[Full-disclosure] CA ARCserve Backup for Laptops and Desktops Server LGServer Service Vulnerability

2008-08-01 Thread Williams, James K

Title: CA ARCserve Backup for Laptops and Desktops Server LGServer 
Service Vulnerability


CA Advisory Date: 2008-07-31


Reported By: Vulnerability Research Team of Assurent Secure 
Technologies, a TELUS Company


Impact: A remote attacker can execute arbitrary code or cause a 
denial of service condition. 


Summary: CA ARCserve Backup for Laptops and Desktops server 
contains a vulnerability that can allow a remote attacker to 
execute arbitrary code or cause a denial of service condition. CA 
has issued updates to address the vulnerability. The vulnerability, 
CVE-2008-3175, occurs due to insufficient bounds checking by the 
LGServer service. An attacker can make a request that can result 
in arbitrary code execution or crash the service.


Mitigating Factors: Only the server installation of BrightStor 
ARCserve Backup for Laptops and Desktops is affected. The client 
installation is not affected.


Severity: CA has given this vulnerability a High risk rating.


Affected Products:
CA ARCserve Backup for Laptops and Desktops r11.5
CA ARCserve Backup for Laptops and Desktops r11.1 SP2
CA ARCserve Backup for Laptops and Desktops r11.1 SP1
CA ARCserve Backup for Laptops and Desktops r11.1
CA ARCserve Backup for Laptops and Desktops r11.0
CA Desktop Management Suite 11.2
CA Desktop Management Suite 11.1
CA Protection Suites r2
CA Protection Suites 3.0
CA Protection Suites 3.1


Affected Platforms:
Windows


Status and Recommendation:
CA has provided the following updates to address the vulnerability.

CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 
SP2:
Upgrade to 11.1 SP2 and apply RO00912.

CA ARCserve Backup for Laptops and Desktops 11.5:
RO00913.

CA Protection Suites 3.0:
RO00912.

CA Protection Suites 3.1:
RO00912.

CA Desktop Management Suite 11.2:
Upgrade to CA Desktop Management Suite 11.2 C1 and apply RO00913.

CA Desktop Management Suite 11.1:
RO01150.

CA ARCserve Backup for Laptops and Desktops 11.0:
Upgrade to ARCserve Backup for Laptops and Desktops version 11.1 
SP2 and apply the latest patches.
QI85497.

Note: CA Protection Suites r2 includes CA ARCserve Backup for 
Laptops and Desktops 11.0.


How to determine if you are affected:

For Windows:

1. Using Windows Explorer, locate the file "rxRPC.dll". The file 
can be found in the following default locations:

   CA ARCserve Backup for Laptops and Desktops 11.5:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops and Desktops\Server

   CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server

   CA Protection Suites 3.0:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server

   CA Protection Suites 3.1:
   C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server

   CA Desktop Management Suite 11.2:
   C:\Program Files\CA\Unicenter DSM\BABLD\Server

   CA Desktop Management Suite 11.1:
   C:\Program Files\CA\Unicenter DSM\BABLD\Server

2. Right click on the file and select Properties.

3. Select the General tab.

4. If the file date is earlier than indicated in the below table, 
the installation is vulnerable.

CA ARCserve Backup for Laptops and Desktops
File Name   File Size (bytes)   File Date
rxRPC.dll   131,072             June 11, 2008

CA ARCserve Backup for Laptops and Desktops 11.1, 11.1 SP1, 11.1 SP2
File Name   File Size (bytes)   File Date
rxRPC.dll   114,688             June 11, 2008

CA Protection Suites 3.0
File Name   File Size (bytes)   File Date
rxRPC.dll   114,688             June 11, 2008

CA Protection Suites 3.1
File Name   File Size (bytes)   File Date
rxRPC.dll   114,688             June 11, 2008

CA Desktop Management Suite 11.2
File Name   File Size (bytes)   File Date
rxRPC.dll   131,072             June 11, 2008

CA Desktop Management Suite 11.1
File Name   File Size (bytes)   File Date
rxRPC.dll   122,880             June 11, 2008
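
The manual check above can be scripted. The Python below is an added example written for this page, not part of CA's advisory or product: it encodes the default server locations, the updated-file sizes and the June 11, 2008 cut-off from the tables, stats any rxRPC.dll it finds, and applies the advisory's rule (a file date earlier than the cut-off means vulnerable). The product labels, the function names, and the use of the file's modification timestamp as the "file date" are this example's assumptions.

```python
import os
from datetime import date, datetime

# Cut-off from the advisory: an rxRPC.dll dated before this is vulnerable.
FIX_DATE = date(2008, 6, 11)

# Default server install locations from the advisory, with the rxRPC.dll size
# (bytes) the advisory lists for the updated file. Two products share a path,
# so the path alone does not identify the product; the size is only a hint.
DEFAULT_LOCATIONS = [
    ("CA ARCserve Backup for Laptops and Desktops 11.5",
     r"C:\Program Files\CA\BrightStor ARCserve Backup for Laptops and Desktops\Server", 131072),
    ("CA ARCserve Backup for Laptops and Desktops 11.1/SP1/SP2, Protection Suites 3.0/3.1",
     r"C:\Program Files\CA\BrightStor ARCserve Backup for Laptops & Desktops\server", 114688),
    ("CA Desktop Management Suite 11.2",
     r"C:\Program Files\CA\Unicenter DSM\BABLD\Server", 131072),
    ("CA Desktop Management Suite 11.1",
     r"C:\Program Files\CA\Unicenter DSM\BABLD\Server", 122880),
]
PATCHED_SIZES = {size for _, _, size in DEFAULT_LOCATIONS}


def classify(size, mtime):
    """Apply the advisory's rule to a file's size and modification time.

    mtime is a POSIX timestamp (os.stat().st_mtime), taken here as the
    "file date" Explorer shows (an assumption of this example). Returns
    (status, note): status is "vulnerable" or "patched" by date, note says
    whether the size matches one of the updated builds the advisory lists.
    """
    file_date = datetime.fromtimestamp(mtime).date()
    status = "vulnerable" if file_date < FIX_DATE else "patched"
    if size in PATCHED_SIZES:
        note = "size matches an updated build listed in the advisory"
    else:
        note = "size %d is not one of the listed updated builds" % size
    return status, note


def check_file(path):
    """Stat one rxRPC.dll and classify it; None if the file is absent."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return classify(st.st_size, st.st_mtime)


def scan_default_locations(locations=DEFAULT_LOCATIONS):
    """Check every default server directory; skip products not installed."""
    results = {}
    for product, directory, _ in locations:
        verdict = check_file(os.path.join(directory, "rxRPC.dll"))
        if verdict is not None:
            results[product] = verdict
    return results


if __name__ == "__main__":
    found = scan_default_locations()
    if not found:
        print("rxRPC.dll not found in any default server location; "
              "client-only installs are not affected")
    for product, (status, note) in found.items():
        print("%s: %s (%s)" % (product, status, note))
```

Run it on the server host; a client-only install has no Server directory and reports nothing. A timestamp is a weak indicator (it changes when the file is copied or restored from backup), so treat "patched" from this script as a reason to confirm the APAR is actually installed, not as proof.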


Workaround: None


References (URLs may wrap):
CA Support:
http://support.ca.com/
Security Notice for CA ARCserve Backup for Laptops and Desktops 
   Server LGServer
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=181721
Solution Document Reference APARs:
RO00912, RO00913, RO01150, QI85497
CA Security Response Blog posting:
CA ARCserve Backup for Laptops and Desktops Server LGServer 
   Service Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2008/08/01.aspx
Reported By: 
Vulnerability Research Team of Assurent Secure Technologies, a 
   TELUS Company.
http://www.assurent.com/
CVE References:
CVE-2008-3175 - LGServer buffer overflow
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3175
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at http://support.ca.com.

For

[Full-disclosure] SUSE Security Announcement: net-snmp (SUSE-SA:2008:039)

2008-08-01 Thread Thomas Biege


__

SUSE Security Announcement

Package:net-snmp
Announcement ID:SUSE-SA:2008:039
Date:   Fri, 01 Aug 2008 13:00:00 +
Affected Products:  openSUSE 10.2
openSUSE 10.3
openSUSE 11.0
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP1
SLE SDK 10 SP1
SLE SDK 10 SP2
SUSE Linux Enterprise Server 10 SP1
SUSE Linux Enterprise Desktop 10 SP2
SUSE Linux Enterprise Server 10 SP2
Vulnerability Type: authentication bypass, denial-of-service
Severity (1-10):6
SUSE Default Package:   no
Cross-References:   CVE-2008-0960
CVE-2008-2292

Content of This Advisory:
1) Security Vulnerability Resolved:
- authentication bypass
- denial-of-service
   Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
- viewvc/subversion
6) Authenticity Verification and Additional Information

__

1) Problem Description and Brief Discussion

   The net-snmp daemon implements the Simple Network Management Protocol
   (SNMP). The SNMPv3 implementation in net-snmp used the length of the
   HMAC carried in a packet to decide how many bytes of the local HMAC to
   compare against. An attacker can therefore send an SNMPv3 packet with a
   one-byte HMAC and guess the correct first byte of the local HMAC with at
   most 256 packets.

   Additionally, a buffer overflow in perl-SNMP that could cause a
   denial of service (crash) was fixed.
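
To make the length-handling flaw concrete, here is an added Python model of the check, written for this page and not taken from net-snmp's source. verify_vulnerable truncates the locally computed HMAC to whatever length the packet carries, verify_fixed insists on the full 12-byte HMAC-96 tag, and forge_one_byte_tag plays the attacker against each. The key, the message bytes and the function names are constructed for the demo; the 12-byte tag length is the one RFC 3414 specifies for HMAC-MD5-96 and HMAC-SHA-96.

```python
import hashlib
import hmac

# SNMPv3 USM with usmHMACSHAAuthProtocol: HMAC-SHA-1 truncated to 12 bytes
# (HMAC-SHA-96, RFC 3414); usmHMACMD5AuthProtocol is likewise 12 bytes.
AUTH_PARAM_LEN = 12

# Constructed demo inputs: a made-up localized authentication key and a
# made-up message blob. A real agent derives the key from the user's password
# and the engine ID and zeroes msgAuthenticationParameters before computing the
# HMAC; both steps are skipped because they do not affect the length bug.
AUTH_KEY = bytes.fromhex("0c" * 20)
MESSAGE = b"\x30\x2a\x02\x01\x03" + b"example-snmpv3-message-body"


def auth_tag(auth_key, message):
    """The 12-byte msgAuthenticationParameters a legitimate sender attaches."""
    return hmac.new(auth_key, message, hashlib.sha1).digest()[:AUTH_PARAM_LEN]


def verify_vulnerable(auth_key, message, received_tag):
    """Pre-fix check as the advisory describes it: the locally computed HMAC is
    cut down to the length of the tag found *in the packet*, so the sender
    chooses how many bytes have to match."""
    expected = auth_tag(auth_key, message)
    return expected[: len(received_tag)] == received_tag


def verify_fixed(auth_key, message, received_tag):
    """Post-fix check: the tag must be exactly AUTH_PARAM_LEN bytes, and the
    comparison covers all of them in constant time."""
    if len(received_tag) != AUTH_PARAM_LEN:
        return False
    return hmac.compare_digest(auth_tag(auth_key, message), received_tag)


def make_oracle(verify, auth_key):
    """The receiving agent as the attacker sees it: accept or reject, nothing
    else. The attacker never learns auth_key."""
    return lambda message, tag: verify(auth_key, message, tag)


def forge_one_byte_tag(oracle, message):
    """Attacker: inject `message` with a 1-byte tag and walk all 256 values.
    Returns (accepted_tag, attempts); (None, 256) if nothing is accepted."""
    for guess in range(256):
        tag = bytes([guess])
        if oracle(message, tag):
            return tag, guess + 1
    return None, 256


if __name__ == "__main__":
    tag, n = forge_one_byte_tag(make_oracle(verify_vulnerable, AUTH_KEY), MESSAGE)
    print("vulnerable agent accepted tag %r after %d attempts" % (tag, n))
    tag, n = forge_one_byte_tag(make_oracle(verify_fixed, AUTH_KEY), MESSAGE)
    print("fixed agent accepted tag %r after %d attempts" % (tag, n))
```

Against the vulnerable check the forgery needs at most 256 packets, 128 on average, and no knowledge of the key; against the fixed check the same loop never succeeds. The fix is two checks, not one: reject any tag whose length is not the protocol's fixed length before comparing, and compare with a constant-time routine so the comparison itself does not reveal how long a matching prefix was.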

2) Solution or Work-Around

   Please install the update package.

3) Special Instructions and Notes

   Please restart net-snmp after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv <file>

   to apply the update, replacing <file> with the filename of the
   downloaded RPM package.

   
   x86 Platform:
   
   openSUSE 11.0:
   
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/libsnmp15-5.4.1-77.2.i586.rpm
   
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/net-snmp-5.4.1-77.2.i586.rpm
   
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/net-snmp-devel-5.4.1-77.2.i586.rpm
   
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/perl-SNMP-5.4.1-77.2.i586.rpm
   
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/snmp-mibs-5.4.1-77.2.i586.rpm
   
   openSUSE 10.3:
   
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/libsnmp15-5.4.1-19.2.i586.rpm
   
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/net-snmp-5.4.1-19.2.i586.rpm
   
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/net-snmp-devel-5.4.1-19.2.i586.rpm
   
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/perl-SNMP-5.4.1-19.2.i586.rpm
   
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/i586/snmp-mibs-5.4.1-19.2.i586.rpm
   
   openSUSE 10.2:
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/net-snmp-5.4.rc2-8.i586.rpm
   
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/net-snmp-devel-5.4.rc2-8.i586.rpm
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/i586/perl-SNMP-5.4.rc2-8.i586.rpm
   
   x86-64 Platform:
   
   openSUSE 11.0:
   
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/x86_64/net-snmp-32bit-5.4.1-77.2.x86_64.rpm
   
   openSUSE 10.3:
   
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/x86_64/net-snmp-32bit-5.4.1-19.2.x86_64.rpm
   
   openSUSE 10.2:
   
ftp://ftp.suse.com/pub/suse/update/10.2/rpm/x86_64/net-snmp-32bit-5.4.rc2-8.x86_64.rpm
   
   Sources:
   
   openSUSE 11.0:
   
http://download.opensuse.org/pub/opensuse/update/11.0/rpm/src/net-snmp-5.4.1-77.2.src.rpm
   
   openSUSE 10.3:
   
http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/net-snmp-5.4.1-19.

[Full-disclosure] [USN-632-1] Python vulnerabilities

2008-08-01 Thread Kees Cook
=== 
Ubuntu Security Notice USN-632-1              August 01, 2008
python2.4, python2.5 vulnerabilities
CVE-2008-1679, CVE-2008-1721, CVE-2008-1887, CVE-2008-2315,
CVE-2008-2316, CVE-2008-3142, CVE-2008-3143, CVE-2008-3144
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  python2.4   2.4.3-0ubuntu6.2
  python2.4-minimal   2.4.3-0ubuntu6.2

Ubuntu 7.04:
  python2.4   2.4.4-2ubuntu7.2
  python2.4-minimal   2.4.4-2ubuntu7.2
  python2.5   2.5.1-0ubuntu1.2
  python2.5-minimal   2.5.1-0ubuntu1.2

Ubuntu 7.10:
  python2.4   2.4.4-6ubuntu4.2
  python2.4-minimal   2.4.4-6ubuntu4.2
  python2.5   2.5.1-5ubuntu5.2
  python2.5-minimal   2.5.1-5ubuntu5.2

Ubuntu 8.04 LTS:
  python2.4   2.4.5-1ubuntu4.1
  python2.4-minimal   2.4.5-1ubuntu4.1
  python2.5   2.5.2-2ubuntu4.1
  python2.5-minimal   2.5.2-2ubuntu4.1

After a standard system upgrade you need to reboot your computer to
effect the necessary changes.

Details follow:

It was discovered that there were new integer overflows in the imageop
module.  If an attacker were able to trick a Python application into
processing a specially crafted image, they could execute arbitrary code
with user privileges. (CVE-2008-1679)

Justin Ferguson discovered that the zlib module did not correctly
handle certain archives.  If an attacker were able to trick a Python
application into processing a specially crafted archive file, they could
execute arbitrary code with user privileges. (CVE-2008-1721)

Justin Ferguson discovered that certain string manipulations in Python
could be made to overflow.  If an attacker were able to pass a specially
crafted string through the PyString_FromStringAndSize function, they
could execute arbitrary code with user privileges. (CVE-2008-1887)

Multiple integer overflows were discovered in Python's core and modules
including hashlib, binascii, pickle, md5, stringobject, unicodeobject,
bufferobject, longobject, tupleobject, stropmodule, gcmodule, and
mmapmodule.  If an attacker were able to exploit these flaws they could
execute arbitrary code with user privileges or cause Python applications
to crash, leading to a denial of service. (CVE-2008-2315, CVE-2008-2316,
CVE-2008-3142, CVE-2008-3143, CVE-2008-3144).


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4_2.4.3-0ubuntu6.2.diff.gz
  Size/MD5:  2659655 79cfb16c20f87377a79ae1068eefd7fe

http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4_2.4.3-0ubuntu6.2.dsc
  Size/MD5: 1261 59b4e269522696105572fb2d23ecae75

http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4_2.4.3.orig.tar.gz
  Size/MD5:  9328584 fd9dd825b8c680fa04c2fc2c957964b1

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/idle-python2.4_2.4.3-0ubuntu6.2_all.deb
  Size/MD5:   243158 237a537ba8a40032311ce70b9b142908

http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4-doc_2.4.3-0ubuntu6.2_all.deb
  Size/MD5:  3357934 424d51830d26cc3a80d8df9dae578b9a

http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4-examples_2.4.3-0ubuntu6.2_all.deb
  Size/MD5:   587390 a878b5a8ab9a6544106a8c779ef341a6

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4-dbg_2.4.3-0ubuntu6.2_amd64.deb
  Size/MD5:  5568776 c5a350c0953b4eb23633e58c2a267799

http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4-dev_2.4.3-0ubuntu6.2_amd64.deb
  Size/MD5:  1635048 ec18f029d34290df08cb2a1aaba8a9c5

http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4-gdbm_2.4.3-0ubuntu6.2_amd64.deb
  Size/MD5:30072 b2c8e4c4437baa9c2cbd5949d86abe4f

http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4-minimal_2.4.3-0ubuntu6.2_amd64.deb
  Size/MD5:   793962 6c81a3e2e045cdf4c2684a05121218c9

http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4-tk_2.4.3-0ubuntu6.2_amd64.deb
  Size/MD5:   113812 c463a7a7be42bd01f918ad9ff01bd6ae

http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4_2.4.3-0ubuntu6.2_amd64.deb
  Size/MD5:  2861788 41d6a96da599a5d09d436dee2292e793

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/p/python2.4/python2.4-dbg_2.4.3-0ubuntu6.2_i386.d

[Full-disclosure] [USN-633-1] libxslt vulnerabilities

2008-08-01 Thread Kees Cook
=== 
Ubuntu Security Notice USN-633-1              August 01, 2008
libxslt vulnerabilities
CVE-2008-1767, CVE-2008-2935
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libxslt1.1  1.1.15-1ubuntu1.2

Ubuntu 7.04:
  libxslt1.1  1.1.20-0ubuntu2.2

Ubuntu 7.10:
  libxslt1.1  1.1.21-2ubuntu2.2

Ubuntu 8.04 LTS:
  libxslt1.1  1.1.22-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that long transformation matches in libxslt could
overflow.  If an attacker were able to make an application linked against
libxslt process malicious XSL style sheet input, they could execute
arbitrary code with user privileges or cause the application to crash,
leading to a denial of service. (CVE-2008-1767)

Chris Evans discovered that the RC4 processing code in libxslt did not
correctly handle corrupted key information.  If a remote attacker were
able to make an application linked against libxslt process malicious
XML input, they could crash the application, leading to a denial of
service. (CVE-2008-2935)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt_1.1.15-1ubuntu1.2.diff.gz
  Size/MD5:64266 cf69a61672e61f708158980c7783ec87

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt_1.1.15-1ubuntu1.2.dsc
  Size/MD5:  901 b434ae6f23ddc2f7e87e42ee72b9697d

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt_1.1.15.orig.tar.gz
  Size/MD5:  2657197 238de9eda71b570ff7b78aaf65308fc6

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/universe/libx/libxslt/python-libxslt1_1.1.15-1ubuntu1.2_all.deb
  Size/MD5: 7918 7161007248bac7267ee7f5aa5dab3011

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt1-dev_1.1.15-1ubuntu1.2_amd64.deb
  Size/MD5:   541836 103a0da6902354830120a7952cce618f

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt1.1_1.1.15-1ubuntu1.2_amd64.deb
  Size/MD5:   210278 9adf228fcce713c593268a5276655c2b

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/python2.4-libxslt1_1.1.15-1ubuntu1.2_amd64.deb
  Size/MD5:   118280 c8d9b1fdda773b5d06fd72a72b191a54

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/xsltproc_1.1.15-1ubuntu1.2_amd64.deb
  Size/MD5:96024 96fae1681c7a3729a502955e2f66a95c

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt1-dev_1.1.15-1ubuntu1.2_i386.deb
  Size/MD5:   519334 9f8db410faec033dc3cff889cf36f9d2

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt1.1_1.1.15-1ubuntu1.2_i386.deb
  Size/MD5:   195678 497843da4c7d88763eee863ec3914c07

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/python2.4-libxslt1_1.1.15-1ubuntu1.2_i386.deb
  Size/MD5:   114540 f154fed16a115a4094dbb230ef0da63e

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/xsltproc_1.1.15-1ubuntu1.2_i386.deb
  Size/MD5:95104 9e3137adb1d806a64ecbf35cdb37165e

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt1-dev_1.1.15-1ubuntu1.2_powerpc.deb
  Size/MD5:   549370 7cdc93d810d869b7258ef8586d36c6ec

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt1.1_1.1.15-1ubuntu1.2_powerpc.deb
  Size/MD5:   206948 ebc3e8cd756ae02015c3374bc21025a8

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/python2.4-libxslt1_1.1.15-1ubuntu1.2_powerpc.deb
  Size/MD5:   116582 ee0a5989a52bb6618251e085949b91f1

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/xsltproc_1.1.15-1ubuntu1.2_powerpc.deb
  Size/MD5:97538 7244b184d0a04f74b735244b9b8b557f

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt1-dev_1.1.15-1ubuntu1.2_sparc.deb
  Size/MD5:   538122 c2a61153dd8439d5680f90e8821d5a4c

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/libxslt1.1_1.1.15-1ubuntu1.2_sparc.deb
  Size/MD5:   202950 6357aec33fa998ae1ffa665e896b63f3

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/python2.4-libxslt1_1.1.15-1ubuntu1.2_sparc.deb
  Size/MD5:   115700 c804e21a583ad8728011bec63d3d0624

http://security.ubuntu.com/ubuntu/pool/main/libx/libxslt/xsltproc_1.1.15-1ubuntu1.2_sparc.deb
  Size/MD

[Full-disclosure] [USN-634-1] OpenLDAP vulnerability

2008-08-01 Thread Kees Cook
=== 
Ubuntu Security Notice USN-634-1              August 01, 2008
openldap2.2, openldap2.3 vulnerability
CVE-2008-2952
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  slapd   2.2.26-5ubuntu2.8

Ubuntu 7.04:
  slapd   2.3.30-2ubuntu0.3

Ubuntu 7.10:
  slapd   2.3.35-1ubuntu0.3

Ubuntu 8.04 LTS:
  slapd   2.4.9-0ubuntu0.8.04.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Cameron Hotchkies discovered that OpenLDAP did not correctly handle
certain ASN.1 BER data.  A remote attacker could send a specially crafted
packet and crash slapd, leading to a denial of service.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.8.diff.gz
  Size/MD5:   514393 4f9e265da3b3862538e819f77e2e3586

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26-5ubuntu2.8.dsc
  Size/MD5: 1058 b22c78f0d48cc36e948b54e3af20edfd

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/openldap2.2_2.2.26.orig.tar.gz
  Size/MD5:  2626629 afc8700b5738da863b30208e1d3e9de8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.8_amd64.deb
  Size/MD5:   130764 97be6915cd08b18f1cebd0278fdb6cbd

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.8_amd64.deb
  Size/MD5:   166234 f033393ec3c64058c9a330f3ff8f3ffd

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.8_amd64.deb
  Size/MD5:   961898 d2a6a9b40ae45ee16f07081caf554e1f

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.8_i386.deb
  Size/MD5:   118560 6e725d3528b0fbf7603ffaca188fd058

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.8_i386.deb
  Size/MD5:   146330 c385cbad49d21de849f6deb69a3f24df

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.8_i386.deb
  Size/MD5:   873280 e2c56f6d1a5a372b90c416d4270a9136

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.8_powerpc.deb
  Size/MD5:   132924 3f6561c503b4aba5bdd7380ca16a9233

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.8_powerpc.deb
  Size/MD5:   157382 6b375c5e1da604ff063770a1bacdf9ae

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.8_powerpc.deb
  Size/MD5:   959922 18f40de968f784c06595986dc90ac2ba

  sparc architecture (Sun SPARC/UltraSPARC):


http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/ldap-utils_2.2.26-5ubuntu2.8_sparc.deb
  Size/MD5:   120868 e36bb816e65f673852040cbdc9e99fb8

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/libldap-2.2-7_2.2.26-5ubuntu2.8_sparc.deb
  Size/MD5:   148406 5ee83d9e8ab2b6a7e43d4486ef4495fd

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.2/slapd_2.2.26-5ubuntu2.8_sparc.deb
  Size/MD5:   903834 7fd3a71e6dfdfd629d15f1484eface61

Updated packages for Ubuntu 7.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30-2ubuntu0.3.diff.gz
  Size/MD5:   139053 aaea5b917bae9e40a49389eb18ee6b0b

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30-2ubuntu0.3.dsc
  Size/MD5: 1333 4bf113a4b679696671b740e0602c0d0c

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/openldap2.3_2.3.30.orig.tar.gz
  Size/MD5:  2971126 c40bcc23fa65908b8d7a86a4a6061251

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.3_amd64.deb
  Size/MD5:   187762 3daa694023d35e8d1d5906531f77184e

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/libldap-2.3-0_2.3.30-2ubuntu0.3_amd64.deb
  Size/MD5:   292432 5e91f231274471465056dab7ac915579

http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/slapd_2.3.30-2ubuntu0.3_amd64.deb
  Size/MD5:  1228150 2f5c3cff26ded73113db5c3ae9da2c81

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/o/openldap2.3/ldap-utils_2.3.30-2ubuntu0.3_i386.deb
  Size/MD5:   156182 d70e186bfd

[Full-disclosure] [SECURITY] [DSA 1625-1] New cupsys packages fix arbitrary code execution

2008-08-01 Thread Thijs Kinkhorst

- 
Debian Security Advisory DSA-1625-1  [EMAIL PROTECTED]
http://www.debian.org/security/  Thijs Kinkhorst
August 01, 2008   http://www.debian.org/security/faq
- 

Package: cupsys
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2008-0053 CVE-2008-1373 CVE-2008-1722
Debian Bug : 476305

Several remote vulnerabilities have been discovered in the Common Unix
Printing System (CUPS). The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2008-0053

Buffer overflows in the HP-GL input filter allowed to possibly run
arbitrary code through crafted HP-GL files.

CVE-2008-1373

Buffer overflow in the GIF filter allowed to possibly run arbitrary
code through crafted GIF files.

CVE-2008-1722

Integer overflows in the PNG filter allowed to possibly run arbitrary
code through crafted PNG files.

For the stable distribution (etch), these problems have been fixed in
version 1.2.7-4etch4 of package cupsys.

For the testing (lenny) and unstable distribution (sid), these problems
have been fixed in version 1.3.7-2 of package cups.

We recommend that you upgrade your cupsys package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Source archives:

  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7.orig.tar.gz
Size/MD5 checksum:  4214272 c9ba33356e5bb93efbcf77b6e142e498
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4.diff.gz
Size/MD5 checksum:   107641 b1ae0953050580975ef0c6ff495e912d
  http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4.dsc
Size/MD5 checksum: 1376 4f8938f4dac4a9732efd621f4aabb63a

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-gnutls10_1.2.7-4etch4_all.deb
Size/MD5 checksum:45758 fbb5c3eaf74a1207d887e12bb75f6182
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-common_1.2.7-4etch4_all.deb
Size/MD5 checksum:   924012 43e775475535e31f2f6963947c03525d

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:  1087542 cb6a29323e4cd1069b669c89963a1fac
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:53024 090d638da135798424a129257b51b157
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:   142544 0d446b8acb588ec2b1c8c22067aa2364
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:  1574904 cdd7afb0953a56cf8d213778cbe1773e
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:80706 687de2f8bf779ca898863fb94a07a12b
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:85968 8d69f2ac63f2d4fbd923c2caa33c604d
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:36352 02c24a715c2f06dd8bc62a851591948e
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_amd64.deb
Size/MD5 checksum:   162230 0e2325c67bf23841038be68557ba8758

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsimage2-dev_1.2.7-4etch4_arm.deb
Size/MD5 checksum:48718 28a8ac4acad82bd582358e38c0c23013
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-client_1.2.7-4etch4_arm.deb
Size/MD5 checksum:78910 6566d320a557b02cf94f379b84f0dba9
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-bsd_1.2.7-4etch4_arm.deb
Size/MD5 checksum:35936 6ae06d35d6c40084adfd8bfd65866174
  
http://security.debian.org/pool/updates/main/c/cupsys/cupsys-dbg_1.2.7-4etch4_arm.deb
Size/MD5 checksum:  1025732 5c3e851e94f3a41216d7a7149839c8d4
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2-dev_1.2.7-4etch4_arm.deb
Size/MD5 checksum:   132040 3eb0b900c59ea118d768b1459898ea90
  
http://security.debian.org/pool/updates/main/c/cupsys/libcupsys2_1.2.7-4etch4_arm.deb
 

[Full-disclosure] [SECURITY] [DSA 1626-1] New httrack packages fix arbitrary code execution

2008-08-01 Thread Thijs Kinkhorst

- 
Debian Security Advisory DSA-1626-1  [EMAIL PROTECTED]
http://www.debian.org/security/  Thijs Kinkhorst
August 01, 2008   http://www.debian.org/security/faq
- 

Package: httrack
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
BugTraq ID : 30425

Joan Calvet discovered that httrack, a utility to create local copies of
websites, is vulnerable to a buffer overflow potentially allowing to
execute arbitrary code when passed excessively long URLs.

For the stable distribution (etch), this problem has been fixed in
version 3.40.4-3.1+etch1.

For the testing (lenny) and unstable distribution (sid), this problem has
been fixed in version 3.42.3-1.

We recommend that you upgrade your httrack package.

Upgrade instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
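
Both the Ubuntu notices above and the two Debian advisories list a size and an MD5 for every package, and anyone fetching a .deb by hand with wget should check both before running dpkg -i. The Python below is an added example written for this page, not Ubuntu's or Debian's tooling: it parses the two listing styles found on this page ("Size/MD5:" and "Size/MD5 checksum:") into a manifest, checks a downloaded file's size and then its MD5 against that manifest, and exercises itself on constructed sample packages with made-up names and contents (the sizes and checksums in the sample listing are the real values for those contents).

```python
import hashlib
import os
import re
import tempfile

# The two listing styles on this page: Ubuntu "Size/MD5:" and Debian
# "Size/MD5 checksum:". Each follows the URL line of the file it describes.
_URL_RE = re.compile(r"^\s*(https?://\S+)\s*$")
_SUM_RE = re.compile(r"^\s*Size/MD5(?: checksum)?:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_listing(text):
    """Return {basename: (size, md5_hex)} from advisory listing text."""
    manifest = {}
    pending = None
    for line in text.splitlines():
        m = _URL_RE.match(line)
        if m:
            pending = m.group(1).rsplit("/", 1)[-1]
            continue
        m = _SUM_RE.match(line)
        if m and pending is not None:
            manifest[pending] = (int(m.group(1)), m.group(2).lower())
            pending = None
    return manifest


def md5_of_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large packages do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, manifest):
    """Check a downloaded package against the advisory listing.

    Returns (ok, reason). Size is checked first: a truncated download is the
    common failure and the size test costs one stat() instead of a full read."""
    name = os.path.basename(path)
    if name not in manifest:
        return False, "not listed in the advisory"
    size, digest = manifest[name]
    actual_size = os.path.getsize(path)
    if actual_size != size:
        return False, "size %d, expected %d" % (actual_size, size)
    actual = md5_of_file(path)
    if actual != digest:
        return False, "md5 %s, expected %s" % (actual, digest)
    return True, "ok"


# Constructed sample: fake package names and contents. The listed values are
# the real size/MD5 of b"abc" and of the "quick brown fox" sentence.
SAMPLE_LISTING = """
http://security.example.org/pool/main/e/example/example_1.0-1_amd64.deb
  Size/MD5:        3 900150983cd24fb0d6963f7d28e17f72

  http://security.example.org/pool/updates/main/e/example/example-doc_1.0-1_all.deb
    Size/MD5 checksum:       43 9e107d9d372bb6826bd81d3542a419d6
"""
SAMPLE_CONTENTS = {
    "example_1.0-1_amd64.deb": b"abc",
    "example-doc_1.0-1_all.deb": b"The quick brown fox jumps over the lazy dog",
}


def run_demo():
    """Write the constructed packages to a temp dir, add a tampered copy and a
    truncated copy, and return {label: (ok, reason)} for each."""
    manifest = parse_listing(SAMPLE_LISTING)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_CONTENTS.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = verify_download(path, manifest)
        # Same size, one byte changed: only the digest catches this.
        tampered = os.path.join(d, "tampered", "example_1.0-1_amd64.deb")
        os.makedirs(os.path.dirname(tampered))
        with open(tampered, "wb") as f:
            f.write(b"abd")
        results["tampered/example_1.0-1_amd64.deb"] = verify_download(tampered, manifest)
        # Truncated download: caught by the size check before hashing.
        short = os.path.join(d, "short", "example-doc_1.0-1_all.deb")
        os.makedirs(os.path.dirname(short))
        with open(short, "wb") as f:
            f.write(SAMPLE_CONTENTS["example-doc_1.0-1_all.deb"][:-1])
        results["short/example-doc_1.0-1_all.deb"] = verify_download(short, manifest)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in run_demo().items():
        print("%-40s %s  %s" % (label, "OK " if ok else "BAD", reason))
```

Keep the limits of the listing in mind: MD5 is collision-broken, so this check catches corruption and truncation rather than a capable attacker, and the signed Release files that apt-get verifies remain the authoritative integrity check. A manual dpkg -i bypasses that signature verification, which is one more reason to prefer apt-get upgrade from the official security sources.list line.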


Debian GNU/Linux 4.0 alias etch
- ---

Source archives:

  
http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1.dsc
Size/MD5 checksum:  950 277074178046b94ceebefa5f5eaee9de
  
http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4.orig.tar.gz
Size/MD5 checksum:  1626176 9e4de064afc1dfcb6f50b773f8081f1c
  
http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1.diff.gz
Size/MD5 checksum: 7597 005a605bfabc7f0830d8db87d3ee67fe

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/h/httrack/httrack-doc_3.40.4-3.1+etch1_all.deb
Size/MD5 checksum:   516676 9f2c726cbc7e6f97dfeda4f8a72c8e77

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_amd64.deb
Size/MD5 checksum:   441370 a37aaf592b7ab95fd11eeec082d4919a
  
http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_amd64.deb
Size/MD5 checksum:   395946 7eea58a1b8a7d6d11501ec2e879f0167
  
http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_amd64.deb
Size/MD5 checksum:61108 0894913629340bd559c929d07a05f19f
  
http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_amd64.deb
Size/MD5 checksum:31766 63db4ac65e705d74d1eab458b33f56e5
  
http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_amd64.deb
Size/MD5 checksum:   491618 e8a2076bb272020be529c39a53eea534

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_arm.deb
Size/MD5 checksum:33424 eed7c807ccebd9db0722545849938d0f
  
http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_arm.deb
Size/MD5 checksum:   281686 1b4a63e9fea5cdbcd49eb02354fd0608
  
http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_arm.deb
Size/MD5 checksum:   350912 9c85eea85e7bf24b734f259ecba0a303
  
http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_arm.deb
Size/MD5 checksum:   443078 64a26f96bfb086474c47a9f37d9db15d
  
http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_arm.deb
Size/MD5 checksum:59448 70d880740666db737ef8cbc8730e5377

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_hppa.deb
Size/MD5 checksum:34180 5ac05721cb623cf7c25b9bffbc81ad6d
  
http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_hppa.deb
Size/MD5 checksum:65948 7a8fa1831ffadffab827c2a8ecc44068
  
http://security.debian.org/pool/updates/main/h/httrack/libhttrack1_3.40.4-3.1+etch1_hppa.deb
Size/MD5 checksum:   321760 ee4562bcf5255b6addf8ac0b673d19fe
  
http://security.debian.org/pool/updates/main/h/httrack/webhttrack_3.40.4-3.1+etch1_hppa.deb
Size/MD5 checksum:   440990 594b8679acb8e05c9b0bede368a86ad3
  
http://security.debian.org/pool/updates/main/h/httrack/libhttrack-dev_3.40.4-3.1+etch1_hppa.deb
Size/MD5 checksum:   438154 2bc91f3ebd931a161595b2c95253d15a

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/h/httrack/httrack_3.40.4-3.1+etch1_i386.deb
Size/MD5 checksum:32152 4f545c6163fc8516c6d0dae9ddf6082e
  
http://security.debian.org/pool/updates/main/h/httrack/proxytrack_3.40.4-3.1+etch1_i386.deb

[Full-disclosure] Tool Release: ProcL - Detect Hidden Process

2008-08-01 Thread Pallav Khandhar

Greetings,

I am glad to release ProcL v1.0.  ProcL employs many different methods
to detect hidden processes. Essentially, ProcL detailed and implemented
a mechanism to embed all these different approaches in one tool to
detect hidden processes. Our methods of detecting hidden processes
require the examination of each kernel object - EPROCESS, ETHREADS,
HANDLES, JOBS. Therefore, we believe, ProcL would defeat process
concealment from one certain method.


Hiding a process is particularly threatening because it represents  
some malicious code running on your system that you are completely  
unaware of. Process hiding has a significant effect. Many of the  
trojan, virus, spyware, rootkit writers use similar techniques to hide  
themselves and stay undetected as long as possible on target machines.  
Finding all the ways a rootkit might hide a process is just the first  
step in defending against the rootkits. Detecting hidden objects is a  
promising new area in rootkit detection.


For more information on the tool
http://www.scanit.net/rd/tools/03

Download the tool
http://www.scanit.net/files/tools/ProcL.zip

Cheers,
Pallav Khandhar
Sr. Security Researcher
Scanit R&D Lab

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] DNS Multiple Race Exploiting Tool

2008-08-01 Thread AR

#
Subject:DNS Multiple Race Exploiting Tool release
Homepage:   http://www.securebits.org/dnsmre.html
Download:   http://www.securebits.org/tools/dns_mre-v1.0.tar.gz
OS: The tool runs on Linux
Target OS:  Tested against windows 2003 server

#

 01 Introduction
 02 Features
 03 Extra Notes
 04 Running the Tool
 05 Example
 06 Credits

01 Introduction
---
 DNS Multiple Race Exploiting Tool exploits an inherent bug in the
implementation of DNS cache. The result of this exploitation is cache
poisoning/overwriting with new entries. The exploitation happens by querying
a DNS server that either supports recursion or is configured with forwarders
for non-existent hostnames in a target domain. Along with the queries come
fake reply/replies with static Transaction ID(s). Every query will generate
another query from the DNS server with a random TXID. If one of the replies
contains this specific TXID, the cache is poisoned. Because the replies are
sent directly after the query, they will arrive at the DNS server much
earlier than the legitimate reply from some Name Server.

 This attack was discovered and announced by Dan Kaminsky of Doxpara
Research in July 2008.

02 Features
---
 A. The tool can attack both unpatched DNS systems as well as patched DNS 
systems. Attacking a patched system requires a much longer time than an 
unpatched system though.

 B. The tool can launch two modes of attack; one is against a DNS server
that supports recursion, and the second mode is against a DNS server
configured with a forwarder DNS. The attack modes differ in the "flags"
carried in the DNS fake replies. Since a DNS server with forwarder(s) sends
a query with the "recursion desired" bit set, the reply has to have this bit
set, too. Also, the reply has to have the "recursion available" bit set. On
the other hand, a DNS server with recursion sends a query with the recursion
bit unset (i.e. an iterative query), so the reply has to have this bit unset,
too.

 C. The tool spoofs the source IP address of the queries. This is useful if
the attacker does not want to leave any trace of his IP address on the
server.

 D. The tool utilizes the CNAME Record Type to inject the false entry. The
way the poisoning is implemented is by sending two answer Resource Records
(RRs): one is a CNAME RR, and the second is an A record. Every fake reply
contains something like:
  [1] abdc.example.com is a CNAME of IN Class for www.example.com
  [2] www.example.com is an A of IN Class for IP 11.22.33.44

 E. The tool sends multiple fake replies with different TXIDs to increase
the probability of hitting the correct TXID. This is useful in reducing the
time needed to generate a "hit". For a server that does not randomize the
source port number, the maximum number of iterations needed is 65536 (an
average would be 32768). However, by sending 10 to 15 TXIDs, for example,
the probability of making a "hit" is higher in a shorter time; an average of
~3000 iterations is needed.
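As an added illustration, not part of the dns_mre release or of this post: the Python below builds the two reply shapes described in B and D (forwarder mode with RD and RA set, recursive mode with RD clear; a CNAME RR followed by an A RR), parses them back, applies the acceptance test a resolver runs before caching (TXID, question and bailiwick must match, which is why a wrong TXID is silently dropped and why a reply for abdc.example.com can still insert www.example.com), and gives the expected number of query rounds for k TXID guesses per round (E). The AA bit, the 3600 s TTL and all function names are my assumptions; the names and address are the post's own example values; nothing is sent on the wire.

```python
# Added example (not the dns_mre tool's code). Builds/parses the fake-reply
# shapes described in the post and models the TXID race. Nothing is sent.
import struct

# DNS header flag bits (RFC 1035)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    """Read a name at buf[off]; 0xC0 compression pointers handled for completeness."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:
            ptr = ((n & 0x3F) << 8) | buf[off]
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 1
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def reply_flags(target_forwards):
    """Flags a spoofed reply must carry to match the target's query (feature B).
    Forwarder mode: the target's upstream query has RD=1, so the reply needs
    RD=1 and RA=1. Recursive mode: the target iterates (RD=0), so the reply
    mirrors RD=0. AA is an assumption; the post does not mention it."""
    flags = QR | AA
    if target_forwards:
        flags |= RD | RA
    return flags


def build_fake_reply(txid, qname, cname_target, addr, target_forwards, ttl=3600):
    """One spoofed answer: question for qname, CNAME qname->cname_target,
    then an A record for cname_target (feature D)."""
    header = struct.pack("!HHHHHH", txid, reply_flags(target_forwards), 1, 2, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    cname_rdata = encode_name(cname_target)
    cname_rr = (encode_name(qname)
                + struct.pack("!HHIH", TYPE_CNAME, CLASS_IN, ttl, len(cname_rdata))
                + cname_rdata)
    a_rdata = bytes(int(o) for o in addr.split("."))
    a_rr = encode_name(cname_target) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + a_rdata
    return header + question + cname_rr + a_rr


def parse_reply(pkt):
    """Decode header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    questions = []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, _qclass = struct.unpack_from("!HH", pkt, off)
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == TYPE_CNAME:
            value, _ = decode_name(pkt, off)
        elif rtype == TYPE_A:
            value = ".".join(str(b) for b in pkt[off:off + 4])
        else:
            value = pkt[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, value))
    return {"txid": txid, "flags": flags, "questions": questions, "answers": answers}


def resolver_accepts(pkt, outstanding_txid, outstanding_qname, zone):
    """Acceptance test a resolver applies before caching: TXID and question must
    match the outstanding query and every answer owner name must be inside the
    zone that was asked about (bailiwick). A guessed-wrong TXID is dropped."""
    r = parse_reply(pkt)
    if r["txid"] != outstanding_txid or not (r["flags"] & QR):
        return False
    if r["questions"] != [(outstanding_qname, TYPE_A)]:
        return False
    return all(n == zone or n.endswith("." + zone) for n, _, _ in r["answers"])


def expected_rounds(guesses_per_round, txid_space=65536, port_space=1):
    """Mean number of query rounds until one spoofed reply matches (feature E).
    Each round the target draws a fresh TXID (and a fresh source port if it
    randomizes); k distinct guesses hit with probability k/(txid*port space),
    so the wait is geometric with this mean."""
    return txid_space * port_space / guesses_per_round
```

Usage: `resolver_accepts(build_fake_reply(0x1234, "abdc.example.com", "www.example.com", "11.22.33.44", True), 0x1234, "abdc.example.com", "example.com")` is true, while the same reply checked against TXID 0x1235 is rejected; `expected_rounds(16)` is 4096 for a fixed-port target and `expected_rounds(16, port_space=64512)` shows how much a randomized source port enlarges the search.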

03 Extra Notes
--
 [*] There is a sleeping time between sending the Query and the Replies. The
currently configured value of this time is 100 Milliseconds. This is
important because during the test, I found that if the reply is sent directly
along with the query, the fake reply would arrive at the server before the
server sends its own query and the fake reply would eventually be ignored.

 [*] There is another sleeping time between every iteration (query+replies).
This "time" is meant to control the amount of packets per second. Currently,
this "time" is 100 Milliseconds.

 [*] The tool does not create the packets in every iteration. It creates the
needed packets (1 query and multiple replies based on the number of TXIDs)
at once at the beginning. For later iterations, portions of the packets are
modified and re-sent again. This is done for faster operation and to use the
least amount of memory.

 [*] I am currently researching the most optimized and efficient way to
poison a DNS system that randomizes the source port address. This includes
the threshold number of TXIDs beyond which an attack would be unsuccessful,
or sending multiple queries first before sending their corresponding fake
replies, and so on.

If you have some ideas and suggestions, please write to me at 


04 Running the Tool
---
 The command syntax is:
 #./dns_mre [options]  

 The options are:

 -t The target DNS server to poison (required)
 -n The Name Server used to impersonate (required)
 -s A spoofed client IP address (optional)
 -p   Source port address used by target to send queries
  (required)
 -y   Type of the attack (optional; default 1)
  0 for Patched Sys

[Full-disclosure] n.runs-SA-2008.005 - Apple Inc. - CoreServices Framework’s CarbonCore Framework - Arbitrary Code Execution (remote)

2008-08-01 Thread [EMAIL PROTECTED]
n.runs AG
http://www.nruns.com/  security(at)nruns.com
n.runs-SA-2008.005   01-Aug-2008


Vendor:Apple Inc., http://www.apple.com
Affected Products: CoreServices Framework’s CarbonCore Framework
(Used by: i.e. Safari, Mail)
Affected Platforms:
Mac OS X v10.4.11
Mac OS X Server v10.4.11
Mac OS X v10.5.4
Mac OS X Server v10.5.4
Vulnerability: Arbitrary Code Execution (remote)
Risk:  CRITICAL


Vendor communication:

   2008/03/07  Initial notification to Apple Inc. n.runs AG has found a
               considerable amount of vulnerabilities in Apple's most
               up-to-date Default Systems and Default Installed Products,
               both on Mac OS 10.5 (Leopard) and iPhone 1.1.4, and intends
               to send them in several phases to Apple Inc.
   2008/03/08  Apple Inc. replies to n.runs AG providing their public PGP
               key. Apple Inc. states that the Apple Inc. RFP will be used
               instead of the n.runs RFP.
   2008/03/08  n.runs AG responds that vulnerability reporting will only
               happen under the n.runs AG RFP.
   2008/03/11  Apple Inc. confirms to n.runs AG that the n.runs AG RFP is
               aligned to their RFP, and that n.runs may continue with
               further communication and bug reporting.
   2008/03/11  n.runs AG sends PoCs for various issues to Apple Inc.
   2008/03/11  Apple Inc. acknowledges the PoCs, but has issues reproducing
               some of the vulnerabilities.
   2008/03/12  n.runs AG sends more reliable PoCs along with detailed
               reproduction steps.
   2008/03/24  Apple Inc. sends a status report regarding the
               vulnerabilities reported by n.runs AG.
   2008/03/30  n.runs AG thanks Apple Inc. for the status update and
               apologises for not being more responsive during the
               CanSecWest time-frame.
   2008/03/31  Apple Inc. sends a second status update and provides a link
               to where the credits will appear
               (http://support.apple.com/kb/HT1222).
   2008/04/01  n.runs AG acknowledges the update and sends a second set of
               vulnerabilities and PoCs based on the good and frequent
               communications that n.runs AG has had with Apple Inc. so far.
   2008/04/01  Apple Inc. thanks n.runs AG for the new PoCs, acknowledges
               them and includes a status report. Some of the issues are
               reported to be already known to them and/or discovered
               internally prior to n.runs AG's reporting. Apple Inc. also
               informs that Sergio’s name and company have been added to
               their system to track credit information for each of the
               security issues, and provides the Radar IDs assigned to each
               of them. Apple mentions further issues when trying to
               reproduce some of the vulnerabilities.
   2008/04/01  n.runs AG thanks Apple for the quick response and also
               clarifies that n.runs AG expects, as described in the RFP,
               to be credited for all the vulnerabilities reported to
               Apple Inc. - all of which affect the most up-to-date products
               available to the public - whether they are internally known
               to Apple Inc. or not.
   2008/04/03  Apple Inc. replies: “Yes, that's our policy: all reporters of
               non publicly known security bugs get credit.”
   2008/05/23  n.runs AG reports another vulnerability and requests a status
               update for the previously reported vulnerabilities.
   2008/05/29  Apple Inc. sends a status report and asks how n.runs would
               like to be credited, if there is some specific format.
   2008/05/29  n.runs AG sends the requested information to Apple Inc.
   2008/05/31  Apple Inc. sends the status report for the last reported
               issue, along with its Radar ID.
   2008/07/10  n.runs AG requests a status update for the issues reported
               to Apple Inc.
   2008/07/11  Apple Inc. sends the status report. Apple informs n.runs AG
               that some of the vulnerabilities had already been fixed, for
               which an update had been released some time ago. Apple Inc.
               also mentions that one of the vulnerabilities was found
               through internal security testing; consequently no credit
               was given, but that
 

[Full-disclosure] iDefense Security Advisory 07.31.08: Apple Mac OS X CoreGraphics PDF Type1 Font Integer Overflow Vulnerability

2008-08-01 Thread iDefense Labs
iDefense Security Advisory 07.31.08
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 31, 2008

I. BACKGROUND

Mac OS X is a Unix operating system built from the XNU kernel. Mac OS X
provides all the standard Unix capabilities and tools with an
additional GUI component. For more information, see the vendor's site
found at the following link URL.

http://www.apple.com/macosx/

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in Apple Inc.'s
Mac OS X could allow an attacker to execute arbitrary code with the
privileges of the currently logged in user.

This vulnerability exists due to the way PDF files containing Type 1
fonts are handled. When processing a font with an overly large length,
integer overflow could occur. This issue leads to heap corruption which
can allow for arbitrary code execution.

III. ANALYSIS

Exploitation of this issue allows an attacker to execute arbitrary code.
An attacker could exploit this issue via multiple attack vectors. The
most appealing vector for attack is Safari. An attacker could host a
malformed PDF file on a website and entice a targeted user to open a
URL. Upon opening the URL in Safari the PDF file will be automatically
parsed and exploitation will occur. While this is the most appealing
attack vector, the file can also be attached to an e-mail. Any
application which uses the Apple libraries for file open dialogs will
crash upon previewing the malformed PDF document.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Mac OS X
version 10.5.2. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Apple addressed this vulnerability within their Mac OS X 2008-005
security update. More information is available at the following URL.

http://support.apple.com/kb/HT2647

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2322 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/09/2008  Initial vendor notification
07/10/2008  Initial vendor response
07/31/2008  Public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Pariente Kobi.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] Fwd: Black Hat talk on Apple encryption cancelled

2008-08-01 Thread n3td3v
-- Forwarded message --
From: newsgroup <[EMAIL PROTECTED]>
Date: Fri, Aug 1, 2008 at 7:13 PM
Subject: Black Hat talk on Apple encryption cancelled
To: [EMAIL PROTECTED]



Just days before the annual Black Hat security conference in Las
Vegas, a talk on Apple's FileVault encryption system was abruptly
canceled by its presenter.

Researcher Charles Edge told the Washington Post that he had signed
confidentiality agreements with Apple. The agreements prevent him from
discussing further any vulnerabilities he may have found within
Apple's FileVault encryption system. Edge, Director of Technology of
318, Inc, has spoken at previous Black Hat and DefCon conferences.

This is not the first time a vendor has asked a security researcher not
to give a talk at Black Hat.

In 2005, then-ISS-employed researcher Michael Lynn was asked by Cisco
not to present a talk on flaws within that company's routers. On stage
at Black Hat, Lynn first quit his job, then went ahead and gave his
original talk. Afterward, he, too, signed a confidentiality agreement
with Cisco.

http://news.cnet.com/8301-1009_3-10004627-83.html



[Full-disclosure] [ MDVSA-2008:160 ] libxslt

2008-08-01 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2008:160
 http://www.mandriva.com/security/
 ___

 Package : libxslt
 Date: August 1, 2008
 Affected: 2007.1, 2008.0, 2008.1, Corporate 4.0
 ___

 Problem Description:

 Chris Evans of the Google Security Team found a vulnerability in the
 RC4 processing code in libxslt that did not properly handle corrupted
 key information.  A remote attacker able to make an application
 linked against libxslt process malicious XML input could cause the
 application to crash or possibly execute arbitrary code with the
 privileges of the application in question (CVE-2008-2935).
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2935
 ___

 Updated Packages:

 Mandriva Linux 2007.1:
 9582b6a5a85d8a4fde0be6113565cd9d  
2007.1/i586/libxslt1-1.1.20-2.2mdv2007.1.i586.rpm
 5205ec749db53b73cbec782d507686df  
2007.1/i586/libxslt1-devel-1.1.20-2.2mdv2007.1.i586.rpm
 64a810f8ac91b49c80c38e33f2750f85  
2007.1/i586/libxslt-proc-1.1.20-2.2mdv2007.1.i586.rpm
 bb9f876808ec910122977f7166112245  
2007.1/i586/python-libxslt-1.1.20-2.2mdv2007.1.i586.rpm 
 fa2168576c9baedb55b2577f913fbdec  
2007.1/SRPMS/libxslt-1.1.20-2.2mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 1bd1a4df038c3c4a5b753537854afd17  
2007.1/x86_64/lib64xslt1-1.1.20-2.2mdv2007.1.x86_64.rpm
 aaecaefb1c25c1838199058ffbec4bf9  
2007.1/x86_64/lib64xslt1-devel-1.1.20-2.2mdv2007.1.x86_64.rpm
 e39afe30c9f38113fde7e1fd060de05b  
2007.1/x86_64/libxslt-proc-1.1.20-2.2mdv2007.1.x86_64.rpm
 dfa8806c560c888f225b557622f3e10c  
2007.1/x86_64/python-libxslt-1.1.20-2.2mdv2007.1.x86_64.rpm 
 fa2168576c9baedb55b2577f913fbdec  
2007.1/SRPMS/libxslt-1.1.20-2.2mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 01d8d7608c3c74e8aa862f79907e07cc  
2008.0/i586/libxslt1-1.1.22-2.2mdv2008.0.i586.rpm
 4da832fd851d55b48b80341d7c3bc4ee  
2008.0/i586/libxslt-devel-1.1.22-2.2mdv2008.0.i586.rpm
 58e5f582472d1e28dce386c2bd5d9de4  
2008.0/i586/libxslt-proc-1.1.22-2.2mdv2008.0.i586.rpm
 74141e240b0e2a3b19790cb9addc0151  
2008.0/i586/python-libxslt-1.1.22-2.2mdv2008.0.i586.rpm 
 85c0d64608fb55944316a2ac46096d13  
2008.0/SRPMS/libxslt-1.1.22-2.2mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 7ff6d48c755e2907846f9a6b6378b5b9  
2008.0/x86_64/lib64xslt1-1.1.22-2.2mdv2008.0.x86_64.rpm
 f026cc563722e6847d58b0e1e6f0f6ce  
2008.0/x86_64/lib64xslt-devel-1.1.22-2.2mdv2008.0.x86_64.rpm
 bc530cb61a211a50155c59c52de543c3  
2008.0/x86_64/libxslt-proc-1.1.22-2.2mdv2008.0.x86_64.rpm
 458c1d9d588b4a3a435eb26dcf23e2f5  
2008.0/x86_64/python-libxslt-1.1.22-2.2mdv2008.0.x86_64.rpm 
 85c0d64608fb55944316a2ac46096d13  
2008.0/SRPMS/libxslt-1.1.22-2.2mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 c8cab87e462864b9d575613630500965  
2008.1/i586/libxslt1-1.1.22-2.2mdv2008.1.i586.rpm
 2fb2120f868e093a73c766537eca4c4c  
2008.1/i586/libxslt-devel-1.1.22-2.2mdv2008.1.i586.rpm
 c9322ae81ff3e2bcbadef36a1d3f29ec  
2008.1/i586/libxslt-proc-1.1.22-2.2mdv2008.1.i586.rpm
 fa11c933fa71ffe7dffd869454809523  
2008.1/i586/python-libxslt-1.1.22-2.2mdv2008.1.i586.rpm 
 126fa9767b486af09ead4b9f5841  
2008.1/SRPMS/libxslt-1.1.22-2.2mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 d7eeca6bfa273ff8d3995144272825e8  
2008.1/x86_64/lib64xslt1-1.1.22-2.2mdv2008.1.x86_64.rpm
 cf74a4e8440e324e776d00162784da57  
2008.1/x86_64/lib64xslt-devel-1.1.22-2.2mdv2008.1.x86_64.rpm
 b6ff1bbf9fc5c56421b4cd2c60515c21  
2008.1/x86_64/libxslt-proc-1.1.22-2.2mdv2008.1.x86_64.rpm
 9507d84c1b2338ac8a06a76efd9cd94d  
2008.1/x86_64/python-libxslt-1.1.22-2.2mdv2008.1.x86_64.rpm 
 126fa9767b486af09ead4b9f5841  
2008.1/SRPMS/libxslt-1.1.22-2.2mdv2008.1.src.rpm

 Corporate 4.0:
 6fda1818a68ea24d52e6e181f095  
corporate/4.0/i586/libxslt1-1.1.15-1.2.20060mlcs4.i586.rpm
 1679fdbdfb7020be4622fae157a2a2b5  
corporate/4.0/i586/libxslt1-devel-1.1.15-1.2.20060mlcs4.i586.rpm
 3a030cdd0fbadaf26b4871d371fe6f54  
corporate/4.0/i586/libxslt-proc-1.1.15-1.2.20060mlcs4.i586.rpm
 ecaa9e0beff76328b236a87870274b1d  
corporate/4.0/i586/libxslt-python-1.1.15-1.2.20060mlcs4.i586.rpm 
 bf4154eaf3cff4b487a71c9f9edcb60c  
corporate/4.0/SRPMS/libxslt-1.1.15-1.2.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 953ce3b7b6f9f5be7c2a24d2aef92bbe  
corporate/4.0/x86_64/lib64xslt1-1.1.15-1.2.20060mlcs4.x86_64.rpm
 4ae0c85ebc4d13552b6db13a2067dea4  
corporate/4.0/x86_64/lib64xslt1-devel-1.1.15-1.2.20060mlcs4.x86_64.rpm
 65d3b3a21d5165b0eb256db4c57d946d  
corporate/4.0/x86_64/libxslt-proc-1.1.15-1.2.20060mlcs4.x86_64.rpm
 645272c4f3c51b3e28a19ff14be17a36  
corporate/4.0/x

[Full-disclosure] iDefense Security Advisory 08.01.08: Ingres Database for Linux verifydb Insecure File Permissions Modification Vulnerability

2008-08-01 Thread iDefense Labs
iDefense Security Advisory 08.01.08
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 01, 2008

I. BACKGROUND

Ingres Database is a database server used in several Computer
Associates' products. For example, CA Directory Service uses the Ingres
Database server. More information can be found on the vendor's website
at the following URL.

http://ingres.com/downloads/prod-cert-download.php

II. DESCRIPTION

Local exploitation of a file permissions modification vulnerability in
the "verifydb" utility, as included with Ingres Database 2006 Release 2
for Linux, allows attackers to modify the permissions of files owned by
the Ingres database user.

The vulnerability exists within the "verifydb" utility included with
Ingres. It is used to clean up unneeded files created in the database
directory. This program has the set-uid bit set, and is owned by the
"ingres" user.

The "verifydb" program improperly changes the permissions on files. The
program first creates a file called "iivdb.log" in the current
directory, and then makes it world writable. By creating a symbolic
link to a file owned by the "ingres" user, an attacker can gain write
access to the target file.
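An added illustration, not Ingres code, of the pattern the advisory describes beside its safe form: creating the log by path and then chmod'ing it by path follows a symlink an attacker planted in the working directory, whereas opening with O_CREAT|O_EXCL|O_NOFOLLOW and applying the mode with fchmod() on the descriptor refuses the planted link and never touches its target. The scenario builds the directory, a stand-in for an ingres-owned file and the symlink in a temporary directory; everything except the name iivdb.log is my own construction, and it assumes a Linux/Unix host.

```python
# Added example, not the verifydb code: the create-then-chmod-by-path pattern
# the advisory describes versus a symlink-safe creation. Linux/Unix only.
import os
import stat
import tempfile

LOG_NAME = "iivdb.log"


def unsafe_create_log(directory):
    """The vulnerable sequence: open() by path follows symlinks, and so does
    chmod() by path. With iivdb.log pre-linked to a file the privileged user
    owns, the 0666 lands on that file."""
    path = os.path.join(directory, LOG_NAME)
    with open(path, "a"):
        pass
    os.chmod(path, 0o666)
    return path


def safe_create_log(directory):
    """Symlink-safe creation: O_CREAT|O_EXCL fails with EEXIST if anything,
    including a dangling symlink, already has that name; O_NOFOLLOW is the
    second line of defence; fstat() confirms we hold a regular file; and
    fchmod() applies a non-world-writable mode to the object actually opened."""
    path = os.path.join(directory, LOG_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("iivdb.log is not a regular file")
        os.fchmod(fd, 0o600)
    except Exception:
        os.close(fd)
        raise
    return fd


def symlink_scenario(create_fn):
    """Constructed attack setup: a stand-in for an ingres-owned file (mode 0600)
    and iivdb.log -> that file, then the given creation routine runs in that
    directory. Returns (exception name or None, target mode afterwards)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "ingres_owned_file")
        with open(target, "w"):
            pass
        os.chmod(target, 0o600)
        os.symlink(target, os.path.join(d, LOG_NAME))
        err = None
        try:
            result = create_fn(d)
            if isinstance(result, int):
                os.close(result)
        except OSError as e:
            err = type(e).__name__
        return err, stat.S_IMODE(os.stat(target).st_mode)


def clean_scenario(create_fn):
    """No attacker: run the routine in an empty directory, return the log's mode."""
    with tempfile.TemporaryDirectory() as d:
        result = create_fn(d)
        if isinstance(result, int):
            os.close(result)
        return stat.S_IMODE(os.stat(os.path.join(d, LOG_NAME)).st_mode)


if __name__ == "__main__":
    print("unsafe:", symlink_scenario(unsafe_create_log))  # (None, 0o666): target made world-writable
    print("safe:  ", symlink_scenario(safe_create_log))    # ('FileExistsError', 0o600): target untouched
```

Note that the O_EXCL failure is the real fix; O_NOFOLLOW alone would still let the chmod-by-path step misfire if the code later referred to the name again, which is why the mode is applied through the descriptor.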

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to overwrite
arbitrary files owned by the "ingres" user. By itself, this
vulnerability does not have very serious consequences. However, when
combined with the library loading vulnerability, it allows an attacker
to execute arbitrary code with root privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Ingres
2006 Enterprise Edition Release 2 for Linux x86 (32-bit). Other
versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

"This problem has been identified and resolved by Ingres in the
following releases: Ingres 2006 release 2 (9.1.0), Ingres 2006 release
1 (9.0.4), and Ingres 2.6."

For more information, refer to Ingres' advisory at the following URL.

http://www.ingres.com/support/security-alert-080108.php

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3356 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/20/2007  Initial vendor response
07/23/2007  Initial vendor notification
08/01/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] iDefense Security Advisory 08.01.08: Ingres Database for Linux libbecompat Stack Based Buffer Overflow Vulnerability

2008-08-01 Thread iDefense Labs
iDefense Security Advisory 08.01.08
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 01, 2008

I. BACKGROUND

Ingres Database is a database server used in several Computer
Associates' products. For example, CA Directory Service uses the Ingres
Database server. More information can be found on the vendor's website
at the following URL.

http://ingres.com/downloads/prod-cert-download.php

II. DESCRIPTION

Local exploitation of a stack-based buffer overflow vulnerability in the
"libbecompat" library, as included in Ingres Database 2006 Release 2 for
Linux, allows attackers to execute arbitrary code with the privileges of
the Ingres user.

The vulnerability exists within the "libbecompat" library that is used
by several of the set-uid "ingres" utilities included with Ingres. When
copying a user supplied environment variable into a fixed-size stack
buffer, the library fails to check the length of the source string.
This results in an exploitable stack buffer overflow.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to execute
arbitrary code with the privileges of the "ingres" user. By itself,
this vulnerability does not have very serious consequences. However,
when combined with the library loading vulnerability, it allows an
attacker to execute arbitrary code with root privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Ingres
2006 Enterprise Edition Release 2 for Linux x86 (32-bit). Other
versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

"This problem has been identified and resolved by Ingres in the
following releases: Ingres 2006 release 2 (9.1.0), Ingres 2006 release
1 (9.0.4), and Ingres 2.6."

For more information, refer to Ingres' advisory at the following URL.

http://www.ingres.com/support/security-alert-080108.php

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3389 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/20/2007  Initial vendor response
07/23/2007  Initial vendor notification
08/01/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.



[Full-disclosure] iDefense Security Advisory 08.01.08: Ingres Database for Linux ingvalidpw Untrusted Library Path Vulnerability

2008-08-01 Thread iDefense Labs
iDefense Security Advisory 08.01.08
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 01, 2008

I. BACKGROUND

Ingres Database is a database server used in several Computer
Associates' products. For example, CA Directory Service uses the Ingres
Database server. More information can be found on the vendor's website
at the following URL.

http://ingres.com/downloads/prod-cert-download.php

II. DESCRIPTION

Local exploitation of an untrusted library path vulnerability in the
"ingvalidpw" utility, as included in Ingres Database 2006 Release 2 for
Linux, allows attackers to execute arbitrary code with root privileges.

The vulnerability exists within the "ingvalidpw" utility included with
Ingres database. This utility is used to verify a user's credentials,
and is installed set-uid root. When loading shared libraries, the
"ingvalidpw" program will load libraries from a directory owned by the
"ingres" user. By using a specially crafted library, a user with
"ingres" privileges can gain root.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to elevate their
privileges from the "ingres" user to root. By itself, this is not that
serious of a vulnerability. However, when combined with the libbecompat
and verifydb vulnerabilities it allows an unprivileged local user to
gain root privileges.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Ingres
2006 Enterprise Edition Release 2 for Linux x86 (32-bit). Other
versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

"This problem has been identified and resolved by Ingres in the
following releases: Ingres 2006 release 2 (9.1.0), Ingres 2006 release
1 (9.0.4), and Ingres 2.6."

For more information, refer to Ingres' advisory at the following URL.

http://www.ingres.com/support/security-alert-080108.php

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3357 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/20/2007  Initial vendor response
07/23/2007  Initial vendor notification
08/01/2008  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
