[Full-disclosure] Ann: Backtrack 2.0 released
Dear List, On behalf of the Backtrack Team (which I am _not_ part of) I'd like to direct your attention to the immediate availability of Backtrack 2.0 and would like to personaly thank them for the immense effort put into this Project. http://www.remote-exploit.org/backtrack.html BackTrack is the most Top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes. It's evolved from the merge of the two wide spread distributions Whax and Auditor Security Collection. By joining forces and replacing these distribution the BackTrack could gain a massive popularity and was voted in 2006 as #1 at the surveil of insecure.org. Security professionals as well as new-comers are using it as their favorite toolset all over the globe. New exciting features in BackTrack 2, to mention a few: * Updated Kernel-Running 2.6.20, with several patches. * Broadcom based wireless card support * Most wireless drivers are built to support raw packet injection * Metasploit2 and Metasploit3 framework integration * Alignment to open standards and frameworks like ISSAF and OSSTMM * Redesigned menu structure to assist the novice as well as the pro * Japanese input support-reading and writing in Hiragana / Katakana / Kanji. * A lot more.. BackTrack has a long history and was based on many different linux distribution until it is now based on a Slackware linux distribution and the corresponding live-CD scripts. Every packet, kernel configuration and scripts are optimized to be used by security penetration testers. Patches and automatism have been added, applied or developed to provide a neat and ready-to-go environment. After coming into a stable development procedure during the last releases and consolidating feedbacks and addition, the team was focused to support more and newer hardware as well as provide more flexibility and modularity by restructuring the build and maintenance processes. With the current version, most applications are built as individual modules which help to speed up the maintenance releases and fixes. Because Metasploit is one of the key tools for most analysts it is tightly integrated into BackTrack and both projects collaborate together to always provide an on-the-edge implementation of Metasploit within the BackTrack CD-Rom images or the upcoming remote-exploit.org distributed and maintained virtualization images (like VMWare images appliances). Being superior while staying easy to use is key to a good security live cd. We took things a step further and aligned BackTrack to penetration testing methodologies and assessment frameworks (ISSAF and OSSTMM). This will help our professional users during their daily reporting nightmares. Currently BackTrack consists of more than 300 different up-to-date tools which are logically structured according to the work flow of security professionals. This structure allows even newcomers to find the related tools to a certain task to be accomplished. New technologies and testing techniques are merged into BackTrack as soon as possible to keep it up-to-date. No other commercial or freely available analysis platform offers an equivalent level of usability with automatic configuration and focus on penetration testing. -- http://secdev.zoller.lu Thierry Zoller Fingerprint : 4813 c403 58f1 1200 7189 a000 7cf1 1200 9f89 a000 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] rPSA-2007-0051-1 mod_python
rPath Security Advisory: 2007-0051-1 Published: 2007-03-07 Products: rPath Linux 1 Rating: Minor Exposure Level Classification: Indirect Deterministic Information Exposure Updated Versions: mod_python=/[EMAIL PROTECTED]:devel//1/3.1.4-8.4-1 References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2680 https://issues.rpath.com/browse/RPL-1105 Description: Previous versions of the mod_python package have a weakness that can expose the contents of previously-freed memory, leading to potential information exposure. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] rPSA-2007-0052-1 kdelibs
rPath Security Advisory: 2007-0052-1 Published: 2007-03-07 Products: rPath Linux 1 Rating: Minor Exposure Level Classification: Indirect Deterministic Weakness Updated Versions: kdelibs=/[EMAIL PROTECTED]:devel//1/3.4.2-5.13-1 References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537 https://issues.rpath.com/browse/RPL-1117 Description: Previous versions of the kdelibs package enable a cross-site scripting (XSS) attack against the konquerer web browser by embedding certain HTML tags within a comment in a title tag. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDKSA-2007:057 ] - Updated xine-lib packages to address buffer overflow vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2007:057 http://www.mandriva.com/security/ ___ Package : xine-lib Date: March 8, 2007 Affected: 2007.0, Corporate 3.0 ___ Problem Description: The DMO_VideoDecoder_Open function in dmo/DMO_VideoDecoder.c in xine-lib does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code. Updated packages have been patched to address this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246 ___ Updated Packages: Mandriva Linux 2007.0: 241273125b4e2014a0fa1580c7ed0413 2007.0/i586/libxine1-1.1.2-3.3mdv2007.0.i586.rpm e2855220283ec658301068cf00bb266a 2007.0/i586/libxine1-devel-1.1.2-3.3mdv2007.0.i586.rpm b98b3376e156fb87a34f30aad34e65e5 2007.0/i586/xine-aa-1.1.2-3.3mdv2007.0.i586.rpm 88d1b8d538dcff220bf528674d0bf5b0 2007.0/i586/xine-arts-1.1.2-3.3mdv2007.0.i586.rpm ce54bd05bd941b2224c549bf685c0a08 2007.0/i586/xine-dxr3-1.1.2-3.3mdv2007.0.i586.rpm 0e33ea09058a1cd82fd8720278243c14 2007.0/i586/xine-esd-1.1.2-3.3mdv2007.0.i586.rpm 0e8c92ffdc4c3c8073531a72a47da8ca 2007.0/i586/xine-flac-1.1.2-3.3mdv2007.0.i586.rpm 3d7eb8f9a5f45ddebd7ccc20cec808f0 2007.0/i586/xine-gnomevfs-1.1.2-3.3mdv2007.0.i586.rpm 5a1390613c4505b2bfcd326ff0156b0c 2007.0/i586/xine-image-1.1.2-3.3mdv2007.0.i586.rpm 79899e7608558bb490003b9cba2a978c 2007.0/i586/xine-plugins-1.1.2-3.3mdv2007.0.i586.rpm ed4c39cfe82d66caa19c023a8495c4a1 2007.0/i586/xine-sdl-1.1.2-3.3mdv2007.0.i586.rpm 9256f65fff35cd6c25fd0b19823dcc8a 2007.0/i586/xine-smb-1.1.2-3.3mdv2007.0.i586.rpm 0bf2ceba6a15a079bf2890265b8f1a55 2007.0/SRPMS/xine-lib-1.1.2-3.3mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: d92a6bebe5c1e915ed6dca150f32de2e 2007.0/x86_64/lib64xine1-1.1.2-3.3mdv2007.0.x86_64.rpm eb0c2f9d95f04e3d9c8ea1282c41f5dc 2007.0/x86_64/lib64xine1-devel-1.1.2-3.3mdv2007.0.x86_64.rpm cd81757a9c25e480d10932cb4d40f6e0 2007.0/x86_64/xine-aa-1.1.2-3.3mdv2007.0.x86_64.rpm acbaf60373d75281d3c3c7da24d7a1de 2007.0/x86_64/xine-arts-1.1.2-3.3mdv2007.0.x86_64.rpm 38997b2bd174345dcec41682569868c1 2007.0/x86_64/xine-dxr3-1.1.2-3.3mdv2007.0.x86_64.rpm 2425cc89f26171fc32f889ccf0b5b96c 2007.0/x86_64/xine-esd-1.1.2-3.3mdv2007.0.x86_64.rpm 5ddcb92e47e6f35de1db5482edf98a9c 2007.0/x86_64/xine-flac-1.1.2-3.3mdv2007.0.x86_64.rpm c68e811900a94bd92d65832f64bcdb8a 2007.0/x86_64/xine-gnomevfs-1.1.2-3.3mdv2007.0.x86_64.rpm f6aa73615c7c9a7238838641afc6af6a 2007.0/x86_64/xine-image-1.1.2-3.3mdv2007.0.x86_64.rpm 4437aff317d159abbd1785fbe53368e7 2007.0/x86_64/xine-plugins-1.1.2-3.3mdv2007.0.x86_64.rpm 4f062b56c298e09b0ec364c18814917f 2007.0/x86_64/xine-sdl-1.1.2-3.3mdv2007.0.x86_64.rpm fa2a314dbde0ccedf85043e10d94f3d3 2007.0/x86_64/xine-smb-1.1.2-3.3mdv2007.0.x86_64.rpm 0bf2ceba6a15a079bf2890265b8f1a55 2007.0/SRPMS/xine-lib-1.1.2-3.3mdv2007.0.src.rpm Corporate 3.0: dffe302693d57f09ad55573f20400258 corporate/3.0/i586/libxine1-1-0.rc3.6.15.C30mdk.i586.rpm 76bb6cba723566a5a0a02043d5e02fe2 corporate/3.0/i586/libxine1-devel-1-0.rc3.6.15.C30mdk.i586.rpm 24645aa6d547c1077236248eb54645f0 corporate/3.0/i586/xine-aa-1-0.rc3.6.15.C30mdk.i586.rpm 246938c45fe9d795c96aa349bf8cd107 corporate/3.0/i586/xine-arts-1-0.rc3.6.15.C30mdk.i586.rpm 0af50984ecd9fd2979f3da178871ac1d corporate/3.0/i586/xine-dxr3-1-0.rc3.6.15.C30mdk.i586.rpm 80b08a823d7793fb677bbb121a07f9cb corporate/3.0/i586/xine-esd-1-0.rc3.6.15.C30mdk.i586.rpm 31c8ad519bfab253300f5d575ea22f5b corporate/3.0/i586/xine-flac-1-0.rc3.6.15.C30mdk.i586.rpm 38bcaf1e4bf6f673c0e39048e7701348 corporate/3.0/i586/xine-gnomevfs-1-0.rc3.6.15.C30mdk.i586.rpm 27627560d6c1c7e5aa2fd63bde435b37 corporate/3.0/i586/xine-plugins-1-0.rc3.6.15.C30mdk.i586.rpm 3f124f14f5fa8b1e7e3f3917afda3705 corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.15.C30mdk.src.rpm Corporate 3.0/X86_64: 0182ddc1159b46c24589b397412733e1 corporate/3.0/x86_64/lib64xine1-1-0.rc3.6.15.C30mdk.x86_64.rpm 01cb9805548452a161da99ad385ed474 corporate/3.0/x86_64/lib64xine1-devel-1-0.rc3.6.15.C30mdk.x86_64.rpm b121a2b09b0da74ad2553f94319c2771 corporate/3.0/x86_64/xine-aa-1-0.rc3.6.15.C30mdk.x86_64.rpm 91534b8494ab6ac1eec6c47261f6389b corporate/3.0/x86_64/xine-arts-1-0.rc3.6.15.C30mdk.x86_64.rpm 81d95f1a15722144e856384e4fe4a27b corporate/3.0/x86_64/xine-esd-1-0.rc3.6.15.C30mdk.x86_64.rpm f35de55cb2d1b241c60479728ab84ca0 corporate/3.0/x86_64/xine-flac-1-0.rc3.6.15.C30mdk.x86_64.rpm b83e2f8b1cbf0802077ee0f7bc1ac6ec
[Full-disclosure] [MU-200703-01] Remote DOS in Asterisk SIP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Remote DOS in Asterisk SIP [MU-200703-01] March 07, 2006 http://labs.musecurity.com/advisories.html Affected Products/Versions: Asterisk versions 1.2.15 and 1.4.0, and earlier versions Product Overview: http://www.asterisk.org/ "Asterisk is the most popular and extensible open source telephone system in the world, offering flexibility, functionality and features not available in advanced, high-end (high-cost) proprietary business systems. Asterisk is a complete IP PBX (private branch exchange) for businesses, and can be downloaded for free." Vulnerability Details: Asterisk crashes when handed an otherwise valid request message but with no URI and no SIP-version in the request-line of the message. For example, "REGISTER\r\n ". The crash is due to a null pointer dereference, and does not appear to be otherwise exploitable. Vendor Response / Solution: Fixed in releases 1.2.16 and 1.4.1. Available from http://www.asterisk.org History: March 1, 2006 - First contact with vendor March 2, 2006 - Vendor acknowledges vulnerability March 7, 2006 - Advisory released Credit: This vulnerability was discovered by the Mu Security research team. http://labs.musecurity.com/pgpkey.txt Mu Security offers a new class of security analysis system, delivering a rigorous and streamlined methodology for verifying the robustness and security readiness of any IP-based product or application. Founded by the pioneers of intrusion detection and prevention technology, Mu Security is backed by preeminent venture capital firms that include Accel Partners, Benchmark Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For more information, visit the company's website at http://www.musecurity.com. -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.4 (Darwin) iD8DBQFF71EEMl+docYeP+YRAukhAJ9UtebKpf+EOAVI1yo7oXq+H46/ggCeMpvp WtZuYXJRPBo4e0tP04ljrHM= =I3nE -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] FLSA - foresight linux security announcements
Just a heads up to folks that Foresight Linux [1] will now be publishing security advisories. These advisories will be published as soon as updates for the relevant issues have been pushed. The advisories will be posted to a newly-created mailing list [2] explicitly for this purpose, as well as to FullDisclosure, Bugtraq, and LWN.net. Interested users and developers are encouraged to subscribe to the foresight-security list. Developers who are interested in joining the foresight security team are encouraged to stop by #foresight and say hello. [1]: http://foresightlinux.org [2]: http://lists.rpath.org/mailman/listinfo/foresight-security -smithj ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDKSA-2007:056 ] - Updated tcpdump packages address off-by-one overflow
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2007:056 http://www.mandriva.com/security/ ___ Package : tcpdump Date: March 8, 2007 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0 ___ Problem Description: Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based. Updated packages have been patched to address this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1218 ___ Updated Packages: Mandriva Linux 2006.0: d92b272b29238545670818ca1d03b171 2006.0/i586/tcpdump-3.9.3-1.3.20060mdk.i586.rpm 66d13291c325f4c08725ee28fd57c21d 2006.0/SRPMS/tcpdump-3.9.3-1.3.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: 9a66f32f4fd622c3986a80dd447bad10 2006.0/x86_64/tcpdump-3.9.3-1.3.20060mdk.x86_64.rpm 66d13291c325f4c08725ee28fd57c21d 2006.0/SRPMS/tcpdump-3.9.3-1.3.20060mdk.src.rpm Mandriva Linux 2007.0: 34629bcb6e9ee83b6e9163bd0e3ab889 2007.0/i586/tcpdump-3.9.4-1.1mdv2007.0.i586.rpm ba39819805f0935af53e2ec77b302d14 2007.0/SRPMS/tcpdump-3.9.4-1.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: e0c4b35447b06600387db895f2ecee54 2007.0/x86_64/tcpdump-3.9.4-1.1mdv2007.0.x86_64.rpm ba39819805f0935af53e2ec77b302d14 2007.0/SRPMS/tcpdump-3.9.4-1.1mdv2007.0.src.rpm Corporate 3.0: f6dc96b67852e9a31868433020500ea1 corporate/3.0/i586/tcpdump-3.8.1-1.3.C30mdk.i586.rpm 978aeb218783686a74e4d2a6e1b772fb corporate/3.0/SRPMS/tcpdump-3.8.1-1.3.C30mdk.src.rpm Corporate 3.0/X86_64: b3440b61b1aaca36fb7426d2108d5a99 corporate/3.0/x86_64/tcpdump-3.8.1-1.3.C30mdk.x86_64.rpm 978aeb218783686a74e4d2a6e1b772fb corporate/3.0/SRPMS/tcpdump-3.8.1-1.3.C30mdk.src.rpm Corporate 4.0: b0d581c7c0166447c32019849638002e corporate/4.0/i586/tcpdump-3.9.3-1.3.20060mlcs4.i586.rpm d849293ac434f50fb2159bf0298a9921 corporate/4.0/SRPMS/tcpdump-3.9.3-1.3.20060mlcs4.src.rpm Corporate 4.0/X86_64: a0955040cd81b0d5189e2b72fdddf459 corporate/4.0/x86_64/tcpdump-3.9.3-1.3.20060mlcs4.x86_64.rpm d849293ac434f50fb2159bf0298a9921 corporate/4.0/SRPMS/tcpdump-3.9.3-1.3.20060mlcs4.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF7/2XmqjQ0CJFipgRAtBDAKDsiVO4Wq7b5X0/6OmQdodzS42nQwCggOVE D1MbIAalZVXg12JYfnsmM2k= =ySaD -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDKSA-2007:055 ] - Updated mplayer packages to address buffer overflow vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2007:055 http://www.mandriva.com/security/ ___ Package : mplayer Date: March 8, 2007 Affected: 2007.0, Corporate 3.0 ___ Problem Description: The DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in MPlayer 1.0rc1 and earlier does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code. Updated packages have been patched to address this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246 ___ Updated Packages: Mandriva Linux 2007.0: c79b106f66ef06c04a656adbd2dd5caa 2007.0/i586/libdha1.0-1.0-1.pre8.13.1mdv2007.0.i586.rpm 5a596579a15d7092b559bbbd6c319167 2007.0/i586/mencoder-1.0-1.pre8.13.1mdv2007.0.i586.rpm dd6293fb4f03bd361932e385d07f8918 2007.0/i586/mplayer-1.0-1.pre8.13.1mdv2007.0.i586.rpm 0b7a8a5af99b3a3975a3f0f9e0b5c70a 2007.0/i586/mplayer-gui-1.0-1.pre8.13.1mdv2007.0.i586.rpm e90776605fb7d8b2c6c9845431dff696 2007.0/SRPMS/mplayer-1.0-1.pre8.13.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 3ccbf6766332228912f9ca86673ee082 2007.0/x86_64/mencoder-1.0-1.pre8.13.1mdv2007.0.x86_64.rpm d5544ee7ba584ad39c78221947d9f763 2007.0/x86_64/mplayer-1.0-1.pre8.13.1mdv2007.0.x86_64.rpm 7485610e6dae090636fb34c7c41c9343 2007.0/x86_64/mplayer-gui-1.0-1.pre8.13.1mdv2007.0.x86_64.rpm e90776605fb7d8b2c6c9845431dff696 2007.0/SRPMS/mplayer-1.0-1.pre8.13.1mdv2007.0.src.rpm Corporate 3.0: c856e0fc1743cd8f623d7ee8f9e6ffe3 corporate/3.0/i586/libdha0.1-1.0-0.pre3.14.9.C30mdk.i586.rpm 1350f9e69fd481e17b707a94fb1bc74a corporate/3.0/i586/libpostproc0-1.0-0.pre3.14.9.C30mdk.i586.rpm 98d7ca9b74490afb20c44efe098761fa corporate/3.0/i586/libpostproc0-devel-1.0-0.pre3.14.9.C30mdk.i586.rpm 536f8ad600598e2cffce436c1c0e695f corporate/3.0/i586/mencoder-1.0-0.pre3.14.9.C30mdk.i586.rpm 208ea2e10312f1cba5989ecbf43956f3 corporate/3.0/i586/mplayer-1.0-0.pre3.14.9.C30mdk.i586.rpm 1ff79a1c5e08b898a14010305797893c corporate/3.0/i586/mplayer-gui-1.0-0.pre3.14.9.C30mdk.i586.rpm 20150c93e21037f29585075932eb7ef0 corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.9.C30mdk.src.rpm Corporate 3.0/X86_64: 823d5b19da1feead69cb245cbea24ec3 corporate/3.0/x86_64/lib64postproc0-1.0-0.pre3.14.9.C30mdk.x86_64.rpm b4839689ed4d7fd56198b266a913eda6 corporate/3.0/x86_64/lib64postproc0-devel-1.0-0.pre3.14.9.C30mdk.x86_64.rpm f522ed8f9e28c712af8820a21635a387 corporate/3.0/x86_64/mencoder-1.0-0.pre3.14.9.C30mdk.x86_64.rpm 91bb9c93d8d71e8978a0dfc9ba5f7b6e corporate/3.0/x86_64/mplayer-1.0-0.pre3.14.9.C30mdk.x86_64.rpm 10196940030f359d04c345e55c8c98fb corporate/3.0/x86_64/mplayer-gui-1.0-0.pre3.14.9.C30mdk.x86_64.rpm 20150c93e21037f29585075932eb7ef0 corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.9.C30mdk.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF8AEzmqjQ0CJFipgRApNzAJ9RDJuZFdlog1bW7Ol7+vBB1+KFtwCg4ogN 0qj1yJugJ+Mg+6GdPqIulnk= =9Czc -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDKSA-2007:054 ] - Updated kdelibs packages to address DoS issue in KDE Javascript
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2007:054 http://www.mandriva.com/security/ ___ Package : kdelibs Date: March 8, 2007 Affected: 2007.0, Corporate 4.0 ___ Problem Description: ecma/kjs_html.cpp in KDE JavaScript (KJS), as used in Konqueror, allows remote attackers to cause a denial of service (crash) by accessing the content of an iframe with an ftp:// URI in the src attribute, probably due to a NULL pointer dereference. Updated packages have been patched to address this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1308 ___ Updated Packages: Mandriva Linux 2007.0: 1d8397f15e58c6ebc8add4080524e8ba 2007.0/i586/kdelibs-common-3.5.4-19.3mdv2007.0.i586.rpm f9f0624e36296f15aa5f7bfe51765335 2007.0/i586/kdelibs-devel-doc-3.5.4-19.3mdv2007.0.i586.rpm 36d61d7ad928fbee40606a82028446ad 2007.0/i586/libkdecore4-3.5.4-19.3mdv2007.0.i586.rpm 15b28472271a57c834b27259a29f07da 2007.0/i586/libkdecore4-devel-3.5.4-19.3mdv2007.0.i586.rpm 1763a83f2c1b2fe368983ee87fad4fc2 2007.0/SRPMS/kdelibs-3.5.4-19.3mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 770bb5b58a92a6e8bf213f814346293c 2007.0/x86_64/kdelibs-common-3.5.4-19.3mdv2007.0.x86_64.rpm 8daded5cdd67051ceca12750140e551c 2007.0/x86_64/kdelibs-devel-doc-3.5.4-19.3mdv2007.0.x86_64.rpm aac88e6d7fd426401bfa11505550dcb4 2007.0/x86_64/lib64kdecore4-3.5.4-19.3mdv2007.0.x86_64.rpm 5c7becc6933c5d13761d561999691594 2007.0/x86_64/lib64kdecore4-devel-3.5.4-19.3mdv2007.0.x86_64.rpm 1763a83f2c1b2fe368983ee87fad4fc2 2007.0/SRPMS/kdelibs-3.5.4-19.3mdv2007.0.src.rpm Corporate 4.0: 358b45acbccb6b99d05748abc02f9dd7 corporate/4.0/i586/kdelibs-arts-3.5.4-2.4.20060mlcs4.i586.rpm 63cd48e403757866aa7979e5d7d906de corporate/4.0/i586/kdelibs-common-3.5.4-2.4.20060mlcs4.i586.rpm 9aa0299ec063ea41d52da7ba446757a4 corporate/4.0/i586/kdelibs-devel-doc-3.5.4-2.4.20060mlcs4.i586.rpm ad7439a70a0dd461073c6d38e73a5622 corporate/4.0/i586/libkdecore4-3.5.4-2.4.20060mlcs4.i586.rpm 9b1fd095f5735fbbc2e337fbb954b524 corporate/4.0/i586/libkdecore4-devel-3.5.4-2.4.20060mlcs4.i586.rpm 2c987a7ed1c263de3dde211cb0dee772 corporate/4.0/SRPMS/kdelibs-3.5.4-2.4.20060mlcs4.src.rpm Corporate 4.0/X86_64: 3c1ff52dc6a7347a2648f4c3628a3e3d corporate/4.0/x86_64/kdelibs-arts-3.5.4-2.4.20060mlcs4.x86_64.rpm 1d201913a24f345f77a53ea1ebc850b7 corporate/4.0/x86_64/kdelibs-common-3.5.4-2.4.20060mlcs4.x86_64.rpm 4ec74770c6dc7343092000db74ca5ca0 corporate/4.0/x86_64/kdelibs-devel-doc-3.5.4-2.4.20060mlcs4.x86_64.rpm b4d99dcd875a95c8b1301bcf54860306 corporate/4.0/x86_64/lib64kdecore4-3.5.4-2.4.20060mlcs4.x86_64.rpm 93cfdbf02993812bb52ae0d2e26a0c70 corporate/4.0/x86_64/lib64kdecore4-devel-3.5.4-2.4.20060mlcs4.x86_64.rpm 2c987a7ed1c263de3dde211cb0dee772 corporate/4.0/SRPMS/kdelibs-3.5.4-2.4.20060mlcs4.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF8APFmqjQ0CJFipgRAgqzAJ9DmuNRfDFu7K1Xd1PqGkwg1dwNAwCeNpf8 +pvpIpYttsl6uOacHpxXXkQ= =+gJf -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] YouTube email exploit being used by Casey Nunez AKA TheDramaTube AKA The Hurricane
YouTube user TheDramaTube (AKA The Hurricane) is actively using a YouTube email exploit that, when opened, logs the reader out of their and immediately gives him access. Beware of any messages sent by this user. The last time this exploit was used the subject line was "rfgt". In the body of the email was simply "r". The person who received the email was then logged out and Casey Nunez then had access to their acount, with the victim unable to log back in for a while. Casey Nunez 247 Marmandie Ave., Lot #56 River Ridge, LA 70123-1145 Phone# 504-250-1119 Be safe out there, Jamie - Don't get soaked. Take a quick peek at the forecast with theYahoo! Search weather shortcut.___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] YouTube email exploit being used by Casey Nunez AKA TheDramaTube AKA The Hurricane
bla bla bla, evidence or it didn't happen. On 3/8/07, Jaime Demetur <[EMAIL PROTECTED]> wrote: > YouTube user TheDramaTube (AKA The Hurricane) is actively using a YouTube > email exploit that, when opened, logs the reader out of their and > immediately gives him access. Beware of any messages sent by this user. > > The last time this exploit was used the subject line was "rfgt". In the body > of the email was simply "r". The person who received the email was then > logged out and Casey Nunez then had access to their acount, with the victim > unable to log back in for a while. > > Casey Nunez > 247 Marmandie Ave., Lot #56 > River Ridge, LA > 70123-1145 > Phone# 504-250-1119 > > Be safe out there, > Jamie > > > > > Don't get soaked. Take a quick peek at the forecast > with theYahoo! Search weather shortcut. > ___ > Full-Disclosure - We believe in it. > Charter: > http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Microsoft Windows Vista/2003/XP/2000 file management security issues
This is an article I promised to publish after Windows ReadDirectoryChangesW (CVE-2007-0843) [1] issue. It should explain why you must never place secure data inside insecure directory. Title: Microsoft Windows Vista/2003/XP/2000 file management security issues Author: 3APA3A, http://securityvulns.com/ Vendor: Microsoft (and potentially another vendors) Products: Microsoft Windows Vista/2003/XP/2000, Microsoft resource kit for Windows 2000 and different utilities. Access Vector: Local Type: multiple/complex (weak design, insecure file operations, etc) Original advisory: http://securityvulns.com/advisories/winfiles.asp Securityvulns.com news: http://security.nnov.ru/news/Microsoft/Windows/files.html 0. Intro This article contains a set of attack scenarios to demonstrate security weakness in few very common Windows management practices. Neither of the problem explained is critical, yet combined together they should force you to review your security practices. I can't even say "vulnerabilities" because there is no something you can call "vulnerability". It's just something you believe is secure and it's not. 1.1 Problem: inability to create secured file / folder in public one. Attack: folder hijack attack First, it's simply impossible with standard Windows interface to create something secured in insecure folder. Scenario 1.1: Bob wishes to create "Bob private data" folder in "Public" folder to place few private files. "Public" has at least "Write" permissions for "User" group. Bob: I Creates "Bob private data" folder II Sets permission for folder to only allow access to folder himself III Copies private files into folder Alice wants to get access to folder Bob created. She Ia Immediately after folder is created, deletes "Bob private data" folder and creates "Bob private data" folder again (or simply takes ownership under "Bob private data" folder if permissions allow). It makes Alice folder owner. IIa Immediately after Bob sets permissions, she grants herself full control under folder. She can do it as a folder owner. IIIa Reads Bob's private files, because files permissions are inherited from folder Alice can use "Spydir" (http://securityvulns.com/soft/) tool to monitor files access and automate this process. As you can see, [1] elevates this problem significantly. This is not new attack. Unix has "umask" command to protect administrators and users. Currently, Windows has nothing similar. CreateFile() API supports setting file ACL on file creation (just like open() allows to set mode on POSIX systems). ACL can be securely set only on newly created files. This raises a problem of secure file creation. 1.2 Problem: Inability to lock / securely change permissions of already created file Attack: pre-open file/directory attack. There are few classes of insecure file creation attack (attempt to open existing file), exploitable under Unix with hardlinks or symlinks. It's believed Windows is not vulnerable to this attacks because I. There is no symlinks under Windows. Symlink attacks are not possible. II. Security information in NTFS is not stored as a part of directory entry, it's a part of file data. Hard link attacks are not possible. III. File locks in Windows are mandatory. It means, if one application locks the file, another application can not open this file, if user doesn't have backup privileges. It mitigate different file-based attacks. There is at least one scenario, attacker can succeed without symbolic link: to steal data written to file created without check for file existence regardless of file locks and permissions. Attack description: if attacker can predict filename to be written, he can create file, open it and share this file for all types of access. Because locking and permissions are only checked on file open, attacker retain access to the file even if it's locked and it's permissions are changed to deny file access to attacker. Exploit (or useful tool): http://securityvulns.com/files/spyfile.c Opens file, shares it for different types of access and logs changes, keeping the file open. Compiled version is available from http://securityvulns.com/soft/ Scenario 1.2.1: Bob is now aware about folder hijack attack. He use xcopy /O /U /S to synchronize his files to newly created folder. xcopy /O copies security information (ownership and permissions) before writing data to file. Alice use "Spydir" to monitor newly created folders and files in Bob's directory. She use Spyfile to create spoofed files in target directory and waits for Bob t
[Full-disclosure] PHP import_request_variables() arbitrary variable overwrite
PHP import_request_variables() arbitrary variable overwrite
Name Using import_request_variables() you can overwrite
$_* and $* (any php variable).
Systems Affected PHP >=4.0.7 <=5.2.1
Severity High
Vendorhttp://www.php.net/
Advisory http://www.wisec.it/vulns.php?id=10
http://www.wisec.it/vuln_10.txt
Authors Stefano `wisec` di Paola ([EMAIL PROTECTED])
Francesco `ascii` Ongaro ([EMAIL PROTECTED])
Date 20060307
I. BACKGROUND
PHP is a scripting language. Since in the past PHP enabled by default
GLOBALS programmers wrote applications using this input method, nowadays
the globals on configuration has gone (while still used by many web
hosting companies) and programmers instead rewriting their code wrote
added patches to re implement superglobals their own.
These codes gave developers more troubles than benefits so PHP
developers wrote a function to securely import a part of the whole
"_REQUEST", this function is named import_request_variables() and exists
since PHP 4.0.7.
II. DESCRIPTION
>From the PHP manual:
[quote]
Imports GET/POST/Cookie variables into the global scope. It is useful if
you disable register_globals, but would like to see some variables in
the global scope.
[/quote]
So import_request_variables() emulate register globals on and is a bit
different from extract().
[quote]
Note: Although the prefix parameter is optional, you will get an
E_NOTICE level error if you specify no prefix, or specify an empty
string as a prefix. This is a possible security hazard. Notice level
errors are not displayed using the default error reporting level.
[/quote]
They warn you about the prefix thing, this is right for two reasons: the
first is that without prefix you have the same problems of globals on (but
it's also true that if you code everything with the prefix you return to
the starting point.
The second is the one explained in this advisory: using the function
import_request_variables() enable people to overwrite the following
arrays: $_GET $_POST $_COOKIE $_FILES $_SERVER $_SESSION and all the
others not mentioned.
We are conducting further investigations on _FILES, it seems possible to
overwrite the array but we are not sure that it could be used to trick
file upload scripts.
Given the specified entry points (the first argument of the function is
a case insensitive string of the input methods that will be imported,
G for GET, P for POST and C for COOKIE) a remote attacker will be able
to overwrite any internal and protected array.
The result is that if you use REGISTER GLOBALS ON you are MUCH MORE safe.
There is a little bonus: as highlighted in the code snippets on the following
ANALYSIS section the P char will enable both POST and FILES entry point
so import_request_variables('GPC') will give a global scope to
everything specified in GET POST COOKIE and FILES.
III. ANALYSIS
import_request_variables() is not new to vulnerabilities: consider this
change log entry for 24 Nov 2005, PHP 5.1.
[quote]
- Fixed potential GLOBALS overwrite via import_request_variables() and
possible crash and/or memory corruption. (Ilia)
[/quote]
Use the following test suite: run the script in a writable directory
inside a document root then point your browser to the test.php files and
make your tests.
--- >8 --- >8 --- >8 --- >8 --- testsuite.sh --- >8 --- >8 --- >8 --- >8
#!/bin/bash
mkdir hack-php_import_request_variables && cd
hack-php_import_request_variables
echo "Testing cli.."
echo "register_globals = Off" > php-ini-globals-off
php -c php-ini-globals-off -r "echo (int)ini_get("register_globals");"
echo "register_globals = On" > php-ini-globals-on
php -c php-ini-globals-on -r "echo (int)ini_get("register_globals");"
echo "Testing mod.."
mkdir globals-on && mkdir globals-off
cat > globals-on/test.php << TOKEN
GET'."n"; print_r(\$_GET);
echo 'POST'."n"; print_r(\$_POST);
echo 'COOKIE'."n"; print_r(\$_COOKIE);
echo 'SERVER'."n"; print_r(\$_SERVER);
echo 'SESSION'."n"; print_r(\$_SESSION);
echo 'FILES'."n"; print_r(\$_FILES);
?>
TOKEN
cp globals-on/test.php globals-off/test.php
echo "php_value register_globals on" > globals-on/.htaccess
echo "php_value register_globals off" > globals-off/.htaccess
--- >8 --- >8 --- >8 --- >8 --- --- >8 --- >8 --- >8 --- >8
Suggested tests are:
- test.php?_SERVER=string (overwrite $_SERVER array and make it a string)
- test.php?_SERVER[REMOTE_ADDR]=bypass client ip validation
- test.php?_SERVER[HTTP_REFERER]=bypass referer validation
Etc.. Add your POST/COOKIE/FILES probes.
The vulnerable code is in the following files:
./ext/standard/basic_functions.c:PHP_FUNCTION(import_request_variables)
./Zend/zend_hash.c:ZEND_API void
zend_hash_apply_with_arguments(HashTable *ht, apply_func_args_t
apply_func, int num_args, ...)
Vulnerable code snippet:
PHP_FUNCTION(import_request_variables) {
[..]
if (prefix_len == 0) {
php_
[Full-disclosure] PHP import_request_variables() vs extract()
Please note that also extract() will override any variable exluded
$GLOBALS but the main difference is that on http://it2.php.net/extract
you are advised to do not use "extract() against untrusted data, like
user-input ($_GET, ...)."
[quote]
if you want to run old code that relies on register_globals temporarily,
make sure you use one of the non-overwriting extract_type values such
as EXTR_SKIP and be aware that you should extract in the same order
that's defined in variables_order within the php.ini
[/quote]
Infact extract() has a EXTR_SKIP flag that implement this bhreaviuw:
[quote]
If there is a collision, don't overwrite the existing variable.
[/quote]
Using extract() with EXTR_SKIP will give you something like GLOBALS ON
that is safe if compared with what happens using extract($_GET); or
import_request_variables('G');
--- >8 --- >8 --- >8 --- >8 --- test1.php --- >8 --- >8 --- >8 --- >8
--- >8 --- >8 --- >8 --- >8 --- - --- >8 --- >8 --- >8 --- >8
Demo: test1.php?SERVER=abc
Expected result: the _SERVER array will became a string
The morale is that while an insecure usage of extract() by a developer
could be his fault there is no secure usage of
import_request_variables() and this is surely a PHP fault.
Regards,
Francesco 'ascii' Ongaro
http://www.ush.it/
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] List Charter
[Full-Disclosure] Mailing List Charter John Cartwright <[EMAIL PROTECTED]> - Introduction & Purpose - This document serves as a charter for the [Full-Disclosure] mailing list hosted at lists.grok.org.uk. The list was created on 9th July 2002 by Len Rose, and is primarily concerned with security issues and their discussion. The list is administered by John Cartwright. The Full-Disclosure list is hosted and sponsored by Secunia. - Subscription Information - Subscription/unsubscription may be performed via the HTTP interface located at http://lists.grok.org.uk/mailman/listinfo/full-disclosure. Alternatively, commands may be emailed to [EMAIL PROTECTED], send the word 'help' in either the message subject or body for details. - Moderation & Management - The [Full-Disclosure] list is unmoderated. Typically posting will be restricted to members only, however the administrators may choose to accept submissions from non-members based on individual merit and relevance. It is expected that the list will be largely self-policing, however in special circumstances (eg spamming, misappropriation) then offending members may be removed from the list by the management. An archive of postings is available at http://lists.grok.org.uk/pipermail/full-disclosure/. - Acceptable Content - Any information pertaining to vulnerabilities is acceptable, for instance announcement and discussion thereof, exploit techniques and code, related tools and papers, and other useful information. Gratuitous advertisement, product placement, or self-promotion is forbidden. Disagreements, flames, arguments, and off-topic discussion should be taken off-list wherever possible. Humour is acceptable in moderation, providing it is inoffensive. Politics should be avoided at all costs. Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list. - Posting Guidelines - The primary language of this list is English. Members are expected to maintain a reasonable standard of netiquette when posting to the list. Quoting should not exceed that which is necessary to convey context, this is especially relevant to members subscribed to the digested version of the list. The use of HTML is discouraged, but not forbidden. Signatures will preferably be short and to the point, and those containing 'disclaimers' should be avoided where possible. Attachments may be included if relevant or necessary (e.g. PGP or S/MIME signatures, proof-of-concept code, etc) but must not be active (in the case of a worm, for example) or malicious to the recipient. Vacation messages should be carefully configured to avoid replying to list postings. Offenders will be excluded from the mailing list until the problem is corrected. Members may post to the list by emailing [EMAIL PROTECTED] Do not send subscription/ unsubscription mails to this address, use the -request address mentioned above. - Charter Additions/Changes - The list charter will be published at http://lists.grok.org.uk/full-disclosure-charter.html. In addition, the charter will be posted monthly to the list by the management. Alterations will be made after consultation with list members and a concensus has been reached. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Good resources on Web 2.0
List, I am looking for some good resources on Web 2.0 and Security. I know this is a huge topic, but any references to good books, articles, websites, tools, etc would be great Thanks___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Good resources on Web 2.0
On 3/9/07, Justin Boem <[EMAIL PROTECTED]> wrote: List, I am looking for some good resources on Web 2.0 and Security. I know this is a huge topic, but any references to good books, articles, websites, tools, etc would be great "web 2.0" security is the same as any other type of web security. the same principles apply. Thanks ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- mike 00110001 <3 00110111 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [CAID 35145]: CA eTrust Admin Privilege Escalation Vulnerability
Title: [CAID 35145]: CA eTrust Admin Privilege Escalation Vulnerability CA Vuln ID (CAID): 35145 CA Advisory Date: 2007-03-08 Impact: Attackers can gain escalated privileges. Summary: The CA eTrust Admin GINA component contains a privilege escalation vulnerability within the reset password interface. Mitigating Factors: This vulnerability is exploitable only through physical interactive access or through Remote Desktop. Severity: CA has given this vulnerability a Medium risk rating. Affected Products: eTrust Admin 8.1 SP2 (8.1.2) eTrust Admin 8.1 SP1 (8.1.1) eTrust Admin 8.1 (8.1.0) Affected Platforms: Windows Status and Recommendation: CA has issued an update to correct the vulnerability. Two update options are available for CA eTrust Admin 8.1 SP2 (8.1.2), 8.1 SP1 (8.1.1), 8.1 (8.1.0): 1. Uninstall GINA and install 8.1 SP2 CR6 or later. Or 2. Manually replace the affected cube.exe executable with the fixed cube.exe executable from the 8.1 SP2 CR6 Manual Updates zip file. The fixed cube.exe file has a date of February 11, 2007 and a file size of 53,248 bytes. Both updates can be found at the eTrust Admin Solutions and Patches page: http://supportconnectw.ca.com/public/etrust/etrustadmin-dmo/downloads/etrustadmin-updates.asp Workaround: If patch application is not feasible at this time, ensure that Remote Desktop is disabled and restrict physical host access to reduce exposure. How to determine if the installation is affected: 1. Using Windows Explorer, locate the file "cube.exe". By default, the file is located in the "C:\Program Files\CA\eTrust Admin GINA Option" directory. 2. Right click on the file and select Properties. 3. Select the General tab. The installation is vulnerable if the creation date of cube.exe is earlier than February 11, 2007. References (URLs may wrap): CA SupportConnect: http://supportconnect.ca.com/ CA SupportConnect security notice for this vulnerability: Security Notice for CA eTrust Admin GINA http://supportconnectw.ca.com/public/etrust/etrustadmin-dmo/infodocs/etrust_secnot_gina.asp CA Security Advisor posting: CA eTrust Admin Privilege Escalation Vulnerability http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101038 CAID: 35145 CAID advisory link: http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35145 CVE Reference: CVE-2007-1345 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1345 OSVDB Reference: OSVDB ID: 32722 http://osvdb.org/32722 Changelog for this advisory: v1.0 - Initial Release Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form. URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, One CA Plaza. Islandia, NY 11749 Contact http://www3.ca.com/contact/ Legal Notice http://www3.ca.com/legal/ Privacy Policy http://www3.ca.com/privacy/ Copyright (c) 2007 CA. All rights reserved. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDKSA-2007:058 ] - Updated ekiga packages fix string vulnerabilities.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2007:058 http://www.mandriva.com/security/ ___ Package : ekiga Date: March 8, 2007 Affected: 2007.0 ___ Problem Description: A format string flaw was discovered in how ekiga processes certain messages, which could permit a remote attacker that can connect to ekiga to potentially execute arbitrary code with the privileges of the user running ekiga. This is similar to the previous CVE-2007-1006, but the original evaluation/patches were incomplete. Updated package have been patched to correct this issue. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0999 ___ Updated Packages: Mandriva Linux 2007.0: f1864ecddf6bd6f89ca97ae2f62e102a 2007.0/i586/ekiga-2.0.3-1.2mdv2007.0.i586.rpm 6553d806ec25e8e7b3bf954d0522f126 2007.0/SRPMS/ekiga-2.0.3-1.2mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: d1044e6da6359f45c05b5b9633eb9b3e 2007.0/x86_64/ekiga-2.0.3-1.2mdv2007.0.x86_64.rpm 6553d806ec25e8e7b3bf954d0522f126 2007.0/SRPMS/ekiga-2.0.3-1.2mdv2007.0.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF8LmWmqjQ0CJFipgRAoxqAKCGqGz5vPwbGLM8dIhVGu3aTC/0pQCZAZ5t 4tj/XeqT0NKpu3t3MRu8tYs= =bmdD -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ MDKSA-2007:059 ] - Updated gnupg packages provide enhanced forgery detection
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 ___ Mandriva Linux Security Advisory MDKSA-2007:059 http://www.mandriva.com/security/ ___ Package : gnupg Date: March 8, 2007 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0 ___ Problem Description: GnuPG prior to 1.4.7 and GPGME prior to 1.1.4, when run from the command line, did not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components. This could allow a remote attacker to forge the contents of an email message without detection. GnuPG 1.4.7 is being provided with this update and GPGME has been patched on Mandriva 2007.0 to provide better visual notification on these types of forgeries. ___ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1263 ___ Updated Packages: Mandriva Linux 2006.0: ec697754fca080fa53c6c486cd91ba8c 2006.0/i586/gnupg-1.4.7-0.2.20060mdk.i586.rpm f30ab12655598264c10cee92ed76c951 2006.0/SRPMS/gnupg-1.4.7-0.2.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: 845bfd1f359b7866e73ab2eb8b30b8fe 2006.0/x86_64/gnupg-1.4.7-0.2.20060mdk.x86_64.rpm f30ab12655598264c10cee92ed76c951 2006.0/SRPMS/gnupg-1.4.7-0.2.20060mdk.src.rpm Mandriva Linux 2007.0: c1b40e8866482c368aab5df228093ab3 2007.0/i586/gnupg-1.4.7-0.2mdv2007.0.i586.rpm 9dbf1a7a48aecb2ece048b47f4c7ade9 2007.0/i586/libgpgme11-1.1.2-2.1mdv2007.0.i586.rpm 3809f32ed3708606e6318fb7feed230d 2007.0/i586/libgpgme11-devel-1.1.2-2.1mdv2007.0.i586.rpm 62d991ccd15ca77ed37ccd4ca1bedba7 2007.0/SRPMS/gnupg-1.4.7-0.2mdv2007.0.src.rpm 31357e977acd83d777df2d77c22094f6 2007.0/SRPMS/gpgme-1.1.2-2.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: d5339dd2bc4146dd18c2ab3b4eca028d 2007.0/x86_64/gnupg-1.4.7-0.2mdv2007.0.x86_64.rpm 608bd0a86d6f83927466f23e7d73fa8d 2007.0/x86_64/lib64gpgme11-1.1.2-2.1mdv2007.0.x86_64.rpm 915d2d203fa41ce12bc661d1a89d563b 2007.0/x86_64/lib64gpgme11-devel-1.1.2-2.1mdv2007.0.x86_64.rpm 62d991ccd15ca77ed37ccd4ca1bedba7 2007.0/SRPMS/gnupg-1.4.7-0.2mdv2007.0.src.rpm 31357e977acd83d777df2d77c22094f6 2007.0/SRPMS/gpgme-1.1.2-2.1mdv2007.0.src.rpm Corporate 3.0: 36afcf2ffb12348fccdfba01b485d7fc corporate/3.0/i586/gnupg-1.4.7-0.2.C30mdk.i586.rpm ec3c9d7bf56e941e2f92a92caa8ac812 corporate/3.0/SRPMS/gnupg-1.4.7-0.2.C30mdk.src.rpm Corporate 3.0/X86_64: 250e2ef0d26f6d51aa175e32c04e29d0 corporate/3.0/x86_64/gnupg-1.4.7-0.2.C30mdk.x86_64.rpm ec3c9d7bf56e941e2f92a92caa8ac812 corporate/3.0/SRPMS/gnupg-1.4.7-0.2.C30mdk.src.rpm Corporate 4.0: e39b79ee6122b17eaefa4abb7eec8d05 corporate/4.0/i586/gnupg-1.4.7-0.2.20060mlcs4.i586.rpm 16926c5d72457c65d89124c1ebd7d0b9 corporate/4.0/SRPMS/gnupg-1.4.7-0.2.20060mlcs4.src.rpm Corporate 4.0/X86_64: 810b054fed4d7c0b2c8605bb7c3efdca corporate/4.0/x86_64/gnupg-1.4.7-0.2.20060mlcs4.x86_64.rpm 16926c5d72457c65d89124c1ebd7d0b9 corporate/4.0/SRPMS/gnupg-1.4.7-0.2.20060mlcs4.src.rpm Multi Network Firewall 2.0: 014a4338ad09dca79149509a1a0a2050 mnf/2.0/i586/gnupg-1.4.7-0.3.M20mdk.i586.rpm d513a1498ccd2ee5661fb6a9e80c5230 mnf/2.0/SRPMS/gnupg-1.4.7-0.3.M20mdk.src.rpm ___ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com ___ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF8LvpmqjQ0CJFipgRAk5yAJ4mihFJrRV8cInt9tK3IOogC6wB3gCgjW0c eMLhgVvm4msQrd936ApOrYE= =vufo -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [USN-433-1] Xine vulnerability
=== Ubuntu Security Notice USN-433-1 March 09, 2007 xine-lib vulnerability CVE-2007-1246 === A security issue affects the following Ubuntu releases: Ubuntu 5.10 Ubuntu 6.06 LTS Ubuntu 6.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.10: libxine1c2 1.0.1-1ubuntu10.8 Ubuntu 6.06 LTS: libxine-main11.1.1+ubuntu2-7.6 Ubuntu 6.10: libxine1 1.1.2+repacked1-0ubuntu3.3 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Moritz Jodeit discovered that the DMO loader of Xine did not correctly validate the size of an allocated buffer. By tricking a user into opening a specially crafted media file, an attacker could execute arbitrary code with the user's privileges. Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.8.diff.gz Size/MD5:12146 b32c486037c9bd487f47677d77057aad http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.8.dsc Size/MD5: 1187 e4c778b992408ec8e46e5500921545af http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1.orig.tar.gz Size/MD5: 7774954 9be804b337c6c3a2e202c5a7237cb0f8 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_amd64.deb Size/MD5: 109296 92a59b50d859f12affc42fee457ed93f http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_amd64.deb Size/MD5: 3611908 9e6f2c0dad7b1050a71d1f29d3537ec1 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_i386.deb Size/MD5: 109306 3224a1a8c0c259b90add235d58d10a7a http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_i386.deb Size/MD5: 4005002 81fd17d5eabfa12a3dea0d9c8fd79d7f powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_powerpc.deb Size/MD5: 109320 eb1a5685b7288b8cc9ef6ae09d422aec http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_powerpc.deb Size/MD5: 3850506 7801ba1b96b888c38b4e72f8fb4ccee1 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_sparc.deb Size/MD5: 109312 22805f01c94ced268bd12cf951447af4 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_sparc.deb Size/MD5: 3695682 e0fbc0aa0791685943a5094ea6519b2d Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.6.diff.gz Size/MD5:19845 149027147eff0f72e1d0af9faa0cd6cf http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.6.dsc Size/MD5: 1113 6fdbc64e22ad7511a80cba1ea840b534 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2.orig.tar.gz Size/MD5: 6099365 5d0f3988e4d95f6af6f3caf2130ee992 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_amd64.deb Size/MD5: 115856 6146578aeeecdf61742b90dca3a97155 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_amd64.deb Size/MD5: 2615268 a6cff8bccebfbe51d7b3a6916d9250b1 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_i386.deb Size/MD5: 115852 6b404dc405aefcac89ec3eec339f25a0 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_i386.deb Size/MD5: 2934402 ea3a45814952437ac9f792cf1e7586b3 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_powerpc.deb Size/MD5: 115860 1484daaeb0459a88c1760a1330397e52 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_powerpc.deb Size/MD5: 2724986 889c6b454382dd63cd89020c87faf547 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_sparc.deb Size/MD5: 115860 b43491e3060c813b3530664cca2acd30 http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_sparc.deb S
[Full-disclosure] [USN-434-1] Ekiga vulnerability
=== Ubuntu Security Notice USN-434-1 March 09, 2007 ekiga, gnomemeeting vulnerability CVE-2007-0999 === A security issue affects the following Ubuntu releases: Ubuntu 5.10 Ubuntu 6.06 LTS Ubuntu 6.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.10: gnomemeeting 1.2.2-1ubuntu1.2 Ubuntu 6.06 LTS: ekiga2.0.1-0ubuntu6.2 Ubuntu 6.10: ekiga2.0.3-0ubuntu3.2 After a standard system upgrade you need to restart Ekiga or reboot your computer to effect the necessary changes. Details follow: It was discovered that Ekiga had format string vulnerabilities beyond those fixed in USN-426-1. If a user was running Ekiga and listening for incoming calls, a remote attacker could send a crafted call request, and execute arbitrary code with the user's privileges. Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2.diff.gz Size/MD5:13935 390ded46c12911e6ff7f0fb0b41648b1 http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2.dsc Size/MD5: 1811 bfaea7c58d0be1c76fb15275584929d8 http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2.orig.tar.gz Size/MD5: 6059950 65fe2d6a31e63a37c5a6217206223192 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2_amd64.deb Size/MD5: 1826502 ab68c7c0c54d6ea2288058f1cd850e0a i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2_i386.deb Size/MD5: 1802224 2323471938830841421f5758518444a0 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2_powerpc.deb Size/MD5: 1817578 61f4574c015fb133a7d223d68945ad87 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/g/gnomemeeting/gnomemeeting_1.2.2-1ubuntu1.2_sparc.deb Size/MD5: 1803946 ab636f2081b328f36025e99cea2f0cd3 Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2.diff.gz Size/MD5:26736 820ab04b4cb0423bb9d62f03bf3e4634 http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2.dsc Size/MD5: 2090 921caa6df4e1ceeb79438b5f653992c6 http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1.orig.tar.gz Size/MD5: 5572709 9f0a2bcce380677e38b23991320df171 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2_amd64.deb Size/MD5: 3687974 428c44b190d3e1e6f97f8d3be08aa6fe i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2_i386.deb Size/MD5: 3658256 2b4c80838f881af9780e65e5be79b26b powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2_powerpc.deb Size/MD5: 3673874 44119593cb37df9ae0c759df26e9f5b3 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.1-0ubuntu6.2_sparc.deb Size/MD5: 3661004 85ce6c1bc136e1e6699cfb501d537abd Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2.diff.gz Size/MD5:27205 ae82839a944aa39b118b1fa6edda3f1c http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2.dsc Size/MD5: 1837 90fa46619ab136f7e8d7086916c1bdc0 http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3.orig.tar.gz Size/MD5: 5749938 5ad3458d73d65c6502c312ff0c430a7c amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2_amd64.deb Size/MD5: 3689026 82e52fe078d8ab0102bf647d12cfe4cc i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2_i386.deb Size/MD5: 3668638 4ebd1951ef9e4cc4860223e682c90541 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0ubuntu3.2_powerpc.deb Size/MD5: 3676386 efcac25a055bb4cd5e776550c370880f sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/e/ekiga/ekiga_2.0.3-0u
