ESA-2010-015: EMC Celerra NFS authentication bypass vulnerability using IP spoofing.
EMC Identifier: ESA-2010-015
CVE Identifier: CVE-2010-2860
Severity Rating: CVSS v2 Base Score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)

Affected products:
EMC SW: NAS Code 5.6.50 and earlier

Vulnerability Summary:
A vulnerability exists in EMC Celerra which can be exploited to gain unauthorized access to the root NFS export on EMC Celerra NAS.

Vulnerability Details:
A vulnerability in EMC Celerra may allow an attacker to spoof IP addresses that are normally used between the Celerra Control Station and X-Blade (Data Mover) over a private IP network. While these IP addresses are normally intended for communication internal to the Celerra, they are also accepted from external sources. By spoofing these IP addresses, an attacker may be able to gain unauthorized access to file systems on the Celerra. The vulnerability only exists when the attacker and the external IP of the Data Mover are on the same subnet.

Problem Resolution:
The following EMC Celerra products contain resolutions to this issue:
  EMC Celerra NAS Code 5.6.51

EMC strongly recommends all customers apply the latest patch, which contains the resolution to this issue, at the earliest opportunity.

Link to remedies:
Registered EMC Powerlink customers can download software from Powerlink. For Celerra Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads C > Celerra Software. Because the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a software download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.

Workaround:
1. Create IP-based access rules on the network equipment rejecting traffic for IP addresses belonging to the internal Celerra network. These addresses are listed in the /etc/hosts file of the Celerra Control Station. That traffic should never be routed to the Control Station; the traffic remains internal to the cabinet and has its own network switches for that purpose.
2. Configure firewalls between Data Movers and NFS clients to reject traffic for IP addresses belonging to the internal Celerra network.
3. Hide the Data Mover's NFS exports from clients that do not have access by setting the forceFullShowmount parameter to 0 (default is 1). This will hide "/" from the list, since only the Control Station has access to it (for administrative purposes).
4. Disable IP reflect.
5. Change the default IP addresses for the internal network of the Celerra to a non-routable IP address scheme that does not conflict with any other non-routable IP networks.

To implement Step 3 above, modify the forceFullShowmount parameter as follows:

  [r...@virgil slot_3]# server_param server_3 -f mount -info forceFullShowmount
  server_3 :
  name             = forceFullShowmount
  facility_name    = mount
  default_value    = 1
  current_value    = 1
  configured_value =
  user_action      = none
  change_effective = immediate
  range            = (0,1)
  description      = Forces response to showmount requests to fully populate response.

  [r...@virgil slot_3]# server_param server_3 -f mount -modify \
      forceFullShowmount -value 0
  server_3 : done

After the above change, a client will see only the shares it has permission to access.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831.

Credits:
EMC would like to thank Steve Ocepek of Trustwave's SpiderLabs for reporting this issue.

EMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important security information. EMC recommends all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

EMC Product Security Response Center
security_al...@emc.com
http://www.emc.com/contact-us/contact/product-security-response-center.htm
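Workaround steps 1 and 2 (and a check that they hold), as an added example that is not part of the EMC advisory: it reads an /etc/hosts-style listing standing in for the Control Station's file (the hostnames and the 10.255.0.0/24 addresses below are constructed, not EMC defaults), emits border-firewall deny rules for those addresses, and flags netfilter-style log lines in which one of them appears as a source on the external interface.

```python
import ipaddress
import re

# Constructed /etc/hosts-style sample. The advisory says the internal Celerra
# addresses are listed in the Control Station's /etc/hosts; the names and the
# 10.255.0.0/24 addresses here are invented for the example, not EMC defaults.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# internal Celerra network (constructed)
10.255.0.1      cs_internal
10.255.0.2      server_2_internal
10.255.0.3      server_3_internal
# external management address (constructed)
198.51.100.10   celerra-cs
"""


def internal_addresses(hosts_text, internal_net):
    """Return the set of addresses in hosts_text that fall inside internal_net."""
    net = ipaddress.ip_network(internal_net)
    found = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line.split()[0])
        except ValueError:
            continue                              # not an address field
        if ip in net:
            found.add(str(ip))
    return found


def deny_rules(addresses, external_iface="eth0"):
    """iptables-style rules (workaround steps 1 and 2): drop anything arriving
    on the external interface that claims an internal Celerra source address."""
    return [f"iptables -A INPUT -i {external_iface} -s {addr} -j DROP"
            for addr in sorted(addresses, key=ipaddress.ip_address)]


# netfilter LOG-style fields: IN=<iface> ... SRC=<addr> ... DPT=<port>
LOG_RE = re.compile(r"IN=(?P<iface>\S+).*?SRC=(?P<src>\S+).*?DPT=(?P<dport>\d+)")


def spoofed_hits(log_lines, addresses, external_iface="eth0"):
    """Log lines in which an internal Celerra address is the source of a packet
    seen on the external interface. The internal network never leaves the
    cabinet, so such a packet cannot be legitimate and each hit is a spoof."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("iface") == external_iface and m.group("src") in addresses:
            hits.append(line)
    return hits


# Constructed netfilter log lines; NFS is TCP/2049.
SAMPLE_LOG = [
    "kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP DPT=2049",
    "kernel: IN=eth0 OUT= SRC=10.255.0.1 DST=198.51.100.20 PROTO=TCP DPT=2049",
    "kernel: IN=eth1 OUT= SRC=10.255.0.1 DST=10.255.0.3 PROTO=TCP DPT=2049",
]

if __name__ == "__main__":
    addrs = internal_addresses(SAMPLE_HOSTS, "10.255.0.0/24")
    print("\n".join(deny_rules(addrs)))
    for hit in spoofed_hits(SAMPLE_LOG, addrs):
        print("spoofed internal source on external interface:", hit)
```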
[USN-985-1] mountall vulnerability
===========================================================
Ubuntu Security Notice USN-985-1            September 08, 2010
mountall vulnerability
CVE-2010-2961
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 10.04 LTS:
  mountall                        2.15.2

In general, a standard system update will make all the necessary changes.

Details follow:

Alasdair MacGregor discovered that mountall created a udev rule file with world-writable permissions. A local attacker could exploit this under certain conditions to cause udev to execute arbitrary commands as the root user.

Updated packages for Ubuntu 10.04:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/m/mountall/mountall_2.15.2.dsc
      Size/MD5:      972 92e488f0e51ab3c20ddf537fdc92fd24
    http://security.ubuntu.com/ubuntu/pool/main/m/mountall/mountall_2.15.2.tar.gz
      Size/MD5:   564582 036e6a108a9bc0c2155a7226ad5437c3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/m/mountall/mountall_2.15.2_amd64.deb
      Size/MD5:    56016 76dc051afb8a20077f0c0b709369d6c0

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/m/mountall/mountall_2.15.2_i386.deb
      Size/MD5:    52384 42ebb3fa3f81ed1a08270d48a8f6b367

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://ports.ubuntu.com/pool/main/m/mountall/mountall_2.15.2_powerpc.deb
      Size/MD5:    55780 cf51c1268b9b188150f9d2131882d8bb

  sparc architecture (Sun SPARC/UltraSPARC):
    http://ports.ubuntu.com/pool/main/m/mountall/mountall_2.15.2_sparc.deb
      Size/MD5:    56758 276c85acaf4feaa54c53615f0a572b8b
ESA-2010-016: RSA, The Security Division of EMC, releases security hot fix for a potential vulnerability in RSA® Access Manager Agent when working with RSA® Adaptive Authentication.
Security Advisory
Updated September 2, 2010

Summary:
RSA Access Manager Agent version 4.7.1 with RSA Adaptive Authentication Integration contains a potential vulnerability that could be exploited by malicious people to bypass authentication restrictions.

CVE Identifier: CVE-2010-3017

Description:
RSA Access Manager Agent version 4.7.1 with RSA Adaptive Authentication Integration contains a potential vulnerability that could be exploited to bypass authentication restrictions and gain unauthorized access to sensitive information.

Affected Products:
RSA Access Manager Agent version 4.7.1 with RSA Adaptive Authentication Integration

Unaffected Products:
RSA Access Manager Agent version 4.9 with RSA Adaptive Authentication Integration

Recommendation:
RSA strongly recommends that all customers running RSA Access Manager Agent version 4.7.1 apply the following software hot fix, designed to address this issue, at the earliest opportunity. The hot fix can be downloaded from SecurCare Online or by contacting RSA Security Customer Support.

  - Security Hot fix: RSA Access Manager Agent hot fix 4.7.1.7 or greater

This security hot fix for RSA Access Manager Agent is available immediately.

As of the date of this RSA SecurCare® Online Security Advisory, RSA is not aware of any security breaches that have occurred as a result of this vulnerability.

Common Vulnerability Scoring System (CVSS) Base Score is 5.7 (AV:A/AC:M/Au:N/C:C/I:N/A:N). For more information on CVSS scoring, please see the Knowledge Base Article "Security Advisories Severity Rating" at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604.

Obtaining Documentation:
To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.

Obtaining More Information:
For more information about RSA Access Manager, visit the RSA web site at http://www.rsa.com/node.aspx?id=1186.

Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information: http://www.rsa.com/node.aspx?id=1264
RSA SecurCare Online: https://knowledge.rsasecurity.com

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
http://www.rsa.com/node.aspx?id=2575

SecurCare Online Security Advisories
RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you'd like to stop receiving RSA SecurCare Notes & Security Advisories, or if you'd like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view5. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.

EMC Product Security Response Center
security_al...@emc.com
http://www.emc.com/contact-us/contact/product-security-response-center.htm
ESA-2010-014: RSA, The Security Division of EMC, releases security hot fixes for potential vulnerability in RSA® Access Manager Server under certain conditions.
Security Advisory
Updated August 31, 2010

Summary:
RSA Access Manager Server contains a potential vulnerability that could be exploited to bypass certain security restrictions, potentially enabling unauthorized access to protected resources.

CVE Identifier: CVE-2010-3018

Description:
RSA Access Manager Server contains a potential vulnerability that may be exploited to bypass certain security restrictions during a cache update, which may lead to unauthorized access to protected resources.

Affected Products:
RSA Access Manager Server version 5.5.3
RSA Access Manager Server version 6.0.4
RSA Access Manager Server version 6.1

Recommendation:
RSA strongly recommends that all customers running RSA Access Manager Server versions 5.5.3, 6.0.4, and 6.1 apply the following security hot fixes, which contain the resolution to this issue, at the earliest opportunity. The hot fixes can be downloaded from SecurCare Online or by contacting RSA Security Customer Support. In addition, RSA recommends that customers running versions of Access Manager Agents prior to 6.0.4 upgrade to supported software.

  - Security Hot fix # 5.5.3.172 for RSA Access Manager Server version 5.5.3
  - Security Hot fix # 6.0.4.53 for RSA Access Manager Server version 6.0.4
  - Security Hot fix # 6.1.2.01 for RSA Access Manager Server version 6.1

The security hot fixes for RSA Access Manager Servers are available immediately.

As of the date of this RSA SecurCare® Online Security Advisory, RSA is not aware of any security breaches that have occurred as a result of this vulnerability.

Common Vulnerability Scoring System (CVSS) Base Score is 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N). For more information on CVSS scoring, please see the Knowledge Base Article "Security Advisories Severity Rating" at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604.

Obtaining Documentation:
To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.

Obtaining More Information:
For more information about RSA Access Manager, visit the RSA web site at http://www.rsa.com/node.aspx?id=1186.

Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information: http://www.rsa.com/node.aspx?id=1264
RSA SecurCare Online: https://knowledge.rsasecurity.com

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
http://www.rsa.com/node.aspx?id=2575

SecurCare Online Security Advisories
RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you'd like to stop receiving RSA SecurCare Notes & Security Advisories, or if you'd like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view5. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submi
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20100908-wlc
Revision 1.0
For Public Release 2010 September 08 1600 UTC (GMT)

Summary
=======

The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities:

  * Two denial of service (DoS) vulnerabilities
  * Three privilege escalation vulnerabilities
  * Two access control list (ACL) bypass vulnerabilities

Note: These vulnerabilities are independent of one another. A device may be affected by one vulnerability and not affected by another.

Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml

Affected Products
=================

Vulnerable Products
+------------------

These products are each affected by at least one vulnerability covered in this Security Advisory:

  * Cisco 2000 Series WLCs
  * Cisco 2100 Series WLCs
  * Cisco 4100 Series WLCs
  * Cisco 4400 Series WLCs
  * Cisco 5500 Series WLCs
  * Cisco Wireless Services Modules (WiSMs)
  * Cisco WLC Modules for Integrated Services Routers (ISRs)
  * Cisco Catalyst 3750G Integrated WLCs

DoS Vulnerabilities
~~~~~~~~~~~~~~~~~~~

The Cisco WLC product family is affected by two DoS vulnerabilities:

  * Internet Key Exchange (IKE) DoS Vulnerability
  * HTTP DoS Vulnerability

The IKE DoS vulnerability affects Cisco WLC software versions 3.2 and later. The HTTP DoS vulnerability affects Cisco WLC software versions 4.2 and later.

Privilege Escalation Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The privilege escalation vulnerabilities affect Cisco WLC software versions 4.2 and later.

CPU ACL Bypass Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One of the two ACL bypass vulnerabilities affects Cisco WLC software versions 4.1 and later. The second ACL bypass vulnerability affects Cisco WLC software versions 6.0.x.

Determination of Software Versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Administrators can use these instructions to determine the software version that is running on the Cisco WLCs (using the web or command-line interface) or on the Cisco WiSM (using commands on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router).

Cisco Wireless Controllers
~~~~~~~~~~~~~~~~~~~~~~~~~~

To determine the WLC version that is running in a given environment, use one of these methods:

  * In the web interface, choose the "Monitor" tab, click "Summary" in the left pane, and note the "Software Version" field.

    Note: Customers who use a Cisco WLC Module in an ISR will need to issue the "service-module wlan-controller session" command prior to performing the next step on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the "session processor 1 session" command prior to performing the next step on the command line.

  * From the command-line interface, type "show sysinfo" and note the "Product Version" field, as shown in this example:

    (Cisco Controller)> show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 5.1.151.0
    RTOS Version..................................... Linux-2.6.10_mvl401
    Bootloader Version............................... 4.0.207.0
    Build Type....................................... DATA + WPS

Cisco WiSMs
~~~~~~~~~~~

Use the "show wism module controller 1 status" command on a Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router if they are using a WiSM. Note the software version as demonstrated in this example, which shows version 5.1.151.0:

    Router# show wism module 3 controller 1 status
    WiSM Controller 1 in Slot 3
    Operational Status of the Controller : Oper-Up
    Service VLAN                         : 192
    Service Port                         : 10
    Service Port Mac Address             : 0011.92ff.8742
    Service IP Address                   : 192.168.10.1
    Management IP Address                : 192.168.1.123
    Software Version                     : 5.1.151.0
    Port Channel Number                  : 288
    Allowed vlan list                    : 30,40
    Native VLAN ID                       : 40
    WCP Keep Alive Missed                : 0

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such
[ GLSA 201009-06 ] Clam AntiVirus: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 201009-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Clam AntiVirus: Multiple vulnerabilities
      Date: September 07, 2010
      Bugs: #314087, #321157
        ID: 201009-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Clam AntiVirus.

Background
==========

Clam AntiVirus (short: ClamAV) is an anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/clamav           < 0.96.1                  >= 0.96.1

Description
===========

Multiple vulnerabilities were discovered in Clam AntiVirus. For further information, please consult the CVE entries referenced below.

Impact
======

A remote attacker could possibly bypass virus detection or cause a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Clam AntiVirus users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.96.1"

References
==========

  [ 1 ] CVE-2010-0098
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0098
  [ 2 ] CVE-2010-1311
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1311
  [ 3 ] CVE-2010-1639
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1639
  [ 4 ] CVE-2010-1640
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1640

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201009-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
etax 2010 failure to validate remote ssl certificate properly
etax 2010[0]

1. fails to properly check the remote https server has a valid certificate for the host it claims to be from.

Test case: edit the hosts file like this:

    IP_OF_HTTPS_SERVER_HERE etaxservices10.etax.ato.gov.au
    e.g. 203.0.178.114

(note: you need a certificate for _any_ domain signed by a CA installed on the client boxen).

2. will communicate over http if told to ;) (mod_rewrite etc.).

...

etax 2010 will send the details of the tax request in a SOAP request.

Have fun ;)

[0] http://www.ato.gov.au/individuals/content.asp?doc=/content/32234.htm&page=5

--
Small things make base men proud.
-- William Shakespeare, "Henry VI"
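The check the post says etax 2010 skips, as an added example that is not part of the post: a name matcher over a certificate's DNS subjectAltName entries, so that a CA-signed certificate issued for some other domain is rejected for etaxservices10.etax.ato.gov.au, beside the ssl.SSLContext settings that enforce both chain validation and name checking (and the lax setting that reproduces the described failure, for contrast). The certificate dicts are constructed in the shape ssl.getpeercert() returns.

```python
import ssl


def hostname_matches(cert, hostname):
    """Compare hostname with the certificate's DNS subjectAltName entries
    (RFC 6125 style): exact match, or a single leftmost wildcard label that
    stands for exactly one label and may not cover a whole top-level suffix.
    No commonName fallback. cert is in ssl.getpeercert() shape."""
    hostname = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == hostname:
            return True
        if pattern.startswith("*.") and pattern.count(".") >= 2:
            suffix = pattern[1:]                  # "*.example.org" -> ".example.org"
            if hostname.endswith(suffix):
                prefix = hostname[:-len(suffix)]
                if prefix and "." not in prefix:  # wildcard = exactly one label
                    return True
    return False


def strict_context(cafile=None):
    """Client context that validates the chain against trusted CAs AND compares
    the peer's name with the host being contacted (the check the post says
    etax 2010 does not perform)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def lax_context():
    """The described failure mode: the chain is validated, so any certificate a
    trusted CA issued for any name is accepted for any host. Contrast only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx):
    """True when a context enforces both chain validation and name checking."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed certificates in ssl.getpeercert() shape (no real issuer or serial).
ATO_CERT = {"subject": ((("commonName", "etaxservices10.etax.ato.gov.au"),),),
            "subjectAltName": (("DNS", "etaxservices10.etax.ato.gov.au"),)}
OTHER_CERT = {"subject": ((("commonName", "www.example.org"),),),
              "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.example.org"))}

if __name__ == "__main__":
    target = "etaxservices10.etax.ato.gov.au"
    for label, cert in (("ATO cert", ATO_CERT), ("other CA-signed cert", OTHER_CERT)):
        print(f"{label} valid for {target}: {hostname_matches(cert, target)}")
```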
[ GLSA 201009-05 ] Adobe Reader: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 201009-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Adobe Reader: Multiple vulnerabilities
      Date: September 07, 2010
      Bugs: #297385, #306429, #313343, #322857
        ID: 201009-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Adobe Reader might result in the execution of arbitrary code or other attacks.

Background
==========

Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF reader.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  app-text/acroread              < 9.3.4                   >= 9.3.4

Description
===========

Multiple vulnerabilities were discovered in Adobe Reader. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below.

Impact
======

A remote attacker might entice a user to open a specially crafted PDF file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or bypass intended sandbox restrictions, make cross-domain requests, inject arbitrary web script or HTML, or cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Reader users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-text/acroread-9.3.4"

References
==========

  [ 1 ] APSA10-01
        http://www.adobe.com/support/security/advisories/apsa10-01.html
  [ 2 ] APSB10-02
        http://www.adobe.com/support/security/bulletins/apsb10-02.html
  [ 3 ] APSB10-07
        http://www.adobe.com/support/security/bulletins/apsb10-07.html
  [ 4 ] APSB10-09
        http://www.adobe.com/support/security/bulletins/apsb10-09.html
  [ 5 ] APSB10-14
        http://www.adobe.com/support/security/bulletins/apsb10-14.html
  [ 6 ] APSB10-16
        http://www.adobe.com/support/security/bulletins/apsb10-16.html
  [ 7 ] CVE-2009-3953
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3953
  [ 8 ] CVE-2009-4324
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324
  [ 9 ] CVE-2010-0186
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0186
  [ 10 ] CVE-2010-0188
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188
  [ 11 ] CVE-2010-0190
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0190
  [ 12 ] CVE-2010-0191
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0191
  [ 13 ] CVE-2010-0192
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0192
  [ 14 ] CVE-2010-0193
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0193
  [ 15 ] CVE-2010-0194
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0194
  [ 16 ] CVE-2010-0195
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0195
  [ 17 ] CVE-2010-0196
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0196
  [ 18 ] CVE-2010-0197
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0197
  [ 19 ] CVE-2010-0198
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0198
  [ 20 ] CVE-2010-0199
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0199
  [ 21 ] CVE-2010-0201
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0201
  [ 22 ] CVE-2010-0202
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0202
  [ 23 ] CVE-2010-0203
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0203
  [ 24 ] CVE-2010-0204
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0204
  [ 25 ] CVE-2010-1241
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1241
  [ 26 ] CVE-2010-1285
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1285
  [ 27 ] CVE-2010-1295
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1295
  [ 28 ] CVE-2010-1297
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297
  [ 29 ] CVE-2010-2168
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2168
  [ 30 ] CVE-2010-2201
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2201
  [ 31 ] CVE-2010-2202
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2202
  [ 32 ] CVE-2010-2203
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2203
  [ 33 ] CVE-2010-2204
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2204
  [ 34 ] CVE-2010-2205
[security bulletin] HPSBMA02574 SSRT100038 rev.1 - HP ProLiant G6 Lights-Out 100, Remote Management, Denial of Service (DoS)
SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c02498412
Version: 1

HPSBMA02574 SSRT100038 rev.1 - HP ProLiant G6 Lights-Out 100, Remote Management, Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2010-09-07
Last Updated: 2010-09-07

Potential Security Impact: Denial of service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP ProLiant G6 Lights-Out 100 Remote Management. This vulnerability could be exploited remotely to create a Denial of Service (DoS) in the Lights-Out 100.

References: CVE-2010-3006

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP ProLiant G6 Lights-Out 100 Remote Management v4.04 firmware and previous

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference            Base Vector                 Base Score
  CVE-2010-3006        (AV:N/AC:L/Au:N/C:N/I:N/A:C)       7.8
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided HP ProLiant G6 Lights-Out 100 Remote Management v4.06 firmware or a subsequent version to resolve the vulnerability.

Note: As of the time of this security bulletin release, the latest version of Lights-Out 100 Remote Management software is v4.21.

Below are impacted products which have the impacted Lights-Out 100 Remote Management:

  ProLiant Model             Update to this firmware version or a later version
  HP ProLiant DL160 G6       v4.06
  HP ProLiant DL160se G6     v4.06
  HP ProLiant DL180 G6       v4.06
  HP ProLiant ML150 G6       v4.06
  HP ProLiant DL 170h G6     v4.06
  HP ProLiant DL2x170h G6    v4.06
  HP ProLiant DL4x170h G6    v4.06
  HP ProLiant SL160z G6      v4.06
  HP ProLiant SL170z G6      v4.06
  HP ProLiant SL2x170z G6    v4.06
  HP ProLiant ML110 G6       v4.06
  HP ProLiant DL120 G6       v4.06

PRODUCT SPECIFIC INFORMATION
None

HISTORY
Version:1 (rev.1) - 7 September 2010 Initial Release

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title:
  GN = HP General SW
  MA = HP Management Agents
  MI = Misc. 3rd Party SW
  MP = HP MPE/iX
  NS = HP NonStop Servers
  OV = HP OpenVMS
  PI = HP Printing & Imaging
  ST = HP Storage SW
  TL = HP Trusted Linux
  TU = HP Tru64 UNIX
  UX = HP-UX
  VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

Copyright 2010 Hewlett-Packard Development Company, L.P. H
[USN-984-1] LFTP vulnerability
===
Ubuntu Security Notice USN-984-1
September 07, 2010
lftp vulnerability
CVE-2010-2251
===

A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 9.04
Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:
Ubuntu 8.04 LTS: lftp 3.6.1-1ubuntu0.1
Ubuntu 9.04: lftp 3.7.8-1ubuntu0.1
Ubuntu 9.10: lftp 3.7.15-1ubuntu2.1
Ubuntu 10.04 LTS: lftp 4.0.2-1ubuntu0.1

In general, a standard system update will make all the necessary changes.

ATTENTION: This update changes previous behaviour by ignoring the filename supplied by servers in Content-Disposition headers. To re-enable previous behaviour, use the new xfer:auto-rename setting.

Details follow:
It was discovered that LFTP incorrectly filtered filenames suggested by Content-Disposition headers. If a user or automated system were tricked into downloading a file from a malicious site, a remote attacker could create the file with an arbitrary name, such as a dotfile, and possibly run arbitrary code.
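To make the filtering problem concrete, here is an added example in C (not lftp's own code and not from the notice): a minimal extractor for the Content-Disposition filename parameter, a sanitizer that strips any directory part and refuses dotfiles, and a chooser whose auto_rename flag mirrors the described fix, ignoring the server's suggestion outright when false and honouring it only after sanitizing when true. The header values and URLs are constructed samples.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define FNAME_MAX 255
char name_buf[FNAME_MAX + 1];   /* scratch buffer for the demo calls below */

/* Copy the raw "filename=" parameter of a Content-Disposition value into out.
 * Handles filename="quoted" and filename=token; the RFC 5987 filename*= form is
 * skipped on purpose. Returns false if no non-empty parameter is found. */
bool cd_filename(const char *header, char *out, size_t outsz) {
    for (const char *p = header; *p; p++) {
        if (strncasecmp(p, "filename=", 9) != 0) continue;
        p += 9;
        size_t n = 0;
        if (*p == '"') {                        /* quoted-string form */
            for (p++; *p && *p != '"' && n + 1 < outsz; p++) out[n++] = *p;
        } else {                                /* bare token form */
            for (; *p && *p != ';' && !isspace((unsigned char)*p) && n + 1 < outsz; p++)
                out[n++] = *p;
        }
        out[n] = '\0';
        return n > 0;
    }
    return false;
}

/* Keep only the last path component (either separator), drop control characters,
 * and reject "", ".", ".." and any other dotfile. Returns false when nothing
 * trustworthy remains, so the caller must fall back to a name of its own. */
bool sanitize_name(const char *raw, char *out, size_t outsz) {
    const char *base = raw;
    for (const char *q = raw; *q; q++)
        if (*q == '/' || *q == '\\') base = q + 1;
    size_t n = 0;
    for (const char *q = base; *q && n + 1 < outsz; q++) {
        unsigned char c = (unsigned char)*q;
        if (c >= 0x20 && c != 0x7f) out[n++] = (char)c;
    }
    out[n] = '\0';
    return n > 0 && out[0] != '.';
}

static void url_basename(const char *url, char *out, size_t outsz) { /* last URL path segment */
    const char *end = url + strcspn(url, "?#"), *base = url;
    for (const char *q = url; q < end; q++)
        if (*q == '/') base = q + 1;
    size_t n = (size_t)(end - base);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, base, n);
    out[n] = '\0';
    if (n == 0) snprintf(out, outsz, "index.html");
}

/* auto_rename=false mirrors the post-fix default (server suggestion ignored);
 * auto_rename=true honours it only once sanitize_name() accepts it. */
bool choose_download_name(const char *url, const char *cd, bool auto_rename,
                          char *out, size_t outsz) {
    char raw[FNAME_MAX + 1], safe[FNAME_MAX + 1];
    if (auto_rename && cd && cd_filename(cd, raw, sizeof raw) &&
        sanitize_name(raw, safe, sizeof safe)) {
        snprintf(out, outsz, "%s", safe);
        return true;    /* server-supplied name used */
    }
    url_basename(url, out, outsz);
    return false;       /* fell back to the name from the URL */
}
```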
Updated packages for Ubuntu 8.04 LTS:
Updated packages for Ubuntu 9.04:
Updated packages for Ubuntu 9.10:
Joomla Component Aardvertiser 2.1 free Blind SQL Injection Vulnerability
# Exploit Title: Joomla Component Aardvertiser 2.1 free Blind SQL Injection Vulnerability
# Date: 07.09.2010
# Author: Stephan Sattler // www.solidmedia.de
# Software Link: http://sourceforge.net/projects/aardvertiser/files/com_aardvertiser%20V2.1.1%20Free/com_aardvertiserfree.zip/download
# Version: 2.1 free

[ Vulnerability//PoC ]
http://www.site.com/joomlapath/index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view
[SECURITY] [DSA 2098-2] New typo3-src packages fix regression
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- Debian Security Advisory DSA-2098-2 secur...@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
September 7, 2010 http://www.debian.org/security/faq
-
Package: typo3-src
Vulnerability : several
Problem type : local/remote
Debian-specific: no
CVE Id(s) : not yet available
Debian Bug : 590719

The update for TYPO3 in DSA 2098 introduced a regression which could make the backend functionality unusable. This update corrects the problem. For reference, the original advisory is below.

Several remote vulnerabilities have been discovered in the TYPO3 web content management framework: cross-site scripting, open redirection, SQL injection, broken authentication and session management, insecure randomness, information disclosure and arbitrary code execution. More details can be found in the Typo3 security advisory: http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-012/

For the stable distribution (lenny), these problems have been fixed in version 4.2.5-1+lenny5.
The testing distribution (squeeze) will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in version 4.3.5-1 (not affected by the regression).

We recommend that you upgrade your typo3-src package.

Upgrade instructions
-
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
-
Source archives:
Architecture independent packages:

These files will probably be moved into the stable distribution on its next update.

- -
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
[ GLSA 201009-04 ] SARG: User-assisted execution of arbitrary code
Gentoo Linux Security Advisory GLSA 201009-04
http://security.gentoo.org/

Severity: Normal
Title: SARG: User-assisted execution of arbitrary code
Date: September 07, 2010
Bugs: #222121
ID: 201009-04

Synopsis
Multiple stack-based buffer overflow vulnerabilities were discovered in SARG allowing for remote code execution.

Background
SARG is the Squid Analysis Report Generator.

Affected packages
Package / Vulnerable / Unaffected
1 net-analyzer/sarg / < 2.2.5-r5 / >= 2.2.5-r5

Description
Multiple vulnerabilities were discovered in SARG. For further information please consult the CVE entries referenced below.

Impact
These vulnerabilities might allow attackers to execute arbitrary code via unknown vectors.

NOTE: This is a legacy GLSA. Updates for all affected architectures are available since April 18, 2009. It is likely that your system is already no longer affected by this issue.

Workaround
There is no known workaround at this time.

Resolution
All SARG users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/sarg-2.2.5-r5"

References
[ 1 ] CVE-2008-1922 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1922

Availability
This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201009-04.xml

Concerns?
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
License
Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Call for Participation - GameSec 2010 - Berlin, Germany
CALL FOR PARTICIPATION

GameSec 2010 - Conference on Decision and Game Theory for Security
22-23 November 2010, Berlin, Germany
www.gamesec-conf.org

*** Keynote Speakers: Prof. Nick Bambos (Stanford Univ.) and Prof. Silvio Micali (MIT).

A list of accepted papers and the conference program are available on the conference website at
http://gamesec-conf.org/program.php
http://gamesec-conf.org/papers.php

*** The GameSec conference aims to bring together researchers who aim to establish a theoretical foundation for making resource allocation decisions that balance available capabilities and perceived security risks in a principled manner. The conference focuses on analytical models based on game, information, communication, optimization, decision, and control theories that are applied to diverse security topics. At the same time, the connection between theoretical models and real world security problems is emphasized to establish the important feedback loop between theory and practice. Observing the scarcity of venues for researchers who try to develop a deeper theoretical understanding of the underlying incentive and resource allocation issues in security, we believe that GameSec will fill an important void and serve as a distinguished forum of the highest standards for years to come.

*** Registration and Venue:
Early registration deadline: 3 October 2010
To register for GameSec 2010, please visit http://gamesec-conf.org/registration.php
Venue and Hotel information is available at http://gamesec-conf.org/venue.php

*** Industry Gold Sponsor: Deutsche Telekom Laboratories
Industry Silver Sponsor: Fraunhofer Heinrich Hertz Institute
Technical co-sponsors: IEEE Control System Society; International Society of Dynamic Games
In cooperation with ACM SIGSAC; IEEE Multimedia Communication Technical Committee.

*** 2010 Organizers
General Chair: Tansu Alpcan (TU-Berlin, T-Labs)
TPC Co-Chairs:
- John Baras (Univ Maryland)
- Levente Buttyan (Budapest Univ.)
Publicity Co-Chairs:
- Zhu Han (Univ. of Houston)
- Albert Levi (Sabanci Univ.)
Publication Chair: Holger Boche (TU-Berlin, HHI)
Finance and Registration Chair: Slawomir Stanczak (TU-Berlin, HHI)
Local Chair: Jean-Pierre Seifert (TU-Berlin, T-Labs)
Administrative Assistant: Christine Kluge (TU-Berlin, T-Labs)

*** Steering Board
Tansu Alpcan (TU-Berlin, T-Labs)
Nick Bambos (Stanford Univ.)
Tamer Basar (Univ. of Illinois)
Anthony Ephremides (Univ. of Maryland)
Jean-Pierre Hubaux (EPFL)
[SECURITY] [DSA-2105-1] New freetype packages fix several vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- Debian Security Advisory DSA-2105-1 secur...@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
September 07, 2010 http://www.debian.org/security/faq
-
Package: freetype
Vulnerability : several
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2010-1797 CVE-2010-2541 CVE-2010-2805 CVE-2010-2806 CVE-2010-2807 CVE-2010-2808 CVE-2010-3053

Several vulnerabilities have been discovered in the FreeType font library. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-1797
Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted CFF opcodes in embedded fonts in a PDF document, as demonstrated by JailbreakMe.

CVE-2010-2541
Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVE-2010-2805
The FT_Stream_EnterFrame function in base/ftstream.c in FreeType does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

CVE-2010-2806
Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.

CVE-2010-2807
FreeType uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.
CVE-2010-2808
Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.

CVE-2010-3053
bdf/bdflib.c in FreeType allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string.

For the stable distribution (lenny), these problems have been fixed in version 2.3.7-2+lenny3.
For the unstable distribution (sid) and the testing distribution (squeeze), these problems have been fixed in version 2.4.2-1.

We recommend that you upgrade your freetype package.

Upgrade instructions
-
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
-
Debian (stable)
---
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
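As an added illustration of the integer-type mistakes named in CVE-2010-2806 and CVE-2010-2807 (a constructed toy format, not FreeType's code): a length-prefixed string parser whose signed size field is checked two ways, the flawed signed comparison that lets a negative size through beside the corrected unsigned check that the parser actually uses. The blobs are constructed samples, not font data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STRING 64   /* fixed destination buffer, standing in for a parser's */

/* Little-endian signed 32-bit field, as stored in the constructed format. */
static int32_t read_s32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* The mistake: size is signed and compared against signed limits, so a negative
 * size passes both tests and would later be converted to a huge size_t for the
 * copy. Kept only to demonstrate the flaw; never used by parse_strings(). */
bool size_ok_broken(int32_t size, size_t remaining) {
    if (size > MAX_STRING) return false;
    if (size > (int32_t)remaining) return false;
    return true;
}

/* The fix: reject negatives first, then compare as unsigned values. */
bool size_ok_fixed(int32_t size, size_t remaining) {
    if (size < 0) return false;
    size_t usize = (size_t)size;
    return usize <= MAX_STRING && usize <= remaining;
}

/* Parse records of [int32 size][size bytes] and copy each into a fixed buffer.
 * Returns the record count, or -1 at the first malformed record. */
int parse_strings(const uint8_t *blob, size_t len) {
    uint8_t dst[MAX_STRING];
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        if (len - pos < 4) return -1;               /* truncated size field */
        int32_t size = read_s32(blob + pos);
        pos += 4;
        if (!size_ok_fixed(size, len - pos)) return -1;
        memcpy(dst, blob + pos, (size_t)size);
        pos += (size_t)size;
        count++;
    }
    return count;
}

/* Constructed inputs (not real font data). */
const uint8_t GOOD_BLOB[] = { 3, 0, 0, 0, 'a', 'b', 'c',  0, 0, 0, 0 };
const uint8_t NEG_BLOB[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'x', 'y' };   /* size = -1 */
const uint8_t BIG_BLOB[]  = { 100, 0, 0, 0, 'a' };                   /* size > buffer */

int main(void) {
    printf("good: %d records\n", parse_strings(GOOD_BLOB, sizeof GOOD_BLOB));
    printf("negative size: %d\n", parse_strings(NEG_BLOB, sizeof NEG_BLOB));
    printf("broken check accepts -1: %s\n", size_ok_broken(-1, 2) ? "yes" : "no");
    return 0;
}
```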
Re: etax 2010 failure to validate remote ssl certificate properly
On 8 September 2010 05:09, dave b wrote:
> etax 2010[0]

Minor edit :)

"> (note: you need a certificate for _any_ domain signed by a CA"

should be:

"> (note: you need a certificate for a domain that has been signed by a CA installed on the client pc"

i.e. a certificate for https://foo.com that works on the client :)

--
An honest tale speeds best being plainly told. -- William Shakespeare, "Henry VI"
Recent developments in FireWire Attacks
Hello,

The security vulnerabilities associated with open FireWire ports are nothing new, having been covered extensively by Maximilian Dornseif (2004 and 2005) and more recently by Adam Boileau (2006 and 2008). Unfortunately the tools released as part of these disclosures (pyfw, pythonraw1394 and winlockpwn) have all started to succumb to bit rot. In addition, there has been a comparative lack of research on the vulnerabilities of Mac OS X against FireWire attacks.

Therefore I would like to share my updated research in the field. This includes an open source cross-platform (GNU/Linux and Mac OS X) library, libforensic1394, for performing memory forensics/attacks over FireWire and a paper on the subject. (Although written from a forensics standpoint, the security implications associated with the interface are discussed at great length.)

The paper can be found here: https://freddie.witherden.org/pages/ieee-1394-forensics.pdf
with the associated pages for it and libforensic1394 being
https://freddie.witherden.org/pages/ieee-1394-forensics/
https://freddie.witherden.org/tools/libforensic1394/

Included in the paper is:
- A comprehensive discussion on obtaining memory access over the interface.
- Coverage of the new "Juju" FireWire stack, introduced in the 2.6.22 Linux kernel. (Its features, susceptibility to memory access attacks, etc.)
- Limitations of existing libraries and how libforensic1394 represents an improvement over them.
- User-space code samples showing how responses to read/write requests can be spoofed by a malicious application on the target system.
- Updated attack signatures for 32- and 64-bit versions of Windows to bypass logon passwords.
- Similar signatures for Mac OS X 10.6 along with a discussion of how the user logon password can be extracted from a (locked) system. This, from a security standpoint, is particularly concerning.
- Mitigation for Windows, Mac OS X and GNU/Linux.
- Source code for all sample programs.

Polemically yours,
Freddie.