[SECURITY] [DSA 3162-1] bind9 security update

2015-02-19 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3162-1                   secur...@debian.org
http://www.debian.org/security/                             Florian Weimer
February 18, 2015                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: bind9
CVE ID : CVE-2015-1349

Jan-Piet Mens discovered that the BIND DNS server would crash when
processing an invalid DNSSEC key rollover, either due to an error on
the zone operator's part, or due to interference with network traffic
by an attacker.  This issue affects configurations with the directives
"dnssec-validation auto;" (as enabled in the Debian default
configuration) or "dnssec-lookaside auto;".

For the stable distribution (wheezy), this problem has been fixed in
version 1:9.8.4.dfsg.P1-6+nmu2+deb7u4.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJU5QqdAAoJEL97/wQC1SS+SyMIAJR6RrvsIhbFjHm863v3YICJ
ijdNPXKLwiaa4UOnPLg1T2TFmuzcGlvwzhq7cIvEHCLan3ebAqTuRQuAbupaekUK
TykDROE7UQDnGBTR28S/EX6c6++oD5BdK8CNLOCtLUfYt/gNJ2LvmW7Nx0rb1M1a
N+JDYlE4T7OuJDrKbRr0UDSMcE0y6oQls1J7PwWl7IYTVoBD02a5sPLpYUcoxkw4
GD1caoOzcIG2MJP1vMxgNYHmnd3Y2BVgI7dGY2bejXQDrDpv6C0ep5jZu3VVbKQA
Qc2T5mdUzl6KAMZ8Gxe6y5WPymoQiw1x3DmaxYfoPHvj4l7UOkKiNBZoJJa9QHA=
=rYbV
-----END PGP SIGNATURE-----



[SECURITY] [DSA 3163-1] libreoffice security update

2015-02-19 Thread Alessandro Ghedini
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3163-1                   secur...@debian.org
http://www.debian.org/security/                        Alessandro Ghedini
February 19, 2015                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package: libreoffice
CVE ID : CVE-2014-9093
Debian Bug : 771163

It was discovered that LibreOffice, an office productivity suite, could
try to write to invalid memory areas when importing malformed RTF files.
This could allow remote attackers to cause a denial of service (crash)
or arbitrary code execution via crafted RTF files.

For the stable distribution (wheezy), this problem has been fixed in
version 1:3.5.4+dfsg2-0+deb7u3.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 1:4.3.3-2.

For the unstable distribution (sid), this problem has been fixed in
version 1:4.3.3-2.

We recommend that you upgrade your libreoffice packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



iTunes 12.1.1 for Windows: still outdated and VULNERABLE 3rd party libraries, still UNQUOTED and VULNERABLE pathnames C:\Program Files\...

2015-02-19 Thread Stefan Kanthak
Hi @ll,

the just released iTunes 12.1.1 for Windows still comes with
outdated and VULNERABLE 3rd party libraries and vulnerable
command lines:

In AppleMobileDeviceSupport.msi:

* libeay32.dll and ssleay32.dll 0.9.8za from 2014-06-05

  The current version is 0.9.8ze and has 21 security fixes
  which are missing in 0.9.8za; see http://openssl.org/news/

  At last, these DLLs are no longer 7 years old as before, but
  only 8 months old.


* libcurl.dll 7.16.2

  is EIGHT years old and has at least 22 unfixed CVEs!

  The current version is 7.40.0; for the fixed vulnerabilities
  see http://curl.haxx.se/docs/security.html


An attacker can load these vulnerable DLLs and call their buggy
routines to exploit these bugs!


In AppleApplicationSupport.msi:

* msvcr100.dll and msvcp100.dll 10.0.40219.1 from 2011-02-20

  These are the runtime DLLs for Visual C++ 2010 RTM.

  The current version, however, is 10.0.40219.325; see
  https://technet.microsoft.com/library/security/bulletin/MS11-025


An attacker can load these vulnerable DLLs and call their buggy
routines to exploit their bugs!


Additionally the following VULNERABLE[*] command lines with unquoted
pathnames containing spaces are registered.

By AppleApplicationSupport.msi:

[HKEY_CLASSES_ROOT\CLSID\{fdd068c2-d51a-4175-8a20-5cbc704ea3bd}\LocalServer32]
@="[#AppleApplicationSupport_APSDaemon.exe]"

[HKEY_CLASSES_ROOT\CLSID\{6812639B-FD61-4329-9901-22CFDBD690FE}\LocalServer32]
@="[#AppleApplicationSupport_APSDaemon.exe]"

[HKEY_CLASSES_ROOT\CLSID\{D9E904CA-8865-42E7-B0F0-B7B8C4D54D70}\LocalServer32]
@="[#AppleApplicationSupport_APSDaemon.exe]"


For beginners: the value of the unnamed registry entry is a COMMAND
LINE and has to be quoted properly!

From https://msdn.microsoft.com/library/ms683844.aspx

| To help provide system security, use quoted strings in the path to
| indicate where the executable filename ends and the arguments begin. 

As of Windows 2003, developers who are NOT completely unaware of
Microsoft's documentation might want to use the ServerExecutable
registry entry described there too.
But 12 years are surely way too short for Apple's developers, QA and
management to learn about such new features which help improve safety
and security.


By iTunes.msi:

[HKEY_CLASSES_ROOT\itms\shell\open\command]
@="[#iTunes.exe] /url \"%1\""

[HKEY_CLASSES_ROOT\iTunes\shell\open\command]
@="[#iTunes.exe] /url \"%1\""

[HKEY_CLASSES_ROOT\daap\shell\open\command]
@="[#iTunes.exe] /url \"%1\""

[HKEY_CLASSES_ROOT\itmss\shell\open\command]
@="[#iTunes.exe] /url \"%1\""

[HKEY_CLASSES_ROOT\itsradio\shell\open\command]
@="[#iTunes.exe] /url \"%1\""

[HKEY_CLASSES_ROOT\itunesradio\shell\open\command]
@="[#iTunes.exe] /url \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Media\iTunes\shell\open\command]
@="[#iTunes.exe]"

[HKEY_CLASSES_ROOT\itpc\shell\open\command]
@="[#iTunes.exe] /url \"%1\""

[HKEY_CLASSES_ROOT\itls\shell\open\command]
@="[#iTunes.exe] /url \"%1\""

[HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itls\shell\open\command]
@="[INSTALLDIR]iTunes.exe /url \"%1\""

[HKEY_CLASSES_ROOT\pcast\shell\open\command]
@="[INSTALLDIR]iTunes.exe /url \"%1\""

[HKEY_CLASSES_ROOT\iTunes.AssocProtocol.daap\shell\open\command]
@="[INSTALLDIR]iTunes.exe /url \"%1\""

[HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itms\shell\open\command]
@="[INSTALLDIR]iTunes.exe /url \"%1\""

[HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itmss\shell\open\command]
@="[INSTALLDIR]iTunes.exe /url \"%1\""

[HKEY_CLASSES_ROOT\iTunes.AssocProtocol.itpc\shell\open\command]
@="[INSTALLDIR]iTunes.exe /url \"%1\""

[HKEY_CLASSES_ROOT\iTunes.AssocProtocol.pcast\shell\open\command]
@="[INSTALLDIR]iTunes.exe /url \"%1\""


From http://msdn.microsoft.com/library/cc144175.aspx:

| If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if
| the element contains a space, it will not parse correctly.


JFTR: the command lines referenced above are about 1/3 of all
  the command lines registered by iTunes.msi; the other 2/3
  have properly quoted pathnames.


See http://home.arcor.de/skanthak/sentinel.html if you want to
detect software with this 20+ year old vulnerability[*] without
dissecting its *.MSI files.


Until Apple's developers, their QA and their managers start to
develop a sense for their customers safety and security and
due diligence: stay away from Apple's (Windows) software!


stay tuned
Stefan Kanthak


[*] https://cwe.mitre.org/data/definitions/428.html
You'll read more about it soon!


Defense in depth -- the Microsoft way (part 28): yes, we can (create even empty, but properly quoted pathnames)

2015-02-19 Thread Stefan Kanthak
Hi @ll,

in order to prevent the start of the defunct USENET news client
(alias Windows Mail) that Microsoft installs with Windows 7
and later versions of Windows as Microsoft Outlook NewsReader,
the installation of all editions of Microsoft Office 2010 which
include Microsoft Outlook 2010 as well as the standalone version
of the latter create the following registry entries for the
Microsoft Outlook NewsReader with empty pathnames for the
icons and in the command lines:


--- DEFUNCT.REG ---
REGEDIT4

; PLEASE NOTICE THE PROPERLY QUOTED ALBEIT EMPTY PATHNAMES!

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook]
@="Microsoft Outlook"
"DLLPath"="MSIMNUI.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\news]
@="URL:News-Protokoll"
"URL Protocol"=""
"EditFlags"=dword:0002

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\news\DefaultIcon]
@=", -3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\news\shell]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\news\shell\open]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\news\shell\open\command]
@="\"\" /outnews /newsurl:%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\nntp]
@="URL:NNTP-Protokoll"
"URL Protocol"=""
"EditFlags"=dword:0002

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\nntp\DefaultIcon]
@=", -3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\nntp\shell]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\nntp\shell\open]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\nntp\shell\open\command]
@="\"\" /outnews /newsurl:%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\snews]
@="URL:Snews-Protokoll"
"URL Protocol"=""
"EditFlags"=dword:0002

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\snews\DefaultIcon]
@=", -3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\snews\shell]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\snews\shell\open]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\Protocols\snews\shell\open\command]
@="\"\" /outnews /newsurl:%1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\shell]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\shell\open]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\News\Microsoft Outlook\shell\open\command]
@="\"\" /outnews"
--- EOF ---


JFTR: the superfluous empty unnamed (default) registry values are
  created due to a well-known bug in the tools (not only) Microsoft
  uses to build packages for the Microsoft Installer.

  But see https://msdn.microsoft.com/en-us/library/bb165967.aspx for
  why creating an empty default registry value (not only) for the
  open verb is a bug:

  | When registering standard verbs, do not set the default value
  | for the Open key. The default value contains the display string
  | on the menu. The operating system supplies this string for
  | standard verbs.


regards
Stefan Kanthak


PS: Windows 7, and of course Windows 8, Windows 8.1 and Windows 10 too,
have at least one command line with an empty but properly quoted
pathname out-of-the-box, even before the installation of Microsoft
Outlook 2010:

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Windows Mail\InstallInfo]
"ShowIconsCommand"=expand:"\"\""
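The two Kanthak posts above show the same registry value type from opposite sides: iTunes registers command lines whose unquoted pathname contains spaces (CWE-428), while Office 2010 registers command lines whose pathname is quoted but empty. The following is an added example, not code from either post nor from Apple or Microsoft. It classifies such command lines the way CreateProcess would resolve them and lists the pathnames an attacker could plant ahead of the intended program. The sample values are constructed from the MSI Registry-table fragments quoted above; the expansion of [INSTALLDIR], [#iTunes.exe] and [#AppleApplicationSupport_APSDaemon.exe] to concrete paths under C:\Program Files is an assumption, since the real paths depend on the installation.

```python
r"""Static CWE-428 check for Windows command lines registered under
...\shell\open\command or CLSID\...\LocalServer32.

Added example, not code from the posts above.  SAMPLE_VALUES is constructed
from the MSI Registry-table fragments quoted in the two posts; the expansion
of [INSTALLDIR] and [#FileKey] tokens to concrete paths is an assumption.
"""

# Assumed expansions of the MSI formatted-text tokens that appear in the posts.
ASSUMED_INSTALLDIR = r"C:\Program Files\iTunes" + "\\"
ASSUMED_FILEKEYS = {
    "[#iTunes.exe]": ASSUMED_INSTALLDIR + "iTunes.exe",
    "[#AppleApplicationSupport_APSDaemon.exe]":
        r"C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe",
}

# Constructed sample values (key names as quoted in the posts; the last entry
# is the properly quoted form, for comparison).
SAMPLE_VALUES = {
    r"HKCR\itms\shell\open\command": '[#iTunes.exe] /url "%1"',
    r"HKCR\pcast\shell\open\command": '[INSTALLDIR]iTunes.exe /url "%1"',
    r"HKCR\CLSID\{fdd068c2-d51a-4175-8a20-5cbc704ea3bd}\LocalServer32":
        "[#AppleApplicationSupport_APSDaemon.exe]",
    r"HKLM\SOFTWARE\Clients\News\Microsoft Outlook\shell\open\command": '"" /outnews',
    r"HKCR\quoted-example\shell\open\command": '"[#iTunes.exe]" /url "%1"',
}


def expand_msi_tokens(value, installdir=ASSUMED_INSTALLDIR, filekeys=ASSUMED_FILEKEYS):
    """Resolve [INSTALLDIR] and [#FileKey] as the MSI Registry table does at
    install time, using the assumed target paths above."""
    value = value.replace("[INSTALLDIR]", installdir)
    for token, path in filekeys.items():
        value = value.replace(token, path)
    return value


def _prefixes(cmd):
    """Every whitespace-delimited prefix of cmd: each is a possible module name."""
    tokens = cmd.split()
    return [" ".join(tokens[:i]) for i in range(1, len(tokens) + 1)]


def createprocess_candidates(cmd):
    r"""Module names CreateProcess probes, in order, for lpCommandLine=cmd with
    lpApplicationName=NULL.  A leading double quote removes the ambiguity: the
    module is exactly the quoted text, even if empty.  Otherwise each prefix is
    tried in turn, ".exe" appended when it has no extension, so C:\Program.exe
    is probed before C:\Program Files\...; the first one that exists is run."""
    cmd = cmd.strip()
    if not cmd:
        return []
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    candidates = []
    for prefix in _prefixes(cmd):
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def _intended_program(cmd):
    """The program the author meant: the first prefix ending in .exe, else the
    first token."""
    prefixes = _prefixes(cmd)
    return next((p for p in prefixes if p.lower().endswith(".exe")), prefixes[0])


def classify(cmd):
    """'quoted' (correct), 'empty-quoted' (the Office 2010 case, "" ...),
    'unquoted-ambiguous' (space in the unquoted program path: CWE-428) or
    'unquoted-no-spaces' (unquoted, but unambiguous)."""
    cmd = cmd.strip()
    if not cmd:
        return "empty"
    if cmd.startswith('"'):
        return "empty-quoted" if cmd.startswith('""') else "quoted"
    return "unquoted-ambiguous" if " " in _intended_program(cmd) else "unquoted-no-spaces"


def hijack_paths(cmd):
    """Paths probed before the intended program; an attacker who can create
    one of them gets it executed instead.  Empty unless the line is ambiguous."""
    if classify(cmd) != "unquoted-ambiguous":
        return []
    cmd = cmd.strip()
    depth = _prefixes(cmd).index(_intended_program(cmd))
    return createprocess_candidates(cmd)[:depth]


def scan(values=SAMPLE_VALUES):
    """Return {key: (classification, hijack paths)} for every value that is
    not a properly quoted command line."""
    findings = {}
    for key, raw in values.items():
        cmd = expand_msi_tokens(raw)
        kind = classify(cmd)
        if kind != "quoted":
            findings[key] = (kind, hijack_paths(cmd))
    return findings


if __name__ == "__main__":
    for key, (kind, paths) in scan().items():
        print(f"{kind:20} {key}")
        for p in paths:
            print(f"{'':20}   attacker-plantable candidate: {p}")
```

On a real system the same classification can be run over the values read from HKEY_CLASSES_ROOT with the winreg module; a value quoted as `"\"\" /outnews"` then shows up as empty-quoted rather than as a hijack candidate, which is exactly the distinction the second post draws.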