[Full-disclosure] [ MDVSA-2010:219 ] mozilla-thunderbird

2010-11-01 Thread security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:219
 http://www.mandriva.com/security/
 ___

 Package : mozilla-thunderbird
 Date: November 1, 2010
 Affected: 2009.0, 2010.0, 2010.1
 ___

 Problem Description:

 A security issue was identified and fixed in mozilla-thunderbird:
 
 Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.14
 and 3.6.x through 3.6.11, when JavaScript is enabled, allows remote
 attackers to execute arbitrary code via unknown vectors, as exploited
 in the wild in October 2010 by the Belmoo malware (CVE-2010-3765).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 Additionally, some packages that depend on mozilla-thunderbird have been
 rebuilt and are being provided as updates.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3765
 http://www.mozillamessaging.com/en-US/thunderbird/3.0.11/releasenotes/
 ___

 Updated Packages:

 Mandriva Linux 2009.0:

[Full-disclosure] Call for Papers -YSTS V - Security Conference, Brazil

2010-11-01 Thread Luiz Eduardo
Hello Full-Disclosure, the CFP for YSTS V is now open!

---

YSTS 5th Edition

Sao Paulo, Brazil

May 16th, 2011

Call for Papers Opens: November 1st 2010
Call for Papers Close: February 28th 2011
http://www.ysts.org
@ystscon

INTRODUCTION

Following the success of previous editions, the 5th edition of the you
Sh0t the Sheriff security conference will happen on May 16th, 2011 in
Sao Paulo, Brazil. This is your chance to speak about that cool
research you've been working on, to those who matter in the Brazilian
Information Security realm.

ABOUT THE CONFERENCE

you Sh0t the Sheriff is a unique one-day event dedicated to
bringing cutting edge talks to the top-notch professionals of the
Information Security Community in Brazil.

The conference’s main goal is to bring the attendees to the most
up-to-date state of the information security world by mixing
professionals and topics from different Infosec segments of the
market.

yStS is a very exclusive, mostly invite-only security con. Getting a
talk accepted, will, not only get you to the event, but after you
successfully present your talk, you will receive a challenge-coin that
guarantees your entry to yStS for as long as the conference exists.

Due to the great success of the previous years' editions, yes, we're
keeping the same format:

* YSTS 5 will be held at an almost secret location only announced to whom
it may concern a couple of weeks before the con
* the venue will be, most likely, a club or a bar
* cool environment to network with great security folks from Brazil and abroad
* since it’s a 1 day con with tons of talks, we provide coffee, lunch
and an open-bar in the afternoon


CONFERENCE FORMAT

Anything Information Security related is interesting for the
conference, although we do not accept commercial/ product-related
talks.

Just in case you need some ideas, some of the stuff that would be
interesting to us are:

 * Operating Systems
 * Career and Management topics
 * Mobile Devices/Embedded Systems
 * Information Security Audit and Control
 * Social Networking and Search Engine Hacks & Threats
 * Information Security Policies
 * Privacy
 * Messing with Network Protocols
 * Security from layer 1 through 7
 * 802.11 Wireless and any RF related stuff for that matter
 * Authentication
 * Crypto
 * Incident Response & other applicable (and useful) Infosec Policies
 * Information Warfare
 * Malware
 * Botnets
 * Secure Programming
 * Hacker Spaces
 * Application and Protocol Fuzzing
 * Physical Security
 * Virtualization
 * Webapp Security
 * DataBase Security
 * the Cloud
 * Cryptography
 * System Weaknesses
 * Infrastructure and Critical Systems
 * Social Engineering
 * Reverse Engineering
 * Social Reverse Engineering
 * Reversing Social Engineering
 * Caipirinha and Feijoada Hacks
 * and everything else information security related that our attendees
would enjoy

We do like shorter talks, so, please submit your talks and remember
they must be 30 minutes long. (yes, we do strictly enforce that)

We're also open to some 15-minute talks; some of the smart people
around might not need 30 minutes to deliver a message, or it might be
a project that has just been kicked off.
15 minutes might be your thing and that's nothing to be ashamed about.

you Sh0t the Sheriff is the perfect conference to release your new
projects, trust us, other people have released cool stuff before they
presented it at the big cons.
And yes, we do prefer new hot-topics and, yes, first-time speakers
are more than welcome.
If you got good stuff to speak about, that's all that matters.

SPEAKER PRIVILEGES
(and, that applies only to the 30 minute-long talks)

* USD 1,000.00 to help cover travel expenses for international speakers
* Breakfast, lunch and dinner during conference
* Pre-and-post-conference official party (and the unofficial ones as well)
* Auditing products in traditional Brazilian barbecue restaurants
* Life-time free admission for all future yStS conferences (yes, if you've
spoken before at yStS, you have your free-entry guaranteed, just buy us a
beer, ohh, wait, it's free anyways, isn't it?)


CFP IMPORTANT INFO

Each paper submission must include the following information:

 * Name, title, address, email and phone/contact number
 * Short biography and qualification
 * Speaking experience
 * Do you need or have a visa to come to Brasil?
 * Summary or abstract for your presentation
 * is it a 30 minute or a 15 minute talk?
 * Technical requirements (others than LCD Projector)
 * Other publications or conferences where this material has been or
   will be published/submitted.


VERY IMPORTANT DATES

Final CFP Submission - February 28th, 2011
Final Notification of Acceptance - March 20th, 2011
Final Material Submission for accepted presentations - May 5th, 2011


All submissions must be sent via email, in text format only to: cfp/at/ysts.org

IMPORTANT CONTACT INFORMATION

Paper Submissions: cfp/at/ysts.org
General Inquiries:

Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-11-01 Thread Mario Vilas
It would indeed be vulnerable to that, and you're also right about this
attack vector being quite small.

But IMHO an updates mechanism that signs its packages is quite easy to
implement, so we're talking about getting a tangible benefit from a small
effort. Preventing the signing key from being stolen is a different matter
entirely - it has to do with the vendor's own network infrastructure
security. Unsigned updates, on the other hand, rely on the client network's
security, which cannot be controlled by the vendor.

In other words, a signed updates mechanism is clearly more secure than an
unsigned updates mechanism, even if neither can be 100% secure, and it
comes at very little cost. Also, there's no such thing as a 100% secure
system. :)

BTW, I don't think the programmers of each application should be developing
their own signature code. Never code your own crypto, just use what's
available. Also, I believe the operating system should provide the
mechanism, not the application.

On Sun, Oct 31, 2010 at 3:36 PM, valdis.kletni...@vt.edu wrote:

 On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:

  Just signing the update packages prevents this attack, so it's not that hard
  to fix.

 Except if a signing key gets compromised, as happened to one Linux vendor
 recently, causing a lot of kerfluffle...  Setting up a proper signing system
 involves a certain amount of actual cost and effort.  And every organization
 that produces code, be it for-profit proprietary code or free open-source code,
 has to make resource tradeoffs.

 Is there any actual *evidence* that hijacking authorized updates is a big
 enough problem to be worth it?  If each year, 5 of their customers get pwned
 by the sort of attack that Evilgrade does, but 50,000 get pwned by click here
 popups that code signing won't do squat to prevent, is it really worth their
 time and effort?  Sure, sucks to be one of the 5, but if they instead spend the
 resources to do something *else* to make their customer's lives better that
 would benefit thousands rather than the 5




-- 
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won’t you show her where we keep the euphemism?
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-11-01 Thread Jeffrey Walton
On Sun, Oct 31, 2010 at 10:36 AM,  valdis.kletni...@vt.edu wrote:
 On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:

 Just signing the update packages prevents this attack, so it's not that hard
 to fix.

 Except if a signing key gets compromised, as happened to one Linux vendor
 recently, causing a lot of kerfluffle...
??? Are you ptoposing to throw the baby out with the bath water ??? I
would not have expected that from *.edu.



Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-11-01 Thread Christian Sciberras
No, he's just saying that a bank might be accidentally broken and
robbed... accidentally... of course



On Mon, Nov 1, 2010 at 4:13 PM, Jeffrey Walton noloa...@gmail.com wrote:

 On Sun, Oct 31, 2010 at 10:36 AM,  valdis.kletni...@vt.edu wrote:
  On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:
 
   Just signing the update packages prevents this attack, so it's not that hard
   to fix.
 
  Except if a signing key gets compromised, as happened to one Linux vendor
  recently, causing a lot of kerfluffle...
 ??? Are you ptoposing to throw the baby out with the bath water ??? I
 would not have expected that from *.edu.



Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-11-01 Thread Jeffrey Walton
On Mon, Nov 1, 2010 at 12:26 PM, Jhfjjf Hfdsjj taser3...@yahoo.com wrote:


On Sun, Oct 31, 2010 at 10:36 AM,  valdis.kletni...@vt.edu wrote:
 On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:

  Just signing the update packages prevents this attack, so it's not that hard
  to fix.

 Except if a signing key gets compromised, as happened to one Linux vendor
 recently, causing a lot of kerfluffle...

??? Are you ptoposing to throw the baby out with the bath water ??? I
would not have expected that from *.edu.

 I do not believe anyone is 'ptoposing' anything. All he said was that package
 signing should not be taken as a silver bullet, for experience has shown that
 the keys themselves are capable of being compromised if a vendor is
 successfully attacked.

 Exactly what I would expect from *.edu
I read differently,



Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-11-01 Thread Jhfjjf Hfdsjj


On Sun, Oct 31, 2010 at 10:36 AM,  valdis.kletni...@vt.edu wrote:
 On Sun, 31 Oct 2010 13:09:27 BST, Mario Vilas said:

 Just signing the update packages prevents this attack, so it's not that hard
 to fix.

 Except if a signing key gets compromised, as happened to one Linux vendor
 recently, causing a lot of kerfluffle...

??? Are you ptoposing to throw the baby out with the bath water ??? I
would not have expected that from *.edu.

I do not believe anyone is 'ptoposing' anything. All he said was that package
signing should not be taken as a silver bullet, for experience has shown that
the keys themselves are capable of being compromised if a vendor is
successfully attacked.

Exactly what I would expect from *.edu


  



Re: [Full-disclosure] Evilgrade 2.0 - the update explotation framework is back

2010-11-01 Thread Jhfjjf Hfdsjj


 I do not believe anyone is 'ptoposing' anything. All he said was that package
 signing should not be taken as a silver bullet, for experience has shown that
 the keys themselves are capable of being compromised if a vendor is
 successfully attacked.

 Exactly what I would expect from *.edu

I read differently,

Then by all means, elaborate.



  



[Full-disclosure] [SECURITY] [DSA 2123-1] New NSS packages fix cryptographic weaknesses

2010-11-01 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-2123-1  secur...@debian.org
http://www.debian.org/security/   Florian Weimer
November 01, 2010 http://www.debian.org/security/faq
- 

Package: nss
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)  : CVE-2010-3170 CVE-2010-3173

Several vulnerabilities have been discovered in Mozilla's Network
Security Services (NSS) library.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2010-3170
NSS recognizes a wildcard IP address in the subject's Common
Name field of an X.509 certificate, which might allow
man-in-the-middle attackers to spoof arbitrary SSL servers via
a crafted certificate issued by a legitimate Certification
Authority.
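A minimal reference-identifier matcher, added here to illustrate the class of bug behind CVE-2010-3170 (this is example code, not part of the advisory or of NSS): `weak_match` feeds any reference, IP literals included, straight into label-wise wildcard matching, so a dotted-quad looks like a four-label host name; `hardened_match` treats an IP reference as matching only an identical IP literal and tightens the wildcard rules (a whole-label `*` in the left-most label only, with at least two labels beneath it). The function names and exact rules are this example's own.

```python
import ipaddress


def _parse_ip(text):
    """Return an ip_address object if text is an IPv4/IPv6 literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _labels(name):
    """Lower-case, strip a trailing dot, and split a name into its labels."""
    return name.rstrip(".").lower().split(".")


def wildcard_match(pattern, name):
    """Label-by-label match with '*' allowed in the left-most label only.

    Deliberately IP-unaware: this is the piece a CVE-2010-3170-style bug gets
    wrong, because "192.168.1.1" splits into labels exactly like a host name.
    """
    p, n = _labels(pattern), _labels(name)
    if len(p) != len(n) or p[1:] != n[1:]:
        return False
    if "*" not in p[0]:
        return p[0] == n[0]
    head, _, tail = p[0].partition("*")
    if "*" in tail:
        return False                      # at most one '*' in the label
    first = n[0]
    return (len(first) >= len(head) + len(tail)
            and first.startswith(head) and first.endswith(tail))


def weak_match(presented, reference):
    """Models the flawed behaviour: the reference identifier, even when it is
    an IP address, is handed to the wildcard matcher unchanged."""
    return wildcard_match(presented, reference)


def hardened_match(presented, reference):
    """Reference-identifier matching that keeps IP literals and wildcards apart."""
    ref_ip = _parse_ip(reference)
    if ref_ip is not None:
        # An IP reference matches only an identical IP literal in the cert;
        # wildcards never apply, so '*.168.1.1' cannot stand in for 192.168.1.1.
        pres_ip = _parse_ip(presented)
        return pres_ip is not None and pres_ip == ref_ip
    if _parse_ip(presented) is not None:
        return False   # an IP literal in the cert cannot satisfy a DNS-name reference
    p = _labels(presented)
    if any("*" in label for label in p[1:]):
        return False   # wildcard only in the left-most label
    if "*" in p[0] and (p[0] != "*" or len(p) < 3):
        return False   # whole-label '*' only, and never directly under a TLD
    return wildcard_match(presented, reference)
```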

CVE-2010-3173
NSS does not properly set the minimum key length for
Diffie-Hellman Ephemeral (DHE) mode, which makes it easier for
remote attackers to defeat cryptographic protection mechanisms
via a brute-force attack.
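The client-side floor that CVE-2010-3173 is about, shown on the wire format as an added example (not NSS code): the ServerDHParams block of a TLS ServerKeyExchange is three length-prefixed vectors (dh_p, dh_g, dh_Ys); the check below parses them and rejects a modulus shorter than a configured minimum. The sample moduli are constructed odd numbers of the right size, not primes, and the 1024-bit floor is an assumed value for the example.

```python
import struct

MIN_DHE_BITS = 1024   # assumed floor for this example


class WeakDHParams(ValueError):
    """Raised when the server's DHE parameters fall below the configured floor."""


def _read_vector(buf, offset):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte big-endian length + body."""
    if offset + 2 > len(buf):
        raise ValueError("truncated vector length")
    (length,) = struct.unpack_from("!H", buf, offset)
    offset += 2
    if length == 0 or offset + length > len(buf):
        raise ValueError("truncated vector body")
    return buf[offset:offset + length], offset + length


def encode_server_dh_params(p, g, ys):
    """Serialise ServerDHParams {dh_p, dh_g, dh_Ys} as a ServerKeyExchange carries them."""
    out = b""
    for value in (p, g, ys):
        body = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(body)) + body
    return out


def parse_server_dh_params(buf):
    """Decode dh_p, dh_g, dh_Ys into ints; also report how many bytes were consumed."""
    p_bytes, off = _read_vector(buf, 0)
    g_bytes, off = _read_vector(buf, off)
    ys_bytes, off = _read_vector(buf, off)
    return {
        "p": int.from_bytes(p_bytes, "big"),
        "g": int.from_bytes(g_bytes, "big"),
        "Ys": int.from_bytes(ys_bytes, "big"),
        "consumed": off,
    }


def check_server_dh_params(buf, min_bits=MIN_DHE_BITS):
    """Parse and validate; return the modulus size in bits or raise WeakDHParams.

    The bit-length floor is the check the advisory is about. The range checks
    on g and Ys are cheap sanity checks; primality of p is not verified here.
    """
    params = parse_server_dh_params(buf)
    p, g, ys = params["p"], params["g"], params["Ys"]
    bits = p.bit_length()
    if bits < min_bits:
        raise WeakDHParams(f"DHE modulus is {bits} bits, below the {min_bits}-bit floor")
    if p % 2 == 0:
        raise WeakDHParams("DHE modulus is even")
    if not 1 < g < p - 1:
        raise WeakDHParams("generator out of range")
    if not 1 < ys < p - 1:
        raise WeakDHParams("server public value out of range")
    return bits


# Constructed sample moduli: odd numbers of the wanted size, NOT real primes.
WEAK_P = (1 << 511) | 1     # 512-bit, the kind of size the floor must reject
OK_P = (1 << 1023) | 1      # 1024-bit
WEAK_SKE = encode_server_dh_params(WEAK_P, 2, WEAK_P - 2)
OK_SKE = encode_server_dh_params(OK_P, 2, OK_P - 2)
```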

For the stable distribution (lenny), these problems have been fixed in
version 3.12.3.1-0lenny2.

For the unstable distribution (sid) and the upcoming stable
distribution (squeeze), these problems have been fixed in version
3.12.8-1.

We recommend that you upgrade your NSS packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Source archives:


[Full-disclosure] [SECURITY] [DSA 2124-1] New Xulrunner packages fix several vulnerabilities

2010-11-01 Thread Florian Weimer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-2124-1  secur...@debian.org
http://www.debian.org/security/   Florian Weimer
November 01, 2010 http://www.debian.org/security/faq
- 

Package: xulrunner
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)  : CVE-2010-3765 CVE-2010-3174 CVE-2010-3176 CVE-2010-3177 
CVE-2010-3178 CVE-2010-3179 CVE-2010-3180 CVE-2010-3183

Several vulnerabilities have been discovered in Xulrunner, the
component that provides the core functionality of Iceweasel, Debian's
variant of Mozilla's browser technology.

The Common Vulnerabilities and Exposures project identifies the
following problems:

CVE-2010-3765
Xulrunner allows remote attackers to execute arbitrary code
via vectors related to nsCSSFrameConstructor::ContentAppended,
the appendChild method, incorrect index tracking, and the
creation of multiple frames, which triggers memory corruption.

CVE-2010-3174
CVE-2010-3176
Multiple unspecified vulnerabilities in the browser engine in
Xulrunner allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors.

CVE-2010-3177
Multiple cross-site scripting (XSS) vulnerabilities in the
Gopher parser in Xulrunner allow remote attackers to inject
arbitrary web script or HTML via a crafted name of a (1) file
or (2) directory on a Gopher server.

CVE-2010-3178
Xulrunner does not properly handle certain modal calls made by
javascript: URLs in circumstances related to opening a new
window and performing cross-domain navigation, which allows
remote attackers to bypass the Same Origin Policy via a
crafted HTML document.

CVE-2010-3179
Stack-based buffer overflow in the text-rendering
functionality in Xulrunner allows remote attackers to execute
arbitrary code or cause a denial of service (memory corruption
and application crash) via a long argument to the
document.write method.

CVE-2010-3180
Use-after-free vulnerability in the nsBarProp function in
Xulrunner allows remote attackers to execute arbitrary code by
accessing the locationbar property of a closed window.

CVE-2010-3183
The LookupGetterOrSetter function in Xulrunner does not
properly support window.__lookupGetter__ function calls that
lack arguments, which allows remote attackers to execute
arbitrary code or cause a denial of service (incorrect pointer
dereference and application crash) via a crafted HTML
document.

In addition, this security update includes corrections for regressions
caused by the fixes for CVE-2010-0654 and CVE-2010-2769 in DSA-2075-1
and DSA-2106-1.

For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.19-6.

For the unstable distribution (sid) and the upcoming stable
distribution (squeeze), these problems have been fixed in version
3.5.15-1 of the iceweasel package.

We recommend that you upgrade your Xulrunner packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Source archives:


[Full-disclosure] Security-Assessment.com Advisory: BroadWorks Call Detail Record Disclosure Vulnerability

2010-11-01 Thread Nick Freeman

   (, ) (,
  .   `.' ) ('.',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _/  / _  \     _  
 \  \==/ /_\  \ _/ ___\/  _ \ / \
 /   \/   |\\  \__(  _ )  Y Y  \
/__  /\___|__  / \___  /|__|_|  /
\/ \/.-.\/ \/:wq
(x.0)
  '=.|w|.='
  _='```=.

presents..


Name : BroadWorks Call Detail Record Disclosure Vulnerability
Vendor Website   : http://broadsoft.com/products/broadworks/
Date Released: November 2, 2010
Affected Software: BroadWorks <= R16
Researcher   : Nick Freeman (nick.free...@security-assessment.com)


PDF:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.pdf
TXT:
http://security-assessment.com/files/advisories/BroadWorks_Call_Detail_Record_Disclosure_Vulnerability.txt


+---+
|Description|
+---+

Security-Assessment.com discovered an issue regarding privilege
separation between different enterprise groups within BroadWorks.
This issue allows a user with Attendant Console privileges to
view and record live call detail records for any user of the
system, including users from other organisations.


++
|Exploitation|
++


Eavesdropping of call detail records requires knowledge of the target
user’s BroadWorks username, e.g. 098765...@serviceprovider.com.
BroadWorks uses Client Application Protocol (CAP) XML messages to
communicate between client applications and the BroadWorks platform. One
of the messages, monitoringUsersRequest, is transmitted by the Attendant
Console to BroadWorks during the logon procedure. This command includes
a list of usernames that the Attendant Console can monitor for incoming
and outgoing calls. A malicious user can replay this message with
usernames from other enterprises, and once this operation has completed,
all incoming and outgoing calls for the target user(s) will be visible to
the Attendant.


A basic proxy is available at
http://www.security-assessment.com/files/advisories/bwe.py which can
intercept and modify the XML stream, allowing the injection of
monitoringUsersRequest packets.
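What a server-side fix has to do in principle, as an added example that is not BroadSoft's code: the platform honours a monitoringUsersRequest only when every userId it lists belongs to the attendant's own enterprise, and fails closed otherwise, since the client-supplied list can be replayed or edited as described above. The XML layout, element names, directory and user ids below are all constructed assumptions, not the CAP schema.

```python
import xml.etree.ElementTree as ET

# Constructed directory: BroadWorks user id -> enterprise it belongs to.
DIRECTORY = {
    "attendant@enterprise-a.example": "enterprise-a",
    "alice@enterprise-a.example": "enterprise-a",
    "bob@enterprise-a.example": "enterprise-a",
    "098765@serviceprovider.com": "enterprise-b",
}

# Constructed message in an assumed layout; element names are not the real schema.
# It mixes one in-enterprise user with one from another enterprise.
REPLAYED_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<BroadsoftDocument protocol="CAP" version="16.0">
  <sessionId>sess-0001</sessionId>
  <command commandType="monitoringUsersRequest">
    <userId>alice@enterprise-a.example</userId>
    <userId>098765@serviceprovider.com</userId>
  </command>
</BroadsoftDocument>
"""


def monitored_user_ids(xml_text):
    """Return the userId values a monitoringUsersRequest asks to monitor.

    xml.etree is used for brevity; at a real service boundary parse with
    entity expansion disabled and a size limit on the message.
    """
    root = ET.fromstring(xml_text)
    cmd = root.find("command[@commandType='monitoringUsersRequest']")
    if cmd is None:
        raise ValueError("not a monitoringUsersRequest")
    ids = [(u.text or "").strip() for u in cmd.findall("userId")]
    if not ids or any(not u for u in ids):
        raise ValueError("empty userId list or blank entry")
    return ids


def authorize_monitoring(xml_text, attendant_id, directory=DIRECTORY):
    """The check the platform must do itself, whatever the client claims.

    Returns (allowed, denied): allowed is True only when every requested user
    is in the attendant's own enterprise; an unknown attendant is denied all.
    """
    enterprise = directory.get(attendant_id)
    requested = monitored_user_ids(xml_text)
    denied = [u for u in requested
              if enterprise is None or directory.get(u) != enterprise]
    return (not denied), denied


def audit_line(xml_text, attendant_id, directory=DIRECTORY):
    """One log line per request, so cross-enterprise attempts are alertable."""
    allowed, denied = authorize_monitoring(xml_text, attendant_id, directory)
    verdict = "ALLOW" if allowed else "DENY"
    return (f"cap cmd=monitoringUsersRequest attendant={attendant_id} "
            f"verdict={verdict} denied={','.join(denied) or '-'}")
```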


++
|Solution|
++

A patch is available from Broadsoft for this vulnerability.


+--+
|Credit|
+--+

Discovered and advised to Broadworks June 2010 by Nick Freeman of
Security-Assessment.com.


+-+
|About Security-Assessment.com|
+-+

Security-Assessment.com is a New Zealand based world leader in web
application testing, network security and penetration testing.
Security-Assessment.com services organisations across New Zealand,
Australia, Asia Pacific, the United States and the United Kingdom.




