VARIoT IoT vulnerabilities database

Unspecified vulnerability in Alias Manager in Apple Mac OS X 10.5.1 and earlier on Intel platforms allows local users to gain privileges or cause a denial of service (memory corruption and application crash) by resolving an alias that contains crafted AFP volume mount information. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA30802 VERIFY ADVISORY: http://secunia.com/advisories/30802/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities and a weakness. 2) A weakness is caused due to users not being warned before opening certain potentially unsafe content types, e.g. .xht and .xhtm files. 3) A format string error in c++filt can be exploited to exploited to execute arbitrary code when a specially crafted string is passed to the application. 4) An vulnerability in Dock can be exploited by malicious people with physical access to a system to bypass the screen lock when Expos\xe9 hot corners are set. 5) A race condition error exists in Launch Services in the download validation of symbolic links. This can be exploited to execute arbitrary code when a user visits a malicious web site. Successful exploitation requires that the "Open 'safe' files" option is enabled in Safari. 6) A vulnerability in Net-SNMP can be exploited by malicious people to spoof authenticated SNMPv3 packets. For more information: SA30574 7) Some vulnerabilities in Ruby can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA29232 SA29794 NOTE: Reportedly, the directory traversal issue does not affect Mac OS X. 8) A vulnerability in SMB File Server can be exploited by malicious people to compromise a vulnerable system. For more information: SA30228 9) It is possible to store malicious files within the User Template directory. This can be exploited to execute arbitrary code with permissions of a new user when his home directory is created using the User Template directory. 10) Some vulnerabilities in Tomcat can be exploited by malicious users to disclose sensitive information and by malicious people to disclose sensitive information or to conduct cross-site scripting attacks. For more information: SA25678 SA26466 SA27398 SA28878 11) A vulnerability in WebKit can be exploited by malicious people to compromise a user's system. or apply Security Update 2008-004. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Dock in Apple Mac OS X 10.5 before 10.5.4, when Exposé hot corners is enabled, allows physically proximate attackers to gain access to a locked session in (1) sleep mode or (2) screen saver mode via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Permissions license and access control issues exist in the Dock component of Apple Mac OS X prior to 10.5.4. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA30802 VERIFY ADVISORY: http://secunia.com/advisories/30802/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities and a weakness. 1) An unspecified error in the Alias Manager when handling AFP volume mount information in an alias data structure can be exploited to cause a memory corruption and potentially execute arbitrary code. 2) A weakness is caused due to users not being warned before opening certain potentially unsafe content types, e.g. .xht and .xhtm files. 3) A format string error in c++filt can be exploited to exploited to execute arbitrary code when a specially crafted string is passed to the application. 4) An vulnerability in Dock can be exploited by malicious people with physical access to a system to bypass the screen lock when Expos\xe9 hot corners are set. 5) A race condition error exists in Launch Services in the download validation of symbolic links. This can be exploited to execute arbitrary code when a user visits a malicious web site. Successful exploitation requires that the "Open 'safe' files" option is enabled in Safari. 6) A vulnerability in Net-SNMP can be exploited by malicious people to spoof authenticated SNMPv3 packets. For more information: SA30574 7) Some vulnerabilities in Ruby can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA29232 SA29794 NOTE: Reportedly, the directory traversal issue does not affect Mac OS X. 8) A vulnerability in SMB File Server can be exploited by malicious people to compromise a vulnerable system. For more information: SA30228 9) It is possible to store malicious files within the User Template directory. This can be exploited to execute arbitrary code with permissions of a new user when his home directory is created using the User Template directory. 10) Some vulnerabilities in Tomcat can be exploited by malicious users to disclose sensitive information and by malicious people to disclose sensitive information or to conduct cross-site scripting attacks. For more information: SA25678 SA26466 SA27398 SA28878 11) A vulnerability in WebKit can be exploited by malicious people to compromise a user's system. or apply Security Update 2008-004. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Mac OS X before 10.5 uses weak permissions for the User Template directory, which allows local users to gain privileges by inserting a Trojan horse file into this directory. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA30802 VERIFY ADVISORY: http://secunia.com/advisories/30802/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities and a weakness. 1) An unspecified error in the Alias Manager when handling AFP volume mount information in an alias data structure can be exploited to cause a memory corruption and potentially execute arbitrary code. 2) A weakness is caused due to users not being warned before opening certain potentially unsafe content types, e.g. .xht and .xhtm files. 3) A format string error in c++filt can be exploited to exploited to execute arbitrary code when a specially crafted string is passed to the application. 4) An vulnerability in Dock can be exploited by malicious people with physical access to a system to bypass the screen lock when Expos\xe9 hot corners are set. 5) A race condition error exists in Launch Services in the download validation of symbolic links. This can be exploited to execute arbitrary code when a user visits a malicious web site. Successful exploitation requires that the "Open 'safe' files" option is enabled in Safari. 6) A vulnerability in Net-SNMP can be exploited by malicious people to spoof authenticated SNMPv3 packets. For more information: SA30574 7) Some vulnerabilities in Ruby can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA29232 SA29794 NOTE: Reportedly, the directory traversal issue does not affect Mac OS X. 8) A vulnerability in SMB File Server can be exploited by malicious people to compromise a vulnerable system. For more information: SA30228 9) It is possible to store malicious files within the User Template directory. This can be exploited to execute arbitrary code with permissions of a new user when his home directory is created using the User Template directory. 10) Some vulnerabilities in Tomcat can be exploited by malicious users to disclose sensitive information and by malicious people to disclose sensitive information or to conduct cross-site scripting attacks. For more information: SA25678 SA26466 SA27398 SA28878 11) A vulnerability in WebKit can be exploited by malicious people to compromise a user's system. or apply Security Update 2008-004. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Launch Services in Apple Mac OS X before 10.5, when Open Safe Files is enabled, allows remote attackers to execute arbitrary code via a symlink attack, probably related to a race condition and automatic execution of a downloaded file. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA30802 VERIFY ADVISORY: http://secunia.com/advisories/30802/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities and a weakness. 1) An unspecified error in the Alias Manager when handling AFP volume mount information in an alias data structure can be exploited to cause a memory corruption and potentially execute arbitrary code. 2) A weakness is caused due to users not being warned before opening certain potentially unsafe content types, e.g. .xht and .xhtm files. 3) A format string error in c++filt can be exploited to exploited to execute arbitrary code when a specially crafted string is passed to the application. 4) An vulnerability in Dock can be exploited by malicious people with physical access to a system to bypass the screen lock when Expos\xe9 hot corners are set. 5) A race condition error exists in Launch Services in the download validation of symbolic links. This can be exploited to execute arbitrary code when a user visits a malicious web site. Successful exploitation requires that the "Open 'safe' files" option is enabled in Safari. 6) A vulnerability in Net-SNMP can be exploited by malicious people to spoof authenticated SNMPv3 packets. For more information: SA30574 7) Some vulnerabilities in Ruby can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA29232 SA29794 NOTE: Reportedly, the directory traversal issue does not affect Mac OS X. 8) A vulnerability in SMB File Server can be exploited by malicious people to compromise a vulnerable system. For more information: SA30228 9) It is possible to store malicious files within the User Template directory. This can be exploited to execute arbitrary code with permissions of a new user when his home directory is created using the User Template directory. 10) Some vulnerabilities in Tomcat can be exploited by malicious users to disclose sensitive information and by malicious people to disclose sensitive information or to conduct cross-site scripting attacks. For more information: SA25678 SA26466 SA27398 SA28878 11) A vulnerability in WebKit can be exploited by malicious people to compromise a user's system. or apply Security Update 2008-004. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Format string vulnerability in c++filt in Apple Mac OS X 10.5 before 10.5.4 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string in (1) C++ or (2) Java source code. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4. Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA30802 VERIFY ADVISORY: http://secunia.com/advisories/30802/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities and a weakness. 1) An unspecified error in the Alias Manager when handling AFP volume mount information in an alias data structure can be exploited to cause a memory corruption and potentially execute arbitrary code. 2) A weakness is caused due to users not being warned before opening certain potentially unsafe content types, e.g. .xht and .xhtm files. 4) An vulnerability in Dock can be exploited by malicious people with physical access to a system to bypass the screen lock when Expos\xe9 hot corners are set. 5) A race condition error exists in Launch Services in the download validation of symbolic links. This can be exploited to execute arbitrary code when a user visits a malicious web site. Successful exploitation requires that the "Open 'safe' files" option is enabled in Safari. 6) A vulnerability in Net-SNMP can be exploited by malicious people to spoof authenticated SNMPv3 packets. For more information: SA30574 7) Some vulnerabilities in Ruby can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA29232 SA29794 NOTE: Reportedly, the directory traversal issue does not affect Mac OS X. 8) A vulnerability in SMB File Server can be exploited by malicious people to compromise a vulnerable system. For more information: SA30228 9) It is possible to store malicious files within the User Template directory. This can be exploited to execute arbitrary code with permissions of a new user when his home directory is created using the User Template directory. 10) Some vulnerabilities in Tomcat can be exploited by malicious users to disclose sensitive information and by malicious people to disclose sensitive information or to conduct cross-site scripting attacks. For more information: SA25678 SA26466 SA27398 SA28878 11) A vulnerability in WebKit can be exploited by malicious people to compromise a user's system. or apply Security Update 2008-004. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

ServerView is an asset management tool for automated analysis and version maintenance.  There are multiple stack overflow vulnerabilities in some components of the ServerView Web interface (such as SnmpGetMibValues.exe). If a remote attacker sends a malicious URL request to the Web interface, these overflows can be triggered, causing arbitrary instructions to be executed.

Cross-site scripting (XSS) vulnerability in UPM/English/login/login.asp in Commtouch Enterprise Anti-Spam Gateway 4 and 5 allows remote attackers to inject arbitrary web script or HTML via the PARAMS parameter. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Commtouch Anti-Spam Enterprise Gateway 4 and 5 are vulnerable; other versions may also be affected. Commtouch Anti-Spam is an enterprise-level anti-spam protection platform developed by Israel Commtouch Company. The Commtouch Anti-Spam product regularly sends email reports to users, listing the blocked suspicious spam emails, and then users can click related links in the emails to confirm whether suspicious emails should be released. If an attacker sends an email message containing a malicious link, the user is tricked into clicking the link in the message, which can lead to a cross-site scripting attack. Input passed to the "PARAMS" parameter in AntiSpamGateway/UPM/English/login/login.asp is not properly sanitised before being returned to a user. The vulnerability is reported in version 4 and 5. SOLUTION: Filter malicious characters and character sequences using a web proxy. PROVIDED AND/OR DISCOVERED BY: Erez Metula ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062955.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Real-Time Information Server (RIS) Data Collector service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) and 6.x before 6.1(1) allows remote attackers to bypass authentication, and obtain cluster configuration information and statistics, via a direct TCP connection to the service port, aka Bug ID CSCsj90843. The problem is Bug ID : CSCsj90843 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. Attackers can exploit this issue to gain read-only access to potentially sensitive information about a CUCM cluster. Information harvested can aid in further attacks. The following versions of CUCM are affected: 4.2 prior to 4.2(3)SR4 4.3 prior to 4.3(2)SR1 5.0 prior to 5.1(3c) 6.0 prior to 6.1(2) Unified CallManager 4.1 versions are also affected. In normal operation, Real-Time Monitoring Tool (RTMT) clients collect CUCM cluster statistics by authenticating to the Simple Object Access Protocol (SOAP)-based web interface, which proxies the authenticated connection to the RIS data collector process. 1) An unspecified error in the Computer Telephony Integration (CTI) Manager service can be exploited to cause a DoS by sending a specially crafted packet to port 2748/TCP. information about performance statistics, user names, and configured IP phones. PROVIDED AND/OR DISCOVERED BY: VoIPshield CHANGELOG: 2008-06-26: Added links to VoIPshield. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml VoIPshield: http://www.voipshield.com/research-details.php?id=64 http://www.voipshield.com/research-details.php?id=65 http://www.voipshield.com/research-details.php?id=66 http://www.voipshield.com/research-details.php?id=67 http://www.voipshield.com/research-details.php?id=68 http://www.voipshield.com/research-details.php?id=69 http://www.voipshield.com/research-details.php?id=70 http://www.voipshield.com/research-details.php?id=71 http://www.voipshield.com/research-details.php?id=72 http://www.voipshield.com/research-details.php?id=73 http://www.voipshield.com/research-details.php?id=74 http://www.voipshield.com/research-details.php?id=75 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Computer Telephony Integration (CTI) Manager service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3c) and 6.x before 6.1(2) allows remote attackers to cause a denial of service (TSP crash) via malformed network traffic to TCP port 2748. By a remote attacker, TCP port 2748 Service disruption through unauthorized network traffic to (DoS) There is a possibility of being put into a state.Please refer to the “Overview” for the impact of this vulnerability. Cisco Unified Communications Manager is prone to a denial-of-service vulnerability because it fails to handle malformed input. An attacker can exploit this issue to cause an interruption in voice services. This issue is documented by Cisco Bug ID CSCso75027. Cisco has released free software updates that address these vulnerabilities. There are no workarounds for these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml. Administrators of systems that are running CUCM versions 5.x and 6.x can determine the software version by viewing the main page of the CUCM administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI). No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco Unified Communications Manager (CUCM) is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, VoIP gateways, and multimedia applications. The CTI Manager service listens by default on TCP port 2748 and is not user-configurable. There is no workaround for this vulnerability. This vulnerability is fixed in CUCM versions 5.1(3c) and 6.1(2). Real-Time Information Server Data Collector Related Vulnerability The Real-Time Information Server (RIS) Data Collector service of CUCM versions 4.x, 5.x, and 6.x contains an authentication bypass vulnerability that may result in the unauthorized disclosure of certain CUCM cluster information. In normal operation, Real-Time Monitoring Tool (RTMT) clients gather CUCM cluster statistics by authenticating to a Simple Object Access Protocol (SOAP) based web interface. The SOAP interface proxies authenticated connections to the RIS Data Collector process. The RIS Data Collector service listens on TCP port 2556 by default and is user configurable. By connecting directly to the port that the RIS Data Collector process listens on, it may be possible to bypass authentication checks and gain read-only access to information about a CUCM cluster. The information available includes performance statistics, user names, and configured IP phones. This information may be used to mount further attacks. No passwords or other sensitive CUCM configuration may be obtained via this vulnerability. No CUCM configuration changes can be made. There is no workaround for this vulnerability. This vulnerability is fixed in CUCM versions 4.2(3)SR4, 4.3(2)SR1, 5.1(3), and 6.1(1). Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCso75027 - CTI Manager TSP Crash CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official Fix Report Confidence - Confirmed CSCsq35151 - RISDC Authentication Bypass CVSS Base Score - 5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official Fix Report Confidence - Confirmed CSCsj90843 - RISDC Authentication Bypass CVSS Base Score - 5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services or disclosure of information useful for reconnaissance. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco Unified CallManager 4.1 version administrators are encouraged to upgrade to CUCM version 4.2(3)SR4 in order to obtain fixed software. Version 4.2(3)SR4 can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280264388&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20CallManager%20Version%204.2&isPlatform=N&treeMdfId=278875240&modifmdid=null&imname=null&hybrid=Y&imst=N CUCM version 4.3(2)SR1 contains fixes for all vulnerabilities affecting CUCM version 4.3 listed in this advisory and is scheduled to be released in mid-July, 2008. Version 4.3(2)SR1 will be available for download at the following link: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280771554&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%204.3&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N CUCM version 5.1(3c) contains fixes for all vulnerabilities affecting CUCM version 5.x listed in this advisory. Version 5.1(3c) can downloaded at the following link: http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N CUCM version 6.1(2) contains fixes for all vulnerabilities affecting CUCM version 6.x listed in this advisory. Version 6.1(2) can be downloaded at the following link: http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N Workarounds =========== CTI Manager Related Vulnerability It is possible to mitigate the CTI Manager vulnerability (CSCso75027) by implementing filtering on screening devices. Administrators are advised to permit access to TCP port 2748 only from networks that contain systems running CTI-enabled applications. RIS Data Collector Related Vulnerability It is possible to mitigate the RIS Data Collector vulnerability (CSCsq35151 and CSCsj90843) by implementing filtering on screening devices. Administrators are advised to permit access to TCP port 2556 only from other CUCM cluster systems. It is possible to change the default port (TCP 2556) of the RIS Data Collector service. If changed, filtering should be based on the values used. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20080625-cucm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. We would like to thank VoIPshield for working with us towards the goal of keeping Cisco networks and the Internet, as a whole, secure. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-June-25 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/ products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/ go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIYmPu86n/Gc8U/uARAnjvAJ9P4Ph/Lcj8OcF1ptXKm75OHJeNuQCfdcS2 N0WGH2mNx0asIo4pzmCb4VE= =/vU7 -----END PGP SIGNATURE----- . PROVIDED AND/OR DISCOVERED BY: VoIPshield CHANGELOG: 2008-06-26: Added links to VoIPshield. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml VoIPshield: http://www.voipshield.com/research-details.php?id=64 http://www.voipshield.com/research-details.php?id=65 http://www.voipshield.com/research-details.php?id=66 http://www.voipshield.com/research-details.php?id=67 http://www.voipshield.com/research-details.php?id=68 http://www.voipshield.com/research-details.php?id=69 http://www.voipshield.com/research-details.php?id=70 http://www.voipshield.com/research-details.php?id=71 http://www.voipshield.com/research-details.php?id=72 http://www.voipshield.com/research-details.php?id=73 http://www.voipshield.com/research-details.php?id=74 http://www.voipshield.com/research-details.php?id=75 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

The Real-Time Information Server (RIS) Data Collector service in Cisco Unified Communications Manager (CUCM) before 4.2(3)SR4, and 4.3 before 4.3(2)SR1, allows remote attackers to bypass authentication, and obtain cluster configuration information and statistics, via a direct TCP connection to the service port, aka Bug ID CSCsq35151. The problem is Bug ID : CSCsq35151 It is a problem.Please refer to the “Overview” for the impact of this vulnerability. Attackers can exploit this issue to gain read-only access to potentially sensitive information about a CUCM cluster. Information harvested can aid in further attacks. The following versions of CUCM are affected: 4.2 prior to 4.2(3)SR4 4.3 prior to 4.3(2)SR1 5.0 prior to 5.1(3c) 6.0 prior to 6.1(2) Unified CallManager 4.1 versions are also affected. In normal operation, Real-Time Monitoring Tool (RTMT) clients collect CUCM cluster statistics by authenticating to the Simple Object Access Protocol (SOAP)-based web interface, which proxies the authenticated connection to the RIS data collector process. 1) An unspecified error in the Computer Telephony Integration (CTI) Manager service can be exploited to cause a DoS by sending a specially crafted packet to port 2748/TCP. information about performance statistics, user names, and configured IP phones. PROVIDED AND/OR DISCOVERED BY: VoIPshield CHANGELOG: 2008-06-26: Added links to VoIPshield. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml VoIPshield: http://www.voipshield.com/research-details.php?id=64 http://www.voipshield.com/research-details.php?id=65 http://www.voipshield.com/research-details.php?id=66 http://www.voipshield.com/research-details.php?id=67 http://www.voipshield.com/research-details.php?id=68 http://www.voipshield.com/research-details.php?id=69 http://www.voipshield.com/research-details.php?id=70 http://www.voipshield.com/research-details.php?id=71 http://www.voipshield.com/research-details.php?id=72 http://www.voipshield.com/research-details.php?id=73 http://www.voipshield.com/research-details.php?id=74 http://www.voipshield.com/research-details.php?id=75 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Safari before 3.1.2 on Windows does not properly interpret the URLACTION_SHELL_EXECUTE_HIGHRISK Internet Explorer zone setting, which allows remote attackers to bypass intended access restrictions, and force a client system to download and execute arbitrary files. Windows Edition Safari Is Internet Explorer There is a problem of automatically executing the downloaded file depending on the setting contents. As a result, a remote attacker may execute arbitrary code. Apple Safari is prone to a remote code-execution vulnerability. Successfully exploiting this issue will allow attackers to run arbitrary code with the privileges of the user running the affected application. This issue affects versions prior to Apple Safari 3.1.2 running on Microsoft Windows XP and Windows Vista. Safari is the web browser bundled by default in the Apple family operating system. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple Safari for Windows Multiple Vulnerabilities SECUNIA ADVISORY ID: SA30775 VERIFY ADVISORY: http://secunia.com/advisories/30775/ CRITICAL: Highly critical IMPACT: Exposure of sensitive information, System access WHERE: >From remote REVISION: 1.1 originally posted 2008-06-20 SOFTWARE: Safari for Windows 3.x http://secunia.com/product/17978/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Apple Safari, which can be exploited by malicious people to disclose sensitive information or to compromise a user's system. 1) A boundary error within the handling of BMP and GIF images can be exploited to trigger an out-of-bounds read and disclose content in memory. 3) An unspecified error in the handling of Javascript arrays can be exploited to cause a memory corruption when a user visits a specially crafted web page. SOLUTION: Update to version 3.1.2. http://www.apple.com/support/downloads/safari312forwindows.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Gynvael Coldwind, Hispasec 2) Will Dormann, CERT/CC 3) James Urquhart CHANGELOG: 2008-06-20: Added link to US-CERT. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT2092 US-CERT VU#127185: http://www.kb.cert.org/vuls/id/127185 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Open Scripting Architecture in Apple Mac OS X 10.4.11 and 10.5.4, and some other 10.4 and 10.5 versions, does not properly restrict the loading of scripting addition plugins, which allows local users to gain privileges via scripting addition commands to a privileged application, as originally demonstrated by an osascript tell command to ARDAgent. Successful exploits allow local attackers to execute arbitrary code with superuser privileges, completely compromising the affected computer. This issue is confirmed to affect Mac OS X 10.5 versions; earlier versions may also be vulnerable. A local attacker can invoke Mac OS X's ARDAgent via AppleScript (such as osascript). This vulnerability is currently being actively exploited by a Trojan named AppleScript.THT. Once the user is tricked into installing a malicious file with a Trojan horse, the Trojan horse will open file sharing, Web sharing, and remote login. The default file name of the Trojan is AStht_06.app, and the installation location is /Library/Caches. The problem is that "ARDAgent", which is owned by "root" and has the setuid bit set, can be invoked to execute shell commands via AppleScript (e.g. through "osascript"). This can be exploited to execute arbitrary commands with root privileges. SOLUTION: Grant only trusted users access to affected systems. PROVIDED AND/OR DISCOVERED BY: Reported in the Macshadows.com forums and via Slashdot. ORIGINAL ADVISORY: http://www.macshadows.com/forums/index.php?showtopic=8640 http://it.slashdot.org/article.pl?sid=08/06/18/1919224 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco Intrusion Prevention System (IPS) 5.x before 5.1(8)E2 and 6.x before 6.0(5)E2, when inline mode and jumbo Ethernet support are enabled, allows remote attackers to cause a denial of service (panic), and possibly bypass intended restrictions on network traffic, via a "specific series of jumbo Ethernet frames.". Cisco Intrusion Prevention System (IPS) There is a service disruption (DoS) An unknown vulnerability exists. An attacker can exploit this issue to cause a kernel panic and deny service for legitimate users. Versions prior to Cisco Intrustion Prevention System 5.1(8)E2 and 6.0(5)E2 are vulnerable. NOTE: This issue affects only platforms that contain gigabit network interfaces and are deployed in inline mode. Successful exploitation of the vulnerabilities described in this article could result in a denial of service over the network, requiring a power outage to resume operation. SOLUTION: Reportedly, fixed versions 5.1(8)E2 and 6.0(5)E2 will be available soon. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. This vulnerability may lead to a kernel panic that requires a power cycle to recover platform operation. Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml. To determine the version of software that is running on a Cisco IPS platform, log into the platform using the console or Secure Shell (SSH) and issue the show version command. sensor# show version Application Partition: Cisco Intrusion Prevention System, Version 6.0(4a)E1 To determine whether a Cisco IPS platform has interfaces configured for inline mode, log into the platform using the console or SSH and issue the show interfaces command. Look for paired interfaces in the Inline Mode statement of the command output. sensor# show interfaces ... MAC statistics from interface GigabitEthernet0/1 Interface function = Sensing interface Description = Media Type = TX Missed Packet Percentage = 0 Inline Mode = Paired with interface GigabitEthernet0/0 ... MAC statistics from interface GigabitEthernet0/0 Interface function = Sensing interface Description = Media Type = TX Missed Packet Percentage = 0 Inline Mode = Paired with interface GigabitEthernet0/1 Products Confirmed Not Vulnerable +-------------------------------- The following Cisco IPS platforms are not vulnerable: * 4210 * 4215 * SSM-AIP10 * SSM-AIP20 * SSM-AIP40 * AIM-IPS * NM-CIDS * IDSM2 Cisco IPS version 6.1(1) is not vulnerable. No other Cisco products are currently known to be affected by this vulnerability. Jumbo Ethernet support is usually deployed in data center environments to increase inter-server communication performance and is not a default configuration for Cisco routers and switches. If they are configured to use bypass mode to allow traffic to pass in the event of a system failure, all Cisco IPS platforms will fail to forward traffic except for the 4260 and 4270 platforms. The Cisco IPS 4260 and 4270 platforms contain a hardware bypass feature that allows them to pass network traffic in the event of a kernel panic or power outage. They will pass traffic by default if the hardware bypass feature is engaged. This vulnerability is documented in Cisco Bug ID CSCso64762 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-2060. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCso64762 - IPS Jumbo frame not processed properly CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may result in a network denial of service condition. A power cycle is required to recover operation. An attacker may be able to evade access controls and detection of malicious activity in the case of Cisco IPS 4260/4270 platforms that have hardware bypass configured to pass traffic in the event of a kernel panic. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. This vulnerability is fixed in Cisco IPS versions 5.1(8)E2 and 6.0(5) E2 that are expected to be available for download by June 20, 2008. Fixed software Cisco IPS version 5.1(8)E2 will be available at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/ips5?psrtdcat20e2 Fixed software Cisco IPS version 6.0(5)E2 will be available at the following link: http://www.cisco.com/pcgi-bin/tablebuild.pl/ips6?psrtdcat20e2 Workarounds =========== To workaround this vulnerability, administrators can disable jumbo Ethernet support on routers and switches directly that are connected to vulnerable Cisco IPS platforms. This workaround may produce a negative performance impact in certain environments. Administrators are encouraged to upgrade to fixed software. For more information about configuring Jumbo frames on Cisco switches, please reference the following link: http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows: * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco by HD Moore of BreakingPoint Systems. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients: * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-June-18 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -----BEGIN PGP SIGNATURE----- iD8DBQFIWTYs86n/Gc8U/uARAn3FAKCIkVy8TfwwoKE3pFjMfRMyZN4+SACghKEB Vb2Ngh4ALQrSRsWdWiy/2u4= =IvlU -----END PGP SIGNATURE-----

dne2000.sys in Citrix Deterministic Network Enhancer (DNE) 2.21.7.233 through 3.21.7.17464, as used in (1) Cisco VPN Client, (2) Blue Coat WinProxy, and (3) SafeNet SoftRemote and HighAssurance Remote, allows local users to gain privileges via a crafted DNE_IOCTL DeviceIoControl request to the \\.\DNE device interface. Deterministic Network Enhancer (DNE) Contains an elevation of privilege vulnerability. As a result, local users Windows Arbitrary code may be executed with kernel privileges. Deterministic Networks Provided by Deterministic Network Enhancer (DNE) Is Microsoft Windows This product is an extension of the network stack. DNE Is Cisco VPN Client It is used by multiple products. DNE Driver dne2000.sys Contains an elevation of privilege vulnerability. For details, refer to the information provided by each vendor.Local users Windows Arbitrary code may be executed with kernel privileges. Successful attacks will completely compromise affected computers. DNE 'dne2000.sys' 2.21.7.233 to 3.21.8 are vulnerable; other versions may also be affected. There is a loophole in the implementation of the DNE driver. The vulnerability is reported in dne2000.sys versions 2.21.7.233 to 3.21.7.17464. SOLUTION: Grant only trusted users access to affected systems. PROVIDED AND/OR DISCOVERED BY: mu-b ORIGINAL ADVISORY: http://www.digit-labs.org/files/exploits/dne2000-call.c ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the e1000g driver in Sun Solaris 10 and OpenSolaris before snv_93 allows remote attackers to cause a denial of service (network connectivity loss) via unknown vectors. Sun Solaris of e1000g The driver has a service disruption (DoS) Vulnerabilities exist.Service disruption by a malicious local user (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to block all inbound network packets on the affected system, resulting in a denial-of-service condition. This issue affects Solaris 10 and OpenSolaris for SPARC and x86 platforms. This can be exploited to block all incoming traffic to the system. SOLUTION: Apply patches. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://sunsolve.sun.com/search/document.do?assetkey=1-66-238250-1 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in the embedded web server in Xerox 4110, 4590, and 4595 Copier/Printers allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. The webserver in multiple Xerox copier/printer models is prone to an unspecified HTML-injection vulnerability because it fails to properly sanitize user-supplied input. Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible. The following Xerox copier/printer models are affected: Xerox 4110 Xerox 4590 Xerox 4595. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Xerox Copier/Printer Products Web Server Unspecified Script Insertion SECUNIA ADVISORY ID: SA30639 VERIFY ADVISORY: http://secunia.com/advisories/30639/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From local network OPERATING SYSTEM: Xerox 4110 Copier/Printer http://secunia.com/product/19057/ Xerox 4590 Copier/Printer http://secunia.com/product/19056/ Xerox 4595 Copier/Printer http://secunia.com/product/19058/ DESCRIPTION: A vulnerability has been reported in some Xerox Copier/Printer products, which can be exploited by malicious people to conduct script insertion attacks. Certain unspecified input in the Web Server is not properly sanitised before being used. The vulnerability affects the following products: * Xerox 4110 Copier/Printer * Xerox 4590 Copier/Printer * Xerox 4595 Copier/Printer SOLUTION: Apply updates (see vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: The vendor credits Louhi Networks. ORIGINAL ADVISORY: XRX08-007: http://www.xerox.com/downloads/usa/en/c/cert_XRX08_007.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in the ODBC server service in Citect CitectSCADA 6 and 7, and CitectFacilities 7, allows remote attackers to execute arbitrary code via a long string in the second application packet in a TCP session on port 20222. Citect Made by company CitectSCADA Contains a buffer overflow vulnerability. Citect CitectSCADA Is SCADA (Supervisory Control And Data Acquisition) Software used for monitoring and control in the system. CitectSCADA Contains a buffer overflow vulnerability because it cannot properly handle crafted requests from clients.Arbitrary code is executed by a remote party or service operation is interrupted (DoS) There is a possibility of being attacked.  Citect SCADA and CitectFacilities include ODBC server functionality to provide remote SQL access to relational databases. The ODBC server component listens to client requests from the network on the port 20222 / tcp by default. The application layer protocol on TCP reads the 4-byte initial message to specify the length of the data in the next message, and then sockets from the same TCP. Word reads the next message of this length, where the first 5 bytes are a fixed header. After the second message in the network is read into the buffer, the data is copied to a fixed-size internal buffer on the stack.  Due to the lack of a correct length check of the data read, memory copy operations using fixed-size target buffers allocated on the stack may overflow, allowing unauthenticated remote attackers to execute arbitrary instructions on the vulnerable system . CitectSCADA is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks will likely cause denial-of-service conditions. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Citect Products ODBC Server Component Buffer Overflow SECUNIA ADVISORY ID: SA30638 VERIFY ADVISORY: http://secunia.com/advisories/30638/ CRITICAL: Moderately critical IMPACT: DoS, System access WHERE: >From local network SOFTWARE: CitectFacilities 7.x http://secunia.com/product/19043/ CitectSCADA 6.x http://secunia.com/product/19041/ CitectSCADA 7.x http://secunia.com/product/19042/ DESCRIPTION: Core Security Technologies has reported a vulnerability in CitectSCADA and CitectFacilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. The vulnerability is reported in the following versions: * CitectSCADA v6 * CitectSCADA v7 * CitectFacilities v7 SOLUTION: Contact the vendor for patches. PROVIDED AND/OR DISCOVERED BY: Sebasti\xe1n Mu\xf1iz, Core Security Technologies ORIGINAL ADVISORY: CORE-2008-0125: http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2186 OTHER REFERENCES: US-CERT VU#476345: http://www.kb.cert.org/vuls/id/476345 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ~ Core Security Technologies - CoreLabs Advisory ~ http://www.coresecurity.com/corelabs/ ~ CitectSCADA ODBC service vulnerability *Advisory Information* Title: CitectSCADA ODBC service vulnerability Advisory ID: CORE-2008-0125 Advisory URL: http://www.coresecurity.com/?action=item&id=2186 Date published: 2008-06-11 Date of last update: 2008-06-10 Vendors contacted: Citect Release mode: Coordinated release *Vulnerability Information* Class: Buffer overflow Remotely Exploitable: Yes Locally Exploitable: Yes Bugtraq ID: 29634 CVE Name: CVE-2008-2639 *Vulnerability Description* Citect is a supplier of industrial automation software with headquarters in Australia and over 20 offices in Oceania, South East Asia, China, Japan, the Americas, Europe, Africa and the Middle East. Citect's products are distributed in over 80 countries through a network of more than 500 partners. According to Citect's website [1] the company, a fully owned subsidiary of Schneider Electric, has more than 150,000 licenses of its software sold to date. Citect's products are used by organizations worldwide in numerous industries including Aerospace & Defense, Oil & Gas, Power/Utilities, Chemical, Pharmaceutical, Manufacturing and others. with an integrated Human Machine Interface (HMI) / SCADA solution to deliver a scalable and reliable control and monitoring system. The system is composed by software installed on standard computer equipment running on commercial-of-the-shelf Microsoft Windows operating systems. To accomplish such goal the would-be attacker must be able to connect to the vulnerable service on a TCP high-port. *Vulnerable Packages* . CitectSCADA v6 . CitectSCADA v7 . CitectFacilities v7 *Non-vulnerable Packages* . Contact the vendor for fixed versions of the product. *Vendor Information, Solutions and Workarounds* In general process control networks should be physically isolated from corporate or other publicly accessible data networks as such an isolated network will limit the exposure of systems with network facing vulnerabilities only to accidental disruption or potentially malicious users or systems within the process control network itself. However, if physical isolation of the process control network is not feasible it is strongly recommended to enforce and monitor strict network access control mechanisms to verify that only the absolute minimal required set of systems from both within and outside the process control network are allowed to connect to any systems within the process control network. In this particular case, access control mechanisms on both end-systems and network boundary devices such as firewalls and IPSes must ensure that only hardened and trusted systems from that minimal set can connect to systems in the process control network running potentially vulnerable software. Nonetheless systems on that minimal set must still be considered potential attack vectors into the process control network and should they become compromised, providers of transitive trust from the process control network to external untrusted systems. Besides the recommendation of a secure network architecture with strict network access control measures, OS hardening and other sound system administration practices a specific workaround for the vulnerability reported in this advisory is provided below. The vulnerability is located in the ODBC server service, vulnerable organizations that do not require ODBC connectivity may disable the service with no adverse effects to the CitectSCADA software. Installations that require ODBC connectivity to SQL databases, spreadsheets, etc. will suffer loss of connection with ODBC data sources if this workaround is applied. Vulnerable organizations should obtain positive verification that ODBC connectivity is not necessary in their installation and prepare appropriate contingency procedures before the workaround is applied. Vendor statement: CitectSCADA is not designed to be accessible on public networks and recommends that the SCADA and control networks be protected by firewall or similar on live sites. The system must be network hardened regardless of the corrupt packet software change to ensure a secure system given the likelihood that on the same network are open industry standard protocol devices perhaps communicating via ethernet. Please follow this link on Citect website under "Industries and Solutions" for security, that provides some information for customers interested in securing their SCADA systems: http://www.citect.com/index.php?option=com_content&task=view&id=186&Itemid=322 *Credits* This vulnerability was discovered and researched by Sebastian Mu\xf1iz from the Core IMPACT Exploit Writers Team (EWT) at Core Security Technologies. Exploitation was further investigated by Nicolas Economou also from the Core IMPACT Exploit Writers Team (EWT). Core would also like to thank Paul Fahey of AusCERT, Gaston Franco and Patricia Prandini of ArCERT and Art Manion and Chris Taschner of CERT/CC for their assistance during the vulnerability reporting process. This bug is a textbook example of a classic stack-based buffer overflow that can be exploited by overwriting the return address of the currently running thread. The following binary excerpt shows the nature of the problem: /----------- ~ .text:0051BC33 loc_51BC33: ~ .text:0051BC33 lea ecx, [ebp+pDestBuffer] ~ .text:0051BC39 push ecx ; stack based buffer ~ .text:0051BC3A mov edx, [ebp+arg_0] ~ .text:0051BC3D push edx ; class that contains packet ~ .text:0051BC3E call sub_52125A ; memcpy - -----------/ *Report Timeline* . 2008-01-30: Initial contact mail sent by Core to Citect's support team. 2008-01-30: Additional mail sent to Citect support team asking for a software security contact at Citect. 2008-01-30: Email from Citect's support team acknowledging notification and requesting information in plaintext. 2008-02-06: Core sends the draft advisory, including proof of concept code to demonstrate the vulnerability. 2008-02-28: Core requests a response from the vendor and asks for the vendor's plan to release fixes to vulnerable products. 2008-03-06: Email from the vendor's technical architect confirms reception of the report and indicating that there are not concerns around publication of a security advisory disclosing the vulnerability. The vendor asks for a phone conference to ensure that both Core and Citect have a common understanding of the issue and expresses the possibility of adding additional information to the advisory. The vendor also states that it will formulate a plan for handling this issue. 2008-03-12: Core asks to continue the discussion concerning the vulnerability by mail so as to have all the involved parties informed simultaneously and all communications documented. Core requests confirmation that the vendor has been able to reproduce the vulnerability and requests details concerning the plan to release fixes and asks for the additional information that the vendor would like to include in the advisory (in the "vendor information" section). Core reminds the vendor that the original publication date of the advisory was February 25th and states that the publication of the advisory is now re-scheduled to March 24th because fixed versions were not available at the date initially scheduled. 2008-03-25: Vendor confirms that it reproduced and identified the vulnerability and indicates that the official stance is that CitectSCADA is not designed to be accessible on public networks and recommends that SCADA and control networks are protected by firewalls and other security measures on live sites. The vendor also states that it has no immediate plans to support CitectSCADA on public networks but is investigating the possibility of having a security audit of the product. 2008-03-25: Core notifies the vendor the intention to release the advisory on March 26th given that the vendor has no immediate plans for fixing the vulnerability. 2008-03-26: Core consults under NDA with a process control security expert to obtain a better understanding of the scope and impact of the vulnerability. The specific technical details about the vulnerability are not disclosed, only the general type of bug and the specific TCP port on which the vulnerable service listens are discussed. 2008-04-02: Core revisits its current plan to disclose the vulnerability and decides to get Computer Emergency Response Teams (CERTs) involved in the process. Core notifies the vendor that it will postpone the publication of the advisory, and that it will contact the Computer Emergency Response Teams (CERTs) of countries were Core has physical offices (Argentina and USA) and the country were Citect has its headquarters (Australia). Core will then determine the contents and date of publication for the security advisory based on further communication with the vendor and CERTs and more precise details that the vendor may provide regarding availability of fixes. 2008-04-02: Core notifies the vendor that it will contact the CERTs of Australia, USA and Argentina. Core reminds the vendor that the vulnerability reported is a classic example of a stack-based buffer overflow bug trivial to exploit in present times and that although the previous email from the vendor provided a vague statement indicating that "the scenario is under consideration for the next release", to date there has not been any concrete details about development and release of fixes or a firm commitment to any specific date to release them. 2008-04-08: Core sends an initial notification to AusCERT, CERT/CC and ArCert including a draft advisory describing the bug and the vendor's contact information, requesting an acknowledgement within 2 working days. 2008-04-08: AusCERT acknowledges reception of the advisory . 2008-04-09: ArCERT acknowledges reception of the advisory . 2008-04-10: CERT/CC acknowledges reception of the advisory on a phone call . 2008-04-10: AusCERT notifies Core that so far it has not been able to contact the vendor and asks for approval to disseminate the information to the Australian government and other national and international entities overlooking national infrastructure security. AusCERT also asks if CORE intends to publish the advisory and if so requests some time to be able to notify affected organizations. Meanwhile AusCERT indicates that it will continue to try to work with the vendor. 2008-04-10: Core responds that it has no problems with AusCERT notifying other parties that may be able to better prepare risk mitigation procedures and/or work more closely with the vendor towards development and release of a fix. However, Core asks to keep the dissemination of the information to a minimum in order to avoid a potential leak. Core indicates that it has asked the vendor to provide concrete details about how and when it plans to address the issue and that based on the response to that question it will determine a publication date for the security advisory. Lacking a response from the vendor, Core will determine the publication date based on the feedback received from the CERTs and the progress of their preparations to address the report. 2008-04-10: AusCERT asks if it is ok to contact other CERTs and international government communities to make them aware of the issue and to ensure everyone is prepared when the report is published. 2008-04-10: Core response indicating that it is ok to contact any organization that AusCERT deems relevant for the stated purpose . 2008-04-10: ArCert reports that it will start gathering information about appropriate organizations in Argentina to report the problem and start contacting them. 2008-04-11: CERT/CC reports that US-CERT has been made aware of the issue and will be kept updated going forward. If AusCERT is already in contact with the vendor CERT/CC will standby and follow AusCERT's lead. 2008-04-14: AusCERT reports that after several communication attempts the vendor said that it will address the issue in the next release of the product (by mid-year) and release a patch in a couple of months. However, the information is not to be considered an official statement and there is no official indication of a plan to provide immediate resolution. 2008-04-14: CERT/CC asks if Core will publish the advisory before mid-year and states concerns about the potential time elapsed between advisory publication and release of the fix. CERT/CC will likely put out information soon after Core does and expresses its interest to receive more information from the vendor regarding their response plan. 2008-04-14: AusCERT notes that Core has given the CERTs the time to notify possibly affected organizations before the report is published and requests any specific questions to be asked to the vendor. 2008-04-14: Core states that it is entirely possible to re-visit the publication date of the report (which has been done twice so far) but to do so Core requires concrete details and a committed date for the release of a fix noting that it wasn't until AusCERT's email from April 14th that the possibility that the vendor would release of a patch seemed realistic. Core is willing to postpone publication of the report provided that the vendor commits to release a fix no later than June 30th (the upper bound to the promised mid-year deadline indicated by the vendor). Core also reminds the CERTs that its intent in notifying them of the bug was to help to coordinate a way to address the bug should an official patch or fix is not made available by the vendor. 2008-04-24: Core sends an email to the 3 CERTs requesting a status update and any further details about the availability of fixes. Core would like to set a final date for the publication of its report. 2008-04-28: AusCERT indicates that after several calls and messages, the vendor has stated that it does not publish specific release schedules for updates and does not indicate what will or will not be their contents and that once a release is finalized all relevant materials are updated to reflect that fact. AusCERT asks about Core's plans regarding the issue. 2008-04-28: CERT/CC suggests that in light of the vendor statement one last effort should be attempted, setting a date for publication one or two weeks into the future and presenting the final drafts of the report to the vendor. 2008-04-28: Core sets the advisory publication date to May 12th and indicates to the three CERTs that the date is considered final unless concrete details about a patch release schedule are communicated no later than May 8th. The vendor has already been sent drafts of the advisory, the last one sent on March 25th, and Core has little confidence that the current status process will change in a positive manner. Core will consider the time up to May 12th as a period to finalize the preparation of guidance documents about how to deal with the issue without an official fix available. Should such a document be provided, Core is willing and open to include its recommendations in the security advisory. 2008-05-06: Core informs the CERTs that it is still editing its security advisory and that once the final draft is ready it will be sent for review to the vendor and the CERTs before it is published. Core informs that it will also issue a press release disclosing the issue and invites spokesmen from any of the CERTs to participate with a quote should they want to do so. 2008-05-08: CERT/CC acknowledges Core's email and thanks for the update indicating that it will not participate in a press release. 2008-05-14: Core sends its final draft of the security advisory to Citect and the 3 CERTs indicating that the publication date is set to May 19th, 2008 at approximately 3pm UTC. Should the vendor or the CERTS have any official comments or statements or workarounds that they would like to be included in Core's advisory they must be provided them by email no later than Friday May 16th 2008 at 9pm (UTC). 2008-05-15: Email from the vendor indicating the Citect has allocated resources to address the issue and is pleased to advise that a patch will be available by the end of May. The vendor assumes that publication of the advisory will be postponed given Core's previous email from April 14th stating that it is willing to review the publication date if the vendor commits to releasing a fix no later than June 30th. 2008-05-16: Email from CERT/CC asking about Core's plan to publish the advisory and stating that CERT/CC is inclined to hold off publication for a couple of weeks provided that Core does the same. JPCERT has been informed of the vulnerability to prepare for the upcoming disclosure. 2008-05-16: Core sends email to Citect and the three CERTs stating that publication of the advisory has been re-scheduled to June 2nd 2008 and reiterating that should the vendor want to include additional information or specific pointers to the patch it should be provided at least a day in advance. 2008-05-28: Core sends a follow up to the email sent on May 16th requesting confirmation that Citect is on track to release fixes for the vulnerability. Core had re-scheduled publication of the security advisory to June 2nd, 2008 (next Monday) and wants to confirm that software fixes will be ready to roll out and to provide the opportunity to include in the advisory any official guidelines on how to obtain them and/or any alternative workarounds to the problem. Specific questions about the potential workaround of disabling the vulnerable service are sent to the vendor as well as a request to provide a list of both vulnerable and not vulnerable packages. This information should be received no later than Friday June 30th, 2008 at 1pm UTC. 2008-06-01: Email received from the vendor stating: "The fix is on track and is currently in code review and testing stage. We will advise when and how the patch will be released". 2008-06-01: Core asks if the vendor has a concrete estimated date for the patch release. It is noted that publication of the security advisory was re-scheduled to June 2nd, 2008 on the basis of the vendor's commitment to release fixes "by the end of May" as indicated in the vendor's email from May 15th 2008. May is already past and Core still has no concrete details about when and how the fixes will be available. Core also notes that the previous email from May 28th 2008 had specific questions that may help craft guidance and recommendations for vulnerable organizations to mitigate risk due to the vendor's software security exposure and asks if the vendor is able to provide answers to those specific inquires. Core also states that it would like to discuss with the CERTs any specific details and information about their plans to address this issue in the upcoming week. In the absence of concrete fix details and workarounds from the vendor Core would like to coordinate with CERTs the dissemination of information to help reduce risk to vulnerable organizations worldwide. 2008-06-01: AusCERT indicates that it's ready for the publication and that it will publish its own report after Core has done so. 2008-06-04: Email from CERT/CC asking for a status update from Core and noting that neither the vendor patches nor Core's advisory have been published by June 2nd as planned. CERT/CC is ready to publish information about the issue and is willing to do so on Core's timetable. 2008-06-04: Citect informs that the patch for the reported issue has been completed at the code level and is being QA tested. The timing of software releases is a company commercial decision, and no guarantee of delivery dates is given. However, the vendor anticipates the patch will be published on its website in the next day or so, assuming QA approval is given. The vendor informs that the suggested workaround of disabling the ODBC server is viable for users that do not need this functionality (most users of CitectSCADA) and would not affect the operation of the software in any other way. The vendor states that "Although this patch will be made available to our supported customers, Citect maintains the stated stance that under NO circumstances should any SCADA/PLC/DCS/RTU/Process Control network should ever be exposed unprotected to the internet. The network should either be securely firewalled or better still isolated, or otherwise protected using approved IT security methodology. Citect has previously published security recommendations in a whitepaper located on our website at http://www.citect.com/documents/whitepapers/SCADA%20Security%20Whitepaper.pdf "SECURING AN INTEGRATED SCADA SYSTEM - Network Security & SCADA Systems Whitepaper". The vendor also indicates that "copies of the security alert report appear to have been circulated before the advised date of publication, contrary to the undertaking given to Citect." . 2008-06-04: Core's email to Citect, AusCERT, CERT/CC and ArCert informing them that publication of the security advisory has now been re-scheduled to June 11th 2008. The date is final. The advisory will include references to the vendor's security recommendations and white paper as well as the proposed workaround. Core also indicates that to date the company has not published any report about the issue and has no indication of any such reports circulating "in the wild" but cannot discard that as a possibility given that the vendor's lack of proper secure communications procedures forced all the involved parties to communicate without any form of email encryption and that those communications have occurred over a public network such as the Internet for a period of over 4 months. 2008-06-04: Email from CERT/CC indicating that it will too publish a report on June 11th also noting the importance of sound system administration practices such as disabling unneeded features and a secure network architecture. CERT/CC agrees on the need of isolated or otherwise secured process control networks but indicates that in practice that is not always the case. Further information about any potential information leak is requested. 2008-06-10: Final draft of the advisory sent to Citect and CERTs, asking for confirmation that patches are now available. 2008-06-10: Citect confirms that patches are available to customers upon request and reiterates that the vendor's official stance is that the control network must be secured, and customers requesting the patch will be offered advice and links on how to do this. 2008-06-10: CERT/CC asks for any official guidance or wording that could be used in documents to direct readers appropriately. For example, an URL to a support/contact web site, or a case number. 2008-06-11: Security advisory CORE-2008-0125 published. *References* [1] Citect Corporate Profile http://www.citect.com/index.php?option=com_content&task=view&id=94&Itemid=151 *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. *Disclaimer* The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. *GPG/PGP Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkhP2lEACgkQyNibggitWa29yQCdHfYtgLzOvys9Msi95eqF8H/X ADEAoKB9r52U9KXlEvBn5GgCaqXqC8OG =5qtX -----END PGP SIGNATURE-----

Unspecified vulnerability in the Interstage Management Console, as used in Fujitsu Interstage Application Server 6.0 through 9.0.0A, Apworks Modelers-J 6.0 through 7.0, and Studio 8.0.1 and 9.0.0, allows remote attackers to read or delete arbitrary files via unspecified vectors. Very few technical details are currently available. We will update this BID as more information emerges. Please see the vendor's advisory for a list of affected products and versions. SOLUTION: Please see the vendor's advisory for workaround details. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200805e.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte. SNMPv3 The implementation of contains an authentication bypass vulnerability because it does not properly handle crafted packets. SNMP (Simple Network Management Protocol) Is a widely used protocol for monitoring and managing network devices. SNMPv3 Supports security features such as authentication and privacy control. SNMPv3 In the authentication of HMAC (keyed-Hash Message Authentication Code) Is used. This code is generated by combining a private key and a cryptographic hash function. SNMPv3 Depending on the implementation of, there is a possibility that authentication may be bypassed by processing specially crafted packets due to vulnerability in authentication processing.By remote third party SNMP The object may be read or modified. Net-SNMP is prone to a remote authentication-bypass vulnerability caused by a design error. Successfully exploiting this issue will allow attackers to gain unauthorized access to the affected application. Net-SNMP 5.4.1, 5.3.2, 5.2.4, and prior versions are vulnerable. The software is used to monitor network equipment, computer equipment, UPS equipment, etc. Net-SNMP's authentication code depends on the length of the HMAC length specified in the user input to read the length to be checked. If the user provides a single-byte HMAC code in the authentication code field, only the first byte will be checked, so there will be a 1/256 probability of matching the correct HMAC and Through authentication, this greatly improves the success rate of brute force guessing. An attacker could exploit this vulnerability to read and modify any SNMP object accessible using the authenticated credentials logged into the system. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: SNMP Version 3 Authentication Vulnerabilities Document ID: 107408 Advisory ID: cisco-sa-20080610-snmpv3 http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml Revision 1.0 For Public Release 2008 June 10 1600 UTC (GMT) - --------------------------------------------------------------------- Summary ======= Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the vulnerabilities described in this document. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities. Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has also been assigned to these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml Affected Products ================= Vulnerable Products +------------------ The following Cisco products are vulnerable. * Cisco IOS * Cisco IOS-XR * Cisco Catalyst Operating System (CatOS) * Cisco NX-OS * Cisco Application Control Engine (ACE) Module * Cisco ACE Appliance * Cisco ACE XML Gateway * Cisco MDS 9000 Series Multilayer Fabric Switches Note: The SNMP server is disabled by default. These vulnerabilities only impact devices that are configured for SNMPv3. To determine the version of SNMP configured in Cisco IOS, CatOS and IOS-XR, log in to the device and issue the show snmp group command. The security model field indicates the version of SNMP configured. The output "usm" is the abbreviation for user-based security model and this indicates SNMPv3 is configured. Cisco IOS router#show snmp group groupname: test security model:v3 noauth readview : v1default writeview: <no writeview specified> notifyview: <no notifyview specified> row status: active Cisco CatOS 5500-1 (enable) show snmp group Security Model: v3 Security Name: userv3 Group Name: groupv3 Storage Type: nonvolatile Row Status: active Cisco IOS-XR RP/0/RP0/CPU0:ios#show snmp group groupname: test security model:usm readview : v1default writeview: - notifyview: v1default row status: nonVolatile IronPort +------- IronPort C-Series, X-Series, and M-Series appliances utilize code covered by this advisory, but are not susceptible to any security risk. IronPort C-Series, X-Series, and M-Series incorporate the libraries under the advisory to provide anonymous read-only access to system health data. There is no risk of escalated authorization privileges allowing a 3rd party to make any configuration changes to the IronPort devices. IronPort S-Series and Encryption Appliances are not affected by this advisory. This announcement has also been posted on the IronPort Support Portal, available to IronPort customers: https://supportportal.ironport.com/irppcnctr/srvcd?u=http://secure-support.soma.ironport.com/announcement&sid=900016 Products Confirmed Not Vulnerable +-------------------------------- The following Cisco products are confirmed not vulnerable: * Cisco PIX Security Appliances * Cisco ASA Security Appliances * Cisco Firewall Services Module (FWSM) * Cisco Security Monitoring, Analysis, and Response System (MARS) * Cisco Network Admission Control (NAC) Appliance * CiscoWorks Wireless LAN Solution Engine (WLSE) No other Cisco products are currently known to be affected by these vulnerabilities. There are three general types of SNMP operations: "get" requests to request information, "set" requests that modify the configuration of a remote device, and "trap" messages that provide a monitoring function. SNMP requests and traps are transported over User Datagram Protocol (UDP) and are received at the assigned destination port numbers 161 and 162, respectively. SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network. RFC2574 defines the use of HMAC-MD5-96 and HMAC-SHA-96 as the possible authentication protocols for SNMPv3. This advisory identifies two vulnerabilities that are almost identical. Both are specifically related to malformed SNMPv3 packets that manipulate the Hash Message Authentication Code (HMAC). The two vulnerabilities may impact both Secure Hashing Algorithm-1 (SHA-1) and Message-Digest Algorithm 5 (MD5). The vulnerabilities described in this document can be successfully exploited using spoofed SNMPv3 packets. These vulnerabilities are documented in the following Cisco Bug IDs: * CSCsf04754 - IOS SNMPv3 HMAC Authentication issue * CSCsf30109 - IOS-XR SNMPv3 HMAC Authentication issue * CSCsf29976 - CatOS SNMPv3 HMAC Authentication issue * CSCsq62662 - ACE XML Gw SNMPv3 HMAC Authentication issue * CSCsq60664 - ACE Appliance SNMPv3 HMAC Authentication issue * CSCsq60695 - ACE Module SNMPv3 HMAC Authentication issue * CSCsq60582 - Nexus SNMPv3 HMAC Authentication issue Note: Although multiple software defects are listed, this advisory only identifies two vulnerabilities. Because different Cisco products require their own fixes, additional Bug IDs have been assigned. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsf04754 - IOS SNMPv3 HMAC Authentication issue - ----------------------------------------------------- CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsf30109 - IOS-XR SNMPv3 HMAC Authentication issue - -------------------------------------------------------- CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsf29976 - CatOS SNMPv3 HMAC Authentication issue - ------------------------------------------------------- CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsq62662 - ACE XML Gw SNMPv3 HMAC Authentication issue - ------------------------------------------------------------ CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.7 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsq60664 - ACE Appliance SNMPv3 HMAC Authentication issue - --------------------------------------------------------------- CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.4 Exploitability - Functional Remediation Level - Workaround Report Confidence - Confirmed CSCsq60695 - ACE Module SNMPv3 HMAC Authentication issue - ------------------------------------------------------------ CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.4 Exploitability - Functional Remediation Level - Workaround Report Confidence - Confirmed CSCsq60582 - Nexus SNMPv3 HMAC Authentication issue - ------------------------------------------------------- CVSS Base Score - 9.3 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.4 Exploitability - Functional Remediation Level - Workaround Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities could result in the disclosure of sensitive information on a device or allow an attacker to make configuration changes to a vulnerable device that is based on the SNMP configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) names a Cisco IOS release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +---------------------------------------+ | Affected | Affected | First | | Product | Release | Fixed | | | | Release | |-----------------+----------+----------| | | 6.x | 6.4(23) | | |----------+----------| | Cisco Catalyst | 7.x | 7.6(19) | |Operating |----------+----------| | System (CatOS) | 8.5.x | 8.5(7) | | |----------+----------| | | 8.6.x | 8.6(1) | +---------------------------------------+ Cisco IOS XR +----------- The following table lists fixed Cisco IOS XR software. +---------------------------------------------------+ | Cisco | | | | IOS XR | SMU ID | SMU Name | | Version | | | |---------+------------+----------------------------| | 3.2.2 | AA01681 | hfr-base-3.2.2.CSCsf30109 | |---------+------------+----------------------------| | 3.2.3 | AA01682 | hfr-base-3.2.3.CSCsf30109 | |---------+------------+----------------------------| | 3.2.4 | AA01683 | hfr-base-3.2.4.CSCsf30109 | |---------+------------+----------------------------| | 3.2.6 | AA01684 | hfr-base-3.2.6.CSCsf30109 | |---------+------------+----------------------------| | 3.3.0 | AA01685 | hfr-base-3.3.0.CSCsf30109 | |---------+------------+----------------------------| | 3.3.0 | AA01690 | c12k-base-3.3.0.CSCsf30109 | |---------+------------+----------------------------| | 3.3.1 | AA01686 | hfr-base-3.3.1.CSCsf30109 | |---------+------------+----------------------------| | 3.3.1 | AA01688 | c12k-base-3.3.1.CSCsf30109 | |---------+------------+----------------------------| | 3.3.2 | Not | Not vulnerable | | | vulnerable | | |---------+------------+----------------------------| | 3.4.x | Not | Not vulnerable | | | vulnerable | | +---------------------------------------------------+ Cisco NX-OS +---------- The following table lists fixed Cisco NX-OS software. +----------------------------------------+ | Affected | Affected | First Fixed | | Product | Release | Release | |-----------+-----------+----------------| | Cisco | | 4.0.(2) | | NX-OS | 4.0.(1)a | Available June | | | | 2008 | +----------------------------------------+ Cisco ACE Products +----------------- The following table lists fixed Cisco Application Control Engine (ACE) software. +---------------------------------------+ | Affected | Affected | First | | Product | Release | Fixed | | | | Release | |----------------+----------+-----------| | | 3.0(0)A1 | | | Cisco | (6.x) | | | Application | | A2(1.1) | | Control Engine | A2(1.0) | | | (ACE) Module | | | | | A2(1.0a) | | |----------------+----------+-----------| | | A1(7.0) | | | | | | | Cisco | A1(7.0a) | | | Application | | | | Control Engine | A1(7.0b) | A1(8.0a) | | (ACE) | | | | Appliance | A1(7.0c) | | | | | | | | A1(8.0) | | |----------------+----------+-----------| | Cisco | 4.x | | | Application | | 6.0.1 | | Control Engine | 5.x | Available | | (ACE) XML | | June 2008 | | Gateway | 6.0 | | +---------------------------------------+ Cisco MDS software +----------------- The following table lists fixed Cisco MDS Multilayer Switch software. +---------------------------------------+ | Affected | Affected | First Fixed | | Product | Release | Release | |-----------+-----------+---------------| | | 2.1 | | | Cisco MDS | | 3.4.1 | | 9000 | 3.0 | Available | | | | June 2008 | | | 3.2 | | +---------------------------------------+ Workarounds =========== The following workarounds have been identified for these vulnerabilities. Infrastructure Access Control Lists +---------------------------------- Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that should never be allowed to target infrastructure devices and block that traffic at the border of networks. Infrastructure Access Control Lists (iACLs) are a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for these specific vulnerabilities. The iACL example below should be included as part of the deployed infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP address range: Note: UDP port 161 is applicable for all versions of SNMP. !--- Permit SNMP UDP 161 packets from !--- trusted hosts destined to infrastructure addresses. access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 161 !--- Deny SNMP UDP 161 packets from all !--- other sources destined to infrastructure addresses. access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161 !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance !--- with existing security policies and configurations !--- Permit all other traffic to transit the device. access-list 150 permit ip any anyinterface serial 2/0ip access-group 150 in The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml Control Plane Policing +--------------------- Control Plane Policing (CoPP) can be used to block untrusted SNMP access to the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be configured on a device to protect the management and control planes and minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that is sent to infrastructure devices in accordance with existing security policies and configurations. The following example, which uses 192.168.100.1 to represent a trusted host, can be adapted to your network. !--- Deny SNMP UDP traffic from trusted hosts to all IP addresses !--- configured on all interfaces of the affected device so that !--- it will be allowed by the CoPP feature access-list 111 deny udp host 192.168.100.1 any eq 161 !--- Permit all other SNMP UDP traffic sent to all IP addresses !--- configured on all interfaces of the affected device so that it !--- will be policed and dropped by the CoPP feature access-list 111 permit udp any any eq 161 !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !--- traffic in accordance with existing security policies and !--- configurations for traffic that is authorized to be sent !--- to infrastructure devices !--- Create a Class-Map for traffic to be policed by !--- the CoPP feature class-map match-all drop-snmpv3-class match access-group 111 !--- Create a Policy-Map that will be applied to the !--- Control-Plane of the device. policy-map drop-snmpv3-traffic class drop-snmpv3-class drop !--- Apply the Policy-Map to the !--- Control-Plane of the device control-plane service-policy input drop-snmpv3-traffic In the above CoPP example, the access control list entries (ACEs) that match the potential exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop function. Please note that the policy-map syntax is different in the 12.2S and 12.0S Cisco IOS trains: policy-map drop-snmpv3-traffic class drop-snmpv3-class police 32000 1500 1500 conform-action drop exceed-action drop Additional information on the configuration and use of the CoPP feature is available at the following links: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html Transit Access Control Lists +--------------------------- Filters that deny SNMP packets using UDP port 161 should be deployed throughout the network as part of a Transit Access Control List (tACL) policy for protection of traffic that enters the network at ingress access points. This policy should be configured to protect the network device where the filter is applied and other devices behind it. Filters for SNMP packets that use UDP port 161 should also be deployed in front of vulnerable network devices so that traffic is only allowed from trusted clients. Additional information about tACLs is available in "Transit Access Control Lists: Filtering at Your Edge:" http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Hardening Guide Statement +------------------------ Customers are advised to review the "Fortifying the Simple Network Management Protocol" section of the "Cisco Guide to Harden Cisco IOS Devices" for information on configuring an IOS device for SNMPv3 authentication and privacy: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#fortify Cisco IOS authPriv Configuration +------------------------------- Enabling the SNMPv3 privacy subsystem (if it is not already in use) is a short-term workaround for users who are unable to upgrade in a timely fashion. This subsystem is used to encrypt SNMPv3 traffic using a shared secret. In Cisco IOS, administrators can enable this workaround by using the authPriv SNMPv3 feature. Only Cisco IOS crypto images can run the authPriv feature. Note: Ensure that the management application supports SNMPv3 authPriv before implementing this feature. Applied Mitigation Bulletin +-------------------------- Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20080610-SNMPv3.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== Cisco is releasing this combined Cisco IOS and non-IOS product advisory out of our normal bi-yearly IOS security advisory cycle due to public disclosure of these vulnerabilities. Cisco is not aware of any malicious exploitation of these vulnerabilities. These vulnerabilities were reported to Cisco by Dr. Tom Dunigan of the University of Tennessee and Net-SNMP in cooperation with the CERT Coordination Center. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-June-10 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. - --------------------------------------------------------------------- Updated: Jun 10, 2008 Document ID: 107408 - --------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (Darwin) iD8DBQFITruJ86n/Gc8U/uARAiuNAJwIq42/p8CUh7Dc88nAn9a1pfhhqgCfWXjv 8bYhCD0EKNQ28koObq4S+vQ= =zOBL -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200808-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Net-SNMP: Multiple vulnerabilities Date: August 06, 2008 Bugs: #222265, #225105 ID: 200808-02 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities in Net-SNMP allow for authentication bypass in snmpd and execution of arbitrary code in Perl applications using Net-SMNP. Background ========== Net-SNMP is a collection of tools for generating and retrieving SNMP data. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/net-snmp < 5.4.1.1 >= 5.4.1.1 Description =========== Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length (CVE-2008-0960). John Kortink reported a buffer overflow in the Perl bindings of Net-SNMP when processing the OCTETSTRING in an attribute value pair (AVP) received by an SNMP agent (CVE-2008-2292). Impact ====== An attacker could send SNMPv3 packets to an instance of snmpd providing a valid user name and an HMAC length value of 1, and easily conduct brute-force attacks to bypass SNMP authentication. An attacker could further entice a user to connect to a malicious SNMP agent with an SNMP client using the Perl bindings, possibly resulting in the execution of arbitrary code. Workaround ========== There is no known workaround at this time. Resolution ========== All Net-SNMP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.1.1" References ========== [ 1 ] CVE-2008-0960 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960 [ 2 ] CVE-2008-2292 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200808-02.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . CVE-2008-4309 It was reported that an integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c allows remote attackers to cause a denial of service attack via a crafted SNMP GETBULK request. For the stable distribution (etch), these problems has been fixed in version 5.2.3-7etch4. For the testing distribution (lenny) and unstable distribution (sid) these problems have been fixed in version 5.4.1~dfsg-11. We recommend that you upgrade your net-snmp package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.diff.gz Size/MD5 checksum: 94030 2ccd6191c3212980956c30de392825ec http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3-7etch4.dsc Size/MD5 checksum: 1046 8018cc23033178515298d5583a74f9ff http://security.debian.org/pool/updates/main/n/net-snmp/net-snmp_5.2.3.orig.tar.gz Size/MD5 checksum: 4006389 ba4bc583413f90618228d0f196da8181 Architecture independent packages: http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-base_5.2.3-7etch4_all.deb Size/MD5 checksum: 1214368 d579d8f28f3d704b6c09b2b480425086 http://security.debian.org/pool/updates/main/n/net-snmp/tkmib_5.2.3-7etch4_all.deb Size/MD5 checksum: 855594 b5ccd827adbcefcca3557fa9ae28cc08 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 2169470 265835564ef2b0e2e86a08000461c53b http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 944098 5b903886ee4740842715797e3231602c http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 1901802 5486eb1f2a5b076e5342b1dd9cbb12e2 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 933202 e3210ba1641079e0c3aaf4a50e89aedd http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_alpha.deb Size/MD5 checksum: 835584 b14db8c5e5b5e2d34799952975f903fb amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 932008 fc79672bf64eaabd41ed1c2f4a42c7da http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 1890766 ae3832515a97a79b31e0e7f0316356ee http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 835088 62867e9ba9dfca3c7e8ae575d5a478f5 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 918844 d2d1bc5f555bc9dba153e2a9a964ffbf http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_amd64.deb Size/MD5 checksum: 1557924 5c2a33a015dd44708a9cc7602ca2525c arm architecture (ARM) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_arm.deb Size/MD5 checksum: 909974 4c1cef835efc0b7ff3fea54a618eabee http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_arm.deb Size/MD5 checksum: 835284 3ac835d926481c9e0f589b578455ddee http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_arm.deb Size/MD5 checksum: 928252 b98e98b58c61be02e477185293427d5c http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_arm.deb Size/MD5 checksum: 1778292 b903adf3d1fa6e7a26f7cafb7bffdd6b http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_arm.deb Size/MD5 checksum: 1344158 78b6cf6b2974983e8e3670468da73cd1 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 835940 9eeaf116e386dd7733ab2106c662dfa9 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 1809132 78bb5f1c12b004d32fa265e6bd99ffa1 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 1926116 71c7f3095ffe1bb22e84ade21f32b3a4 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 935434 85deac8531b02a0fdf3c9baa21d8e4bd http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_hppa.deb Size/MD5 checksum: 935640 958cb158264f75772864cd5d5c0bf251 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_i386.deb Size/MD5 checksum: 1423294 f05c7491a8100684c5085588738f05b5 http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_i386.deb Size/MD5 checksum: 833970 cb705c9fe9418cc9348ac935ea7b0ba2 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_i386.deb Size/MD5 checksum: 920070 3df41a0c99c41d1bccf6801011cf8ed5 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_i386.deb Size/MD5 checksum: 925914 159b4244ef701edbe0fb8c9685b5b477 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_i386.deb Size/MD5 checksum: 1838900 3b7ac7b8fe0da1a3909ee56aba46d464 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 2205680 6868a56b1db04627e6921bf7237939a2 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 970440 783f0cccabfbcc63590730b3803d164d http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 2281114 fd04b505755a3aed0fe4c9baaac84500 http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 842690 9f9ca89c3d3ba7c46481e9cd39c242a6 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_ia64.deb Size/MD5 checksum: 962854 c8a32f808d719357a5b6350e2b60794e mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mips.deb Size/MD5 checksum: 895414 5dd919d188291cb3727d39b5e06c9e26 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mips.deb Size/MD5 checksum: 927342 28c245db4d8ea82ba4075b27d674d72a http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mips.deb Size/MD5 checksum: 833182 0e0b21e13d77de82bed7a38d30f65e4b http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mips.deb Size/MD5 checksum: 1769524 24bdc73a3d20c4046c7741957442c713 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mips.deb Size/MD5 checksum: 1717562 977ae5c34a127d32d8f2bf222de9a431 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 1755032 cab5c112911465a9ce23a0d2ea44ded9 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 926616 2bf14a3fe74d9f2a523aacc8b04f5282 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 895194 b7c9ed37bf83ad92371f5472ac5d917b http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 833098 08b63ba6c3becf25ba2f941a532a7b71 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_mipsel.deb Size/MD5 checksum: 1720642 1ff7568eb478edee923edb76cf42e9ac powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 941434 bbac9384bd7f88339e2b86fa665208c1 http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 835212 4790d79f8de7f1bee7aabf0473f25268 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 1657890 b91fcf52e80c7196cea0c13df9ac79ef http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 1803262 4d298c9509941390c7b2eb68320ad211 http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_powerpc.deb Size/MD5 checksum: 928170 b17966a6a61313344ac827b58f32eeef s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_s390.deb Size/MD5 checksum: 1409718 2a128cbdce2522ef49604255cff41af2 http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_s390.deb Size/MD5 checksum: 931452 d3bb7c3a849cd2b35fa6e4acb19c318d http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_s390.deb Size/MD5 checksum: 1834914 67e5b946df18b06b41b3e108d5ddc4e3 http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_s390.deb Size/MD5 checksum: 836102 7a4b85e8ea0e50d7213997b5f7d6309f http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_s390.deb Size/MD5 checksum: 903864 3f80e78e4e2672aacf3da0690ff24b79 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/net-snmp/snmp_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 925336 5824ea607689f3f1bd62a9e6e28f95ae http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9-dev_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 1548630 1378d1cf730d3026bc1f01a4ab2ccedb http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp-perl_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 918592 28a086f6aa2ee8d510b38c1a177843fc http://security.debian.org/pool/updates/main/n/net-snmp/snmpd_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 834186 068cbf2b4774ecf9504b820db26e6f1d http://security.debian.org/pool/updates/main/n/net-snmp/libsnmp9_5.2.3-7etch4_sparc.deb Size/MD5 checksum: 1782014 d39fae5fe0d1397a2a1bd7397d6e850a These files will probably be moved into the stable distribution on its next update. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ______________________________________________________________________________ SUSE Security Announcement Package: net-snmp Announcement ID: SUSE-SA:2008:039 Date: Fri, 01 Aug 2008 13:00:00 +0000 Affected Products: openSUSE 10.2 openSUSE 10.3 openSUSE 11.0 SUSE SLES 9 Novell Linux Desktop 9 Open Enterprise Server Novell Linux POS 9 SUSE Linux Enterprise Desktop 10 SP1 SLE SDK 10 SP1 SLE SDK 10 SP2 SUSE Linux Enterprise Server 10 SP1 SUSE Linux Enterprise Desktop 10 SP2 SUSE Linux Enterprise Server 10 SP2 Vulnerability Type: authentication bypass, denial-of-service Severity (1-10): 6 SUSE Default Package: no Cross-References: CVE-2008-0960 CVE-2008-2292 Content of This Advisory: 1) Security Vulnerability Resolved: - authentication bypass - denial-of-service Problem Description 2) Solution or Work-Around 3) Special Instructions and Notes 4) Package Location and Checksums 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - viewvc/subversion 6) Authenticity Verification and Additional Information ______________________________________________________________________________ 1) Problem Description and Brief Discussion The net-snmp daemon implements the "simple network management protocol". The version 3 of SNMP as implemented in net-snmp uses the length of the HMAC in a packet to verify against a local HMAC for authentication. An attacker can therefore send a SNMPv3 packet with a one byte HMAC and guess the correct first byte of the local HMAC with 256 packets (max). Additionally a buffer overflow in perl-snmp was fixed that can cause a denial-of-service/crash. 2) Solution or Work-Around Please install the update package. 3) Special Instructions and Notes Please restart net-snmp after the update. 4) Package Location and Checksums The preferred method for installing security updates is to use the YaST Online Update (YOU) tool. YOU detects which updates are required and automatically performs the necessary steps to verify and install them. Alternatively, download the update packages for your distribution manually and verify their integrity by the methods listed in Section 6 of this announcement. Then install the packages using the command rpm -Fhv <file.rpm> to apply the update, replacing <file.rpm> with the filename of the downloaded RPM package. x86 Platform: openSUSE 11.0: http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/libsnmp15-5.4.1-77.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/net-snmp-5.4.1-77.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/net-snmp-devel-5.4.1-77.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/perl-SNMP-5.4.1-77.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/snmp-mibs-5.4.1-77.2.i586.rpm openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/libsnmp15-5.4.1-19.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/net-snmp-5.4.1-19.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/net-snmp-devel-5.4.1-19.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/perl-SNMP-5.4.1-19.2.i586.rpm http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/snmp-mibs-5.4.1-19.2.i586.rpm openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/net-snmp-5.4.rc2-8.i586.rpm ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/net-snmp-devel-5.4.rc2-8.i586.rpm ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/perl-SNMP-5.4.rc2-8.i586.rpm x86-64 Platform: openSUSE 11.0: http://download.opensuse.org/pub/opensuse/update/11.0/rpm/x86_64/net-snmp-32bit-5.4.1-77.2.x86_64.rpm openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/net-snmp-32bit-5.4.1-19.2.x86_64.rpm openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/net-snmp-32bit-5.4.rc2-8.x86_64.rpm Sources: openSUSE 11.0: http://download.opensuse.org/pub/opensuse/update/11.0/rpm/src/net-snmp-5.4.1-77.2.src.rpm openSUSE 10.3: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/net-snmp-5.4.1-19.2.src.rpm openSUSE 10.2: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/net-snmp-5.4.rc2-8.src.rpm Our maintenance customers are notified individually. The packages are offered for installation from the maintenance web: Open Enterprise Server http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 Novell Linux POS 9 http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 Novell Linux Desktop 9 http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 SUSE Linux Enterprise Server 10 SP1 http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 SUSE Linux Enterprise Server 10 SP2 http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 SLE SDK 10 SP2 http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 SLE SDK 10 SP1 http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 SUSE Linux Enterprise Desktop 10 SP1 http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 SUSE Linux Enterprise Desktop 10 SP2 http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 SUSE SLES 9 http://download.novell.com/index.jsp?search=Search&keywords=71093bdfd49361f6dbe32a8fde43b848 ______________________________________________________________________________ 5) Pending Vulnerabilities, Solutions, and Work-Arounds: - viewvc/subversion This update of subversion fixes multiple vulnerabilities. - CVE-2008-1290: list CVS or SVN commits on "all-forbidden" files - CVE-2008-1291: directly access hidden CVSROOT folders - CVE-2008-1292: expose restricted content via the revision view, the log history, or the diff view ______________________________________________________________________________ 6) Authenticity Verification and Additional Information - Announcement authenticity verification: SUSE security announcements are published via mailing lists and on Web sites. The authenticity and integrity of a SUSE security announcement is guaranteed by a cryptographic signature in each announcement. All SUSE security announcements are published with a valid signature. To verify the signature of the announcement, save it as text into a file and run the command gpg --verify <file> replacing <file> with the name of the file where you saved the announcement. The output for a valid signature looks like: gpg: Signature made <DATE> using RSA key ID 3D25D3D9 gpg: Good signature from "SuSE Security Team <security@suse.de>" where <DATE> is replaced by the date the document was signed. If the security team's key is not contained in your key ring, you can import it from the first installation CD. To import the key, use the command gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc - Package authenticity verification: SUSE update packages are available on many mirror FTP servers all over the world. While this service is considered valuable and important to the free and open source software community, the authenticity and the integrity of a package needs to be verified to ensure that it has not been tampered with. The internal rpm package signatures provide an easy way to verify the authenticity of an RPM package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, replacing <file.rpm> with the filename of the RPM package downloaded. The package is unmodified if it contains a valid signature from build@suse.de with the key ID 9C800ACA. This key is automatically imported into the RPM database (on RPMv4-based distributions) and the gpg key ring of 'root' during installation. You can also find it on the first installation CD and at the end of this announcement. - SUSE runs two security mailing lists to which any interested party may subscribe: opensuse-security@opensuse.org - General Linux and SUSE security discussion. All SUSE security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security+subscribe@opensuse.org>. opensuse-security-announce@opensuse.org - SUSE's announce-only mailing list. Only SUSE's security announcements are sent to this list. To subscribe, send an e-mail to <opensuse-security-announce+subscribe@opensuse.org>. The <security@suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________ The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, the clear text signature should show proof of the authenticity of the text. SUSE Linux Products GmbH provides no warranties of any kind whatsoever with respect to the information contained in this security advisory. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . Summary Updated ESX packages for OpenSSL, net-snmp, perl. 2. Relevant releases ESX 3.0.2 ESX 3.0.1 Extended Support (Security and Bug fixes) for ESX 3.0.1 has ended on 2008-07-31. Users should plan to upgrade to at least 3.0.2 update 1 and preferably the newest release available. 3. Problem Description I Security Issues a. OpenSSL Binaries Updated This fix updates the third party OpenSSL library. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows affected, patch pending hosted * any any for patch info see VMSA-2008-0005 ESXi 3.5 ESXi affected, patch pending ESX 3.5 ESX for patch info see VMSA-2008-0001 ESX 3.0.3 ESX not affected ESX 3.0.2 ESX affected, patch pending ESX 3.0.1 ESX affected, patch pending ESX 2.5.5 ESX for patch info see VMSA-2008-0001 ESX 2.5.4 ESX for patch info see VMSA-2008-0001 * hosted products are VMware Workstation, Player, ACE, Server, Fusion II Service Console rpm updates a. net-snmp Security update This fix upgrades the service console rpm for net-snmp to version net-snmp-5.0.9-2.30E.24. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not applicable hosted * any any not applicable ESXi 3.5 ESXi not applicable ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX not affected ESX 3.0.2 ESX affected, patch pending ESX 3.0.1 ESX affected, patch pending ESX 2.5.5 ESX not affected ESX 2.5.4 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion b. perl Security update This fix upgrades the service console rpm for perl to version perl-5.8.0-98.EL3. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not applicable hosted * any any not applicable ESXi 3.5 ESXi not applicable ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX not affected ESX 3.0.2 ESX affected, patch pending ESX 3.0.1 ESX affected, patch pending ESX 2.5.5 ESX not affected ESX 2.5.4 ESX not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. ESX --- ESX 3.0.3 build 104629 ESX Server 3.0.3 CD image md5sum: c2cda9242c6981c7eba1004e8fc5626d Upgrade package from ESX Server 2.x to ESX Server 3.0.3 md5sum: 0ad8fa4707915139d8b2343afebeb92b Upgrade package from earlier releases of ESX Server 3 to ESX Server 3.0.3 md5sum: ff7f3dc12d34b474b231212bdf314113 release notes: http://www.vmware.com/support/vi3/doc/releasenotes_esx303.html 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1927 - ------------------------------------------------------------------------ 6. Change log 2008-08-12 VMSA-2008-0013 Initial release following release of ESX 3.0.3. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2008 VMware Inc. All rights reserved. An attacker could exploit this flaw to spoof an authenticated SNMPv3 packet (CVE-2008-0960). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.1: 8db66ef5a5468d3fd72a47855230a28e 2007.1/i586/libnet-snmp10-5.3.1-3.2mdv2007.1.i586.rpm c951b17138ef11828b2ccf031d4cddaf 2007.1/i586/libnet-snmp10-devel-5.3.1-3.2mdv2007.1.i586.rpm 536a87919f32fac81964d0a907bf08fe 2007.1/i586/libnet-snmp10-static-devel-5.3.1-3.2mdv2007.1.i586.rpm 39e33947c21666dac5dbe5cfe103b26d 2007.1/i586/net-snmp-5.3.1-3.2mdv2007.1.i586.rpm 1eed5ebaff8f6f83befbf8d831900073 2007.1/i586/net-snmp-mibs-5.3.1-3.2mdv2007.1.i586.rpm 874db03c69584025e4d91049072d3c4e 2007.1/i586/net-snmp-trapd-5.3.1-3.2mdv2007.1.i586.rpm 11af93c879d8cd9353b7cb1826900222 2007.1/i586/net-snmp-utils-5.3.1-3.2mdv2007.1.i586.rpm 2c9e819eeb5fd472f6a0fe338d86182b 2007.1/i586/perl-NetSNMP-5.3.1-3.2mdv2007.1.i586.rpm 7a0806202ff8f3d838fa7958b636a449 2007.1/SRPMS/net-snmp-5.3.1-3.2mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: aa27de502ce22110fd745c0b847b79d9 2007.1/x86_64/lib64net-snmp10-5.3.1-3.2mdv2007.1.x86_64.rpm 1843dd154c443cca9ae977e502221d6d 2007.1/x86_64/lib64net-snmp10-devel-5.3.1-3.2mdv2007.1.x86_64.rpm 838bd7820d446bd947bc46e090b38066 2007.1/x86_64/lib64net-snmp10-static-devel-5.3.1-3.2mdv2007.1.x86_64.rpm e659d3df04816330c7bf45008f66bc27 2007.1/x86_64/net-snmp-5.3.1-3.2mdv2007.1.x86_64.rpm 756d5606a1039d20a7512b0a109d53bb 2007.1/x86_64/net-snmp-mibs-5.3.1-3.2mdv2007.1.x86_64.rpm 8ad36943e07362865f3a48c99914e48c 2007.1/x86_64/net-snmp-trapd-5.3.1-3.2mdv2007.1.x86_64.rpm 483140c06017507127d12357c3ed2b41 2007.1/x86_64/net-snmp-utils-5.3.1-3.2mdv2007.1.x86_64.rpm e2bb901815ffa1ca5b0a16bc1363f84f 2007.1/x86_64/perl-NetSNMP-5.3.1-3.2mdv2007.1.x86_64.rpm 7a0806202ff8f3d838fa7958b636a449 2007.1/SRPMS/net-snmp-5.3.1-3.2mdv2007.1.src.rpm Mandriva Linux 2008.0: 8de3c4975620db2b2c2697d6f9deb79b 2008.0/i586/libnet-snmp15-5.4.1-1.1mdv2008.0.i586.rpm b1991c58d996f4be200fe141e28c5f7d 2008.0/i586/libnet-snmp-devel-5.4.1-1.1mdv2008.0.i586.rpm 03c54182cc7f97633f29ff0251a8c898 2008.0/i586/libnet-snmp-static-devel-5.4.1-1.1mdv2008.0.i586.rpm 1f792de19b7b38b56d68242958d5d800 2008.0/i586/net-snmp-5.4.1-1.1mdv2008.0.i586.rpm e3362a641e232a6ecf0b8230f0e49ec8 2008.0/i586/net-snmp-mibs-5.4.1-1.1mdv2008.0.i586.rpm bc6d8c10135ea64a4d512d80d04b1b39 2008.0/i586/net-snmp-trapd-5.4.1-1.1mdv2008.0.i586.rpm 8e7f28ee85fb48129eea57d11d391c8b 2008.0/i586/net-snmp-utils-5.4.1-1.1mdv2008.0.i586.rpm beab129e378f61a6bf62d366a4d90639 2008.0/i586/perl-NetSNMP-5.4.1-1.1mdv2008.0.i586.rpm 3fce488df784163f19e6a55061d773ca 2008.0/SRPMS/net-snmp-5.4.1-1.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 82b570c9cb7e0662df4d7da730c131db 2008.0/x86_64/lib64net-snmp15-5.4.1-1.1mdv2008.0.x86_64.rpm 20b8a6e3fc8dd82fe5ecfdb337553938 2008.0/x86_64/lib64net-snmp-devel-5.4.1-1.1mdv2008.0.x86_64.rpm 555688caa0eee850b3a5f835a5778849 2008.0/x86_64/lib64net-snmp-static-devel-5.4.1-1.1mdv2008.0.x86_64.rpm 60d65f80aec29dcb6d4ceb4bb117a9bc 2008.0/x86_64/net-snmp-5.4.1-1.1mdv2008.0.x86_64.rpm 685c9dd25b585afc128de1b3c092e5d5 2008.0/x86_64/net-snmp-mibs-5.4.1-1.1mdv2008.0.x86_64.rpm 7bff860904572c092f737ac17940d5b2 2008.0/x86_64/net-snmp-trapd-5.4.1-1.1mdv2008.0.x86_64.rpm e434686bddfb04f2a8bd01346517ecb4 2008.0/x86_64/net-snmp-utils-5.4.1-1.1mdv2008.0.x86_64.rpm 4fab6e498e1f05809db500ce895aad66 2008.0/x86_64/perl-NetSNMP-5.4.1-1.1mdv2008.0.x86_64.rpm 3fce488df784163f19e6a55061d773ca 2008.0/SRPMS/net-snmp-5.4.1-1.1mdv2008.0.src.rpm Mandriva Linux 2008.1: 4bafceae1a29f6557b5aa884eca24ba0 2008.1/i586/libnet-snmp15-5.4.1-5.1mdv2008.1.i586.rpm 1eedbae5df7e503de1cba736129beaa1 2008.1/i586/libnet-snmp-devel-5.4.1-5.1mdv2008.1.i586.rpm 615a88847cbf1ce6eaf0029037a14b1b 2008.1/i586/libnet-snmp-static-devel-5.4.1-5.1mdv2008.1.i586.rpm 7323cb7d35eb67664d40ad73b413679d 2008.1/i586/net-snmp-5.4.1-5.1mdv2008.1.i586.rpm d43ed96a806639a94af2a137c75e276e 2008.1/i586/net-snmp-mibs-5.4.1-5.1mdv2008.1.i586.rpm 7394b1361b43056b5eb99827771358cf 2008.1/i586/net-snmp-tkmib-5.4.1-5.1mdv2008.1.i586.rpm 8d6fd9308c2edbe8c020d2c33b3a841d 2008.1/i586/net-snmp-trapd-5.4.1-5.1mdv2008.1.i586.rpm dc58047a02e1a222af20aa794ea8f447 2008.1/i586/net-snmp-utils-5.4.1-5.1mdv2008.1.i586.rpm 2ad9888cd61fc4952c1cee0c48f714b5 2008.1/i586/perl-NetSNMP-5.4.1-5.1mdv2008.1.i586.rpm 7a19c1f8d42052af6392b18b48bd965c 2008.1/SRPMS/net-snmp-5.4.1-5.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 618c241e0ecb57685646264c9bb083b4 2008.1/x86_64/lib64net-snmp15-5.4.1-5.1mdv2008.1.x86_64.rpm bb0ebf49ee7cca29965aeb398f4725f6 2008.1/x86_64/lib64net-snmp-devel-5.4.1-5.1mdv2008.1.x86_64.rpm b4f29f00773291f6cc00784ed7cde470 2008.1/x86_64/lib64net-snmp-static-devel-5.4.1-5.1mdv2008.1.x86_64.rpm 3039811b6682dc4009b32ff48a99eb2b 2008.1/x86_64/net-snmp-5.4.1-5.1mdv2008.1.x86_64.rpm fab09178635501eb5d6a82eb7bd532a3 2008.1/x86_64/net-snmp-mibs-5.4.1-5.1mdv2008.1.x86_64.rpm da29d4c7edaa15d95f8bee98dbfab025 2008.1/x86_64/net-snmp-tkmib-5.4.1-5.1mdv2008.1.x86_64.rpm d9aad834d82d310c64f6f21e17a55920 2008.1/x86_64/net-snmp-trapd-5.4.1-5.1mdv2008.1.x86_64.rpm 7a7c871bd87dc91c16b046ac115cda70 2008.1/x86_64/net-snmp-utils-5.4.1-5.1mdv2008.1.x86_64.rpm d102ea2af0fcaaebd98defda72bcfc91 2008.1/x86_64/perl-NetSNMP-5.4.1-5.1mdv2008.1.x86_64.rpm 7a19c1f8d42052af6392b18b48bd965c 2008.1/SRPMS/net-snmp-5.4.1-5.1mdv2008.1.src.rpm Corporate 3.0: 335af3930865c8eb44ef436cad5fb373 corporate/3.0/i586/libnet-snmp5-5.1-7.4.C30mdk.i586.rpm b8e1d307ee6fa3905d292077fc063318 corporate/3.0/i586/libnet-snmp5-devel-5.1-7.4.C30mdk.i586.rpm a668cc4de411865567d1a93f34cee1e3 corporate/3.0/i586/libnet-snmp5-static-devel-5.1-7.4.C30mdk.i586.rpm d8c0d342b03e5719443d2de06c631bd5 corporate/3.0/i586/libsnmp0-4.2.3-8.2.C30mdk.i586.rpm 6bbe3bb2502ce3c974f7b5737331bb4d corporate/3.0/i586/libsnmp0-devel-4.2.3-8.2.C30mdk.i586.rpm daca10f2e578f75c1e7415d78ed30265 corporate/3.0/i586/net-snmp-5.1-7.4.C30mdk.i586.rpm 1630ebd75201e1bc3956b12a26282f92 corporate/3.0/i586/net-snmp-mibs-5.1-7.4.C30mdk.i586.rpm 5a4f483c877a6278088a265cb3273d61 corporate/3.0/i586/net-snmp-trapd-5.1-7.4.C30mdk.i586.rpm 316d866de7fa7cd984d58f5cb742f5e3 corporate/3.0/i586/net-snmp-utils-5.1-7.4.C30mdk.i586.rpm e3d4197517565f12e2c3a8fd1cc5d2e7 corporate/3.0/i586/ucd-snmp-4.2.3-8.2.C30mdk.i586.rpm 17e8d856fd1dac18552818a842105c88 corporate/3.0/i586/ucd-snmp-utils-4.2.3-8.2.C30mdk.i586.rpm ccaa4d311ad0e5d119e17b1f1876c7e2 corporate/3.0/SRPMS/net-snmp-5.1-7.4.C30mdk.src.rpm 53e16d2069cffb7e7d1e7a324192d5c2 corporate/3.0/SRPMS/ucd-snmp-4.2.3-8.2.C30mdk.src.rpm Corporate 3.0/X86_64: b31f277942fca76d953007c94a60cae2 corporate/3.0/x86_64/lib64net-snmp5-5.1-7.4.C30mdk.x86_64.rpm e4a3fba10ccdd805dc8783ae68c99a42 corporate/3.0/x86_64/lib64net-snmp5-devel-5.1-7.4.C30mdk.x86_64.rpm 530a94cc87af0e4d6e9f3815473c0dd4 corporate/3.0/x86_64/lib64net-snmp5-static-devel-5.1-7.4.C30mdk.x86_64.rpm f246ca421b5d16c599d53f70e4b97660 corporate/3.0/x86_64/lib64snmp0-4.2.3-8.2.C30mdk.x86_64.rpm b943e07726a2fecb016ef4ba626906d8 corporate/3.0/x86_64/lib64snmp0-devel-4.2.3-8.2.C30mdk.x86_64.rpm 22822876f72e35cf6d1ed027df93e74a corporate/3.0/x86_64/net-snmp-5.1-7.4.C30mdk.x86_64.rpm e7e51782b9bbd1e1bdf93c17fb953280 corporate/3.0/x86_64/net-snmp-mibs-5.1-7.4.C30mdk.x86_64.rpm e67a9105f9492c020693d48ce55652ea corporate/3.0/x86_64/net-snmp-trapd-5.1-7.4.C30mdk.x86_64.rpm 171a17e507b2dfdb9c70c0089e582221 corporate/3.0/x86_64/net-snmp-utils-5.1-7.4.C30mdk.x86_64.rpm 96886146d21175b076e92d59e96f5016 corporate/3.0/x86_64/ucd-snmp-4.2.3-8.2.C30mdk.x86_64.rpm 1b6ee4c253f15be516a1928a4f791f15 corporate/3.0/x86_64/ucd-snmp-utils-4.2.3-8.2.C30mdk.x86_64.rpm ccaa4d311ad0e5d119e17b1f1876c7e2 corporate/3.0/SRPMS/net-snmp-5.1-7.4.C30mdk.src.rpm 53e16d2069cffb7e7d1e7a324192d5c2 corporate/3.0/SRPMS/ucd-snmp-4.2.3-8.2.C30mdk.src.rpm Corporate 4.0: 6cbe9d76db3b05c2435bcbc5cf16c898 corporate/4.0/i586/libnet-snmp5-5.2.1.2-5.2.20060mlcs4.i586.rpm 586a55cfde45020d5ea0ebf5f2d6c840 corporate/4.0/i586/libnet-snmp5-devel-5.2.1.2-5.2.20060mlcs4.i586.rpm d992d8300cf0639942a179349d592e15 corporate/4.0/i586/libnet-snmp5-static-devel-5.2.1.2-5.2.20060mlcs4.i586.rpm 03a49b848c376b705dcfcef0ec817daf corporate/4.0/i586/net-snmp-5.2.1.2-5.2.20060mlcs4.i586.rpm 22b9d01b3b7a8a34ed3e1a5a435286a8 corporate/4.0/i586/net-snmp-mibs-5.2.1.2-5.2.20060mlcs4.i586.rpm dccc01a94c1f29eac2875e6a935bf589 corporate/4.0/i586/net-snmp-trapd-5.2.1.2-5.2.20060mlcs4.i586.rpm 77f93230f96abce039b52ca5612eaa36 corporate/4.0/i586/net-snmp-utils-5.2.1.2-5.2.20060mlcs4.i586.rpm 8a7209b70979c9d73035ff40cbd8dbb4 corporate/4.0/i586/perl-NetSNMP-5.2.1.2-5.2.20060mlcs4.i586.rpm ac919459a8752cddfd441c085ca69117 corporate/4.0/SRPMS/net-snmp-5.2.1.2-5.2.20060mlcs4.src.rpm Corporate 4.0/X86_64: f94c7e967973ba8aa12b5605251d6e78 corporate/4.0/x86_64/lib64net-snmp5-5.2.1.2-5.2.20060mlcs4.x86_64.rpm f332985986eff2d6c8a75b5c263dedb1 corporate/4.0/x86_64/lib64net-snmp5-devel-5.2.1.2-5.2.20060mlcs4.x86_64.rpm 82fc454916e75866370ee738292021c8 corporate/4.0/x86_64/lib64net-snmp5-static-devel-5.2.1.2-5.2.20060mlcs4.x86_64.rpm ff0adeb23df57eb34869c7100df159da corporate/4.0/x86_64/net-snmp-5.2.1.2-5.2.20060mlcs4.x86_64.rpm 72f2dc9cb1695999660a9ff9c97e4c47 corporate/4.0/x86_64/net-snmp-mibs-5.2.1.2-5.2.20060mlcs4.x86_64.rpm 0f244551c87e051a8274e5050cf0bc2a corporate/4.0/x86_64/net-snmp-trapd-5.2.1.2-5.2.20060mlcs4.x86_64.rpm 7c4e7fb304c77c6551a50495d338e84e corporate/4.0/x86_64/net-snmp-utils-5.2.1.2-5.2.20060mlcs4.x86_64.rpm 68d81ca4c173710ef43b36092df2a6ee corporate/4.0/x86_64/perl-NetSNMP-5.2.1.2-5.2.20060mlcs4.x86_64.rpm ac919459a8752cddfd441c085ca69117 corporate/4.0/SRPMS/net-snmp-5.2.1.2-5.2.20060mlcs4.src.rpm Multi Network Firewall 2.0: f98286a301d580fe306917cf0169ef88 mnf/2.0/i586/libnet-snmp5-5.1-7.4.M20mdk.i586.rpm 3ba27516773b1dd933828207cecc7754 mnf/2.0/SRPMS/net-snmp-5.1-7.4.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security

The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. Hitachi Web Server contains a vulnerability that could lead to a denial of service (DoS) condition when using it as a reverse proxy due to excessive memory usage.The server could fall into a denial of service (DoS) state when continuously receiving fraudulent responses from backend Web servers. (DoS) Vulnerabilities exist.Denial of service due to response sent in large quantities by third parties (DoS) There is a possibility of being put into a state. Attackers may exploit this issue to cause denial-of-service conditions. Reportedly, the issue affects Apache 2.2.8 and 2.0.63; other versions may also be affected. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-007. The security update addresses a total of 11 new vulnerabilities that affect the ColorSync, CUPS, Finder, launchd, Networking, Postfix, PSNormalizer, rlogin, Script Editor, and Weblog components of Mac OS X. The advisory also contains security updates for 30 previously reported issues. NOTE: This BID is being retired; the following individual records have been created to better document these issues: 31716 Apple Script Editor Unspecified Insecure Temporary File Creation Vulnerability 31718 Apple Mac OS X Server Weblog Access Control List Security Bypass Vulnerability 31708 Apple Mac OS X 'hosts.equiv' Security Bypass Vulnerability 31721 Apple Mac OS X 10.5 Postfix Security Bypass Vulnerability 31719 Apple PSNormalizer PostScript Buffer Overflow Vulnerability 31711 Apple Mac OS X 'configd' EAPOLController Plugin Local Heap Based Buffer Overflow Vulnerability 31715 Apple Mac OS X ColorSync ICC Profile Remote Buffer Overflow Vulnerability 31720 Apple Finder Denial of Service Vulnerability 31707 Apple OS X QuickLook Excel File Integer Overflow Vulnerability 31688 CUPS 'HP-GL/2' Filter Remote Code Execution Vulnerability 31722 Apple Mac OS X 10.5 'launchd' Unspecified Security Bypass Vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01650939 Version: 1 HPSBUX02401 SSRT090005 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2009-02-02 Last Updated: 2009-02-02 Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servelet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Apache-based Web Server and Tomcat-based Servelet Engine are contained in the Apache Web Server Suite. References: CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or earlier or Tomcat-based Servelet Engine v5.5.27.01.01 or earlier HP-UX B.11.11 running Apache-based Web Server v2.2.8.01.01 or earlier BACKGROUND CVSS 2.0 Base Metrics =============================================== Reference Base Vector Base Score CVE-2007-6420 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-1232 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-1947 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-2364 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0 CVE-2008-2370 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0 CVE-2008-2938 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-2939 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-3658 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 7.5 =============================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. RESOLUTION HP has provided the following upgrades to resolve these vulnerabilities. The upgrades are available from the following location: URL: http://software.hp.com Note: HP-UX Web Server Suite v.3.02 contains HP-UX Apache-based Web Server v.2.2.8.01.02 and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01 HP-UX Release - B.11.23 and B.11.31 PA-32 Apache Depot name - HPUXWSATW-B302-32.depot HP-UX Release - B.11.23 and B.11.31 IA-64 Apache Depot name - HPUXWSATW-B302-64.depot HP-UX Release - B.11.11 PA-32 Apache Depot name - HPUXWSATW-B222-1111.depot MANUAL ACTIONS: Yes - Update Install Apache-based Web Server or Tomcat-based Servelet Engine from the Apache Web Server Suite v3.02 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 ================== hpuxwsAPACHE.APACHE hpuxwsAPACHE.APACHE2 hpuxwsAPACHE.AUTH_LDAP hpuxwsAPACHE.AUTH_LDAP2 hpuxwsAPACHE.MOD_JK hpuxwsAPACHE.MOD_JK2 hpuxwsAPACHE.MOD_PERL hpuxwsAPACHE.MOD_PERL2 hpuxwsAPACHE.PHP hpuxwsAPACHE.PHP2 hpuxwsAPACHE.WEBPROXY hpuxwsTOMCAT.TOMCAT hpuxwsWEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com HP-UX B.11.23 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22TOMCAT.TOMCAT hpuxws22WEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com HP-UX B.11.31 ================== hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 hpuxws22TOMCAT.TOMCAT hpuxws22WEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com END AFFECTED VERSIONS HISTORY Version:1 (rev.1) 2 February 2009 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBSYhX8+AfOvwtKn1ZEQJxcACeJa8lt5TkhV5qnaGRTaBh4kqHutgAoJbH XCe08aGCzEZj/q4n91JQnhq6 =XImF -----END PGP SIGNATURE----- . This update also provides HTTP/1.1 compliance fixes. The updated packages have been patched to prevent this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364 _______________________________________________________________________ Updated Packages: Corporate 3.0: 532973a116bcdf63ed72042b819b59cc corporate/3.0/i586/apache2-2.0.48-6.19.C30mdk.i586.rpm e2913623f1876d02e426bbca997f3435 corporate/3.0/i586/apache2-common-2.0.48-6.19.C30mdk.i586.rpm 2e583f46edd8e83d8071e1912fbcced6 corporate/3.0/i586/apache2-devel-2.0.48-6.19.C30mdk.i586.rpm 83b6d9adea62a2c186f2acfb7372a8f0 corporate/3.0/i586/apache2-manual-2.0.48-6.19.C30mdk.i586.rpm f797d9dd78f6a75328f3156f4d97de54 corporate/3.0/i586/apache2-mod_cache-2.0.48-6.19.C30mdk.i586.rpm 1e13b9cf9ed69f69f1700d89e7b0a625 corporate/3.0/i586/apache2-mod_dav-2.0.48-6.19.C30mdk.i586.rpm eeacd8fa60a510fe23a949303aefa934 corporate/3.0/i586/apache2-mod_deflate-2.0.48-6.19.C30mdk.i586.rpm 12978be0a831fb2164e8663e0aa96c16 corporate/3.0/i586/apache2-mod_disk_cache-2.0.48-6.19.C30mdk.i586.rpm ff7133c4d2f3a18d5ca86398b6a3b482 corporate/3.0/i586/apache2-mod_file_cache-2.0.48-6.19.C30mdk.i586.rpm de43091c378ef1b0a465f409d4198c7d corporate/3.0/i586/apache2-mod_ldap-2.0.48-6.19.C30mdk.i586.rpm 2a884bf3c648fe6e45bd1858e7ac8fca corporate/3.0/i586/apache2-mod_mem_cache-2.0.48-6.19.C30mdk.i586.rpm 435c1058b34b3e5603e8502315d3f1be corporate/3.0/i586/apache2-mod_proxy-2.0.48-6.19.C30mdk.i586.rpm 5a54d1929057b311ab83863fcfc6785b corporate/3.0/i586/apache2-mod_ssl-2.0.48-6.19.C30mdk.i586.rpm 37bb90e385c1571579d604120cd1c1d4 corporate/3.0/i586/apache2-modules-2.0.48-6.19.C30mdk.i586.rpm 377a8d1250fb1276e0c52fe89b63775a corporate/3.0/i586/apache2-source-2.0.48-6.19.C30mdk.i586.rpm 2c6db35de4997018b043181957072182 corporate/3.0/i586/libapr0-2.0.48-6.19.C30mdk.i586.rpm 30da5c4069b7b8ea5b3bb13734ca0058 corporate/3.0/SRPMS/apache2-2.0.48-6.19.C30mdk.src.rpm Corporate 3.0/X86_64: 43cb9996c4ad55ead2a2bba2a618b939 corporate/3.0/x86_64/apache2-2.0.48-6.19.C30mdk.x86_64.rpm 898f1420c5fe218c748281c238da9d00 corporate/3.0/x86_64/apache2-common-2.0.48-6.19.C30mdk.x86_64.rpm b7ca472734ea5776cfecf1dd2315f71d corporate/3.0/x86_64/apache2-devel-2.0.48-6.19.C30mdk.x86_64.rpm 8ebd24059163cd8f8e22eb0203682e41 corporate/3.0/x86_64/apache2-manual-2.0.48-6.19.C30mdk.x86_64.rpm ac6f64c5aabbf463be38023dfb2e30e0 corporate/3.0/x86_64/apache2-mod_cache-2.0.48-6.19.C30mdk.x86_64.rpm 2e66000edd688d563645ecf526724899 corporate/3.0/x86_64/apache2-mod_dav-2.0.48-6.19.C30mdk.x86_64.rpm d82ba16ad19ebfbb412f033537fe7dfb corporate/3.0/x86_64/apache2-mod_deflate-2.0.48-6.19.C30mdk.x86_64.rpm e83174382435df2220f7563545543342 corporate/3.0/x86_64/apache2-mod_disk_cache-2.0.48-6.19.C30mdk.x86_64.rpm af5d024a4cff0c216d0c02dcbe08ab83 corporate/3.0/x86_64/apache2-mod_file_cache-2.0.48-6.19.C30mdk.x86_64.rpm b6a74826d456381f9c3807d7cdaef8ff corporate/3.0/x86_64/apache2-mod_ldap-2.0.48-6.19.C30mdk.x86_64.rpm 3e0c99c91a186db1650ab277fb266ddf corporate/3.0/x86_64/apache2-mod_mem_cache-2.0.48-6.19.C30mdk.x86_64.rpm 5bcf1224653b851df20d07d6fbb248b6 corporate/3.0/x86_64/apache2-mod_proxy-2.0.48-6.19.C30mdk.x86_64.rpm c07af351ea84b7d8a0b0de879c9aad2e corporate/3.0/x86_64/apache2-mod_ssl-2.0.48-6.19.C30mdk.x86_64.rpm fa40774c92468aa0080979674ff473c5 corporate/3.0/x86_64/apache2-modules-2.0.48-6.19.C30mdk.x86_64.rpm a387e498b01b876ee31066aa3a73970a corporate/3.0/x86_64/apache2-source-2.0.48-6.19.C30mdk.x86_64.rpm 659d44dc9615de5b556d35425d628bf7 corporate/3.0/x86_64/lib64apr0-2.0.48-6.19.C30mdk.x86_64.rpm 30da5c4069b7b8ea5b3bb13734ca0058 corporate/3.0/SRPMS/apache2-2.0.48-6.19.C30mdk.src.rpm Multi Network Firewall 2.0: 93eef0301be074129e8c8f67381c09ad mnf/2.0/i586/apache2-2.0.48-6.19.C30mdk.i586.rpm 0dd927e4efb8dc43f2168227d22c1407 mnf/2.0/i586/apache2-common-2.0.48-6.19.C30mdk.i586.rpm 366c8a236e33babca8447b3c3f926c83 mnf/2.0/i586/apache2-devel-2.0.48-6.19.C30mdk.i586.rpm 73490cae06d07885512ff28fb24c1d6c mnf/2.0/i586/apache2-manual-2.0.48-6.19.C30mdk.i586.rpm 8bf01fed207bf8ae9c265be3d3f0e0f5 mnf/2.0/i586/apache2-mod_cache-2.0.48-6.19.C30mdk.i586.rpm b06f622b9c96bfa10cdc4d2067e5826f mnf/2.0/i586/apache2-mod_dav-2.0.48-6.19.C30mdk.i586.rpm c5600da4764bcb84733c16034871ced1 mnf/2.0/i586/apache2-mod_deflate-2.0.48-6.19.C30mdk.i586.rpm cccdb0578c7443e46154a8f64b78a86b mnf/2.0/i586/apache2-mod_disk_cache-2.0.48-6.19.C30mdk.i586.rpm 67fb4bcf03bef82c78fb42ec3de85b55 mnf/2.0/i586/apache2-mod_file_cache-2.0.48-6.19.C30mdk.i586.rpm 20cb9f0132cd5181f6cff7699373d488 mnf/2.0/i586/apache2-mod_ldap-2.0.48-6.19.C30mdk.i586.rpm 1f0f71765b82dd9086c99a2ec98ce458 mnf/2.0/i586/apache2-mod_mem_cache-2.0.48-6.19.C30mdk.i586.rpm 26d8d7db3f8a8ed9dd22add69cc908cd mnf/2.0/i586/apache2-mod_proxy-2.0.48-6.19.C30mdk.i586.rpm 538e1d3b6eab0b6770de516d9c6e59e4 mnf/2.0/i586/apache2-mod_ssl-2.0.48-6.19.C30mdk.i586.rpm 82674d6c664adb4e9a8539703ee113d7 mnf/2.0/i586/apache2-modules-2.0.48-6.19.C30mdk.i586.rpm d1dc24f4698a7cef16c292ba19302ca1 mnf/2.0/i586/apache2-source-2.0.48-6.19.C30mdk.i586.rpm b83a8c4eda842c3e358d16d22febbe80 mnf/2.0/i586/libapr0-2.0.48-6.19.C30mdk.i586.rpm 5ff603859246c39086f9b6ad300f97c6 mnf/2.0/SRPMS/apache2-2.0.48-6.19.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJOCuNmqjQ0CJFipgRAt+pAKDO9fruRTCR1580NTYdYmnky057aACdFVGo NmJlapeQ2vPQcDIjsktx95s= =5zLR -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200807-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Apache: Denial of Service Date: July 09, 2008 Bugs: #222643, #227111 ID: 200807-06 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities in Apache might lead to a Denial of Service. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/apache < 2.2.9 >= 2.2.9 Description =========== Multiple vulnerabilities have been discovered in Apache: * Dustin Kirkland reported that the mod_ssl module can leak memory when the client reports support for a compression algorithm (CVE-2008-1678). Impact ====== A remote attacker could exploit these vulnerabilities by connecting to an Apache httpd, by causing an Apache proxy server to connect to a malicious server, or by enticing a balancer administrator to connect to a specially-crafted URL, resulting in a Denial of Service of the Apache daemon. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.9" References ========== [ 1 ] CVE-2007-6420 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420 [ 2 ] CVE-2008-1678 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1678 [ 3 ] CVE-2008-2364 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200807-06.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . =========================================================== Ubuntu Security Notice USN-731-1 March 10, 2009 apache2 vulnerabilities CVE-2007-6203, CVE-2007-6420, CVE-2008-1678, CVE-2008-2168, CVE-2008-2364, CVE-2008-2939 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: apache2-common 2.0.55-4ubuntu2.4 apache2-mpm-perchild 2.0.55-4ubuntu2.4 apache2-mpm-prefork 2.0.55-4ubuntu2.4 apache2-mpm-worker 2.0.55-4ubuntu2.4 Ubuntu 7.10: apache2-mpm-event 2.2.4-3ubuntu0.2 apache2-mpm-perchild 2.2.4-3ubuntu0.2 apache2-mpm-prefork 2.2.4-3ubuntu0.2 apache2-mpm-worker 2.2.4-3ubuntu0.2 apache2.2-common 2.2.4-3ubuntu0.2 Ubuntu 8.04 LTS: apache2-mpm-event 2.2.8-1ubuntu0.4 apache2-mpm-perchild 2.2.8-1ubuntu0.4 apache2-mpm-prefork 2.2.8-1ubuntu0.4 apache2-mpm-worker 2.2.8-1ubuntu0.4 apache2.2-common 2.2.8-1ubuntu0.4 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that Apache did not sanitize the method specifier header from an HTTP request when it is returned in an error message, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2007-6203) It was discovered that Apache was vulnerable to a cross-site request forgery (CSRF) in the mod_proxy_balancer balancer manager. If an Apache administrator were tricked into clicking a link on a specially crafted web page, an attacker could trigger commands that could modify the balancer manager configuration. (CVE-2007-6420) It was discovered that Apache had a memory leak when using mod_ssl with compression. A remote attacker could exploit this to exhaust server memory, leading to a denial of service. (CVE-2008-1678) It was discovered that in certain conditions, Apache did not specify a default character set when returning certain error messages containing UTF-7 encoded data, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. (CVE-2008-2364) It was discovered that mod_proxy_ftp did not sanitize wildcard pathnames when they are returned in directory listings, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. (CVE-2008-2939) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4.diff.gz Size/MD5: 123478 7a5b444231dc27ee60c1bd63f42420c6 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4.dsc Size/MD5: 1156 4f9a0f31d136914cf7d6e1a92656a47b http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55.orig.tar.gz Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.55-4ubuntu2.4_all.deb Size/MD5: 2124948 5153435633998e4190b54eb101afd271 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 833336 d5b9ecf82467eb04a94957321c4a95a2 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 228588 f4b9b82016eb22a60da83ae716fd028a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 223600 2cf77e3daaadcc4e07da5e19ecac2867 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 228216 60ff106ddefe9b68c055825bcd6ec52f http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 171724 bae5e3d30111e97d34b25594993ad488 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 172508 77bdf00092378c89ae8be7f5139963e0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 94562 f3a168c57db1f5be11cfdba0bdc20062 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 36618 a7f34da28f7bae0cffb3fdb73da70143 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 286028 a5b380d9c6a651fe043ad2358ef61143 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_amd64.deb Size/MD5: 144590 9a4031c258cfa264fb8baf305bc0cea6 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 786528 353ed1839a8201d0211ede114565e60d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 203256 7b0caa06fd47a28a8a92d1b69c0b4667 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 199114 6a77314579722ca085726e4220be4e9f http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 202654 ffad2838e3c8c79ecd7e21f79aa78216 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 171716 771492b2b238424e33e3e7853185c0ca http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 172498 b5f7a4ed03ebafa4c4ff75c05ebf53b7 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 92520 787a673994d746b4ad3788c16516832a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 36620 4d5f0f18c3035f41cb8234af3cc1092c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 262082 d6a7111b9f2ed61e1aeb2f18f8713873 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_i386.deb Size/MD5: 132518 5a335222829c066cb9a0ddcaeee8a0da powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 859446 cf555341c1a8b4a39808b8a3bd76e03a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 220622 85b902b9eecf3d40577d9e1e8bf61467 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 216314 146e689e30c6e1681048f6cf1dd659e3 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 220128 10f65b3961a164e070d2f18d610df67b http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 171726 9e341f225cb19d5c44f343cc68c0bba5 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 172512 331dff8d3de7cd694d8e115417bed4f8 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 104284 7ab80f14cd9072d23389e27f934079f3 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 36620 713bfffcca8ec4e9531c635069f1cd0d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 281600 ad1671807965e2291b5568c7b4e95e14 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_powerpc.deb Size/MD5: 141744 6b04155aa1dbf6f657dbfa27d6086617 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 803706 f14be1535acf528f89d301c8ec092015 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 211028 28b74d86e10301276cadef208b460658 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 206566 6d6b2e1e3e0bbf8fc0a0bcca60a33339 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 210280 45690384f2e7e0a2168d7867283f9145 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 171732 6595a330344087593a9443b9cdf5e4ba http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 172498 f1ac3a442b21db9d2733e8221b218e25 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 93606 f229d1c258363d2d0dfb3688ec96638e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 36616 6f470e2e17dfc6d587fbe2bf861bfb06 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 268178 5a853d01127853405a677c53dc2bf254 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.4_sparc.deb Size/MD5: 130456 a0a51bb9405224948b88903779347427 Updated packages for Ubuntu 7.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4-3ubuntu0.2.diff.gz Size/MD5: 125080 c5c1b91f6918d42a75d23e95799b3707 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4-3ubuntu0.2.dsc Size/MD5: 1333 b028e602b998a666681d1aa73b980c06 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4.orig.tar.gz Size/MD5: 6365535 3add41e0b924d4bb53c2dee55a38c09e Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.4-3ubuntu0.2_all.deb Size/MD5: 2211750 9dc3a7e0431fe603bbd82bf647d2d1f5 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.2.4-3ubuntu0.2_all.deb Size/MD5: 278670 985dd1538d0d2c6bb74c458eaada1cb7 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.4-3ubuntu0.2_all.deb Size/MD5: 6702036 3cdb5e1a9d22d7172adfd066dd42d71a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.4-3ubuntu0.2_all.deb Size/MD5: 42846 ba7b0cbf7f33ac3b6321c132bc2fec71 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 457286 b37825dc4bb0215284181aa5dfc9dd44 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 453094 380ea917048a64c2c9bc12d768ac2ffa http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 456804 b075ef4e563a55c7977af4d82d90e493 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 410658 6dff5030f33af340b2100e8591598d9d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 411244 9c79a2c0a2d4d8a88fae1b3f10d0e27c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 348256 ef1e159b64fe2524dc94b6ab9e22cefb http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_amd64.deb Size/MD5: 992256 0e9bac368bc57637079f839bcce8ebbc i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 440388 bdb2ced3ca782cda345fcfb109e8b02a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 436030 44d372ff590a6e42a83bcd1fb5e546fe http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 439732 5119be595fb6ac6f9dd94d01353da257 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 410656 01be0eca15fe252bbcab7562462af5ca http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 411250 10d8929e9d37050488f2906fde13b2fd http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 347322 d229c56720ae5f1f83645f66e1bfbdf1 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_i386.deb Size/MD5: 947460 3dc120127b16134b42e0124a1fdfa4ab lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 439896 8e856643ebeed84ffbeb6150f6e917c5 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 435524 ce18d9e09185526c93c6af6db7a6b5cf http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 439180 9622bf2dfee7941533faedd2e2d4ebbd http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 410674 684ad4367bc9250468351b5807dee424 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 411258 17f53e8d3898607ce155dc333237690c http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 347664 1197aa4145372ae6db497fb157cb0da1 http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_lpia.deb Size/MD5: 939924 470a7163e2834781b2db0689750ce0f2 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 458848 4efbbcc96f05a03301a13448f9cb3c01 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 454226 1fe4c7712fd4597ed37730a27df95113 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 458134 5786d901931cecd340cc1879e27bcef7 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 410676 9fc94d5b21a8b0f7f8aab9dc60339abf http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 411266 c44cde12a002910f9df02c10cdd26b0c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 367392 612ddcebee145f765163a0b30124393a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_powerpc.deb Size/MD5: 1094288 72fd7d87f4876648d1e14a5022c61b00 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 441650 28e5a2c2d18239c0810b6de3584af221 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 437796 3ee7408c58fbdf8de6bf681970c1c9ad http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 441114 b1b1bb871fe0385ea4418d533f0669aa http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 410676 cf7bed097f63e3c24337813621866498 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 411252 5a30177f7039f52783576e126cf042d0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 350468 ce216a4e9739966cd2aca4262ba0ea4e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.4-3ubuntu0.2_sparc.deb Size/MD5: 959090 98ad8ee7328f25e1e81e110bbfce10c2 Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.4.diff.gz Size/MD5: 132376 1a3c4e93f08a23c3a3323cb02f5963b6 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.4.dsc Size/MD5: 1379 ed1a1e5de71b0e35100f60b21f959db4 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8.orig.tar.gz Size/MD5: 6125771 39a755eb0f584c279336387b321e3dfc Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.8-1ubuntu0.4_all.deb Size/MD5: 1928164 86b52d997fe3e4baf9712be0562eed2d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.2.8-1ubuntu0.4_all.deb Size/MD5: 72176 1f4efe37abf317c3c42c4c0a79a4f232 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.8-1ubuntu0.4_all.deb Size/MD5: 6254152 fe271b0e4aa0cf80e99b866c23707b6a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.4_all.deb Size/MD5: 45090 3f44651df13cfd495d7c33dda1c709ea amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 252272 3d27b0311303e7c5912538fb7d4fc37c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 247850 1ce7ff6190c21da119d98b7568f2e5d0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 251658 ac7bc78b449cf8d28d4c10478c6f1409 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 204658 66e95c370f2662082f3ec41e4a033877 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 205336 6b1e7e0ab97b7dd4470c153275f1109c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 140940 cad14e08ab48ca8eb06480c0db686779 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_amd64.deb Size/MD5: 801764 3759103e3417d44bea8866399ba34a66 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 235194 dddbc62f458d9f1935087a072e1c6f67 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 230748 db0a1dc277de5886655ad7b1cc5b0f1a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 234542 0e4997e9ed55d6086c439948cf1347ff http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 204672 1f58383838b3b9f066e855af9f4e47e0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 205348 fa032fc136c5b26ccf364289a93a1cda http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 139904 b503316d420ccb7efae5082368b95e01 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_i386.deb Size/MD5: 754788 140fddccc1a6d3dc743d37ab422438c2 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 234752 bc06d67259257109fe8fc17204bc9950 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 230424 9421376c8f6d64e5c87af4f484b8aacf http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 233908 179236460d7b7b71dff5e1d1ac9f0509 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 204664 764d773d28d032767d697eec6c6fd50a http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 205342 2891770939b51b1ca6b8ac8ca9142db1 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 140478 4a062088427f1d8b731e06d64eb7e2ea http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_lpia.deb Size/MD5: 748672 b66dbda7126616894cf97eb93a959af9 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 253368 bad43203ed4615216bf28f6da7feb81b http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 248800 aa757fd46cd79543a020dcd3c6aa1b26 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 252904 682a940b7f3d14333037c80f7f01c793 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 204678 30af6c826869b647bc60ed2d99cc30f7 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 205376 cd02ca263703a6049a6fe7e11f72c98a http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 157662 df6cdceecb8ae9d25bbd614142da0151 http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_powerpc.deb Size/MD5: 904904 34581d1b3c448a5de72a06393557dd48 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 236418 2eda543f97646f966f5678e2f2a0ba90 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 232386 69e2419f27867b77d94a652a83478ad7 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 235788 414a49286d9e8dd7b343bd9207dc727b http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 204668 f7d099cd9d3ebc0baccbdd896c94a88f http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 205352 0a5cb5dfd823b4e6708a9bcc633a90cd http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 143108 ad78ead4ac992aec97983704b1a3877f http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.4_sparc.deb Size/MD5: 763946 0d40a8ebecfef8c1a099f2170fcddb73 . ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. The vulnerability is caused due to an unspecified error, which can be exploited to cause a high memory usage when the application is used as a reverse proxy. Please see the vendor's advisory for a full list of affected products. SOLUTION: Update to a fixed version. See vendor advisory for details. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS09-009/index.html OTHER REFERENCES: http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-001740.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------