE-2006-3918.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user or to bypass certain security restrictions. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
1) Input passed to certain parameters in various files in Hitachi Web
Server is not properly sanitised before being returned to the user.
2) Input passed via the "Expect" header in Hitachi Web Server is not
properly sanitised before being returned to the user.
3) An error in the way Hitachi Web Server handles SSL 3.0 or TLS 1.0
protocols can be exploited by attackers to replace the connection
with a connection using SSL 2.0 protocol.
See the vendor advisory for a matrix of affected versions.
SOLUTION:
Updates are available for some versions (please see vendor's advisory
for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.hitachi-support.com/security_e/vuls_e/HS06-022_e/01-e.html
VAR-200701-0286 | CVE-2007-0528 | Vulnerability in the admin web console implemented by the Centrality Communications A168 chipset that allows important information (passwords and configuration data) to be obtained |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
The admin web console implemented by the Centrality Communications (aka Aredfox) PA168 chipset and firmware 1.54 and earlier, as provided by various IP phones, does not require passwords or authentication tokens when using HTTP, which allows remote attackers to connect to existing superuser sessions and obtain sensitive information (passwords and configuration data). The PA168 chipset is prone to an information disclosure vulnerability.
----------------------------------------------------------------------
TITLE:
SOYO G668 Ethernet IP Phone Session Management Vulnerability
SECUNIA ADVISORY ID:
SA23936
VERIFY ADVISORY:
http://secunia.com/advisories/23936/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From remote
OPERATING SYSTEM:
SOYO G668 IP Phone 1.x
http://secunia.com/product/13354/
DESCRIPTION:
Adrian Pastor has reported a vulnerability in SOYO G668 Ethernet IP
Phone, which can be exploited by malicious people to bypass certain
security restrictions.
The vulnerability is caused due to an error within the session
management. If a superuser logs into the web management console, the
web service accepts any request as long as the superuser's session is
valid. This can be exploited to bypass the authentication process and
e.g. allows the modification of certain settings.
The vulnerability is reported in firmware version 1.42. Other
versions may also be affected.
SOLUTION:
Only log into the web management console from trusted network
environments. Use a firewall to restrict access to the phone.
PROVIDED AND/OR DISCOVERED BY:
Adrian Pastor
ORIGINAL ADVISORY:
http://milw0rm.com/exploits/3189
VAR-200701-0397 | CVE-2007-0464 | Apple Mac OS X CoreText uninitialized pointer vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The _CFNetConnectionWillEnqueueRequests function in CFNetwork 129.19 on Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to cause a denial of service (application crash) via a crafted HTTP 301 response, which results in a NULL pointer dereference. Apple CFNetwork Framework is prone to a denial-of-service vulnerability.
Attackers may exploit this issue by issuing a maliciously designed HTTP response to a client application that uses the vulnerable CFNetwork API.
Successful exploits will result in denial-of-service conditions within client applications.
CFNetwork 129.19 on Mac OS X 10.4.8 is vulnerable to this issue. Remote attackers may use this vulnerability to cause the client to crash. CFNetwork is a Core Services framework that provides the function libraries needed to decompress network protocols. This vulnerability can be triggered if the server sends a specially crafted response to a client using this API, resulting in a denial of service condition.
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA27643
VERIFY ADVISORY:
http://secunia.com/advisories/27643/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, Privilege escalation, DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.
1) Multiple errors within the Adobe Flash Player plug-in can be
exploited by malicious people to gain knowledge of sensitive
information or compromise a user's system.
For more information:
SA26027
2) A null-pointer dereference error exists within AppleRAID when
handling disk images. This can be exploited to cause a system
shutdown when a specially crafted disk image is mounted e.g.
automatically via Safari if the option "Open 'safe' files after
downloading" is enabled.
3) An error in BIND can be exploited by malicious people to poison
the DNS cache.
For more information:
SA26152
4) An error in bzip2 can be exploited to cause a DoS (Denial of
Service).
For more information:
SA15447
This also fixes a race condition when setting file permissions.
5) An unspecified error in the implementation of FTP of CFNetwork can
be exploited by a malicious FTP server to cause the client to connect
to other hosts by sending specially crafted replies to FTP PASV
(passive) commands.
6) An unspecified error exists in the validation of certificates
within CFNetwork. This can be exploited via a Man-in-the-Middle
(MitM) attack to spoof a web site with a trusted certificate.
7) A null pointer dereference error in the CFNetwork framework can
lead to an unexpected application termination when a vulnerable
application connects to a malicious server.
8) A boundary error in CoreFoundation can be exploited to cause a
one-byte buffer overflow when a user is enticed to read a specially
crafted directory hierarchy.
Successful exploitation allows execution of arbitrary code.
9) An error exists in CoreText due to the use of an uninitialised
pointer and can be exploited to execute arbitrary code when a user is
tricked into reading a specially crafted text.
10) Some vulnerabilities in Kerberos can be exploited by malicious
users and malicious people to compromise a vulnerable system.
For more information:
SA26676
11) An error in the handling of the current Mach thread port or
thread exception port in the Kernel can be exploited by a malicious,
local user to execute arbitrary code with root privileges.
Successful exploitation requires permission to execute a setuid
binary.
12) An unspecified error in the Kernel can be exploited to bypass
the chroot mechanism by changing the working directory using a
relative path.
13) An integer overflow error in the "i386_set_ldt" system call can
be exploited by malicious, local users to execute arbitrary code with
escalated privileges.
14) An error exists in the handling of standard file descriptors
while executing setuid and setgid programs. This can be exploited by
malicious, local users to gain system privileges by executing setuid
programs with the standard file descriptors in an unexpected state.
15) An integer overflow exists in the Kernel when handling ioctl
requests. This can be exploited to execute arbitrary code with system
privileges by sending a specially crafted ioctl request.
16) The default configuration of tftpd allows clients to access any
path on the system.
17) An error in the Node Information Query mechanism may allow a
remote user to query for all addresses of a host, including
link-local addresses.
18) An integer overflow exists in the handling of ASP messages with
AppleTalk. This can be exploited by malicious, local users to cause a
heap-based buffer overflow and to execute arbitrary code with system
privileges by sending a maliciously crafted ASP message on an
AppleTalk socket.
19) A double-free error in the handling of certain IPV6 packets can
potentially be exploited to execute arbitrary code with system
privileges.
20) A boundary error exists when adding a new AppleTalk zone. This
can be exploited to cause a stack-based buffer overflow by sending a
maliciously crafted ioctl request to an AppleTalk socket and allows
execution of arbitrary code with system privileges.
21) An arithmetic error exists in AppleTalk when handling memory
allocations. This can be exploited by malicious, local users to cause
a heap-based buffer overflow and execute arbitrary code with system
privileges by sending a maliciously crafted AppleTalk message.
22) A double free error in NFS exists when processing an AUTH_UNIX
RPC call. This can be exploited by malicious people to execute
arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call
via TCP or UDP.
23) An unspecified case-sensitivity error exists in NSURL when
determining if a URL references the local file system.
24) A format string error in Safari can be exploited by malicious
people to execute arbitrary code when a user is tricked into opening
a .download file with a specially crafted name.
25) An implementation error exists in the tabbed browsing feature of
Safari. If HTTP authentication is used by a site being loaded in a
tab other than the active tab, an authentication sheet may be
displayed although the tab and its corresponding page are not
visible.
26) A person with physical access to a system may be able to bypass
the screen saver authentication dialog by sending keystrokes to a
process running behind the screen saver authentication dialog.
27) Safari does not block "file://" URLs when loading resources. This
can be exploited to view the content of local files by enticing a user
to visit a specially crafted web page.
28) An input validation error exists in WebCore when handling HTML
forms. This can be exploited to alter the values of form fields by
enticing a user to upload a specially crafted file.
29) A race condition error exists in Safari when handling page
transitions. This can be exploited to obtain information entered in
forms on other web sites by enticing a user to visit a malicious web
page.
30) An unspecified error exists in the handling of the browser's
history. This can be exploited to execute arbitrary code by enticing
a user to visit a specially crafted web page.
31) An error in Safari allows malicious websites to set Javascript
window properties of websites served from a different domain. This
can be exploited to get or set the window status and location of
pages served from other websites by enticing a user to visit a
specially crafted web page.
32) An error in Safari allows a malicious website to bypass the same
origin policy by hosting embedded objects with javascript URLs. This
can be exploited to execute arbitrary HTML and script code in context
of another site by enticing a user to visit a specially crafted web
page.
33) An error in Safari allows content served over HTTP to alter or
access content served over HTTPS in the same domain. This can be
exploited to execute Javascript code in context of HTTPS web pages in
that domain when a user visits a malicious web page.
34) An error in Safari in the handling of new browser windows can be
exploited to disclose the URL of an unrelated page.
For more information see vulnerability #2 in:
SA23893
35) An error in WebKit may allow unauthorised applications to access
private keys added to the keychain by Safari.
36) An unspecified error in Safari may allow a malicious website to
send remotely specified data to arbitrary TCP ports.
37) WebKit/Safari creates temporary files insecurely when previewing
a PDF file, which may allow a local user to access the file's
content.
5) The vendor credits Dr Bob Lopez PhD.
6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita
Zhuk of MK&C.
9) Will Dormann, CERT/CC
11) An anonymous person, reported via iDefense Labs.
12) The vendor credits Johan Henselmans and Jesper Skov.
13) The vendor credits RISE Security.
14) The vendor credits Ilja van Sprundel.
15) The vendor credits Tobias Klein, www.trapkit.de
16) The vendor credits James P. Javery, Stratus Data Systems
17) The vendor credits Arnaud Ebalard, EADS Innovation Works.
18, 21) Sean Larsson, iDefense Labs
19) The vendor credits Bhavesh Davda of VMware and Brian "chort"
Keefer of Tumbleweed Communications.
20) An anonymous person, reported via iDefense Labs.
22) The vendor credits Alan Newson of NGSSoftware, and Renaud
Deraison of Tenable Network Security, Inc.
25) The vendor credits Michael Roitzsch, Technical University
Dresden.
26) The vendor credits Faisal N. Jawdat
27) The vendor credits lixlpixel.
28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH.
29) The vendor credits Ryan Grisso, NetSuite.
30) The vendor credits David Bloom.
31, 32) The vendor credits Michal Zalewski, Google Inc.
33) The vendor credits Keigo Yamazaki of LAC Co.
36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm
Research and Spiros Antonatos, FORTH-ICS
37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH
Zurich.
ORIGINAL ADVISORY:
Apple:
http://docs.info.apple.com/article.html?artnum=307041
US-CERT VU#498105:
http://www.kb.cert.org/vuls/id/498105
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628
OTHER REFERENCES:
SA15447:
http://secunia.com/advisories/15447/
SA23893:
http://secunia.com/advisories/23893/
SA26027:
http://secunia.com/advisories/26027/
SA26152:
http://secunia.com/advisories/26152/
SA26676:
http://secunia.com/advisories/26676/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I. Further
details are available in the related vulnerability notes.
II. Impact
The impacts of these vulnerabilities vary. Potential consequences
include remote execution of arbitrary code or commands, bypass of
security restrictions, and denial of service.
III. This and
other updates are available via Apple Update or via Apple Downloads.
IV. Please send
email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
November 15, 2007: Initial release
VAR-200701-0391 | CVE-2007-0513 | Hitachi HiRDB Datareplicator Service disruption (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Hitachi HiRDB Datareplicator 7HiRDB, 7(64), 6, 6(64), 5.0, and 5.0(64); and various products that bundle HiRDB Datareplicator; allows attackers to cause a denial of service (CPU consumption) via certain data. Hitachi HiRDB Datareplicator is prone to a remote denial-of-service vulnerability.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Hitachi HiRDB DataReplicator Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA23816
VERIFY ADVISORY:
http://secunia.com/advisories/23816/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
From local network
SOFTWARE:
Hitachi HiRDB DataReplicator 5.x
http://secunia.com/product/13320/
Hitachi HiRDB DataReplicator 6.x
http://secunia.com/product/13318/
Hitachi HiRDB DataReplicator 7.x
http://secunia.com/product/13316/
DESCRIPTION:
A vulnerability has been reported in Hitachi HiRDB DataReplicator,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
See the vendor advisory for a matrix of affected versions.
SOLUTION:
Updates are available for some versions (see the vendor's advisory
for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.hitachi-support.com/security_e/vuls_e/HS06-023_e/01-e.html
VAR-200701-0443 | CVE-2007-0479 | Cisco IOS fails to properly process specially crafted IPv6 packets |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in the TCP listener in Cisco IOS 9.x, 10.x, 11.x, and 12.x allows remote attackers to cause a denial of service by sending crafted TCP traffic to an IPv4 address on the IOS device. Cisco IOS fails to properly process IPv6 packets with specially crafted routing headers. Successful exploitation of this vulnerability may allow an attacker to execute code, or create a denial-of-service condition. The Cisco IOS Transmission Control Protocol listener contains a memory leak. Cisco IOS is prone to a denial-of-service vulnerability.
This issue affects only devices running the Internet Protocol version 4 (IPv4).
Attackers can exploit this issue to cause memory leaks, potentially causing memory exhaustion over time. This will result in denial-of-service conditions.
This issue affects all Cisco routers using Cisco IOS Software versions 9 through 12.4.
This issue is being tracked as Cisco Bug ID CSCek37177. Note that an attacker can trigger this vulnerability without completing the TCP three-way handshake, so TCP packets with forged source addresses can also be used in the attack.
National Cyber Alert System
Technical Cyber Security Alert TA07-024A
Cisco IOS is Affected by Multiple Vulnerabilities
Original release date: January 24, 2007
Last revised: --
Source: US-CERT
Systems Affected
* Cisco network devices running IOS in various configurations
Overview
Several vulnerabilities have been discovered in Cisco's Internet
Operating System (IOS).
I.
II. Impact
Although the resulting impacts of these three vulnerabilities are
slightly different, in the case of VU#341288 and VU#274760, a
remote attacker could cause an affected device to reload the
operating system. In some cases, this creates a secondary
denial-of-service condition because packets are not forwarded
through the affected device while it is reloading.
Because devices running IOS may transmit traffic for a number of
other networks, the secondary impacts of a denial of service may be
severe.
III. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in the References
section of this document for more information on upgrading.
Workaround
Cisco has also published practical workarounds for these
vulnerabilities. Please refer to the "Workarounds" section of each
Cisco Security Advisory listed in the References section of this
document for more information.
Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.
IV. References
* US-CERT Vulnerability Note VU#217912 -
<http://www.kb.cert.org/vuls/id/217912>
* US-CERT Vulnerability Note VU#341288 -
<http://www.kb.cert.org/vuls/id/341288>
* US-CERT Vulnerability Note VU#274760 -
<http://www.kb.cert.org/vuls/id/274760>
* Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of
Service -
<http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml>
* Cisco Security Advisory: Crafted IP Option Vulnerability -
<http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml>
* Cisco Security Advisory: IPv6 Routing Header Vulnerability -
<http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-024A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-024A Feedback VU#217912" in the
subject.
Revision History
January 24, 2007: Initial release
.
1) An error exists in the processing of IP options in various IP
packets (including some ICMP requests, PIMv2, PGM, and URD requests).
SOLUTION:
Update to the latest version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Reported by the vendor.
3) Arnaud Ebalard, EADS Corporate Research Center.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
VAR-200701-0437 | CVE-2007-0488 | Quidway R1600 Router Service disruption in (DoS) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Huawei Versatile Routing Platform 1.43 2500E-003 firmware on the Quidway R1600 Router, and possibly other models, allows remote attackers to cause a denial of service (device crash) via a long show arp command. Versatile Routing Platform is prone to a denial-of-service vulnerability.
VAR-200701-0430 | CVE-2007-0481 | Cisco IOS fails to properly process specially crafted IPv6 packets |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco IOS allows remote attackers to cause a denial of service (crash) via a crafted IPv6 Type 0 Routing header. Successful exploitation of this vulnerability may allow an attacker to execute code, or create a denial-of-service condition. The Cisco IOS Transmission Control Protocol listener contains a memory leak. According to Cisco Systems, it is reported that potentially arbitrary code could be executed.
Successfully exploiting this issue allows remote attackers to corrupt the memory of affected devices. This may potentially facilitate the execution of attacker-supplied machine code. Failed exploit attempts will likely crash IOS-based devices.
This issue is being tracked by Cisco Bug IDs CSCsd40334 and CSCsd58381. Cisco IOS is the operating system used by Cisco equipment. The attack packet must be addressed to an IPv6 address defined on the device, but the upper-layer protocol does not matter (TCP, ICMP, and UDP packets can all trigger the issue), because the vulnerability occurs at the IP layer.
National Cyber Alert System
Technical Cyber Security Alert TA07-024A
Cisco IOS is Affected by Multiple Vulnerabilities
Original release date: January 24, 2007
Last revised: --
Source: US-CERT
Systems Affected
* Cisco network devices running IOS in various configurations
Overview
Several vulnerabilities have been discovered in Cisco's Internet
Operating System (IOS).
I.
II. Impact
Although the resulting impacts of these three vulnerabilities are
slightly different, in the case of VU#341288 and VU#274760, a
remote attacker could cause an affected device to reload the
operating system. In some cases, this creates a secondary
denial-of-service condition because packets are not forwarded
through the affected device while it is reloading.
Because devices running IOS may transmit traffic for a number of
other networks, the secondary impacts of a denial of service may be
severe.
III. Solution
Upgrade to a fixed version of IOS
Cisco has updated versions of its IOS software to address these
vulnerabilities. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in the References
section of this document for more information on upgrading.
Workaround
Cisco has also published practical workarounds for these
vulnerabilities. Please refer to the "Workarounds" section of each
Cisco Security Advisory listed in the References section of this
document for more information.
Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.
IV. References
* US-CERT Vulnerability Note VU#217912 -
<http://www.kb.cert.org/vuls/id/217912>
* US-CERT Vulnerability Note VU#341288 -
<http://www.kb.cert.org/vuls/id/341288>
* US-CERT Vulnerability Note VU#274760 -
<http://www.kb.cert.org/vuls/id/274760>
* Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of
Service -
<http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml>
* Cisco Security Advisory: Crafted IP Option Vulnerability -
<http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml>
* Cisco Security Advisory: IPv6 Routing Header Vulnerability -
<http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-024A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-024A Feedback VU#217912" in the
subject.
Revision History
January 24, 2007: Initial release
.
TITLE:
Cisco IOS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA23867
VERIFY ADVISORY:
http://secunia.com/advisories/23867/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS XR 3.x
http://secunia.com/product/4907/
Cisco IOS R12.x
http://secunia.com/product/50/
Cisco IOS R11.x
http://secunia.com/product/53/
Cisco IOS 12.x
http://secunia.com/product/182/
Cisco IOS 11.x
http://secunia.com/product/183/
Cisco IOS 10.x
http://secunia.com/product/184/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IOS, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.
1) An error exists in the processing of IP options in various IP
packets (including some ICMP requests, PIMv2, PGM, and URD requests).
2) A memory leak error in the processing of TCP packets can be
exploited to cause the device to consume a large amount of memory
over time and may lead to a degraded service via a specially crafted
packet sent to a physical or virtual IPv4 address configured on the
device.
SOLUTION:
Update to the latest version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Reported by the vendor.
3) Arnaud Ebalard, EADS Corporate Research Center.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
VAR-200701-0442 | CVE-2007-0480 | Cisco IOS fails to properly process specially crafted IPv6 packets |
Related entries in the VARIoT exploits database: VAR-E-200701-0525 |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco IOS 9.x, 10.x, 11.x, and 12.x and IOS XR 2.0.x, 3.0.x, and 3.2.x allows remote attackers to cause a denial of service or execute arbitrary code via a crafted IP option in the IP header in a (1) ICMP, (2) PIMv2, (3) PGM, or (4) URD packet. Cisco IOS fails to properly process IPv6 packets with specially crafted routing headers. Successful exploitation of this vulnerability may allow an attacker to execute code, or create a denial-of-service condition. The Cisco IOS Transmission Control Protocol listener contains a memory leak. These issues occur because the devices fail to handle specially crafted network packets. Failed exploit attempts will result in a denial of service.
These issues affect only devices that are configured to handle Internet Protocol version 4 (IPv4) packets. These issues do not affect devices that are configured to handle only Internet Protocol version 6 (IPv6) packets.
These issues are being tracked by Cisco Bug IDs CSCeh52410 and CSCec71950. If all of the following 3 conditions are met: 1. The message contains a specially crafted IP option 2.
National Cyber Alert System
Technical Cyber Security Alert TA07-024A
Cisco IOS is Affected by Multiple Vulnerabilities
Original release date: January 24, 2007
Last revised: --
Source: US-CERT
Systems Affected
* Cisco network devices running IOS in various configurations
Overview
Several vulnerabilities have been discovered in Cisco's Internet
Operating System (IOS).
I.
II. Impact
Although the resulting impacts of these three vulnerabilities are
slightly different, in the case of VU#341288 and VU#274760, a
remote attacker could cause an affected device to reload the
operating system. In some cases, this creates a secondary
denial-of-service condition because packets are not forwarded
through the affected device while it is reloading.
Because devices running IOS may transmit traffic for a number of
other networks, the secondary impacts of a denial of service may be
severe.
III. Solution
Upgrade to a fixed version of IOS
Cisco has updated versions of its IOS software to address these
vulnerabilities. Please refer to the "Software Versions and Fixes"
sections of the Cisco Security Advisories listed in the References
section of this document for more information on upgrading.
Workaround
Cisco has also published practical workarounds for these
vulnerabilities. Please refer to the "Workarounds" section of each
Cisco Security Advisory listed in the References section of this
document for more information.
Sites that are unable to install an upgraded version of IOS are
encouraged to implement these workarounds.
IV. References
* US-CERT Vulnerability Note VU#217912 -
<http://www.kb.cert.org/vuls/id/217912>
* US-CERT Vulnerability Note VU#341288 -
<http://www.kb.cert.org/vuls/id/341288>
* US-CERT Vulnerability Note VU#274760 -
<http://www.kb.cert.org/vuls/id/274760>
* Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of
Service -
<http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml>
* Cisco Security Advisory: Crafted IP Option Vulnerability -
<http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml>
* Cisco Security Advisory: IPv6 Routing Header Vulnerability -
<http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-024A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-024A Feedback VU#217912" in the
subject.
Revision History
January 24, 2007: Initial release
.
2) A memory leak error in the processing of TCP packets can be
exploited to cause the device to consume a large amount of memory
over time and may lead to a degraded service via a specially crafted
packet sent to a physical or virtual IPv4 address configured on the
device.
SOLUTION:
Update to the latest version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor.
2) Reported by the vendor.
3) Arnaud Ebalard, EADS Corporate Research Center.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070124-bundle.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
VAR-200701-0632 | No CVE | Mini Web Server Unspecified Multiple Buffer Overflow Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Mini Web Server is prone to multiple buffer-overflow vulnerabilities.
A successful exploit may lead to remote arbitrary code execution with the privileges of the server application, facilitating a remote compromise of affected computers.
Mini Web Server 0.04 and prior versions are vulnerable to these issues.
VAR-200701-0404 | CVE-2007-0471 | Check Point Connectra NGX Vulnerabilities that bypass security requirements |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
sre/params.php in the Integrity Clientless Security (ICS) component in Check Point Connectra NGX R62 3.x and earlier before Security Hotfix 5, and possibly VPN-1 NGX R62, allows remote attackers to bypass security requirements via a crafted Report parameter, which returns a valid ICSCookie authentication token. Multiple Check Point products are prone to a security-bypass vulnerability.
An attacker can exploit this issue to access cookie data and then use it to bypass certain security restrictions. This issue may potentially allow an attacker to gain unauthorized access to the affected application. Check Point Connectra is a web security gateway that provides SSL VPN access and integrates endpoint security and application security within a unified solution. Connectra's handling of endpoint access authentication is flawed. One of Connectra's main functions is its comprehensive endpoint security service: before a client connects to the internal network, Connectra tests the client to check whether the computer poses a security risk. If a risk is detected, the user is shown details of the risk and is asked to run the test again before logging on to the network. After the user submits the request, the server sends a Set-Cookie header to the client.
TITLE:
Check Point Products ICS Security Bypass
SECUNIA ADVISORY ID:
SA23847
VERIFY ADVISORY:
http://secunia.com/advisories/23847/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From remote
OPERATING SYSTEM:
Check Point Connectra Appliances
http://secunia.com/product/13352/
SOFTWARE:
Check Point VPN-1 Power NGX
http://secunia.com/product/13348/
http://secunia.com/product//
Check Point VPN-1 UTM NG AI
http://secunia.com/product/13350/
Check Point VPN-1 Power NG AI
http://secunia.com/product/13351/
Check Point VPN-1 UTM NGX
http://secunia.com/product/13346/
DESCRIPTION:
Roni Bachar and Nir Goldshlager have reported a vulnerability in
Check Point products, which can be exploited by malicious people to
bypass certain security restrictions.
The problem is that /sre/params.php in ICS (Integrity Clientless
Security) does not properly validate the data being sent to it. This
can be exploited to receive a cookie, which can be used to bypass
certain checks before being allowed to log in to the network, by
sending a POST request with a valid report to the /sre/params.php
page.
Successful exploitation requires that the ICS feature is enabled.
The vulnerability affects the following products and versions:
* Connectra NGX R62
* Connectra NGX R61
* Connectra NGX R60
* Connectra 2.0
* VPN-1 Power/UTM (Pro/Express) NGX R62
* VPN-1 Power/UTM (Pro/Express) NGX R61
* VPN-1 Power/UTM (Pro/Express) NGX R60
* VPN-1 Power/UTM (Pro/Express) NG AI R55W
* VPN-1 Power/UTM (Pro/Express) NG AI R55
SOLUTION:
Apply hotfix.
Connectra:
http://www.checkpoint.com/downloads/latest/hfa/connectra/index.html
VPN-1:
http://www.checkpoint.com/downloads/latest/hfa/vpn1_security/index.html
PROVIDED AND/OR DISCOVERED BY:
Roni Bachar and Nir Goldshlager, Avnet
ORIGINAL ADVISORY:
Check Point:
https://secureknowledge.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?lid=sk32472
Full-Disclosure:
http://lists.grok.org.uk/pipermail/full-disclosure/2007-January/051920.html
----------------------------------------------------------------------
VAR-200701-0395 | CVE-2007-0462 | Mac OS X of Quicktime Such as _GetSrcBits32ARGB Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The _GetSrcBits32ARGB function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT image with a malformed Alpha RGB (ARGB) record, which triggers memory corruption. Mac OS X QuickDraw is prone to a remote memory-corruption vulnerability because the software fails to properly handle malformed PICT image files.
Successfully exploiting this issue allows remote attackers to corrupt memory and crash the affected software. Attackers may also be able to execute arbitrary machine code, but this has not been confirmed.
Mac OS X 10.4.8 is vulnerable to this issue; other versions are also likely affected, since the vulnerable component has been included in Apple operating systems since System 6.0.4. QuickDraw is a graphics processing tool bundled in the Apple operating system. A memory corruption vulnerability exists in QuickDraw when parsing PICT graphics with malformed ARGB records. A remote attacker may exploit this vulnerability to cause the application to crash. If the user is tricked into opening a malicious graphics file, the vulnerability is triggered and the pointer passed to the _GetSrcBits32ARGB() function is corrupted, resulting in a denial of service.
----------------------------------------------------------------------
The vulnerability is caused due to an error in Apple QuickDraw and
can be exploited to cause the application using the QuickDraw
routines to crash, when a specially crafted PICT image is processed.
The vulnerability is reported in Mac OS X 10.4.8 (x86). Other
versions may also be affected.
SOLUTION:
Do not open or use PICT images from untrusted sources.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/moab/MOAB-23-01-2007.html
----------------------------------------------------------------------
VAR-200701-0215 | CVE-2007-0435 | T-Com Speedport 500V Vulnerability bypassing authentication in routers |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
T-Com Speedport 500V routers with firmware 1.31 allow remote attackers to bypass authentication and reconfigure the device via a LOGINKEY=TECOM cookie value.
Exploiting this issue allows attackers to gain unauthorized access to the device's administration interface. This can result in the compromise of the device and may facilitate attacks against computers connected to the device.
T-Com Speedport 500V with firmware version 1.31 is vulnerable; other versions may also be affected. The Speedport 500V is a broadband router widely sold by German ADSL providers. When it authenticates the password entered by the user, the Speedport only sets a cookie with the content LOGINKEY=TECOM, which is hard-coded and cannot be changed. If an attacker can create this cookie, he can bypass password authentication by requesting the configuration HTML pages directly, obtain unauthorized access, and change system configurations, such as disabling the firewall. While an attacker cannot change the system password without knowing the old password, it is possible to reset the password to the default via a firmware upgrade and gain full system access.
----------------------------------------------------------------------
TITLE:
T-Com Speedport Authentication Bypass
SECUNIA ADVISORY ID:
SA23853
VERIFY ADVISORY:
http://secunia.com/advisories/23853/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From local network
OPERATING SYSTEM:
T-Com Speedport 500V 1.x
http://secunia.com/product/13294/
DESCRIPTION:
Virginity has reported a vulnerability in T-Com Speedport, which can
be exploited by malicious people to bypass certain security
restrictions.
SOLUTION:
Use the device only in trusted networks. via a
firewall).
PROVIDED AND/OR DISCOVERED BY:
Virginity
----------------------------------------------------------------------
VAR-200701-0210 | CVE-2007-0430 | Apple Mac OS X of shared_region_map_file_np Service disruption in functions (DoS) Vulnerabilities |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
The shared_region_map_file_np function in Apple Mac OS X 10.4.8 and earlier kernel allows local users to cause a denial of service (memory corruption) via a large mappingCount value. Mac OS X is prone to a denial-of-service vulnerability.
----------------------------------------------------------------------
The vulnerability is caused due to an error in the
"shared_region_map_file_np()" syscall and can cause the system to
become unresponsive by providing a high "mapping_count" value. Other
versions may also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
Adriano Lima
ORIGINAL ADVISORY:
http://risesecurity.org/advisory.php?id=RISE-2007001.txt
----------------------------------------------------------------------
VAR-200701-0599 | No CVE | WzdFTPD Remote Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
WzdFTPD is an FTP server that runs on Linux, Win32, FreeBSD and OpenBSD. WzdFTPD has a vulnerability in handling malformed user requests, and remote attackers can cause a denial of service in WzdFTPD by sending a specially crafted FTP command. The 'wzdftpd' program is prone to multiple remote denial-of-service vulnerabilities.
Exploiting these issues allows remote attackers to crash the application, denying further service to legitimate users.
These issues reportedly affect versions prior to 0.8.1.
VAR-200701-0211 | CVE-2007-0431 | AVM FRITZ!Box VoIP Remote Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
AVM Fritz!Box 7050, and possibly other product models, allows remote attackers to cause a denial of service (VoIP application crash) via a zero-length UDP packet to the SIP port (port 5060). FRITZ!Box is prone to a remote denial-of-service vulnerability.
A remote attacker can exploit this issue to crash the VoIP-telephony service, effectively denying service to legitimate users.
----------------------------------------------------------------------
TITLE:
Fritz!Box UDP Packet SIP Denial of Service
SECUNIA ADVISORY ID:
SA23868
VERIFY ADVISORY:
http://secunia.com/advisories/23868/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
OPERATING SYSTEM:
AVM Fritz!Box 7050
http://secunia.com/product/13298/
DESCRIPTION:
Matthias Wenzel has reported a vulnerability in AVM Fritz!Box 7050,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to an error within the handling of
certain UDP packets.
SOLUTION:
Use another device.
PROVIDED AND/OR DISCOVERED BY:
Matthias Wenzel
ORIGINAL ADVISORY:
http://mazzoo.de/blog/2007/01/18#FritzBox_DoS
----------------------------------------------------------------------
VAR-200701-0087 | CVE-2007-0367 | Rumpus Vulnerability in |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Rumpus 5.1 and earlier has weak permissions for certain files and directories under /usr/local/Rumpus, including the configuration file, which allows local users to have an unknown impact by creating, modifying, or deleting files. Rumpus Ftp Server is prone to a local security vulnerability.
----------------------------------------------------------------------
TITLE:
Rumpus Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA23842
VERIFY ADVISORY:
http://secunia.com/advisories/23842/
CRITICAL:
Moderately critical
IMPACT:
Privilege escalation, DoS, System access
WHERE:
From remote
SOFTWARE:
Rumpus 5.x
http://secunia.com/product/11982/
DESCRIPTION:
LMH and KF have reported some vulnerabilities in Rumpus, which can be
exploited by malicious, local users to gain escalated privileges and
potentially by malicious users to compromise a vulnerable system.
1) The application invokes "ipfw" without an absolute path and has
the setuid bit set. This can be exploited to gain "root" privileges
by placing a specially crafted "ipfw" binary in the path.
2) Boundary errors within the FTP service can be exploited to cause
heap-based buffer overflows and can potentially be exploited to
execute arbitrary code via specially crafted packets.
Successful exploitation requires a valid user account.
The vulnerabilities are reported in version 5.1. Other versions may
also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH and KF
ORIGINAL ADVISORY:
http://projects.info-pull.com/moab/MOAB-18-01-2007.html
----------------------------------------------------------------------
VAR-200701-0086 | CVE-2007-0366 | Rumpus Vulnerability gained in |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Untrusted search path vulnerability in Rumpus 5.1 and earlier allows local users to gain privileges via a modified PATH that points to a malicious ipfw program. Rumpus Ftp Server is prone to a local security vulnerability.
----------------------------------------------------------------------
TITLE:
Rumpus Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA23842
VERIFY ADVISORY:
http://secunia.com/advisories/23842/
CRITICAL:
Moderately critical
IMPACT:
Privilege escalation, DoS, System access
WHERE:
From remote
SOFTWARE:
Rumpus 5.x
http://secunia.com/product/11982/
DESCRIPTION:
LMH and KF have reported some vulnerabilities in Rumpus, which can be
exploited by malicious, local users to gain escalated privileges and
potentially by malicious users to compromise a vulnerable system.
1) The application invokes "ipfw" without an absolute path and has
the setuid bit set. This can be exploited to gain "root" privileges
by placing a specially crafted "ipfw" binary in the path.
2) Boundary errors within the FTP service can be exploited to cause
heap-based buffer overflows and can potentially be exploited to
execute arbitrary code via specially crafted packets.
Successful exploitation requires a valid user account.
The vulnerabilities are reported in version 5.1. Other versions may
also be affected.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
LMH and KF
ORIGINAL ADVISORY:
http://projects.info-pull.com/moab/MOAB-18-01-2007.html
----------------------------------------------------------------------
VAR-200701-0398 | CVE-2007-0465 | Apple Mac OS X Installer format string vulnerability |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Format string vulnerability in Apple Installer 2.1.5 on Mac OS X 10.4.8 allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a (1) PKG, (2) DISTZ, or (3) MPKG package filename. Apple Installer is the application responsible for installing Mac OS X software packages.
----------------------------------------------------------------------
TITLE:
Ubuntu update for krb5
SECUNIA ADVISORY ID:
SA23772
VERIFY ADVISORY:
http://secunia.com/advisories/23772/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Ubuntu Linux 6.10
http://secunia.com/product/12470/
Ubuntu Linux 6.06
http://secunia.com/product/10611/
DESCRIPTION:
Ubuntu has issued an update for krb5. This fixes a vulnerability,
which can potentially be exploited by malicious people to cause a DoS
(Denial of Service) or compromise a vulnerable system.
For more information:
SA23696
SOLUTION:
Apply updated packages.
Size/MD5: 398636 15cd61e388f2e658709577c6c17ed9f4
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-admin-server_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 74648 a9d42678fb3d7d508c087ae7eb075eec
http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-clients_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 203198 2aeac236c8864c757a55870190918302
http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-ftpd_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 58498 22079ad35df8ceea0857319eb533ee35
http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-kdc_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 129158 a5b36aeb90baba94d569f41d21f16548
http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-rsh-server_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 79926 d889cf2987c8c48a6aef9b566ad14238
http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-telnetd_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 63040 6e9f3b3ad95536ee494d73e8ee3d252a
http://security.ubuntu.com/ubuntu/pool/universe/k/krb5/krb5-user_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 122238 bd59626426b7690742520d2151b58a3c
http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkadm55_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 166480 fd69c12e642a168d39ce209c1647d433
http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dbg_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 957280 de94391f1d289fbe3c7639f8ca8cf303
http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb5-dev_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 684606 511b01e003f876bde73badddeda105ab
http://security.ubuntu.com/ubuntu/pool/main/k/krb5/libkrb53_1.4.3-9ubuntu1.1_sparc.deb
Size/MD5: 373600 66c24f51433ff5ce4670bc91f04a6187
ORIGINAL ADVISORY:
http://www.ubuntu.com/usn/usn-408-1
OTHER REFERENCES:
SA23696:
http://secunia.com/advisories/23696/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.