Details of VAR-200808-0011

ID

VAR-200808-0011

CVE

CVE-2008-2370

TITLE

Multiple PHP XML-RPC implementations vulnerable to code injection

Trust: 0.8

sources: CERT/CC: VU#442845

DESCRIPTION

Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. A vulnerability in a common PHP extension module could allow a remote attacker to execute code on a vulnerable system. Apache Tomcat is prone to a remote information-disclosure vulnerability. Remote attackers can exploit this issue to obtain the contents of sensitive files stored on the server. Information obtained may lead to further attacks. The following versions are affected: Tomcat 4.1.0 through 4.1.37 Tomcat 5.5.0 through 5.5.26 Tomcat 6.0.0 through 6.0.16 Tomcat 3.x, 4.0.x, and 5.0.x may also be affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2008-2370: Apache Tomcat information disclosure vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: Tomcat 4.1.0 to 4.1.37 Tomcat 5.5.0 to 5.5.26 Tomcat 6.0.0 to 6.0.16 The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected Description: When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. Mitigation: 6.0.x users should upgrade to 6.0.18 5.5.x users should obtain the latest source from svn or apply this patch which will be included from 5.5.27 http://svn.apache.org/viewvc?rev=680949&view=rev 4.1.x users should obtain the latest source from svn or apply this patch which will be included from 4.1.38 http://svn.apache.org/viewvc?rev=680950&view=rev Example: For a page that contains: <% pageContext.forward("/page2.jsp?somepar=someval&par="+request.getParameter("blah")); %> an attacker can use: http://host/page.jsp?blah=/../WEB-INF/web.xml Credit: This issue was discovered by Stefano Di Paola of Minded Security Research Labs. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01650939 Version: 1 HPSBUX02401 SSRT090005 rev.1 - HP-UX Running Apache Web Server Suite, Remote Denial of Service (DoS), Cross-site Scripting (XSS), Execution of Arbitrary Code, Cross-Site Request Forgery (CSRF) NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2009-02-02 Last Updated: 2009-02-02 Potential Security Impact: Remote Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, cross-site request forgery (CSRF) Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server or Tomcat-based Servelet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS), execution of arbitrary code, or cross-site request forgery (CSRF). Apache-based Web Server and Tomcat-based Servelet Engine are contained in the Apache Web Server Suite. References: CVE-2007-6420, CVE-2008-1232, CVE-2008-1947, CVE-2008-2364, CVE-2008-2370, CVE-2008-2938, CVE-2008-2939, CVE-2008-3658 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.23 and B.11.31 running Apache-based Web Server v2.2.8.01.01 or earlier or Tomcat-based Servelet Engine v5.5.27.01.01 or earlier HP-UX B.11.11 running Apache-based Web Server v2.2.8.01.01 or earlier BACKGROUND CVSS 2.0 Base Metrics =============================================== Reference Base Vector Base Score CVE-2007-6420 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-1232 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-1947 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-2364 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0 CVE-2008-2370 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 5.0 CVE-2008-2938 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-2939 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2008-3658 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 7.5 =============================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002. RESOLUTION HP has provided the following upgrades to resolve these vulnerabilities. The upgrades are available from the following location: URL: http://software.hp.com Note: HP-UX Web Server Suite v.3.02 contains HP-UX Apache-based Web Server v.2.2.8.01.02 and HP-UX Tomcat-based Servlet Engine 5.5.27.01.01 HP-UX Release - B.11.23 and B.11.31 PA-32 Apache Depot name - HPUXWSATW-B302-32.depot HP-UX Release - B.11.23 and B.11.31 IA-64 Apache Depot name - HPUXWSATW-B302-64.depot HP-UX Release - B.11.11 PA-32 Apache Depot name - HPUXWSATW-B222-1111.depot MANUAL ACTIONS: Yes - Update Install Apache-based Web Server or Tomcat-based Servelet Engine from the Apache Web Server Suite v3.02 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 ================== hpuxwsAPACHE.APACHE hpuxwsAPACHE.APACHE2 hpuxwsAPACHE.AUTH_LDAP hpuxwsAPACHE.AUTH_LDAP2 hpuxwsAPACHE.MOD_JK hpuxwsAPACHE.MOD_JK2 hpuxwsAPACHE.MOD_PERL hpuxwsAPACHE.MOD_PERL2 hpuxwsAPACHE.PHP hpuxwsAPACHE.PHP2 hpuxwsAPACHE.WEBPROXY hpuxwsTOMCAT.TOMCAT hpuxwsWEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com HP-UX B.11.23 ================== hpuxws22APCH32.APACHE hpuxws22APCH32.APACHE2 hpuxws22APCH32.AUTH_LDAP hpuxws22APCH32.AUTH_LDAP2 hpuxws22APCH32.MOD_JK hpuxws22APCH32.MOD_JK2 hpuxws22APCH32.MOD_PERL hpuxws22APCH32.MOD_PERL2 hpuxws22APCH32.PHP hpuxws22APCH32.PHP2 hpuxws22APCH32.WEBPROXY hpuxws22APCH32.WEBPROXY2 hpuxws22TOMCAT.TOMCAT hpuxws22WEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com HP-UX B.11.31 ================== hpuxws22APACHE.APACHE hpuxws22APACHE.APACHE2 hpuxws22APACHE.AUTH_LDAP hpuxws22APACHE.AUTH_LDAP2 hpuxws22APACHE.MOD_JK hpuxws22APACHE.MOD_JK2 hpuxws22APACHE.MOD_PERL hpuxws22APACHE.MOD_PERL2 hpuxws22APACHE.PHP hpuxws22APACHE.PHP2 hpuxws22APACHE.WEBPROXY hpuxws22APACHE.WEBPROXY2 hpuxws22TOMCAT.TOMCAT hpuxws22WEBMIN.WEBMIN action: install revision B.2.2.8.01.02 or subsequent URL: http://software.hp.com END AFFECTED VERSIONS HISTORY Version:1 (rev.1) 2 February 2009 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." \xa9Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2009-0016 Synopsis: VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components Issue date: 2009-11-20 Updated on: 2009-11-20 (initial release of advisory) CVE numbers: --- JRE --- CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1102 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2675 CVE-2009-2676 CVE-2009-2716 CVE-2009-2718 CVE-2009-2719 CVE-2009-2720 CVE-2009-2721 CVE-2009-2722 CVE-2009-2723 CVE-2009-2724 --- Tomcat --- CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 CVE-2009-0783 CVE-2008-1232 CVE-2008-1947 CVE-2008-2370 CVE-2007-5333 CVE-2007-5342 CVE-2007-5461 CVE-2007-6286 CVE-2008-0002 --- ntp --- CVE-2009-1252 CVE-2009-0159 --- kernel --- CVE-2008-3528 CVE-2008-5700 CVE-2009-0028 CVE-2009-0269 CVE-2009-0322 CVE-2009-0675 CVE-2009-0676 CVE-2009-0778 CVE-2008-4307 CVE-2009-0834 CVE-2009-1337 CVE-2009-0787 CVE-2009-1336 CVE-2009-1439 CVE-2009-1633 CVE-2009-1072 CVE-2009-1630 CVE-2009-1192 CVE-2007-5966 CVE-2009-1385 CVE-2009-1388 CVE-2009-1389 CVE-2009-1895 CVE-2009-2406 CVE-2009-2407 CVE-2009-2692 CVE-2009-2698 CVE-2009-0745 CVE-2009-0746 CVE-2009-0747 CVE-2009-0748 CVE-2009-2847 CVE-2009-2848 --- python --- CVE-2007-2052 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 --- bind --- CVE-2009-0696 --- libxml and libxml2 --- CVE-2009-2414 CVE-2009-2416 --- curl -- CVE-2009-2417 --- gnutil --- CVE-2007-2052 - ----------------------------------------------------------------------- 1. Summary Updated Java JRE packages and Tomcat packages address several security issues. Updates for the ESX Service Console and vMA include kernel, ntp, Python, bind libxml, libxml2, curl and gnutil packages. ntp is also updated for ESXi userworlds. 2. Relevant releases vCenter Server 4.0 before Update 1 ESXi 4.0 without patch ESXi400-200911201-UG ESX 4.0 without patches ESX400-200911201-UG, ESX400-200911223-UG, ESX400-200911232-SG, ESX400-200911233-SG, ESX400-200911234-SG, ESX400-200911235-SG, ESX400-200911237-SG, ESX400-200911238-SG vMA 4.0 before patch 02 3. Problem Description a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 4.0 Windows Update 1 VirtualCenter 2.5 Windows affected, patch pending VirtualCenter 2.0.2 Windows affected, patch pending Workstation any any not affected Player any any not affected Server 2.0 any affected, patch pending Server 1.0 any not affected ACE any any not affected Fusion any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200911223-UG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 Patch 2 * * vMA JRE is updated to version JRE 1.5.0_21 Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The currently installed version of JRE depends on your patch deployment history. b. Update Apache Tomcat version to 6.0.20 Update for VirtualCenter and ESX patch update the Tomcat package to version 6.0.20 which addresses multiple security issues that existed in the previous version of Apache Tomcat. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.20: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286, CVE-2008-0002. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ======== ======== ======= ======================= vCenter 4.0 Windows Update 1 VirtualCenter 2.5 Windows affected, patch pending VirtualCenter 2.0.2 Windows affected, patch pending Workstation any any not affected Player any any not affected ACE any Windows not affected Server 2.x any affected, patch pending Server 1.x any not affected Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200911223-UG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 not affected Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The currently installed version of Tomcat depends on your patch deployment history. c. Third party library update for ntp. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the following security issue. Note that the same security issue is present in the ESX Service Console as described in section d. of this advisory. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially-crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the "ntp" user. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. The NTP security issue identified by CVE-2009-0159 is not relevant for ESXi 3.5 and ESXi 4.0. The following table lists what action remediates the vulnerability in this component (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi 4.0 ESXi ESXi400-200911201-UG ESXi 3.5 ESXi affected, patch pending ESX 4.0 ESX not affected ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. d. Service Console update for ntp Service Console package ntp updated to version ntp-4.2.2pl-9.el5_3.2 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. The Service Console present in ESX is affected by the following security issues. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially-crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the "ntp" user. NTP authentication is not enabled by default on the Service Console. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially-crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0159 to this issue. The following table lists what action remediates the vulnerability in the Service Console (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200911238-SG ESX 3.5 ESX affected, patch pending ** ESX 3.0.3 ESX affected, patch pending ** ESX 2.5.5 ESX affected, patch pending ** vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. ** The service consoles of ESX 2.5.5, ESX 3.0.3 and ESX 3.5 are not affected by CVE-2009-1252. The security issue identified by CVE-2009-0159 has a low impact on the service console of ESX 2.5.5, ESX 3.0.3 and ESX 3.5. e. Updated Service Console package kernel Updated Service Console package kernel addresses the security issues below. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028, CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676, CVE-2009-0778 to the security issues fixed in kernel 2.6.18-128.1.6. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337, CVE-2009-0787, CVE-2009-1336 to the security issues fixed in kernel 2.6.18-128.1.10. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072, CVE-2009-1630, CVE-2009-1192 to the security issues fixed in kernel 2.6.18-128.1.14. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388, CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the security issues fixed in kernel 2.6.18-128.4.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2692, CVE-2009-2698 to the security issues fixed in kernel 2.6.18-128.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747, CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues fixed in kernel 2.6.18-164. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911201-UG ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable ESX 2.5.5 ESX not applicable vMA 4.0 RHEL5 Patch 2 ** * hosted products are VMware Workstation, Player, ACE, Server, Fusion. ** vMA is updated to kernel version 2.6.18-164. f. Updated Service Console package python Service Console package Python update to version 2.4.3-24.el5. When the assert() system call was disabled, an input sanitization flaw was revealed in the Python string object implementation that led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges. Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service. Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to disclose sensitive information, crash or, potentially, execute arbitrary code with the Python interpreter's privileges. Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption). Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service. An integer signedness error, leading to a buffer overflow, was found in the Python zlib extension module. If a Python application requested the negative byte count be flushed for a decompression stream, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. A flaw was discovered in the strxfrm() function of the Python locale module. Strings generated by this function were not properly NULL-terminated, which could possibly cause disclosure of data stored in the memory of a Python application using this function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911235-SG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX affected, patch pending vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. g. Updated Service Console package bind Service Console package bind updated to version 9.3.6-4.P1.el5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handles dynamic update message packets containing the "ANY" record type. A remote attacker could use this flaw to send a specially-crafted dynamic update packet that could cause named to exit with an assertion failure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0696 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911237-SG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX affected, patch pending vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. h. Updated Service Console package libxml2 Service Console package libxml2 updated to version 2.6.26-2.1.2.8. libxml is a library for parsing and manipulating XML files. A Document Type Definition (DTD) defines the legal syntax (and also which elements can be used) for certain types of files, such as XML files. A stack overflow flaw was found in the way libxml processes the root XML document element definition in a DTD. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. Multiple use-after-free flaws were found in the way libxml parses the Notation and Enumeration attribute types. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2414 and CVE-2009-2416 to these issues. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911234-SG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX affected, patch pending vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. i. Updated Service Console package curl Service Console package curl updated to version 7.15.5-2.1.el5_3.5 A cURL is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2417 to this issue The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911232-SG ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. j. Updated Service Console package gnutls Service Console package gnutil updated to version 1.4.1-3.el5_3.5 A flaw was discovered in the way GnuTLS handles NULL characters in certain fields of X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by an application using GnuTLS, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse the application into accepting it by mistake. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2730 to this issue The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911233-SG ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. VMware vCenter Server 4 Update 1 -------------------------------- Version 4.0 Update 1 Build Number 208156 Release Date 2009/11/19 Type Product Binaries http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1 VMware vCenter Server 4 and modules File size: 1.8 GB File type: .iso MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5 SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1 VMware vCenter Server 4 and modules File size: 1.5 GB File type: .zip MD5SUM: f843d9c19795eb3bc5a77f5c545468a8 SHA1SUM: 9a7abd8e70bd983151e2ee40e1b3931525c4480c VMware vSphere Client and Host Update Utility File size: 113.8 MB File type: .exe MD5SUM: 6cc6b2c958e7e9529c284e48dfae22a9 SHA1SUM: f4c19c63a75d93cffc57b170066358160788c959 VMware vCenter Converter BootCD File size: 98.8 MB File type: .zip MD5SUM: 3df94eb0e93de76b0389132ada2a3799 SHA1SUM: 5d7c04e4f9f8ae25adc8de5963fefd8a4c92464c VMware vCenter Converter CLI (Linux) File size: 36.9 MB File type: .tar.gz MD5SUM: 3766097563936ba5e03e87e898f6bd48 SHA1SUM: 36d485bdb5eb279296ce8c8523df04bfb12a2cb4 ESXi 4.0 Update 1 ----------------- ESXi400-200911201-UG https://hostupdate.vmware.com/software/VUM/OFFLINE/release-155-20091116-013169/ESXi-4.0.0-update01.zip md5sum:c6fdd6722d9e5cacb280bdcc2cca0627 sha1sum:de9d4875f86b6493f9da991a8cff37784215db2e http://kb.vmware.com/kb/1014886 NOTE: The three ESXi patches for Firmware, VMware Tools, and the VI Client "C" are contained in a single download file. ESX 4.0 Update 1 ---------------- https://hostupdate.vmware.com/software/VUM/OFFLINE/release-158-20091118-187517/ESX-4.0.0-update01.zip md5sum: 68934321105c34dcda4cbeeab36a2b8f sha1sum: 0d8ae58cf9143d5c7113af9692dea11ed2dd864b http://kb.vmware.com/kb/1014842 To install an individual bulletin use esxupdate with the -b option. esxupdate --bundle=ESX-4.0.0-update01.zip -b ESX400-200911223-UG -b ESX400-200911238-SG -b ESX400-200911201-UG -b ESX400-200911235-SG -b ESX400-200911237-SG -b ESX400-200911234-SG -b ESX400-200911232-SG -b ESX400-200911233-SG update 5. References CVE numbers --- JRE --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724 --- Tomcat --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002 --- ntp --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159 --- kernel --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3528 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5700 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0269 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0322 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0676 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4307 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1337 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0787 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1336 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1633 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1072 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1630 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1192 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5966 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2406 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2407 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0745 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0746 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0747 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0748 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848 --- python --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4965 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031 --- bind --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696 --- libxml and libxml2 --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416 --- curl -- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417 --- gnutil --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052 - ------------------------------------------------------------------------ 6. Change log 2009-11-20 VMSA-2009-0016 Initial security advisory after release of vCenter 4.0 Update 1 and ESX 4.0 Update 1 on 2009-11-19 and release of vMA Patch 2 on 2009-11-23. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/lifecycle/ Copyright 2009 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksHAooACgkQS2KysvBH1xmQMACfTEcnuPanvucXPmgJCTT054o+ dtoAniXz+9xLskrkPr3oUzAcDeV729WG =wSRz -----END PGP SIGNATURE----- . Affected Products ================= The WiKID Strong Authentication Server - Enterprise Edition The WiKID Strong Authentication Server - Community Edition References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286 Mitigation ========== Commercial users may download the most recent RPMs from the website: http://www.wikidsystems.com/downloads/ Users of the open source community version may download packages from Sourceforge: https://sourceforge.net/project/showfiles.php?group_id=144774 - -- Nick Owen WiKID Systems, Inc. 404-962-8983 (desk) http://www.wikidsystems.com Two-factor authentication, without the hassle factor. References Tomcat release notes tomcat.apache.org/security-5.html CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370 - - ------------------------------------------------------------------------ 6. A cross-site scripting vulnerability was found in the HttpServletResponse.sendError() method which could allow a remote attacker to inject arbitrary web script or HTML via forged HTTP headers (CVE-2008-1232). A cross-site scripting vulnerability was found in the host manager application that could allow a remote attacker to inject arbitrary web script or HTML via the hostname parameter (CVE-2008-1947). A traversal vulnerability was found when the 'allowLinking' and 'URIencoding' settings were actived which could allow a remote attacker to use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process (CVE-2008-2938). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: 56ca5eb3e331c6675634a5e3f3c5afd7 2008.0/i586/tomcat5-5.5.23-9.2.10.2mdv2008.0.i586.rpm a1c688654decf045f80fb6d8978c73fa 2008.0/i586/tomcat5-admin-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm 2b7a97313ece05bbd5596045853cfca0 2008.0/i586/tomcat5-common-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm e8384332efad0e2317a646241bece6ee 2008.0/i586/tomcat5-jasper-5.5.23-9.2.10.2mdv2008.0.i586.rpm a30cc8061f55f2613c517574263cdd21 2008.0/i586/tomcat5-jasper-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm 4f4a12c8479f27c7f9ed877f5821afa3 2008.0/i586/tomcat5-jsp-2.0-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm ced904c459478c1123ed5da41dddbd7f 2008.0/i586/tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm 183e045a9b44747c7a4adaec5c860441 2008.0/i586/tomcat5-server-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm 78af5a5788ac359a99a24f03a39c7b94 2008.0/i586/tomcat5-servlet-2.4-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm 8e8569bfab5abef912299b9b751e49e9 2008.0/i586/tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm 6899c327906423cdd02b930221c2496e 2008.0/i586/tomcat5-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm 39fd3985d73f2f20efe4ed97c2a5e7c7 2008.0/SRPMS/tomcat5-5.5.23-9.2.10.2mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: c4d1c4471c29d8cd34adb9f2002ef294 2008.0/x86_64/tomcat5-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm 2caf09173a64a378636496196d99756f 2008.0/x86_64/tomcat5-admin-webapps-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm d6a9a290638267a1117a55041986d31a 2008.0/x86_64/tomcat5-common-lib-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm 2eead87d72af58ddc9e934b55e49a1aa 2008.0/x86_64/tomcat5-jasper-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm 0fab26f89e83c882c5948a430bf82c8b 2008.0/x86_64/tomcat5-jasper-javadoc-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm 833334424b555a77e2a9951b71ed8fa3 2008.0/x86_64/tomcat5-jsp-2.0-api-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm 115561d6233c3890cf3b85a7599ed03b 2008.0/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm eccf76ede6fb9256a2b52c861a9b0bb3 2008.0/x86_64/tomcat5-server-lib-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm cd9df1a8a1a5cb3216221bdefdfe8476 2008.0/x86_64/tomcat5-servlet-2.4-api-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm f7440a4111ec2fd30fa32e4bd74a0a20 2008.0/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm 1464eb297888c4df98d8b7eabe7f0197 2008.0/x86_64/tomcat5-webapps-5.5.23-9.2.10.2mdv2008.0.x86_64.rpm 39fd3985d73f2f20efe4ed97c2a5e7c7 2008.0/SRPMS/tomcat5-5.5.23-9.2.10.2mdv2008.0.src.rpm Mandriva Linux 2008.1: 594abdc70bc430657eb831520926c73f 2008.1/i586/tomcat5-5.5.25-1.2.1.1mdv2008.1.i586.rpm bdec2b83b4fdb4d10a01a65fbdac512d 2008.1/i586/tomcat5-admin-webapps-5.5.25-1.2.1.1mdv2008.1.i586.rpm 3dbc007722996d1c36f31642f80b5c2a 2008.1/i586/tomcat5-common-lib-5.5.25-1.2.1.1mdv2008.1.i586.rpm 04b23d162d13f84d1d8707646ea9148c 2008.1/i586/tomcat5-jasper-5.5.25-1.2.1.1mdv2008.1.i586.rpm 602bf7d4ff261e8af20d50b9e76634bb 2008.1/i586/tomcat5-jasper-eclipse-5.5.25-1.2.1.1mdv2008.1.i586.rpm 0066e7519a2d3478f0a3e70bd95a7e5b 2008.1/i586/tomcat5-jasper-javadoc-5.5.25-1.2.1.1mdv2008.1.i586.rpm 1ba4743762cfa4594a27f0393de47823 2008.1/i586/tomcat5-jsp-2.0-api-5.5.25-1.2.1.1mdv2008.1.i586.rpm 262f2a39b800562cef36d724ce3efa35 2008.1/i586/tomcat5-jsp-2.0-api-javadoc-5.5.25-1.2.1.1mdv2008.1.i586.rpm b9f2af35a734d0e3a2d9bfe292aaced1 2008.1/i586/tomcat5-server-lib-5.5.25-1.2.1.1mdv2008.1.i586.rpm 8307ef374c5b995feac394b6f27474d5 2008.1/i586/tomcat5-servlet-2.4-api-5.5.25-1.2.1.1mdv2008.1.i586.rpm 3f4692170c35f992defcb4111a8133cd 2008.1/i586/tomcat5-servlet-2.4-api-javadoc-5.5.25-1.2.1.1mdv2008.1.i586.rpm 02b9d28af879b825754eff6199bf1788 2008.1/i586/tomcat5-webapps-5.5.25-1.2.1.1mdv2008.1.i586.rpm 2621d41df35e895a1ed0ed471f93f211 2008.1/SRPMS/tomcat5-5.5.25-1.2.1.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 6b1e03e5206eb262970198dccba7d0a3 2008.1/x86_64/tomcat5-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm 930cf38058a0f8902e2741c6512e0aa0 2008.1/x86_64/tomcat5-admin-webapps-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm c527521cb93bab31df3f91422faf02a6 2008.1/x86_64/tomcat5-common-lib-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm f8bef98047ef956c8e4c0f877155e1f1 2008.1/x86_64/tomcat5-jasper-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm 97a8a59178259d26838ce20c176c459a 2008.1/x86_64/tomcat5-jasper-eclipse-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm 3bb885debc8576bd305c9fa4c9d25bfb 2008.1/x86_64/tomcat5-jasper-javadoc-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm 66dcf08e163fdaaf81992a7d25d84a20 2008.1/x86_64/tomcat5-jsp-2.0-api-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm dd92aab81bf4c75ab30b9b82153b24c0 2008.1/x86_64/tomcat5-jsp-2.0-api-javadoc-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm 517ed776282d089dd84f81d47104f660 2008.1/x86_64/tomcat5-server-lib-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm 83d4bb973b7fec461e812d74541a5949 2008.1/x86_64/tomcat5-servlet-2.4-api-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm cbdd58e1c9e1e8f0089af055abbd85e0 2008.1/x86_64/tomcat5-servlet-2.4-api-javadoc-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm cbee0f1f720269f77a66e30709ecd7ae 2008.1/x86_64/tomcat5-webapps-5.5.25-1.2.1.1mdv2008.1.x86_64.rpm 2621d41df35e895a1ed0ed471f93f211 2008.1/SRPMS/tomcat5-5.5.25-1.2.1.1mdv2008.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFIwYsKmqjQ0CJFipgRApJjAKCVZ1XtEGoADQcp8l/m1ECSRstnjACg4qE8 j+sCdAEJN0CXvurmFcjUvNU= =+kFf -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Nucleus XML-RPC PHP Code Execution Vulnerability SECUNIA ADVISORY ID: SA15895 VERIFY ADVISORY: http://secunia.com/advisories/15895/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Nucleus 3.x http://secunia.com/product/3699/ DESCRIPTION: A vulnerability has been reported in Nucleus, which can be exploited by malicious people to compromise a vulnerable system. http://sourceforge.net/project/showfiles.php?group_id=66479 OTHER REFERENCES: SA15852: http://secunia.com/advisories/15852/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . HP has updated the Apache Tomcat and Oracle database software to address vulnerabilities affecting confidentiality, availability, and integrity. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com

Trust: 3.51

sources: NVD: CVE-2008-2370 // CERT/CC: VU#442845 // JVNDB: JVNDB-2008-001606 // BID: 30494 // VULMON: CVE-2008-2370 // PACKETSTORM: 68743 // PACKETSTORM: 74633 // PACKETSTORM: 82837 // PACKETSTORM: 70055 // PACKETSTORM: 125556 // PACKETSTORM: 75161 // PACKETSTORM: 69700 // PACKETSTORM: 38388 // PACKETSTORM: 125436

AFFECTED PRODUCTS

vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.14	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.13	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.12	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.11	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.10	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.9	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.8	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.7	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.6	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.5	Trust: 1.9
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.16	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.15	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.4	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.3	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.2	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.1	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.26	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.25	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.24	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.23	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.22	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.21	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.20	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.19	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.18	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.17	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.16	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.15	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.14	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.13	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.12	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.11	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.10	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.9	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.8	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.7	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.6	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.5	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.4	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.3	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.2	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.1	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.37	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.36	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.34	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.32	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.31	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.30	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.29	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.28	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.24	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.12	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.10	Trust: 1.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.3	Trust: 1.3
vendor:	vmware	model:	virtualcenter	scope:	eq	version:	2.0.2	Trust: 1.1
vendor:	vmware	model:	virtualcenter	scope:	eq	version:	2.5	Trust: 1.1
vendor:	vmware	model:	vcenter	scope:	eq	version:	4.0	Trust: 1.1
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.21	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.19	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.0	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.4	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.27	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.5	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.18	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.0	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.16	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.35	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.15	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.0	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.2	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.20	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.9	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.22	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.25	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.17	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.13	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.26	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.6	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.33	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.23	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.1	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.11	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.14	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.7	Trust: 1.0
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.8	Trust: 1.0
vendor:	drupal	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	gentoo linux	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	mandriva	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	pear xml rpc	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	phpxmlrpc	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	postnuke	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	red hat	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	serendipity	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	trustix secure linux	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	ubuntu linux	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	wordpress	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	xoops	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	phpmyfaq	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1.0 to 4.1.37 version	Trust: 0.8
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5.0 to 5.5.26 version	Trust: 0.8
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0.0 to 6.0.16 version	Trust: 0.8
vendor:	vmware	model:	esx	scope:	eq	version:	3.0.3	Trust: 0.8
vendor:	vmware	model:	esx	scope:	eq	version:	3.5	Trust: 0.8
vendor:	vmware	model:	esx	scope:	eq	version:	4.0	Trust: 0.8
vendor:	vmware	model:	server	scope:	eq	version:	2.x	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.5.5	Trust: 0.8
vendor:	cybertrust	model:	asianux server	scope:	eq	version:	2.0	Trust: 0.8
vendor:	cybertrust	model:	asianux server	scope:	eq	version:	2.1	Trust: 0.8
vendor:	cybertrust	model:	asianux server	scope:	eq	version:	3 (x86)	Trust: 0.8
vendor:	cybertrust	model:	asianux server	scope:	eq	version:	3 (x86-64)	Trust: 0.8
vendor:	sun microsystems	model:	opensolaris	scope:	eq	version:	(sparc)	Trust: 0.8
vendor:	sun microsystems	model:	opensolaris	scope:	eq	version:	(x86)	Trust: 0.8
vendor:	sun microsystems	model:	solaris	scope:	eq	version:	10 (sparc)	Trust: 0.8
vendor:	sun microsystems	model:	solaris	scope:	eq	version:	10 (x86)	Trust: 0.8
vendor:	sun microsystems	model:	solaris	scope:	eq	version:	9 (sparc)	Trust: 0.8
vendor:	sun microsystems	model:	solaris	scope:	eq	version:	9 (x86)	Trust: 0.8
vendor:	hewlett packard	model:	hp xp p9000 performance advisor software	scope:	lt	version:	5.4.1	Trust: 0.8
vendor:	red hat	model:	enterprise linux	scope:	eq	version:	5 (server)	Trust: 0.8
vendor:	red hat	model:	enterprise linux desktop	scope:	eq	version:	5.0 (client)	Trust: 0.8
vendor:	red hat	model:	rhel desktop workstation	scope:	eq	version:	5 (client)	Trust: 0.8
vendor:	nec	model:	webotx application server	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	interstage application framework suite	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	interstage application server	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	interstage apworks	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	interstage business application server	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	interstage job workload server	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	interstage studio	scope:	-	version:	-	Trust: 0.8
vendor:	fujitsu	model:	interstage web server	scope:	-	version:	-	Trust: 0.8
vendor:	wikid	model:	systems wikid server	scope:	eq	version:	3.0.4	Trust: 0.3
vendor:	vmware	model:	virtualcenter 2.5.update build	scope:	eq	version:	31	Trust: 0.3
vendor:	vmware	model:	virtualcenter update	scope:	eq	version:	2.55	Trust: 0.3
vendor:	vmware	model:	virtualcenter update	scope:	eq	version:	2.52	Trust: 0.3
vendor:	vmware	model:	virtualcenter update	scope:	eq	version:	2.51	Trust: 0.3
vendor:	vmware	model:	virtualcenter update	scope:	eq	version:	2.0.25	Trust: 0.3
vendor:	vmware	model:	virtualcenter update	scope:	eq	version:	2.0.24	Trust: 0.3
vendor:	vmware	model:	virtualcenter update	scope:	eq	version:	2.0.23	Trust: 0.3
vendor:	vmware	model:	virtualcenter update	scope:	eq	version:	2.0.22	Trust: 0.3
vendor:	vmware	model:	virtualcenter update	scope:	eq	version:	2.0.21	Trust: 0.3
vendor:	vmware	model:	server	scope:	eq	version:	2.0.2	Trust: 0.3
vendor:	vmware	model:	server	scope:	eq	version:	2.0.1	Trust: 0.3
vendor:	vmware	model:	server	scope:	eq	version:	2.0	Trust: 0.3
vendor:	vmware	model:	esx server	scope:	eq	version:	3.0.3	Trust: 0.3
vendor:	vmware	model:	esx server	scope:	eq	version:	3.0.2	Trust: 0.3
vendor:	vmware	model:	esx server	scope:	eq	version:	3.0.1	Trust: 0.3
vendor:	vmware	model:	esx server	scope:	eq	version:	3.0	Trust: 0.3
vendor:	vmware	model:	esx server	scope:	eq	version:	4.0	Trust: 0.3
vendor:	vmware	model:	esx server	scope:	eq	version:	3.5	Trust: 0.3
vendor:	suse	model:	linux enterprise server sp2	scope:	eq	version:	10	Trust: 0.3
vendor:	sun	model:	solaris 9 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris 9 sparc	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris 10 x86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	solaris 10 sparc	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 99	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 96	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 95	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 92	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 91	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 90	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 89	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 88	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 87	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 86	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 85	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 84	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 83	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 82	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 81	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 80	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 78	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 77	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 76	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 68	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 67	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 64	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 61	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 59	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 57	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 50	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 39	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 36	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 29	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 22	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 19	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 13	scope:	-	version:	-	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 100	scope:	-	version:	-	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	11.0	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	10.3	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	10.2	Trust: 0.3
vendor:	redhat	model:	red hat network satellite server	scope:	eq	version:	5.0.1	Trust: 0.3
vendor:	redhat	model:	red hat network satellite server	scope:	eq	version:	5.0	Trust: 0.3
vendor:	redhat	model:	red hat network satellite (for rhel	scope:	eq	version:	4)5.1	Trust: 0.3
vendor:	redhat	model:	jboss enterprise application platform el5	scope:	eq	version:	4.2	Trust: 0.3
vendor:	redhat	model:	jboss enterprise application platform el4	scope:	eq	version:	4.2	Trust: 0.3
vendor:	redhat	model:	jboss enterprise application platform .cp03	scope:	eq	version:	4.2	Trust: 0.3
vendor:	redhat	model:	jboss enterprise application platform	scope:	eq	version:	4.2	Trust: 0.3
vendor:	redhat	model:	enterprise linux desktop workstation client	scope:	eq	version:	5	Trust: 0.3
vendor:	redhat	model:	enterprise linux desktop client	scope:	eq	version:	5	Trust: 0.3
vendor:	redhat	model:	enterprise linux server	scope:	eq	version:	5	Trust: 0.3
vendor:	redhat	model:	developer suite as4	scope:	eq	version:	3	Trust: 0.3
vendor:	redhat	model:	certificate server	scope:	eq	version:	7.3	Trust: 0.3
vendor:	redhat	model:	application server ws4	scope:	eq	version:	2	Trust: 0.3
vendor:	redhat	model:	application server es4	scope:	eq	version:	2	Trust: 0.3
vendor:	redhat	model:	application server as4	scope:	eq	version:	2	Trust: 0.3
vendor:	pardus	model:	linux	scope:	eq	version:	20080	Trust: 0.3
vendor:	novell	model:	zenworks linux management	scope:	eq	version:	7.3	Trust: 0.3
vendor:	mandriva	model:	linux mandrake x86 64	scope:	eq	version:	2008.1	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	2008.1	Trust: 0.3
vendor:	mandriva	model:	linux mandrake x86 64	scope:	eq	version:	2008.0	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	2008.0	Trust: 0.3
vendor:	hp	model:	xp p9000 performance advisor	scope:	eq	version:	5.4.1	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.31	scope:	-	version:	-	Trust: 0.3
vendor:	hp	model:	hp-ux b.11.11	scope:	-	version:	-	Trust: 0.3
vendor:	fujitsu	model:	interstage studio standard-j edition	scope:	eq	version:	9.0	Trust: 0.3
vendor:	fujitsu	model:	interstage studio standard-j edition	scope:	eq	version:	8.0.1	Trust: 0.3
vendor:	fujitsu	model:	interstage studio enterprise edition	scope:	eq	version:	9.0	Trust: 0.3
vendor:	fujitsu	model:	interstage studio enterprise edition	scope:	eq	version:	8.0.1	Trust: 0.3
vendor:	fujitsu	model:	interstage business application server enterprise	scope:	eq	version:	8.0.0	Trust: 0.3
vendor:	fujitsu	model:	interstage apworks modelers-j edition	scope:	eq	version:	7.0	Trust: 0.3
vendor:	fujitsu	model:	interstage apworks modelers-j edition 6.0a	scope:	-	version:	-	Trust: 0.3
vendor:	fujitsu	model:	interstage apworks modelers-j edition	scope:	eq	version:	6.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server standard-j edition	scope:	eq	version:	9.1	Trust: 0.3
vendor:	fujitsu	model:	interstage application server standard-j edition a	scope:	eq	version:	9.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server standard-j edition	scope:	eq	version:	9.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server standard-j edition	scope:	eq	version:	8.0.2	Trust: 0.3
vendor:	fujitsu	model:	interstage application server standard-j edition	scope:	eq	version:	8.0.1	Trust: 0.3
vendor:	fujitsu	model:	interstage application server standard-j edition	scope:	eq	version:	8.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server plus developer	scope:	eq	version:	7.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server plus developer	scope:	eq	version:	6.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server plus	scope:	eq	version:	7.0.1	Trust: 0.3
vendor:	fujitsu	model:	interstage application server plus	scope:	eq	version:	7.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server plus	scope:	eq	version:	6.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server enterprise edition	scope:	eq	version:	9.1	Trust: 0.3
vendor:	fujitsu	model:	interstage application server enterprise edition a	scope:	eq	version:	9.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server enterprise edition	scope:	eq	version:	9.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server enterprise edition	scope:	eq	version:	8.0.2	Trust: 0.3
vendor:	fujitsu	model:	interstage application server enterprise edition	scope:	eq	version:	8.0.1	Trust: 0.3
vendor:	fujitsu	model:	interstage application server enterprise edition	scope:	eq	version:	8.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server enterprise edition	scope:	eq	version:	7.0.1	Trust: 0.3
vendor:	fujitsu	model:	interstage application server enterprise edition	scope:	eq	version:	7.0	Trust: 0.3
vendor:	fujitsu	model:	interstage application server enterprise edition	scope:	eq	version:	6.0	Trust: 0.3
vendor:	avaya	model:	meeting exchange enterprise edition	scope:	eq	version:	-	Trust: 0.3
vendor:	avaya	model:	meeting exchange	scope:	eq	version:	5.0.0.52	Trust: 0.3
vendor:	avaya	model:	meeting exchange	scope:	eq	version:	5.0	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	4.2.1	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	4.0.1	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	3.1.6	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	3.1.5	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	3.1.4	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	3.1.3	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	4.2	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	4.1	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	4.0	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	3.1	Trust: 0.3
vendor:	avaya	model:	aura application enablement services	scope:	eq	version:	3.0	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.5	Trust: 0.3
vendor:	apache	model:	tomcat	scope:	eq	version:	6.0	Trust: 0.3
vendor:	apache	model:	tomcat	scope:	eq	version:	5.5	Trust: 0.3
vendor:	apache	model:	tomcat beta	scope:	eq	version:	4.1.9	Trust: 0.3
vendor:	apache	model:	tomcat beta	scope:	eq	version:	4.1.3	Trust: 0.3
vendor:	apache	model:	tomcat	scope:	eq	version:	4.1	Trust: 0.3
vendor:	apache	model:	ode	scope:	eq	version:	1.3.2	Trust: 0.3
vendor:	apache	model:	ode	scope:	eq	version:	1.0	Trust: 0.3
vendor:	wikid	model:	systems wikid server	scope:	ne	version:	3.0.5	Trust: 0.3
vendor:	vmware	model:	virtualcenter update	scope:	ne	version:	2.56	Trust: 0.3
vendor:	vmware	model:	vcenter update	scope:	ne	version:	4.01	Trust: 0.3
vendor:	sun	model:	opensolaris build snv 101	scope:	ne	version:	-	Trust: 0.3
vendor:	redhat	model:	jboss enterprise application platform .cp04	scope:	ne	version:	4.2	Trust: 0.3
vendor:	hp	model:	xp p9000 performance advisor	scope:	ne	version:	5.5.1	Trust: 0.3
vendor:	apache	model:	tomcat	scope:	ne	version:	6.0.18	Trust: 0.3
vendor:	apache	model:	tomcat	scope:	ne	version:	5.5.27	Trust: 0.3
vendor:	apache	model:	tomcat	scope:	ne	version:	4.1.38	Trust: 0.3
vendor:	apache	model:	ode	scope:	ne	version:	1.3.3	Trust: 0.3

sources: CERT/CC: VU#442845 // BID: 30494 // JVNDB: JVNDB-2008-001606 // CNNVD: CNNVD-200808-030 // NVD: CVE-2008-2370

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2008-2370
value:	MEDIUM
Trust: 1.0
CARNEGIE MELLON:	VU#442845
value:	20.75
Trust: 0.8
NVD:	CVE-2008-2370
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200808-030
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2008-2370
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2008-2370
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

sources: CERT/CC: VU#442845 // VULMON: CVE-2008-2370 // JVNDB: JVNDB-2008-001606 // CNNVD: CNNVD-200808-030 // NVD: CVE-2008-2370

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2008-001606 // NVD: CVE-2008-2370

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200808-030

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-200808-030

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-001606

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2008-2370

PATCH

title:	Fixed in Apache Tomcat 5.5.SVN	url:	http://tomcat.apache.org/security-5.html	Trust: 0.8
title:	Fixed in Apache Tomcat 6.0.18	url:	http://tomcat.apache.org/security-6.html	Trust: 0.8
title:	Fixed in Apache Tomcat 4.1.SVN	url:	http://tomcat.apache.org/security-4.html	Trust: 0.8
title:	APPLE-SA-2008-10-09 Security Update 2008-007	url:	http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html	Trust: 0.8
title:	HT3216	url:	http://support.apple.com/en-us/HT3216	Trust: 0.8
title:	HT3216	url:	http://support.apple.com/ja-jp/HT3216	Trust: 0.8
title:	tomcat5-5.5.23-0jpp.7.1.1AXS3	url:	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=156	Trust: 0.8
title:	ASA-2008-401	url:	http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm	Trust: 0.8
title:	HPSBUX02401 SSRT090005	url:	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01650939	Trust: 0.8
title:	HPSBST02955 SSRT101157	url:	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c04047415	Trust: 0.8
title:	1381	url:	http://www.miraclelinux.com/support/index.php?q=node/99&errata_id=1381	Trust: 0.8
title:	NV09-012	url:	http://www.nec.co.jp/security-info/secinfo/nv09-012.html	Trust: 0.8
title:	RHSA-2008:0648	url:	https://rhn.redhat.com/errata/RHSA-2008-0648.html	Trust: 0.8
title:	RHSA-2008:0862	url:	https://rhn.redhat.com/errata/RHSA-2008-0862.html	Trust: 0.8
title:	Multiple vulnerabilities in Oracle Java Web Console	url:	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_oracle_java1	Trust: 0.8
title:	251986	url:	http://sunsolve.sun.com/search/document.do?assetkey=1-66-251986-1	Trust: 0.8
title:	VMSA-2009-0002	url:	http://www.vmware.com/security/advisories/VMSA-2009-0002.html	Trust: 0.8
title:	VMSA-2009-0016	url:	http://www.vmware.com/security/advisories/VMSA-2009-0016.html	Trust: 0.8
title:	interstage_as_200902	url:	http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_200902.html	Trust: 0.8
title:	Red Hat: Important: jbossweb security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20080877 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: tomcat security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20080864 - Security Advisory	Trust: 0.1
title:	Red Hat: Important: tomcat security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20080862 - Security Advisory	Trust: 0.1
title:	Red Hat: Low: tomcat security update for Red Hat Network Satellite Server	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20081007 - Security Advisory	Trust: 0.1
title:	VMware Security Advisories: VirtualCenter Update 4 and ESX patch update Tomcat to version 5.5.27	url:	https://vulmon.com/vendoradvisory?qidtp=vmware_security_advisories&qid=73a787a1c84c97013ffa2f87f6d2e4ba	Trust: 0.1
title:	VMware Security Advisories: VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.	url:	https://vulmon.com/vendoradvisory?qidtp=vmware_security_advisories&qid=4675848a694e2124743f676a2c827ef7	Trust: 0.1

sources: VULMON: CVE-2008-2370 // JVNDB: JVNDB-2008-001606

EXTERNAL IDS

db:	NVD	id:	CVE-2008-2370	Trust: 3.6
db:	BID	id:	30494	Trust: 2.8
db:	SECUNIA	id:	31381	Trust: 2.5
db:	SECUNIA	id:	31379	Trust: 2.5
db:	SECTRACK	id:	1020623	Trust: 2.5
db:	SECUNIA	id:	33797	Trust: 1.7
db:	SECUNIA	id:	31639	Trust: 1.7
db:	SECUNIA	id:	36249	Trust: 1.7
db:	SECUNIA	id:	37460	Trust: 1.7
db:	SECUNIA	id:	31982	Trust: 1.7
db:	SECUNIA	id:	32120	Trust: 1.7
db:	SECUNIA	id:	35393	Trust: 1.7
db:	SECUNIA	id:	32266	Trust: 1.7
db:	SECUNIA	id:	32222	Trust: 1.7
db:	SECUNIA	id:	33999	Trust: 1.7
db:	SECUNIA	id:	31865	Trust: 1.7
db:	SECUNIA	id:	57126	Trust: 1.7
db:	SECUNIA	id:	31891	Trust: 1.7
db:	SECUNIA	id:	34013	Trust: 1.7
db:	VUPEN	id:	ADV-2009-1535	Trust: 1.7
db:	VUPEN	id:	ADV-2009-0503	Trust: 1.7
db:	VUPEN	id:	ADV-2008-2823	Trust: 1.7
db:	VUPEN	id:	ADV-2008-2780	Trust: 1.7
db:	VUPEN	id:	ADV-2009-3316	Trust: 1.7
db:	VUPEN	id:	ADV-2009-0320	Trust: 1.7
db:	VUPEN	id:	ADV-2009-2215	Trust: 1.7
db:	VUPEN	id:	ADV-2008-2305	Trust: 1.7
db:	BID	id:	31681	Trust: 1.7
db:	SREASON	id:	4099	Trust: 1.7
db:	SECUNIA	id:	15895	Trust: 0.9
db:	SECUNIA	id:	15810	Trust: 0.8
db:	SECUNIA	id:	15922	Trust: 0.8
db:	SECUNIA	id:	15852	Trust: 0.8
db:	SECUNIA	id:	15855	Trust: 0.8
db:	SECUNIA	id:	15861	Trust: 0.8
db:	SECUNIA	id:	15862	Trust: 0.8
db:	SECUNIA	id:	15872	Trust: 0.8
db:	SECUNIA	id:	15883	Trust: 0.8
db:	SECUNIA	id:	15884	Trust: 0.8
db:	BID	id:	14088	Trust: 0.8
db:	SECTRACK	id:	1014327	Trust: 0.8
db:	CERT/CC	id:	VU#442845	Trust: 0.8
db:	XF	id:	44156	Trust: 0.8
db:	JVNDB	id:	JVNDB-2008-001606	Trust: 0.8
db:	CNNVD	id:	CNNVD-200808-030	Trust: 0.6
db:	EXPLOIT-DB	id:	32137	Trust: 0.1
db:	VULMON	id:	CVE-2008-2370	Trust: 0.1
db:	PACKETSTORM	id:	68743	Trust: 0.1
db:	PACKETSTORM	id:	74633	Trust: 0.1
db:	PACKETSTORM	id:	82837	Trust: 0.1
db:	PACKETSTORM	id:	70055	Trust: 0.1
db:	PACKETSTORM	id:	125556	Trust: 0.1
db:	PACKETSTORM	id:	75161	Trust: 0.1
db:	PACKETSTORM	id:	69700	Trust: 0.1
db:	PACKETSTORM	id:	38388	Trust: 0.1
db:	PACKETSTORM	id:	125436	Trust: 0.1

sources: CERT/CC: VU#442845 // VULMON: CVE-2008-2370 // BID: 30494 // JVNDB: JVNDB-2008-001606 // PACKETSTORM: 68743 // PACKETSTORM: 74633 // PACKETSTORM: 82837 // PACKETSTORM: 70055 // PACKETSTORM: 125556 // PACKETSTORM: 75161 // PACKETSTORM: 69700 // PACKETSTORM: 38388 // PACKETSTORM: 125436 // CNNVD: CNNVD-200808-030 // NVD: CVE-2008-2370

REFERENCES

url:	http://www.securityfocus.com/bid/30494	Trust: 3.2
url:	http://www.securitytracker.com/id?1020623	Trust: 2.5
url:	http://secunia.com/advisories/31379	Trust: 2.5
url:	http://secunia.com/advisories/31381	Trust: 2.5
url:	http://www.vmware.com/security/advisories/vmsa-2009-0002.html	Trust: 2.4
url:	http://www.securityfocus.com/bid/31681	Trust: 2.3
url:	http://www.vmware.com/security/advisories/vmsa-2009-0016.html	Trust: 2.3
url:	http://tomcat.apache.org/security-4.html	Trust: 2.0
url:	http://tomcat.apache.org/security-5.html	Trust: 2.0
url:	http://tomcat.apache.org/security-6.html	Trust: 2.0
url:	http://support.avaya.com/elmodocs2/security/asa-2008-401.htm	Trust: 2.0
url:	http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html	Trust: 2.0
url:	http://secunia.com/advisories/31639	Trust: 1.7
url:	http://www.redhat.com/support/errata/rhsa-2008-0648.html	Trust: 1.7
url:	http://www.mandriva.com/security/advisories?name=mdvsa-2008:188	Trust: 1.7
url:	https://www.redhat.com/archives/fedora-package-announce/2008-september/msg00889.html	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html	Trust: 1.7
url:	https://www.redhat.com/archives/fedora-package-announce/2008-september/msg00859.html	Trust: 1.7
url:	http://secunia.com/advisories/31891	Trust: 1.7
url:	https://www.redhat.com/archives/fedora-package-announce/2008-september/msg00712.html	Trust: 1.7
url:	http://secunia.com/advisories/31865	Trust: 1.7
url:	http://www.redhat.com/support/errata/rhsa-2008-0862.html	Trust: 1.7
url:	http://www.redhat.com/support/errata/rhsa-2008-0864.html	Trust: 1.7
url:	http://lists.apple.com/archives/security-announce/2008/oct/msg00001.html	Trust: 1.7
url:	http://support.apple.com/kb/ht3216	Trust: 1.7
url:	http://secunia.com/advisories/32222	Trust: 1.7
url:	http://securityreason.com/securityalert/4099	Trust: 1.7
url:	http://secunia.com/advisories/31982	Trust: 1.7
url:	http://marc.info/?l=bugtraq&m=123376588623823&w=2	Trust: 1.7
url:	http://secunia.com/advisories/33797	Trust: 1.7
url:	http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html	Trust: 1.7
url:	http://secunia.com/advisories/32120	Trust: 1.7
url:	http://secunia.com/advisories/32266	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2009/0503	Trust: 1.7
url:	http://secunia.com/advisories/33999	Trust: 1.7
url:	http://secunia.com/advisories/34013	Trust: 1.7
url:	http://secunia.com/advisories/35393	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2009/1535	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2009/2215	Trust: 1.7
url:	http://secunia.com/advisories/36249	Trust: 1.7
url:	http://secunia.com/advisories/37460	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2009/3316	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2008/2780	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2009/0320	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2008/2823	Trust: 1.7
url:	http://www.vupen.com/english/advisories/2008/2305	Trust: 1.7
url:	http://marc.info/?l=bugtraq&m=139344343412337&w=2	Trust: 1.7
url:	http://secunia.com/advisories/57126	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/44156	Trust: 1.7
url:	https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a5876	Trust: 1.7
url:	https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a10577	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/507985/100/0/threaded	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/495022/100/0/threaded	Trust: 1.7
url:	https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3cdev.tomcat.apache.org%3e	Trust: 1.6
url:	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3cdev.tomcat.apache.org%3e	Trust: 1.6
url:	https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3cdev.tomcat.apache.org%3e	Trust: 1.6
url:	https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3cdev.tomcat.apache.org%3e	Trust: 1.6
url:	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3cdev.tomcat.apache.org%3e	Trust: 1.6
url:	https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3cdev.tomcat.apache.org%3e	Trust: 1.6
url:	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3cdev.tomcat.apache.org%3e	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2370	Trust: 1.2
url:	http://secunia.com/advisories/15895/	Trust: 0.9
url:	http://secunia.com/advisories/15852/	Trust: 0.9
url:	http://www.hardened-php.net/advisory-022005.php	Trust: 0.8
url:	http://secunia.com/advisories/15861/	Trust: 0.8
url:	http://secunia.com/advisories/15862/	Trust: 0.8
url:	http://secunia.com/advisories/15884/	Trust: 0.8
url:	http://secunia.com/advisories/15883/	Trust: 0.8
url:	http://news.postnuke.com/modules.php?op=modload&name=news&file=article&sid=2699	Trust: 0.8
url:	http://secunia.com/advisories/15855/	Trust: 0.8
url:	http://secunia.com/advisories/15810/	Trust: 0.8
url:	http://secunia.com/advisories/15872/	Trust: 0.8
url:	http://secunia.com/advisories/15922/	Trust: 0.8
url:	http://securitytracker.com/alerts/2005/jun/1014327.html	Trust: 0.8
url:	http://www.gulftech.org/?node=research&article_id=00088-07022005	Trust: 0.8
url:	http://www.gulftech.org/?node=research&article_id=00087-07012005	Trust: 0.8
url:	http://www.securityfocus.com/bid/14088	Trust: 0.8
url:	http://www.frsirt.com/english/advisories/2008/2305	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/44156	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-2370	Trust: 0.8
url:	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3cdev.tomcat.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3cdev.tomcat.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3cdev.tomcat.apache.org%3e	Trust: 0.7
url:	https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3cdev.tomcat.apache.org%3e	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2008-2370	Trust: 0.7
url:	https://nvd.nist.gov/vuln/detail/cve-2008-1947	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2008-1232	Trust: 0.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1232	Trust: 0.4
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1947	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2007-5342	Trust: 0.4
url:	http://lists.vmware.com/pipermail/security-announce/2009/000068.html	Trust: 0.3
url:	http://tomcat.apache.org/	Trust: 0.3
url:	http://www.redhat.com/docs/en-us/jboss_enterprise_application_platform/4.2.0.cp04/html-single/readme/index.html	Trust: 0.3
url:	https://sourceforge.net/project/shownotes.php?release_id=626903&group_id=144774	Trust: 0.3
url:	http://sunsolve.sun.com/search/document.do?assetkey=1-66-251986-1	Trust: 0.3
url:	http://download.novell.com/download?buildid=n5vszfht1vs	Trust: 0.3
url:	/archive/1/495022	Trust: 0.3
url:	/archive/1/507985	Trust: 0.3
url:	http://mail-archives.apache.org/mod_mbox/ode-user/200908.mbox/%3cfbdc6a970908072141w20a7a9d9ka1f896ad8073dffb@mail.gmail.com%3e	Trust: 0.3
url:	http://rhn.redhat.com/errata/rhsa-2008-0648.html	Trust: 0.3
url:	http://www.novell.com/support/viewcontent.do?externalid=7006398	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2008-2938	Trust: 0.3
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5342	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2007-6286	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2007-5333	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2007-5461	Trust: 0.3
url:	http://enigmail.mozdev.org	Trust: 0.2
url:	http://kb.vmware.com/kb/1055	Trust: 0.2
url:	http://www.vmware.com/security	Trust: 0.2
url:	http://www.vmware.com/support/policies/eos.html	Trust: 0.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5461	Trust: 0.2
url:	http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce	Trust: 0.2
url:	http://www.vmware.com/resources/techresources/726	Trust: 0.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-6286	Trust: 0.2
url:	http://www.vmware.com/support/policies/security_response.html	Trust: 0.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5333	Trust: 0.2
url:	http://secunia.com/	Trust: 0.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2938	Trust: 0.2
url:	http://lists.grok.org.uk/full-disclosure-charter.html	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-2204	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2008-0002	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2009-3548	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-2526	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2009-2902	Trust: 0.2
url:	http://www.hp.com	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-0534	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-5035	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2010-3718	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-3190	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2009-2693	Trust: 0.2
url:	http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2010-2227	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-5063	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-1184	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-5064	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2010-4172	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-2481	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-5062	Trust: 0.2
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/	Trust: 0.2
url:	https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secbullarchive/	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-0013	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2010-1157	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2011-2729	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2009-2901	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/22.html	Trust: 0.1
url:	https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3cdev.tomcat.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3cdev.tomcat.apache.org%3e	Trust: 0.1
url:	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3cdev.tomcat.apache.org%3e	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2008:0877	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.exploit-db.com/exploits/32137/	Trust: 0.1
url:	http://tomcat.apache.org/security.html	Trust: 0.1
url:	http://svn.apache.org/viewvc?rev=680949&view=rev	Trust: 0.1
url:	http://host/page.jsp?blah=/../web-inf/web.xml	Trust: 0.1
url:	http://svn.apache.org/viewvc?rev=680950&view=rev	Trust: 0.1
url:	http://software.hp.com	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2008-2364	Trust: 0.1
url:	http://www.itrc.hp.com/service/cki/secbullarchive.do	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2007-6420	Trust: 0.1
url:	http://h30046.www3.hp.com/driveralertprofile.php?regioncode=na&langcode=useng&jumpid=in_sc-gen__driveritrc&topiccode=itrc	Trust: 0.1
url:	https://www.hp.com/go/swa	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2008-2939	Trust: 0.1
url:	http://h30046.www3.hp.com/subsignin.php	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2008-3658	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1630	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1102	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1099	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1098	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0745	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5515	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2671	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0675	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-2671	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0033	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1096	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2052	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2315	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2416	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1093	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1095	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2718	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1101	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1094	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1099	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2724	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5031	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0159	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3143	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1439	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2716	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-4864	Trust: 0.1
url:	http://downloads.vmware.com/download/download.do?downloadgroup=vc40u1	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1895	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3142	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3144	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1093	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2407	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2692	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2673	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1887	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2723	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0778	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2676	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1096	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1721	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2675	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1103	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1097	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0746	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1103	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1385	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-2670	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1633	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0747	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1106	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1102	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2414	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-4965	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0748	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0834	Trust: 0.1
url:	http://kb.vmware.com/kb/1014842	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2847	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-4307	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1097	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1105	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3528	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2406	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2720	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-2625	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2417	Trust: 0.1
url:	http://www.vmware.com/support/policies/lifecycle/	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2670	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1106	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1337	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2722	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1094	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0781	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2698	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0783	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1107	Trust: 0.1
url:	https://hostupdate.vmware.com/software/vum/offline/release-155-20091116-013169/esxi-4.0.0-update01.zip	Trust: 0.1
url:	https://hostupdate.vmware.com/software/vum/offline/release-158-20091118-187517/esx-4.0.0-update01.zip	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1101	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1104	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1252	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1100	Trust: 0.1
url:	http://enigmail.mozdev.org/	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0676	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0028	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0696	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1072	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1336	Trust: 0.1
url:	http://kb.vmware.com/kb/1014886	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1104	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2721	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0269	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1098	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1388	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1107	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1192	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1100	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0002	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5700	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1389	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5966	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0580	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0322	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2672	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1095	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2719	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2625	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0787	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2009-1105	Trust: 0.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2848	Trust: 0.1
url:	http://www.wikidsystems.com	Trust: 0.1
url:	https://sourceforge.net/project/showfiles.php?group_id=144774	Trust: 0.1
url:	http://www.wikidsystems.com/downloads/	Trust: 0.1
url:	http://www.vmware.com/download/download.do?downloadgroup=vc250u4	Trust: 0.1
url:	http://www.vmware.com/support/policies/eos_vi.html	Trust: 0.1
url:	http://www.vmware.com/support/vi3/doc/vi3_vc25u4_rel_notes.html	Trust: 0.1
url:	http://www.mandriva.com/security/	Trust: 0.1
url:	http://www.mandriva.com/security/advisories	Trust: 0.1
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/product/3699/	Trust: 0.1
url:	http://sourceforge.net/project/showfiles.php?group_id=66479	Trust: 0.1
url:	http://secunia.com/secunia_vacancies/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1

CREDITS

Stefano Di Paola

Trust: 0.6

sources: CNNVD: CNNVD-200808-030

SOURCES

db:	CERT/CC	id:	VU#442845
db:	VULMON	id:	CVE-2008-2370
db:	BID	id:	30494
db:	JVNDB	id:	JVNDB-2008-001606
db:	PACKETSTORM	id:	68743
db:	PACKETSTORM	id:	74633
db:	PACKETSTORM	id:	82837
db:	PACKETSTORM	id:	70055
db:	PACKETSTORM	id:	125556
db:	PACKETSTORM	id:	75161
db:	PACKETSTORM	id:	69700
db:	PACKETSTORM	id:	38388
db:	PACKETSTORM	id:	125436
db:	CNNVD	id:	CNNVD-200808-030
db:	NVD	id:	CVE-2008-2370

LAST UPDATE DATE

2024-09-18T23:00:39.470000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#442845	date:	2007-03-09T00:00:00
db:	VULMON	id:	CVE-2008-2370	date:	2019-03-25T00:00:00
db:	BID	id:	30494	date:	2015-05-07T17:17:00
db:	JVNDB	id:	JVNDB-2008-001606	date:	2015-03-26T00:00:00
db:	CNNVD	id:	CNNVD-200808-030	date:	2023-02-14T00:00:00
db:	NVD	id:	CVE-2008-2370	date:	2023-02-13T02:19:08.810

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#442845	date:	2005-07-06T00:00:00
db:	VULMON	id:	CVE-2008-2370	date:	2008-08-04T00:00:00
db:	BID	id:	30494	date:	2008-08-01T00:00:00
db:	JVNDB	id:	JVNDB-2008-001606	date:	2008-09-03T00:00:00
db:	PACKETSTORM	id:	68743	date:	2008-08-01T20:26:42
db:	PACKETSTORM	id:	74633	date:	2009-02-04T18:45:10
db:	PACKETSTORM	id:	82837	date:	2009-11-20T22:21:26
db:	PACKETSTORM	id:	70055	date:	2008-09-17T15:13:40
db:	PACKETSTORM	id:	125556	date:	2014-03-06T02:39:08
db:	PACKETSTORM	id:	75161	date:	2009-02-25T00:58:34
db:	PACKETSTORM	id:	69700	date:	2008-09-06T00:23:13
db:	PACKETSTORM	id:	38388	date:	2005-07-01T23:31:00
db:	PACKETSTORM	id:	125436	date:	2014-02-26T22:39:24
db:	CNNVD	id:	CNNVD-200808-030	date:	2007-05-16T00:00:00
db:	NVD	id:	CVE-2008-2370	date:	2008-08-04T01:41:00