[Full-disclosure] [ MDVSA-2008:245 ] firefox
___

Mandriva Linux Security Advisory MDVSA-2008:245
http://www.mandriva.com/security/

___

Package : firefox
Date    : December 17, 2008
Affected: 2009.0

___

Problem Description:

Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox 3.x, version 3.0.5 (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5505, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513).

This update provides the latest Mozilla Firefox 3.x to correct these issues.

___

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5513
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.5

___

Updated Packages:

Mandriva Linux 2009.0:
[Full-disclosure] [USN-695-1] shadow vulnerability
===

Ubuntu Security Notice USN-695-1 December 18, 2008
shadow vulnerability
https://launchpad.net/bugs/306082

===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  login 1:4.0.13-7ubuntu3.4

Ubuntu 7.10:
  login 1:4.0.18.1-9ubuntu0.2

Ubuntu 8.04 LTS:
  login 1:4.0.18.2-1ubuntu2.2

Ubuntu 8.10:
  login 1:4.1.1-1ubuntu1.2

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Paul Szabo discovered a race condition in login. While setting up tty permissions, login did not correctly handle symlinks. If a local attacker were able to gain control of the system utmp file, they could cause login to change the ownership and permissions on arbitrary files, leading to a root privilege escalation.

Updated packages for Ubuntu 6.06 LTS:
[Full-disclosure] [USN-690-1] Firefox and xulrunner vulnerabilities
===

Ubuntu Security Notice USN-690-1 December 17, 2008
firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2008-5500, CVE-2008-5501, CVE-2008-5502, CVE-2008-5505, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513

===

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:
  firefox-3.0 3.0.5+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9 1.9.0.5+nobinonly-0ubuntu0.8.04.1

Ubuntu 8.10:
  abrowser 3.0.5+nobinonly-0ubuntu0.8.10.1
  firefox-3.0 3.0.5+nobinonly-0ubuntu0.8.10.1
  xulrunner-1.9 1.9.0.5+nobinonly-0ubuntu0.8.10.1

After a standard system upgrade you need to restart Firefox and any applications that use xulrunner, such as Epiphany, to effect the necessary changes.

Details follow:

Several flaws were discovered in the browser engine. These problems could allow an attacker to crash the browser and possibly execute arbitrary code with user privileges. (CVE-2008-5500, CVE-2008-5501, CVE-2008-5502)

It was discovered that Firefox did not properly handle persistent cookie data. If a user were tricked into opening a malicious website, an attacker could write persistent data in the user's browser and track the user across browsing sessions. (CVE-2008-5505)

Marius Schilder discovered that Firefox did not properly handle redirects to an outside domain when an XMLHttpRequest was made to a same-origin resource. It's possible that sensitive information could be revealed in the XMLHttpRequest response. (CVE-2008-5506)

Chris Evans discovered that Firefox did not properly protect a user's data when accessing a same-domain Javascript URL that is redirected to an unparsable Javascript off-site resource. If a user were tricked into opening a malicious website, an attacker may be able to steal a limited amount of private data. (CVE-2008-5507)

Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered Firefox did not properly parse URLs when processing certain control characters. (CVE-2008-5508)

Kojima Hajime discovered that Firefox did not properly handle an escaped null character. An attacker may be able to exploit this flaw to bypass script sanitization. (CVE-2008-5510)

Several flaws were discovered in the Javascript engine. If a user were tricked into opening a malicious website, an attacker could exploit this to execute arbitrary Javascript code within the context of another website or with chrome privileges. (CVE-2008-5511, CVE-2008-5512)

Flaws were discovered in the session-restore feature of Firefox. If a user were tricked into opening a malicious website, an attacker could exploit this to perform cross-site scripting attacks or execute arbitrary Javascript code with chrome privileges. (CVE-2008-5513)

Updated packages for Ubuntu 8.04 LTS:
[Full-disclosure] [USN-694-1] libvirt vulnerability
===

Ubuntu Security Notice USN-694-1 December 18, 2008
libvirt vulnerability
CVE-2008-5086

===

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 7.10:
  libvirt0 0.3.0-0ubuntu2.1

Ubuntu 8.04 LTS:
  libvirt0 0.4.0-2ubuntu8.1

Ubuntu 8.10:
  libvirt0 0.4.4-3ubuntu3.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

It was discovered that libvirt did not mark certain operations as read-only. A local attacker may be able to perform privileged actions such as migrating virtual machines, adjusting autostart flags, or accessing privileged data in the virtual machine memory and disks.

Updated packages for Ubuntu 7.10:
[Full-disclosure] [USN-690-3] Firefox vulnerabilities
===

Ubuntu Security Notice USN-690-3 December 18, 2008
firefox vulnerabilities
CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507, CVE-2008-5511, CVE-2008-5512

===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  firefox 1.5.dfsg+1.5.0.15~prepatch080614i-0ubuntu1

After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Details follow:

Several flaws were discovered in the browser engine. These problems could allow an attacker to crash the browser and possibly execute arbitrary code with user privileges. (CVE-2008-5500)

Boris Zbarsky discovered that the same-origin check in Firefox could be bypassed by utilizing XBL-bindings. An attacker could exploit this to read data from other domains. (CVE-2008-5503)

Marius Schilder discovered that Firefox did not properly handle redirects to an outside domain when an XMLHttpRequest was made to a same-origin resource. It's possible that sensitive information could be revealed in the XMLHttpRequest response. (CVE-2008-5506)

Chris Evans discovered that Firefox did not properly protect a user's data when accessing a same-domain Javascript URL that is redirected to an unparsable Javascript off-site resource. If a user were tricked into opening a malicious website, an attacker may be able to steal a limited amount of private data. (CVE-2008-5507)

Several flaws were discovered in the Javascript engine. If a user were tricked into opening a malicious website, an attacker could exploit this to execute arbitrary Javascript code within the context of another website or with chrome privileges. (CVE-2008-5511, CVE-2008-5512)

Updated packages for Ubuntu 6.06 LTS:
[Full-disclosure] [USN-692-1] Gadu vulnerability
===

Ubuntu Security Notice USN-692-1 December 17, 2008
ekg, libgadu vulnerability
CVE-2008-4776

===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
  libgadu3 1:1.6+20051103-1ubuntu1.1

Ubuntu 7.10:
  libgadu3 1:1.7~rc2-2ubuntu0.7.10.1

Ubuntu 8.04 LTS:
  libgadu3 1:1.7~rc2-2ubuntu0.8.04.1

Ubuntu 8.10:
  libgadu3 1:1.8.0+r592-1ubuntu0.1

After a standard system upgrade you need to restart your session to effect the necessary changes.

Details follow:

It was discovered that the Gadu library, used by some Instant Messaging clients, did not correctly verify certain packet sizes from the server. If a user connected to a malicious server, clients using Gadu could be made to crash, leading to a denial of service.

Updated packages for Ubuntu 6.06 LTS:
[Full-disclosure] [USN-693-1] LittleCMS vulnerability
===

Ubuntu Security Notice USN-693-1 December 17, 2008
LittleCMS vulnerability
CVE-2008-5317

===

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 7.10:
  liblcms1 1.16-5ubuntu3.1

Ubuntu 8.04 LTS:
  liblcms1 1.16-7ubuntu1.1

Ubuntu 8.10:
  liblcms1 1.16-10ubuntu0.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

It was discovered that certain gamma operations in lcms were not correctly bounds-checked. If a user or automated system were tricked into processing a malicious image, a remote attacker could crash applications linked against liblcms1, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Updated packages for Ubuntu 7.10:
[Full-disclosure] [USN-690-2] Firefox vulnerabilities
===

Ubuntu Security Notice USN-690-2 December 18, 2008
firefox vulnerabilities
CVE-2008-5500, CVE-2008-5503, CVE-2008-5504, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513

===

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 7.10:
  firefox 2.0.0.19+nobinonly1-0ubuntu0.7.10.1

After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Details follow:

Several flaws were discovered in the browser engine. These problems could allow an attacker to crash the browser and possibly execute arbitrary code with user privileges. (CVE-2008-5500)

Boris Zbarsky discovered that the same-origin check in Firefox could be bypassed by utilizing XBL-bindings. An attacker could exploit this to read data from other domains. (CVE-2008-5503)

Several problems were discovered in the JavaScript engine. An attacker could exploit feed preview vulnerabilities to execute scripts from page content with chrome privileges. (CVE-2008-5504)

Marius Schilder discovered that Firefox did not properly handle redirects to an outside domain when an XMLHttpRequest was made to a same-origin resource. It's possible that sensitive information could be revealed in the XMLHttpRequest response. (CVE-2008-5506)

Chris Evans discovered that Firefox did not properly protect a user's data when accessing a same-domain Javascript URL that is redirected to an unparsable Javascript off-site resource. If a user were tricked into opening a malicious website, an attacker may be able to steal a limited amount of private data. (CVE-2008-5507)

Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered Firefox did not properly parse URLs when processing certain control characters. (CVE-2008-5508)

Kojima Hajime discovered that Firefox did not properly handle an escaped null character. An attacker may be able to exploit this flaw to bypass script sanitization. (CVE-2008-5510)

Several flaws were discovered in the Javascript engine. If a user were tricked into opening a malicious website, an attacker could exploit this to execute arbitrary Javascript code within the context of another website or with chrome privileges. (CVE-2008-5511, CVE-2008-5512)

Flaws were discovered in the session-restore feature of Firefox. If a user were tricked into opening a malicious website, an attacker could exploit this to perform cross-site scripting attacks or execute arbitrary Javascript code with chrome privileges. (CVE-2008-5513)

Updated packages for Ubuntu 7.10:
a5da4c672ee9cdb9238827240a1fd8d4 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-libthai_2.0.0.19+nobinonly1-0ubuntu0.7.10.1_amd64.deb Size/MD5:67296 1867fa5365e1877b2991f0012a5a0508 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.19+nobinonly1-0ubuntu0.7.10.1_amd64.deb Size/MD5: 10470700 e782eb0e3ee75833b54f6bf6eb7ad587 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.19+nobinonly1-0ubuntu0.7.10.1_i386.deb Size/MD5: 77284164 a71bc30bc1337cf8f764c4e34c0225bc http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.19+nobinonly1-0ubuntu0.7.10.1_i386.deb Size/MD5: 3187094 ac6687331ea182a211af874e78d6ed17 http://security.ubuntu.c
[Full-disclosure] [ MDVSA-2008:244 ] mozilla-firefox
___
Mandriva Linux Security Advisory MDVSA-2008:244
http://www.mandriva.com/security/
___
Package : mozilla-firefox
Date: December 17, 2008
Affected: 2008.1, Corporate 3.0, Corporate 4.0
___
Problem Description:

Security vulnerabilities have been discovered and corrected in the latest Mozilla Firefox 2.x, version 2.0.0.19 (CVE-2008-5500, CVE-2008-5503, CVE-2008-5504, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513).

This update provides the latest Mozilla Firefox 2.x to correct these issues.
___
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5513
http://www.mozilla.org/security/known-vulnerabilities/firefox20.html#firefox2.0.0.19
___
Updated Packages:

Mandriva Linux 2008.1:
Re: [Full-disclosure] List of security teams contact information
> Well it's a Wiki so we can all contribute.

You can edit any field on osvdb.org as well--just click on it...

--
http://www.cirt.net
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] List of security teams contact information
Well it's a Wiki so we can all contribute.

On Wed, Dec 17, 2008 at 5:27 PM, security curmudgeon wrote:
>
> : I've created a list with contact information for various security teams:
> :
> : http://skypher.com/wiki/index.php?title=List_of_security_teams_contact_information
> : I hope this makes informing vendors about security issues easier. If you
> : have any additional information or spot an error, let me know.
>
> http://osvdb.org/vendors
>
> This project was created a while back to do the same. Please consider
> contributing to it.

--
http://www.astorandblack.com/
Re: [Full-disclosure] request for comments...
On Wed, Dec 17, 2008 at 5:20 PM, wrote:
> On Wed, 17 Dec 2008 15:30:21 +0200, James Matthews said:
>
>> Wow now there is a twitter also!
>
> 140 character limit. And we already know from long experience that
> security via bumper sticker slogans doesn't work. No good can come from this.
>

There is a big info sec community on Twitter already, see
http://www.twitter.com/securitytwits
Re: [Full-disclosure] request for comments...
On Wed, 17 Dec 2008 15:30:21 +0200, James Matthews said:
> Wow now there is a twitter also!

140 character limit. And we already know from long experience that security via bumper sticker slogans doesn't work. No good can come from this.
[Full-disclosure] n.runs-SA-2008.010 - Opera HTML parsing Code Execution
n.runs AG
http://www.nruns.com/
security(at)nruns.com
n.runs-SA-2008.010
16-Dec-2008
___
Vendor: Opera Software ASA, http://www.opera.com
Affected Products: Opera Browser all platforms
Vulnerability: HTML parsing flaw leads to remote code execution
Risk: HIGH
___
Vendor communication:

2008/11/10  Initial notification to Opera including n.runs RFP and n.runs PGP public key
2008/11/12  Opera response and remarks to agree in general with n.runs RFP but depending on the issue the timeline for a fix might have to be longer than the one mentioned in n.runs RFP (30 days)
2008/11/12  n.runs replies and outlines following a responsible disclosure policy as long as Opera keep n.runs in the loop. n.runs sends with the same email a zip archive including two PoC files and detailed crash log analysis
2008/11/14  n.runs resends the last email with a download link for the PoCs because Opera's MX Server did not accept the enclosed encrypted zip archive
2008/11/14  Opera acknowledges the PoC files
2008/11/24  Opera communicates to n.runs that they identified the nature of the issue and that they are looking into a fix
2008/12/12  Opera sends n.runs a current draft of the Opera advisory and notifies new version is scheduled to be released early next week
2008/12/16  Opera releases Opera 9.63 [1]
2008/12/16  n.runs releases this advisory
___
Overview:

Quoting http://www.opera.com/company/:
"Opera started in 1994 as a research project within Norway's largest telecom company, Telenor. Within a year, it branched out to become an independent development company named Opera Software ASA. Today, Opera Software develops the Opera Web browser, a high-quality, multi-platform product for a wide range of platforms, operating systems and embedded Internet products - including Mac, PC and Linux computers, mobile phones and PDAs, game consoles and other devices like the Nintendo Wii and DS, Sony Mylo and more. Opera's vision is to deliver the best Internet experience on any device. Opera's key business objective is to earn global leadership in the market for PC / desktops and embedded products. Opera's main business strategy is to provide a browser that operates across devices, platforms and operating systems, and can deliver a faster, more stable and flexible Internet experience than its competitors."

Description:

A remotely exploitable vulnerability has been found in the HTML parsing engine. In detail, the following flaw was determined:

- Certain HTML constructs affecting an internal heap structure. As a result of a pointer calculation, memory may be corrupted in such a way that an attacker could execute arbitrary code.

Impact:

An attacker could exploit the vulnerability by constructing a specially prepared Website. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploits this vulnerability could gain the same user rights as the logged-on user.

Solution:

Opera has issued an update to correct this vulnerability. For detailed information about the fixes follow the link in References [1] section of this document.

n.runs AG wants to highlight the fluent communication with Opera and its very quick response to validate and fix the issue.
___
Credit:

Bugs found by Alexios Fakos of n.runs AG.
___
References:

http://www.opera.com/support/kb/view/921/ [1]

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
___
Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact secur...@nruns.com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.
Re: [Full-disclosure] List of security teams contact information
: I've created a list with contact information for various security teams:
:
: http://skypher.com/wiki/index.php?title=List_of_security_teams_contact_information
: I hope this makes informing vendors about security issues easier. If you
: have any additional information or spot an error, let me know.

http://osvdb.org/vendors

This project was created a while back to do the same. Please consider contributing to it.
[Full-disclosure] Network Security Scanner OpenVAS 2.0.0 Released
Hello,

On December 17th, 2008, the OpenVAS[1] developer team released OpenVAS 2.0.0 which marks the start of the next generation of the Open Vulnerability Assessment System for network security scanning.

OpenVAS is a fork of the Nessus security scanner which has continued development under a proprietary license since late 2005.

Since the release of OpenVAS 1.0.0 in October 2007, the OpenVAS developers continued the auditing of the code inherited from Nessus and have added a variety of useful features for OpenVAS users, for server administrators and for developers of Network Vulnerability Tests (NVTs).

The main changes compared to the 1.0 series cover:

* OVAL Support: OpenVAS 2.0.0 introduces preliminary support for OVAL, the Open Vulnerability and Assessment Language[2]. OVAL is an international, information security, community standard to promote open, standardized and publicly available security content. The OpenVAS server can now execute OVAL files just like its own Network Vulnerability Tests (NVTs) using the OVAL definitions interpreter "ovaldi". While the plain ovaldi tool can only check local systems where it is installed, the combination with OpenVAS enables ovaldi to test any target system for which OpenVAS has collected information. OpenVAS 2.0.0 includes readily available support for Red Hat Enterprise Linux security announcements as published in OVAL format. OVAL support will expand to further platforms.

* OpenVAS Transfer Protocol (OTP): A comprehensive audit of the Nessus Transfer Protocol (NTP) resulted in numerous improvements and fixes and led to the OpenVAS Transfer Protocol (OTP). Since NTP support was dropped entirely, the 1.0 and 2.0 series of OpenVAS Server and Client can not operate in mixed mode.

* Object Identifiers (OIDs): In order to make identifying individual NVTs easier, OpenVAS adopted an OID-based numbering scheme for NVTs. OIDs in OpenVAS will start with the prefix 1.3.6.1.4.1.25623; backward compatibility in server and client has been ensured.

* 64-bit Support: Intensive work on 64-bit cleanliness has been undertaken. OpenVAS 2.0.0 is expected to be fully 64-bit compatible.

* Improved GUI Client: The OpenVAS-Client has seen a number of improvements and is now able to display NVT signature information in the GUI and in the various reports. Reporting has been improved as well as localization for various languages (best support in this order: German, Spanish/French, Swedish, Hebrew, Croatian).

* Bugfixes: Any spotted bugs have been fixed. Please refer to the CHANGES files supplied with the individual modules for details.

* Code Audit: A large amount of outdated or unused code has been identified and removed or replaced.

Compatibility of NASL NVTs and the OpenVAS Feed Service:

The available NVT package (openvas-plugins) and OpenVAS Feed which provides more than 6000 NVTs are compatible for both the 1.0 and the 2.0 series of OpenVAS.

Migration from OpenVAS 1.0:

If you want to migrate your existing reports created with a 1.0 series client to OpenVAS 2.0.0, please use the script provided in the openvas-client/tools directory. If you are currently using OpenVAS 1.0.x, we recommend that you install the OpenVAS 2.0.0 source code release separately from your existing installation.

Documentation:

An extensive documentation for OpenVAS has been created as well and was recently released. Users, administrators and developers can now access more than 100 pages of the OpenVAS Compendium, available in English and German.

Downloads:

All download links for OpenVAS 2.0.0 and additional information can be found on the OpenVAS website[1]. OpenVAS 2.0.0 is initially released as a source code release; packages for various distributions are expected to follow.

The OpenVAS team would like to thank everybody who has contributed to this release. We have worked hard to bring you the best OpenVAS version. If you have any questions or suggestions, please feel free to use the public mailing list and our online chat. Please use the OpenVAS bug tracker[3] to report bugs.

The OpenVAS developers would like to wish all users a recreative holiday season and a happy new year.

[1] http://www.openvas.org
[2] http://oval.mitre.org
[3] http://bugs.openvas.org

--
Michael Wiegand | OpenPGP key: D7D049EC | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Re: [Full-disclosure] List of security teams contact information
On Wed, Dec 17, 2008 at 9:23 AM, Berend-Jan Wever wrote:
> I've created a list with contact information for various security teams:
> http://skypher.com/wiki/index.php?title=List_of_security_teams_contact_information

osvdb.org has a pretty comprehensive vendor dictionary already. You should check to see if the ones you list have updated contact info in there.

http://osvdb.org/vendors

-Sullo

--
http://www.cirt.net
[Full-disclosure] List of security teams contact information
Hey all,

I've created a list with contact information for various security teams:
http://skypher.com/wiki/index.php?title=List_of_security_teams_contact_information
I hope this makes informing vendors about security issues easier. If you have any additional information or spot an error, let me know.

Cheers,
SkyLined

Berend-Jan Wever
http://skypher.com
Re: [Full-disclosure] request for comments...
Twitter gave it to me today because someone malicious was using it.

Best wishes,

-Andrew

On Wed, Dec 17, 2008 at 1:30 PM, James Matthews wrote:
> Wow now there is a twitter also!
Re: [Full-disclosure] request for comments...
Wow now there is a twitter also!

On Wed, Dec 17, 2008 at 2:31 PM, j-f sentier wrote:
> N3td3v, the FD voice.
>
> 2008/12/17 n3td3v
> > On Tue, Dec 16, 2008 at 6:53 PM, Ureleet wrote:
>> > On Tue, Dec 16, 2008 at 11:59 AM, n3td3v wrote:
>> >> On Tue, Dec 16, 2008 at 4:16 PM, jose achada wrote:
>> >>> no physical barriers are imposed and nor the big media can hide you.
>> >>
>> >> The intelligence services have been in control of the "big media" and
>> >> have been for some time.
>> >
>> > ill agree there.
>> >
>> >
>> >> When I started full-disclosure I was innocent and pure, then I met
>> >> various people and realised how the world really works.
>> >
>> > u didnt start fulldisclosure, u mean 2 say, when u started ON fd. but
>> > according 2 ur posts be4 fd existed that i have googled, thats a lie.
>> >
>> >
>> >> I met them on-line and in person, they wanted a slice of n3td3v, they
>> >> wanted to control the path n3td3v takes...
>> >>
>> >> I told them I won't allow you to do that, but you can be with me and
>> >> we can progress together...
>> >>
>> >> I still get emails from the intelligence services trying to give me
>> >> advice on the path of n3td3v, but I reject all advice.
>> >
>> > obviously
>> >
>> >> I know that the government can impose big guys to come after me to
>> >> force me to 'go with their agenda, not mine' but im not at that stage
>> >> yet.
>> >>
>> >> The n3td3v group is still free from government influence, apart from
>> >> the 'big media' who control us all.
>> >>
>> >> I fear this won't last forever, there are people trying to control
>> >> what "n3td3v" is doing behind the scenes, because its become a big
>> >> powerful name in the 'cyber security' arena.
>> >
>> > u have delusions of grandeur. u rnt a big powerful name. u rnt a
>> > group. u r just u. nd no 1 knows u.
>> >
>> >
>> >> I will as long as I can make n3td3v be free and independent from the
>> >> intelligence services, but if they offer me a job how will I stop
>> >> myself being influenced by their agenda?
>> >
>> > this is why. n3td3v = andrew wallace.
>> >
>>
>> Thanks for your feedback on what you think, not that I or anyone or
>> this list care what you think.
>>
>> -Andrew
>>
>> http://twitter.com/n3td3v

--
http://www.astorandblack.com
Re: [Full-disclosure] new unpatched security flaw found Firefox 3.0.4
Maybe one day it will be exploited as a bug.

On Wed, Dec 17, 2008 at 12:28 PM, Andrew Farmer wrote:
> On 16 Dec 08, at 11:49, carl hardwick wrote:
> > New unpatched security flaw found in Firefox 3.0.4
> > PoC here: https://bugzilla.mozilla.org/attachment.cgi?id=302699
>
> Relevant bug is https://bugzilla.mozilla.org/show_bug.cgi?id=416907
>
> This doesn't appear to be security-critical - it's a NULL dereference.

--
http://www.astorandblack.com
Re: [Full-disclosure] request for comments...
N3td3v, the FD voice.

2008/12/17 n3td3v
> On Tue, Dec 16, 2008 at 6:53 PM, Ureleet wrote:
> > On Tue, Dec 16, 2008 at 11:59 AM, n3td3v wrote:
> >> On Tue, Dec 16, 2008 at 4:16 PM, jose achada wrote:
> >>> no physical barriers are imposed and nor the big media can hide you.
> >>
> >> The intelligence services have been in control of the "big media" and
> >> have been for some time.
> >
> > ill agree there.
> >
> >
> >> When I started full-disclosure I was innocent and pure, then I met
> >> various people and realised how the world really works.
> >
> > u didnt start fulldisclosure, u mean 2 say, when u started ON fd. but
> > according 2 ur posts be4 fd existed that i have googled, thats a lie.
> >
> >
> >> I met them on-line and in person, they wanted a slice of n3td3v, they
> >> wanted to control the path n3td3v takes...
> >>
> >> I told them I won't allow you to do that, but you can be with me and
> >> we can progress together...
> >>
> >> I still get emails from the intelligence services trying to give me
> >> advice on the path of n3td3v, but I reject all advice.
> >
> > obviously
> >
> >> I know that the government can impose big guys to come after me to
> >> force me to 'go with their agenda, not mine' but im not at that stage
> >> yet.
> >>
> >> The n3td3v group is still free from government influence, apart from
> >> the 'big media' who control us all.
> >>
> >> I fear this won't last forever, there are people trying to control
> >> what "n3td3v" is doing behind the scenes, because its become a big
> >> powerful name in the 'cyber security' arena.
> >
> > u have delusions of grandeur. u rnt a big powerful name. u rnt a
> > group. u r just u. nd no 1 knows u.
> >
> >
> >> I will as long as I can make n3td3v be free and independent from the
> >> intelligence services, but if they offer me a job how will I stop
> >> myself being influenced by their agenda?
> >
> > this is why. n3td3v = andrew wallace.
> >
>
> Thanks for your feedback on what you think, not that I or anyone or
> this list care what you think.
>
> -Andrew
>
> http://twitter.com/n3td3v
Re: [Full-disclosure] request for comments...
On Tue, Dec 16, 2008 at 6:53 PM, Ureleet wrote:
> On Tue, Dec 16, 2008 at 11:59 AM, n3td3v wrote:
>> On Tue, Dec 16, 2008 at 4:16 PM, jose achada wrote:
>>> no physical barriers are imposed and nor the big media can hide you.
>>
>> The intelligence services have been in control of the "big media" and
>> have been for some time.
>
> ill agree there.
>
>
>> When I started full-disclosure I was innocent and pure, then I met
>> various people and realised how the world really works.
>
> u didnt start fulldisclosure, u mean 2 say, when u started ON fd. but
> according 2 ur posts be4 fd existed that i have googled, thats a lie.
>
>
>> I met them on-line and in person, they wanted a slice of n3td3v, they
>> wanted to control the path n3td3v takes...
>>
>> I told them I won't allow you to do that, but you can be with me and
>> we can progress together...
>>
>> I still get emails from the intelligence services trying to give me
>> advice on the path of n3td3v, but I reject all advice.
>
> obviously
>
>> I know that the government can impose big guys to come after me to
>> force me to 'go with their agenda, not mine' but im not at that stage
>> yet.
>>
>> The n3td3v group is still free from government influence, apart from
>> the 'big media' who control us all.
>>
>> I fear this won't last forever, there are people trying to control
>> what "n3td3v" is doing behind the scenes, because its become a big
>> powerful name in the 'cyber security' arena.
>
> u have delusions of grandeur. u rnt a big powerful name. u rnt a
> group. u r just u. nd no 1 knows u.
>
>
>> I will as long as I can make n3td3v be free and independent from the
>> intelligence services, but if they offer me a job how will I stop
>> myself being influenced by their agenda?
>
> this is why. n3td3v = andrew wallace.
>

Thanks for your feedback on what you think, not that I or anyone or this list care what you think.

-Andrew

http://twitter.com/n3td3v
Re: [Full-disclosure] new unpatched security flaw found Firefox 3.0.4
On 16 Dec 08, at 11:49, carl hardwick wrote:
> New unpatched security flaw found in Firefox 3.0.4
> PoC here: https://bugzilla.mozilla.org/attachment.cgi?id=302699

Relevant bug is https://bugzilla.mozilla.org/show_bug.cgi?id=416907

This doesn't appear to be security-critical - it's a NULL dereference.