VARIoT IoT vulnerabilities database

OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition. Multiple RSA implementations fail to properly handle RSA signatures. This vulnerability may allow an attacker to forge RSA signatures. An attacker may exploit this issue to cause applications that use the vulnerable library to consume excessive CPU and memory resources and crash, denying further service to legitimate users. rPath Security Advisory: 2006-0175-2 Published: 2006-09-28 Updated: 2006-09-29 Resolved issue in patch for CVE-2006-2940 Products: rPath Linux 1 Rating: Major Exposure Level Classification: Remote Deterministic Unauthorized Access Updated Versions: openssl=/conary.rpath.com@rpl:devel//1/0.9.7f-10.5-1 openssl-scripts=/conary.rpath.com@rpl:devel//1/0.9.7f-10.5-1 References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 http://issues.rpath.com/browse/RPL-613 Description: Previous versions of the openssl package are vulnerable to multiple attacks. In particular, any connection that the mysql daemon will accept may be vulnerable. In the default configuration of mysql, that would be a local unauthorized access vulnerability, but mysql can be configured to listen for network connections from remote hosts, which would then enable remote unauthorized access. Any program that calls the SSL_get_shared_ciphers() function may be vulnerable. 29 September 2006 Update: The initial fix for this vulnerability was incomplete, and the fault in the fix could enable a Denial of Service attack in some cases of the attack described in CVE-2006-2940. _______________________________________________ Full-Disclosure - We believe in it. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - ------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2007-0001 Synopsis: VMware ESX server security updates Issue date: 2007-01-08 Updated on: 2007-01-08 CVE: CVE-2006-3589 CVE-2006-2937 CVE-2006-2940 CVE-2006-3738 CVE-2006-4339 CVE-2006-4343 CVE-2006-4980 - ------------------------------------------------------------------- 1. Summary: Updated ESX Patches address several security issues. 2. Relevant releases: VMware ESX 3.0.1 without patch ESX-9986131 VMware ESX 3.0.0 without patch ESX-3069097 VMware ESX 2.5.4 prior to upgrade patch 3 VMware ESX 2.5.3 prior to upgrade patch 6 VMware ESX 2.1.3 prior to upgrade patch 4 VMware ESX 2.0.2 prior to upgrade patch 4 3. Problem description: Problems addressed by these patches: a. Incorrect permissions on SSL key files generated by vmware-config (CVE-2006-3589): ESX 3.0.1: does not have this problem ESX 3.0.0: does not have this problem ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502) ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703) ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803) ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801) A possible security issue with the configuration program vmware-config which could set incorrect permissions on SSL key files. Local users may be able to obtain access to the SSL key files. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-3589 to this issue. b. (CVE-2006-2940) OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification. (CVE-2006-4339) OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4339, and CVE-2006-4343 to these issues. c. Updated OpenSSH package addresses the following possible security issues: ESX 3.0.1: corrected by Patch ESX-9986131 ESX 3.0.0: corrected by Patch ESX-3069097 ESX 2.5.4: does not have these problems ESX 2.5.3: does not have these problems ESX 2.1.3: does not have these problems ESX 2.0.2: does not have these problems (CVE-2004-2069) sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption). (CVE-2006-0225) scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice. (CVE-2003-0386) OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. NOTE: ESX by default disables version 1 SSH protocol. NOTE: ESX doesn't use GSSAPI by default. (CVE-2006-5794) Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2004-2069, CVE-2006-0225, CVE-2003-0386, CVE-2006-4924, CVE-2006-5051, and CVE-2006-5794 to these issues. d. Object reuse problems with newly created virtual disk (.vmdk or .dsk) files: ESX 3.0.1: does not have this problem ESX 3.0.0: does not have this problem ESX 2.5.4: corrected by ESX 2.5.4 Upgrade Patch 3 (Build# 36502) ESX 2.5.3: corrected by ESX 2.5.3 Upgrade Patch 6 (Build# 35703) ESX 2.1.3: corrected by ESX 2.1.3 Upgrade Patch 4 (Build# 35803) ESX 2.0.2: corrected by ESX 2.0.2 Upgrade Patch 4 (Build# 35801) A possible security issue with virtual disk (.vmdk or .dsk) files that are newly created, but contain blocks from recently deleted virtual disk files. Information belonging to the previously deleted virtual disk files could be revealed in newly created virtual disk files. VMware recommends the following workaround: When creating new virtual machines on an ESX Server that may contain sensitive data, use vmkfstools with the -W option. This initializes the virtual disk with zeros. NOTE: ESX 3.x defines this option as -w. e. Buffer overflow in Python function repr(): ESX 3.0.1: corrected by Patch ESX-9986131 ESX 3.0.0: corrected by ESX-3069097 ESX 2.5.4: does not have this problem ESX 2.5.3: does not have this problem ESX 2.1.3: does not have this problem ESX 2.0.2: does not have this problem A possible security issue with how the Python function repr() function handles UTF-32/UCS-4 strings. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2006-4980 to this issue. 4. Solution: Please review the Patch notes for your version of ESX and verify the md5sum. ESX 3.0.1 http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html md5usm: 239375e107fd4c7af57663f023863fcb ESX 3.0.0 http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html md5sum: ca9947239fffda708f2c94f519df33dc ESX 2.5.4 http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html md5sum: 239375e107fd4c7af57663f023863fcb ESX 2.5.3 http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html md5sum: f90fcab28362edbf2311f3ca90cc7739 ESX 2.1.3 http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html md5sum: 7d7d0e40f4dccd5ca64b9c13a856da8f ESX 2.0.2 http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html md5sum: 925e70f28d17714c53fdbd24de64329f 5. References: ESX 3.0.0 Patch URL: http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html Knowledge base URL: http://kb.vmware.com/kb/3069097 ESX 3.0.1 Patch URL: http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html Knowledge base URL: http://kb.vmware.com/kb/9986131 ESX 2.5.4 Patch URL: http://www.vmware.com/support/esx25/doc/esx-254-200612-patch.html ESX 2.5.3 Patch URL: http://www.vmware.com/support/esx25/doc/esx-253-200612-patch.html ESX 2.1.3 Patch URL: http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html ESX 2.0.2 Patch URL: http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3589 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4980 6. Contact: http://www.vmware.com/security VMware Security Response Policy http://www.vmware.com/vmtn/technology/security/security_response.html E-mail: security@vmware.com Copyright 2007 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFFovs16KjQhy2pPmkRCMfyAKCXhdGwZyXW5VzSwcOmu2NNXKN/OwCgo+CE neFG0RikD74TCYeXKW6CBy4= =9/6k -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c00967144 Version: 1 HPSBTU02207 SSRT061213, SSRT061239, SSRT071304 rev.1 - HP Tru64 UNIX SSL and BIND Remote Arbitrary Code Execution or Denial of Service (DoS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. References: VU#547300, VU#386964, CAN-2006-4339, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738 (SSL) VU#697164, VU#915404, CVE-2007-0493, CVE-2007-0494 (BIND) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. The following supported software versions are affected: HP Tru64 UNIX v 5.1B-4 (SSL and BIND) HP Tru64 UNIX v 5.1B-3 (SSL and BIND) HP Tru64 UNIX v 5.1A PK6 (BIND) HP Tru64 UNIX v 4.0G PK4 (BIND) HP Tru64 UNIX v 4.0F PK8 (BIND) Internet Express (IX) v 6.6 BIND (BIND) HP Insight Management Agents for Tru64 UNIX patch v 3.5.2 and earlier (SSL) BACKGROUND RESOLUTION HP has released the following Early Release Patch kits (ERPs) publicly for use by any customer. The ERP kits use dupatch to install and will not install over any Customer Specific Patches (CSPs) that have file intersections with the ERP. A new patch version for HP Insight Management Agents for Tru64 UNIX is also available that addresses the potential vulnerabilities. The fixes contained in the ERP kits will be available in the following mainstream releases: -Targeted for availability in HP Tru64 UNIX v 5.1B-5 -Internet Express (IX) v 6.7 -HP Insight Management Agents for Tru64 UNIX patch v 3.6.1 (already available) HP Tru64 UNIX Version 5.1B-4 ERP Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001167-V51BB27-ES-20070321 Name: T64KIT1001167-V51BB27-ES-20070321 MD5 Checksum: a697a90bd0b1116b6f27d1100bbf81fd HP Tru64 UNIX Version 5.1B-3 ERP Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001163-V51BB26-ES-20070315 Name: T64KIT1001163-V51BB26-ES-20070315 MD5 Checksum: d376d403176f0dbe7badd4df4e91c126 HP Tru64 UNIX Version 5.1A PK6 ERP Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001160-V51AB24-ES-20070314 Name: T64KIT1001160-V51AB24-ES-20070314 MD5 Checksum: 7bb43ef667993f7c4711b6cf978e0aa7 HP Tru64 UNIX Version 4.0G PK4 ERP Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT1001166-V40GB22-ES-20070316 Name: T64KIT1001166-V40GB22-ES-20070316 MD5 Checksum: a446c39169b769c4a03c654844d5ac45 HP Tru64 UNIX Version 4.0F PK8 ERP Kit Location: http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=DUXKIT1001165-V40FB22-ES-20070316 Name: DUXKIT1001165-V40FB22-ES-20070316 MD5 Checksum: 718148c87a913536b32a47af4c36b04e HP Insight Management Agents for Tru64 UNIX patch version 3.6.1 (for kit CPQIIM360) Location: http://h30097.www3.hp.com/cma/patches.html Name: CPQIM360.SSL.01.tar.gz MD5 Checksum: 1001a10ab642461c87540826dfe28652 Internet Express (IX) v 6.6 BIND Note: Customers who use Internet Express (IX) v 6.6 BIND should install the BIND 9.2.8 patch from the ERP kit appropriate for their base operating system version. PRODUCT SPECIFIC INFORMATION The HP Tru64 UNIX v 5.1B-3 and v 5.1B-4 ERP kits distribute two patches: -OpenSSL 0.9.8d -BIND 9.2.8 built with OpenSSL 0.9.8d Note: HP Tru64 UNIX v 5.1A, v 4.0G, and v 4.0F releases did not distribute OpenSSL and so their ERP kits provide only the BIND 9.2.8 patch that has been built with OpenSSL 0.9.8d Customers who have been using OpenSSL on HP Tru64 UNIX v 5.1B-3 and v 5.1B-4 should install the OpenSSL patch from the ERP kit appropriate for their base operating system version. The HP Insight Management Agents for Tru64 UNIX patch contains OpenSSL 0.9.8d and is applicable for HP Tru64 UNIX v 5.1A, v 5.1B-3, and v 5.1B-4. HISTORY Version:1 (rev.1) - 12 April 2007 Initial release Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2007 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. This can result in an infinite loop which consumes system memory. ASN.1 Denial of Service Attack (2/2) Certain types of public key can take disproportionate amounts of time to process. This could be used by an attacker in a denial of service attack. SSL_get_shared_ciphers() Buffer Overflow A buffer overflow was discovered in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that uses this function and overrun a buffer. SSLv2 Client Crash A flaw in the SSLv2 client code was discovered. ________________________________________________________________________ References: [0] http://www.openssl.org/news/secadv_20060928.txt [1] http://www.openssl.org/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org for details on how to verify the integrity of this advisory. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications. HP Secure Web Server (SWS) for OpenVMS (based on Apache) V2.1-1 and earlier. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2002-0839 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 7.2 CVE-2002-0840 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2003-0542 (AV:L/AC:L/Au:N/C:C/I:C/A:C) 7.2 CVE-2004-0492 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2005-2491 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2005-3352 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2005-3357 (AV:N/AC:H/Au:N/C:N/I:N/A:C) 5.4 CVE-2006-2937 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2006-2940 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8 CVE-2006-3738 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2006-3747 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6 CVE-2006-3918 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2006-4339 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2006-4343 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3 CVE-2007-5000 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2007-6388 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-0005 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2009-1891 (AV:N/AC:M/Au:N/C:N/I:N/A:C) 7.1 CVE-2009-3095 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2009-3291 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2009-3292 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2009-3293 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5 CVE-2009-3555 (AV:N/AC:M/Au:N/C:N/I:P/A:P) 5.8 CVE-2010-0010 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has made the following software updates available to resolve these vulnerabilities. Kit Name Location HP SWS V2.2 for OpenVMS Alpha and OpenVMS Integrity servers. HP System Management Homepage (SMH) versions prior to 2.1.7 running on Linux and Windows. BACKGROUND RESOLUTION HP has provided System Management Homepage (SMH) version 2.1.7 or subsequent for each platform to resolve this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343 _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: 17e2d82c3f6c0afbf48eccbfbcc17b55 2006.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm 8c3f89e1900f069d4a4ad3162a9f7d78 2006.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm 3a68c653ba0339ba99162459385c72e2 2006.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm 8291bde3bd9aa95533aabc07280203b8 2006.0/i586/openssl-0.9.7g-2.4.20060mdk.i586.rpm 52b3fbfc1389bcd73e406d6ff741e9dc 2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: b2ce6e6bb7e3114663d3a074d0cc7da5 2006.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mdk.x86_64.rpm f7c8dbc2eda0c90547d43661454d1068 2006.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mdk.x86_64.rpm 7c9ebd9f9179f4e93627dcf0f3442335 2006.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.x86_64.rpm 17e2d82c3f6c0afbf48eccbfbcc17b55 2006.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mdk.i586.rpm 8c3f89e1900f069d4a4ad3162a9f7d78 2006.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mdk.i586.rpm 3a68c653ba0339ba99162459385c72e2 2006.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mdk.i586.rpm 6ce5832a59b8b67425cb7026ea9dc876 2006.0/x86_64/openssl-0.9.7g-2.4.20060mdk.x86_64.rpm 52b3fbfc1389bcd73e406d6ff741e9dc 2006.0/SRPMS/openssl-0.9.7g-2.4.20060mdk.src.rpm Mandriva Linux 2007.0: 1bfeff47c8d2f6c020c459881be68207 2007.0/i586/libopenssl0.9.8-0.9.8b-2.1mdv2007.0.i586.rpm 1e1a4db54ddfaedb08a6d847422099ff 2007.0/i586/libopenssl0.9.8-devel-0.9.8b-2.1mdv2007.0.i586.rpm 59c80405f33b2e61ffd3cef025635e21 2007.0/i586/libopenssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.i586.rpm 3a6657970a2e7661bd869d221a69c8da 2007.0/i586/openssl-0.9.8b-2.1mdv2007.0.i586.rpm aad29e57ddceb66105af5d6434de9a62 2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: af679c647d97214244a8423dc1a766b7 2007.0/x86_64/lib64openssl0.9.8-0.9.8b-2.1mdv2007.0.x86_64.rpm d7b1ed07df4115b3bcc3907e00d25a89 2007.0/x86_64/lib64openssl0.9.8-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm 5bd3ece2c0ec7a3201c29fa84e25a75a 2007.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8b-2.1mdv2007.0.x86_64.rpm 9b028020dba009eddbf06eeb8607b87f 2007.0/x86_64/openssl-0.9.8b-2.1mdv2007.0.x86_64.rpm aad29e57ddceb66105af5d6434de9a62 2007.0/SRPMS/openssl-0.9.8b-2.1mdv2007.0.src.rpm Corporate 3.0: c99ea58f6f4959a4c36398cc6b2b4ee2 corporate/3.0/i586/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm 98a925c5ba2ecc9d704b1e730035755e corporate/3.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.C30mdk.i586.rpm 151493a50693e3b9cc67bfafadb9ce42 corporate/3.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.i586.rpm 82b4709bdbb9128746887013a724356a corporate/3.0/i586/openssl-0.9.7c-3.6.C30mdk.i586.rpm a5bdbe6afa52005a734dc18aa951677d corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm Corporate 3.0/X86_64: 01a922d80d6fc9d1b36dde15ee27747e corporate/3.0/x86_64/lib64openssl0.9.7-0.9.7c-3.6.C30mdk.x86_64.rpm 30268f0b70862d1f5998694ac8b4addc corporate/3.0/x86_64/lib64openssl0.9.7-devel-0.9.7c-3.6.C30mdk.x86_64.rpm e0388ff1efa34ea55d033e95b4e9bb63 corporate/3.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7c-3.6.C30mdk.x86_64.rpm c99ea58f6f4959a4c36398cc6b2b4ee2 corporate/3.0/x86_64/libopenssl0.9.7-0.9.7c-3.6.C30mdk.i586.rpm 83759622f0cc8ea9c0f6d32671283354 corporate/3.0/x86_64/openssl-0.9.7c-3.6.C30mdk.x86_64.rpm a5bdbe6afa52005a734dc18aa951677d corporate/3.0/SRPMS/openssl-0.9.7c-3.6.C30mdk.src.rpm Corporate 4.0: 6d71d2358738be9967b2dfe19d3642f1 corporate/4.0/i586/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm 22890554d3096ce596eeec7393ee3fcf corporate/4.0/i586/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm 679fe740859fa35b2bb77b19c4a0e787 corporate/4.0/i586/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm d8477333b67ec3a36ba46c50e6183993 corporate/4.0/i586/openssl-0.9.7g-2.4.20060mlcs4.i586.rpm b65dbbd9fb3d74d302478640476a2cd2 corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm Corporate 4.0/X86_64: 746e5e916d1e05379373138a5db20923 corporate/4.0/x86_64/lib64openssl0.9.7-0.9.7g-2.4.20060mlcs4.x86_64.rpm a2b1d750075a32fe8badbdf1f7febafe corporate/4.0/x86_64/lib64openssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm 47c464cf890a004f772c1db3e839fa12 corporate/4.0/x86_64/lib64openssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.x86_64.rpm 6d71d2358738be9967b2dfe19d3642f1 corporate/4.0/x86_64/libopenssl0.9.7-0.9.7g-2.4.20060mlcs4.i586.rpm 22890554d3096ce596eeec7393ee3fcf corporate/4.0/x86_64/libopenssl0.9.7-devel-0.9.7g-2.4.20060mlcs4.i586.rpm 679fe740859fa35b2bb77b19c4a0e787 corporate/4.0/x86_64/libopenssl0.9.7-static-devel-0.9.7g-2.4.20060mlcs4.i586.rpm 1030a6124a9fa4fd5a41bdff077301bf corporate/4.0/x86_64/openssl-0.9.7g-2.4.20060mlcs4.x86_64.rpm b65dbbd9fb3d74d302478640476a2cd2 corporate/4.0/SRPMS/openssl-0.9.7g-2.4.20060mlcs4.src.rpm Multi Network Firewall 2.0: 19055eda58e1f75814e594ce7709a710 mnf/2.0/i586/libopenssl0.9.7-0.9.7c-3.6.M20mdk.i586.rpm abfe548617969f619aec5b0e807f1f67 mnf/2.0/i586/libopenssl0.9.7-devel-0.9.7c-3.6.M20mdk.i586.rpm 92e7515c9125367a79fdb490f5b39cd4 mnf/2.0/i586/libopenssl0.9.7-static-devel-0.9.7c-3.6.M20mdk.i586.rpm 847eecb1d07e4cab3d1de1452103c3a0 mnf/2.0/i586/openssl-0.9.7c-3.6.M20mdk.i586.rpm b6b67fa82d7119cde7ab7816aed17059 mnf/2.0/SRPMS/openssl-0.9.7c-3.6.M20mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFFHA4hmqjQ0CJFipgRApknAJ9Ybd8xjfkR+RL1fWEI2Fgn/KIuqACeOH/0 wB09L3fylyiHgrXvSV6VL7A= =/+dm -----END PGP SIGNATURE-----

POP3 Server for Ipswitch IMail 7.04 and earlier generates different responses to valid and invalid user names, which allows remote attackers to determine users on the system. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP, etc. An issue exists in Ipswitch IMail server, which could allow an unauthorized user to gain knowledge of a legitimate username and brute force the password

Web Messaging Server for Ipswitch IMail 7.04 and earlier allows remote authenticated users to change information for other users by modifying the olduser parameter in the "Change User Information" web form. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP etc. It is possible to specify another userid to whom changes in the editing form will be applied by simply modifying a hidden variable. Successful exploitation of this vulnerability could lead to a denial of service for the victim user. Vulnerabilities exist in Ipswitch IMail 7.04 and earlier versions of Web Messaging Server

Ipswitch IMail 7.04 and earlier records the physical path of attachments in an e-mail message header, which could allow remote attackers to obtain potentially sensitive configuration information. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP, etc. A vulnerability exists which may remotely disclose sensitive information about the host running IMail Server. The disclosed information may be used to maliciously map out the directory structure of the host, facilitating further "intelligent" attacks on the host

The webmail interface for Ipswitch IMail 7.04 and earlier allows remote authenticated users to cause a denial of service (crash) via a mailbox name that contains a large number of . (dot) or other characters to programs such as (1) readmail.cgi or (2) printmail.cgi, possibly due to a buffer overflow that may allow execution of arbitrary code. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP, etc. The IPSwitch IMail Server webmail interface is prone to a denial of service. Theweb interface will crash if a mailbox with a name that contains 248+ dots('.') is accessed. If the webmail interface crashes then it must be restarted to regain normal functionality. CGI scripts that access mailboxes may also induce a denial of service in the same manner. Though it is unconfirmed, this issue may be caused by a buffer overflow. If thisis the case, a possibility does exist that this issue may be exploited to execute arbitrary code on the host. (dot) or other characters, resulting in service denial (crash)

Ipswitch IMail 7.04 and earlier uses predictable session IDs for authentication, which allows remote attackers to hijack sessions of other users. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP, etc. If the attacker can anticipate a current valid session ID then they will be able to access webmail accounts without possessing a valid username/password. Session IDs are generated using alphanumeric characters. A number of the characters are static

Directory traversal vulnerability in readmail.cgi for Ipswitch IMail 7.04 and earlier allows remote attackers to access the mailboxes of other users via a .. (dot dot) in the mbx parameter. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP etc. A vulnerability exists in IMail which could enable an authenticated user to view the mailbox of another IMail user. This accomplished using directory traversal techniques while logged into the server with a valid session ID. Remote attackers use the .

Ipswitch IMail 7.04 and earlier stores a user's session ID in a URL, which could allow remote attackers to hijack sessions by obtaining the URL, e.g. via an HTML email that causes the Referrer to be sent to a URL under the attacker's control. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP etc. A vulnerability exists in IMail which could enable an authenticated user to view the mailbox of another IMail user. This accomplished using directory traversal techniques while logged into the server with a valid session ID

Buffer overflow in Web Calendar in Ipswitch IMail 7.04 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request. Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail supports most common email protocols such as SMTP, POP3, IMAP4, and LDAP etc. Due to improper bounds checking, the Web Calendaring feature of IMail could allow the execution of arbitrary code with the privileges of SYSTEM. This is achieveable by submitting a specially crafted GET request. Ipswitch IMail 7.04 and earlier versions have a buffer overflow vulnerability

Cisco PIX firewall manager (PFM) 4.3(2)g logs the enable password in plaintext in the pfm.log file, which could allow local users to obtain the password by reading the file. A malicious user could use this password to connect to the PIX Firewall and make configuration changes. It is important to note that a malicious user would have to obtain access to the local workstation in order to exploit this vulnerability

Cisco IOS 12.2 and earlier running Cisco Discovery Protocol (CDP) allows remote attackers to cause a denial of service (memory consumption) via a flood of CDP neighbor announcements. The Cisco IOS contains a denial-of-service vulnerability that allows nearby remote attackers to crash or temporarily disable affected network devices. CDP is implemented with some releases of the Cisco Internet Operating System. It is possible for a host on a local segment of network to cause a Cisco router to become unstable, and potentially stop routing traffic by generating large amounts of CDP traffic. This protocol can not be routed across routers to remote network segments. This could lead to the ceasing of operation of Cisco routers, and a denial of service

Nokia Firewall Appliances running IPSO 3.3 and VPN-1/FireWall-1 4.1 Service Pack 3, IPSO 3.4 and VPN-1/FireWall-1 4.1 Service Pack 4, and IPSO 3.4 or IPSO 3.4.1 and VPN-1/FireWall-1 4.1 Service Pack 5, when SYN Defender is configured in Active Gateway mode, does not properly rewrite the third packet of a TCP three-way handshake to use the NAT IP address, which allows remote attackers to gain sensitive information. A vulnerability in Check Point VPN-1/FireWall-1 running on Nokia IPXXX Appliances can allow an attacker to pass traffic allowed by the security policy through the firewall while retaining the external (untranslated) destination IP address. VPN-1 is prone to a information disclosure vulnerability

Cross-site scripting (XSS) vulnerability in the Ping tools web interface in Dlink Di-604 router allows remote attackers to inject arbitrary web script or HTML via the IP field. The nslookup command fails to drop privileges, allowing local attackers to gain root privileges. The D-link DI-604 is a small router device. The 'Ping tools' WEB interface does not verify the size of the ip textfield, changing its size, and sending requests exceeding 500 characters can cause a denial of service attack. There is also a cross-site scripting attack on this textfield. Dlink Di-604 products are prone to a cross-site scripting and a denial-of-service vulnerability because the devices fail to properly handle user-supplied input. An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site

The Ping tools web interface in Dlink Di-604 router allows remote authenticated users to cause a denial of service via a large "ip textfield" size. The nslookup command fails to drop privileges, allowing local attackers to gain root privileges. The D-link DI-604 is a small router device. There is also a cross-site scripting attack on this textfield. Dlink Di-604 products are prone to a cross-site scripting and a denial-of-service vulnerability because the devices fail to properly handle user-supplied input. An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. There is a vulnerability in the web interface of the Ping tool of the Dlink Di-604 route

Cross-site scripting (XSS) vulnerability in prim.htm on the D-Link DI-604 router allows remote attackers to inject arbitrary web script or HTML via the rf parameter. The nslookup command fails to drop privileges, allowing local attackers to gain root privileges. D-Link is an internationally renowned provider of network equipment and solutions, and its products include a variety of router equipment.  D-Link DI-524 has multiple vulnerabilities in processing user requests. Remote attackers may use these vulnerabilities to make device services unavailable or perform cross-site scripting attacks.  The D-Link DI-524 router does not properly handle the login request sent to the web interface. If the attacker sends a long username, it will trigger a crash; if the long HTTP header is sent, it may also cause the router's web server. collapse.  The D-Link DSL-G604T router did not properly filter the input passed to the var: category parameter in cgi-bin / webcm and returned it to the user, which could cause arbitrary HTML and script code to be executed in the user's browser session. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: D-Link DI-604 "rf" Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA29531 VERIFY ADVISORY: http://secunia.com/advisories/29531/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: D-Link DI-604 Broadband Router http://secunia.com/product/11068/ DESCRIPTION: Jonas has reported a vulnerability in D-Link DI-604, which can be exploited by malicious people to conduct cross-site scripting attacks. SOLUTION: Filter malicious characters and character sequences in a web proxy. PROVIDED AND/OR DISCOVERED BY: Jonas ORIGINAL ADVISORY: http://www.gnucitizen.org/projects/router-hacking-challenge/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in cgi-bin/webcm on the D-Link DSL-G604T router allows remote attackers to inject arbitrary web script or HTML via the var:category parameter, as demonstrated by a request for advanced/portforw.htm on the fwan page. The nslookup command fails to drop privileges, allowing local attackers to gain root privileges. D-Link is an internationally renowned provider of network equipment and solutions, and its products include a variety of router equipment.  D-Link DI-524 has multiple vulnerabilities in processing user requests. Remote attackers may use these vulnerabilities to make device services unavailable or perform cross-site scripting attacks.  The D-Link DI-524 router does not properly handle the login request sent to the web interface. If the attacker sends a long username, it will trigger a crash; if the long HTTP header is sent, it may also cause the router's web server. collapse.  The D-Link DI-604 router did not properly filter the input passed to the rf parameter in prim.htm and returned it to the user, which could cause arbitrary HTML and script code to be executed in the user's browser session.  The D-Link DSL-G604T router did not properly filter the input passed to the var: category parameter in cgi-bin / webcm and returned it to the user, which could cause arbitrary HTML and script code to be executed in the user's browser session. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. D-Link is a network company founded by Taiwan D-Link Group, dedicated to the R&D, production and marketing of LAN, broadband network, wireless network, voice network and related network equipment. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: D-Link DSL-G604T "var:category" Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA29530 VERIFY ADVISORY: http://secunia.com/advisories/29530/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: D-Link DSL-G604T http://secunia.com/product/5127/ DESCRIPTION: Gareth Heyes has reported a vulnerability in D-Link DSL-G604T, which can be exploited by malicious people to conduct cross-site scripting attacks. SOLUTION: Do not browse untrusted websites or follow untrusted links while logged on to the application. PROVIDED AND/OR DISCOVERED BY: Gareth Heyes ORIGINAL ADVISORY: http://www.gnucitizen.org/projects/router-hacking-challenge/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Directory traversal vulnerability in webcm in the D-Link DSL-G604T Wireless ADSL Router Modem allows remote attackers to read arbitrary files via an absolute path in the getpage parameter. The nslookup command fails to drop privileges, allowing local attackers to gain root privileges

admin.php in PHP-Nuke 5.2 and earlier, except 5.0RC1, does not check login credentials for upload operations, which allows remote attackers to copy and upload arbitrary files and read the PHP-Nuke configuration file by directly calling admin.php with an upload parameter and specifying the file to copy. PHPNuke's "admin.php" script does not properly authenticate users of its filemanager capabilities. PHP Nuke is a website creation/maintenance tool written in PHP3. PHP Nuke contains a vulnerability in 'admin.php' that may allow for remote attackers to overwrite files with custom data on target webservers. May allow for an attacker to gain access to the host, cause denial of service or deface the target website. PostNuke, a derivative of PHP Nuke, is also vulnerable. PHP-Nuke is a website creation and management tool that can use many database software as the backend, such as MySQL, PostgreSQL, mSQL, Interbase, Sybase, etc

Personal Web Sharing 1.5.5 allows a remote attacker to cause a denial of service via a long HTTP request. Personal Web Sharing is prone to a denial-of-service vulnerability

RSA BSAFE SSL-J 3.0, 3.0.1 and 3.1, as used in Cisco iCND 2.0, caches session IDs from failed login attempts, which could allow remote attackers to bypass SSL client authentication and gain access to sensitive data by logging in after an initial failure. A vulnerability exists in several versions of RSA's SSL-J Software Development Kit (SDK) that can enable an attacker to bypass SSL client authentication. Under certain conditions, if an error occurs during the SSL client-server handshake, the SSL session key may be stored in a cache rather than being discarded. Once cached, this session key can be used by an attacker to cause a server to skip the full client authentication scheme, using a much shorter one. This effectively allows the attacker to fully bypass the client authentication. On systems that rely solely on the authentication mechanism provided by SSL, this could enable an attacker to perform unauthorized actions. Additional technical details are forthcoming